[c-nsp] BGP TTL check (GTSM)

Justin Shore justin at justinshore.com
Wed Jun 18 15:31:14 EDT 2008


Oliver Boehmer (oboehmer) wrote:

> Just to be sure: your neighbor also enabled this on their end? It needs
> to be enabled on both ends to work..

Gents,

That's the problem.  I completely overlooked that part in the 
prerequisites section of the docs.  My bad.

However, that said, I thought the point of GTSM was to be able to apply 
the concept to numerous infrastructure protocols that use IP to 
communicate and to do so without requiring support on both ends (which 
is commonly an outside entity, hence the justification for this 
premise).  I thought the basic premise was to configure one end to check 
to make sure that the TTL is within a certain range before permitting 
the packet through, the point being that only your peer could get a 
packet through to your interface with that TTL.  I was under the 
impression that it was to do this based on the predictable nature of 
TTLs on IP packets sourced and destined to directly-connected L3 
peers.  I didn't realize that both sides needed configuration.

That said, how often do people find upstream peers that support GTSM? 
My upstreams don't seem to do anything other than basic eBGP.  Hell we 
couldn't even get one of our upstreams (now a former upstream) to do BGP 
AUTH with us.  Do many upstreams support additional features like GTSM 
or BFD for BGP?  I'll ask the upstream I'm working with if they'll 
support this for us.

Thanks
  Justin
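As an added illustration (not part of this thread or of any vendor's code), a small Python model of the GTSM receive-side TTL check that also shows why the session fails when only one side enables it; the peer names, hop counts and the non-GTSM default TTL of 1 are assumptions:

```python
# Added example, not from the thread: a model of the GTSM / BGP TTL security
# check (RFC 5082) showing why both ends must be configured.
# Peer names, hop counts and the eBGP default TTL of 1 are constructed values.
from dataclasses import dataclass

MAX_TTL = 255          # a GTSM-enabled sender always originates with TTL 255
EBGP_DEFAULT_TTL = 1   # assumed TTL of a plain directly-connected eBGP speaker


@dataclass
class Packet:
    src: str
    ttl: int


def send(src: str, gtsm_enabled: bool, routers_in_path: int) -> Packet:
    """Originate a packet and forward it through `routers_in_path`
    intermediate routers, each of which decrements TTL by one.
    A directly-connected peer has zero routers in between."""
    ttl = MAX_TTL if gtsm_enabled else EBGP_DEFAULT_TTL
    return Packet(src, max(ttl - routers_in_path, 0))


def gtsm_accept(pkt: Packet, hops: int = 1) -> bool:
    """Receiver check: accept only packets whose TTL proves they crossed at
    most `hops - 1` routers (hops=1 means directly connected). A source any
    farther away cannot present such a high TTL, whatever address it spoofs."""
    return pkt.ttl >= MAX_TTL - hops + 1


def peering_scenarios() -> dict:
    """Three cases: a GTSM-enabled peer, a far-away spoofed source, and the
    situation in the thread (only our side has GTSM enabled)."""
    return {
        "peer_with_gtsm": gtsm_accept(send("peer", True, 0)),
        "remote_spoofer": gtsm_accept(send("spoofer", True, 3)),
        "peer_without_gtsm": gtsm_accept(send("peer", False, 0)),
    }


if __name__ == "__main__":
    for name, accepted in peering_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'dropped'}")
```

The third case is the one described above: the peer that has not enabled the feature still sends with its default TTL, so the GTSM-enabled side drops every packet and the session never comes up.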


