[c-nsp] BGP TTL check (GTSM)
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Jun 18 16:01:23 EDT 2008
Justin Shore <mailto:justin at justinshore.com> wrote on Wednesday, June
18, 2008 9:31 PM:
> Oliver Boehmer (oboehmer) wrote:
>
>> Just to be sure: your neighbor also enabled this on their end? It
>> needs to be enabled on both ends to work..
>
> Gents,
>
> That's the problem. I completely overlooked that part in the
> prerequisites section of the docs. My bad.
>
> However, that said, I thought the point of GTSM was to be able to
> apply the concept to numerous infrastructure protocols that use IP to
> communicate and to do so without requiring support on both ends (which
> is commonly an outside entity, hence the justification for this
> premise). I thought the basic premise was to configure one end to
> check to make sure that the TTL is within a certain range before
permitting
> the packet through, the point being that only your peer could get a
> packet through to your interface with that TTL. I was under the
> impression that it was to do this based on the predictable nature of
> TTLs on IP packets sourced and and destined to directly-connected L3
> peers. I didn't realize that both sides needed configuration.
You are correct. But BGP without BTSH/GTSM enabled uses TTL=1 towards
directly-connected neighbors, and the neighbor with BTSH configured
discards the packets (as you've observed).
So BTSH will not only introduce the inbound ttl check, but also uses
triggers BGP to set ttl=255 on originated packets. Hence the requirement
to enable it on both ends
oli
More information about the cisco-nsp
mailing list