[c-nsp] Best practise/security design for BGP and OSPF

Saku Ytti saku at ytti.fi
Fri May 26 09:48:02 EDT 2017


On 26 May 2017 at 14:44,  <adamv0025 at netconsultings.com> wrote:

Hey,

> Regarding OSPF unless you are using virtual-links or sham-links, then all
> messages are bound to a directly connected subnet so you can safely
> implement the ttl check with 254 (one hop).

This is implementation-specific and you need to know which one it is.
If figuring it out is challenging, start with 255 and see if it works;
if not, revert to 254. For example, in the JNPR lo0 filter we verify that
ICMP ND has hop-limit 255, because the check is done before the TTL is
decremented; verifying 254 would expose us to ICMP ND attacks from one
hop off-link.


-- 
  ++ytti
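Added illustration, not part of the thread and not Junos code: a small model of a loopback (control-plane) TTL/hop-limit filter of the kind described above. Protocol names, the two policies and the sending TTL of 255 are constructed assumptions; it shows why a 255 check stops ND from one hop off-link while a 254 check lets it through.

```python
"""Model of a lo0-style TTL / hop-limit check for control-plane traffic.
Each protocol's packets are accepted only if they arrive with at least the
expected TTL, so packets that crossed more routers than the protocol needs
are discarded.  Constructed example; policies and protocol names are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # e.g. "icmp6-nd", "ospf", "bgp" (assumed labels)
    ttl: int     # TTL (IPv4) or hop-limit (IPv6) as seen by the filter


# Minimum TTL the filter demands per protocol.  The filter sees the packet
# before the local router decrements it, so an on-link origin sending 255
# arrives as 255; anything that crossed a router arrives as 254 or less.
STRICT_POLICY = {"icmp6-nd": 255, "ospf": 255, "bgp": 255}
# Relaxing to 254 admits traffic that has already passed through one router.
RELAXED_POLICY = {"icmp6-nd": 254, "ospf": 254, "bgp": 254}


def arriving_ttl(sent_ttl: int, routers_crossed: int) -> int:
    """TTL seen at the receiver after each intermediate router decrements it."""
    ttl = sent_ttl - routers_crossed
    if ttl <= 0:
        raise ValueError("packet would have been dropped in transit")
    return ttl


def lo0_filter(pkt: Packet, policy: dict) -> str:
    """Return 'accept' or 'discard' for a control-plane packet under a policy."""
    minimum = policy.get(pkt.proto)
    if minimum is None:
        return "discard"   # protocol not in the policy: default deny
    return "accept" if pkt.ttl >= minimum else "discard"


def evaluate(proto: str, sent_ttl: int, routers_crossed: int, policy: dict) -> str:
    """Build the packet as it arrives and run it through the filter."""
    return lo0_filter(Packet(proto, arriving_ttl(sent_ttl, routers_crossed)), policy)


if __name__ == "__main__":
    # Constructed scenarios: a directly attached neighbour (0 routers crossed)
    # and a sender one hop off-link (1 router crossed), both sending with 255.
    for name, policy in (("strict/255", STRICT_POLICY), ("relaxed/254", RELAXED_POLICY)):
        for hops in (0, 1):
            print(f"{name}: icmp6-nd from {hops} hop(s) off-link ->",
                  evaluate("icmp6-nd", 255, hops, policy))
```

The same `sent_ttl` parameter lets you model an OSPF implementation that originates with a different TTL, which is the implementation-specific point raised in the reply.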

