[c-nsp] GTSM IOS-XR

Saku Ytti saku at ytti.fi
Tue Aug 13 03:18:09 EDT 2019


On Tue, 13 Aug 2019 at 00:18, James Bensley
<jwbensley+cisco-nsp at gmail.com> wrote:

> For a BGP session for example, I would expect LTPS to drop TCP packets
> from any remote IP address which is not explicitly configured as a
> peer. Because everyone has 100% deployed uRPF and IP spoofing is an
> issue whatsoever in the world, have you managed to find a reliable way
> of repeating this issue from an IP address permitted by LTPS?

If you look at the LPTS rules (show lpts pifib entry location ..),
there is no TTL==255 rule for established BGP, only configured. Now to
be fair, I've not actually tried to reset the BGP session, so if there
is in addition software verification of TTL, then it's just punted
unnecessarily and only a DoS vector.

-- 
  ++ytti
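As an added illustration (not part of the original thread, and not Cisco's code), the following Python models the two checks the mail contrasts: an LPTS/pifib flow entry that matches a configured BGP peer on addresses and port but carries no TTL term, so any matching packet is punted to the RP, and the RFC 5082 GTSM receiver check that is assumed here to run afterwards in software. Peer addresses are constructed from RFC 5737 space, the checksums are left zero, and the TrustRadius semantics (accept if TTL >= 255 - TrustRadius, with TrustRadius 0 for a directly connected peer) are taken from RFC 5082 rather than from any IOS-XR command; whether IOS-XR actually applies a software TTL check on an established session is exactly the open question in the post and is not asserted by this model.

```python
# Added example (not from the original post or from Cisco): a model of the
# LPTS-then-GTSM decision path run over constructed packets. Real IOS-XR LPTS
# is a hardware table; only the decision logic is modelled here.
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Set

BGP_PORT = 179
GTSM_TTL = 255            # RFC 5082: GTSM-enabled senders transmit with TTL 255
IPPROTO_TCP = 6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    proto: int
    sport: int
    dport: int


def build_ipv4_tcp(src: str, dst: str, ttl: int, sport: int, dport: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN (constructed test input, checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, IPPROTO_TCP, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Extract the fields that LPTS and GTSM look at from a raw IPv4/TCP packet."""
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (raw[0] & 0x0F) * 4
    ttl, proto = raw[8], raw[9]
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Packet(str(ip_address(raw[12:16])), str(ip_address(raw[16:20])),
                  ttl, proto, sport, dport)


def lpts_match(pkt: Packet, local: str, peers: Set[str]) -> bool:
    """Models the pifib entry described in the mail: addresses and BGP port of a
    configured peer, with no TTL term, so every match is punted to the RP."""
    return (pkt.proto == IPPROTO_TCP and pkt.dst == local and pkt.src in peers
            and (pkt.dport == BGP_PORT or pkt.sport == BGP_PORT))


def gtsm_ok(pkt: Packet, trust_radius: int = 0) -> bool:
    """RFC 5082 receiver check: accept only if TTL >= 255 - TrustRadius.
    trust_radius=0 is assumed for a directly connected eBGP peer."""
    return pkt.ttl >= GTSM_TTL - trust_radius


def classify(raw: bytes, local: str, peers: Set[str], trust_radius: int = 0) -> str:
    """Where a packet ends up: dropped in hardware, punted and then rejected by the
    (assumed) software TTL check, or delivered to the BGP process."""
    pkt = parse_ipv4_tcp(raw)
    if not lpts_match(pkt, local, peers):
        return "hw-drop"          # never reaches the RP
    if not gtsm_ok(pkt, trust_radius):
        return "punt-ttl-drop"    # costs RP punt capacity first, then rejected
    return "deliver"


if __name__ == "__main__":
    LOCAL, PEERS = "192.0.2.1", {"192.0.2.2"}       # constructed RFC 5737 addresses
    genuine = build_ipv4_tcp("192.0.2.2", LOCAL, 255, 40000, BGP_PORT)
    spoofed = build_ipv4_tcp("192.0.2.2", LOCAL, 248, 40000, BGP_PORT)  # peer IP, 7 hops away
    stranger = build_ipv4_tcp("198.51.100.7", LOCAL, 255, 40000, BGP_PORT)
    for name, raw in (("genuine", genuine), ("spoofed", spoofed), ("stranger", stranger)):
        print(f"{name:9s} -> {classify(raw, LOCAL, PEERS)}")
```

The spoofed case is the one the thread is about: a packet carrying a configured peer's source address but a TTL below 255 passes the flow match and is punted before any TTL check can reject it, so at minimum it consumes RP punt capacity.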

