BGP TTL Security

In IOS 12.4, Cisco added a feature to BGP that you might want to implement: TTL checking between peers. Although I've never heard of it happening, it is possible for a rogue router to hijack a BGP peer connection and inject bogus routes. To prevent this, you can use TTL checking between peers.

This feature takes advantage of the fact that it is thought to be impossible to forge the TTL count of an IP packet without internal access to the source or destination network. Since it's extremely difficult or impossible to forge TTL counts, we can apply a rule that only accepts IP packets with a TTL count tht is equal to our configured hop-count. (TTL can be considered a hop-count.)

This command is not supported for iBGP (internal) peers. It applies only to eBGP (external) peers.

For example, if the BGP peer was directly connected, we could set the hop-count (TTL) to 2, and our BGP process accepts only packets with that hop-count from that neighbor's IP address.

 neighbor ttl-security hops 2

With this setting, if the hop-count is less than 253, the packet is dropped. (You get 253 by subtracting our hop-count of 2 from 255.) The only TTL values that will be accepted are 254 and 253.

Cisco IOS in a Nutshell
Cisco IOS in a Nutshell (In a Nutshell (OReilly))
ISBN: 0596008694
EAN: 2147483647
Year: 2006
Pages: 1031
Authors: James Boney
Simiral book on Amazon © 2008-2017.
If you may any questions please contact us: