BGP TTL Security Check is new BGP functionality that provides better protection against BGP session spoofing.

This feature enables checking of TTL values on BGP packets from peers. When it is configured, all TCP packets from BGP are sent with a TTL value of 255, and all incoming TCP packets for BGP are checked for a TTL value that is greater than or equal to the configured incoming-ttl value.

For most cases, since the peer is just one hop away, the incoming-ttl value will be configured as 254. If the EBGP peer is multiple hops away, then the incoming-ttl value should be configured to allow all required paths between the two peers.


Enable the BTSH feature via

[no] neighbor x.x.x.x incoming-ttl

The incoming-ttl value can be in the range 0-255.

The incoming-ttl value should represent the lower bound on the TTL value expected from the peer. For peers that are directly connected, the value would be 254. In the EBGP multihop case, the value should accommodate all required paths to the peer. Also, note that ebgp multihop and incoming-ttl are mutually exclusive features: only one of them may be configured for each neighbor.

You can use the image c3550-i9q3l2-mz.122-25.SEA.bin on a 3550 switch, which supports the BGP ttl-security feature.
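The incoming-ttl rules described above (range 0-255, lower bound on the received TTL, mutual exclusion with ebgp multihop), modelled as an added Python example that is not vendor code or part of the original text. The `Neighbor` class, the function names, the address 192.0.2.1 and the hop counts are constructed for illustration, and the `255 - hops` formula is an assumption that generalises the one-hop value of 254 given above.

```python
from dataclasses import dataclass
from typing import List, Optional

SEND_TTL = 255  # per the text above: BGP TCP packets are sent with TTL 255


@dataclass
class Neighbor:  # hypothetical model of one "neighbor x.x.x.x" entry
    address: str
    incoming_ttl: Optional[int] = None  # lower bound on the received TTL
    ebgp_multihop: bool = False


def config_errors(n: Neighbor) -> List[str]:
    """Return the rule violations for one neighbor (empty list means valid)."""
    errors = []
    if n.incoming_ttl is not None:
        if not 0 <= n.incoming_ttl <= 255:
            errors.append("incoming-ttl out of range 0-255")
        if n.ebgp_multihop:
            errors.append("ebgp multihop and incoming-ttl are mutually exclusive")
    return errors


def lower_bound(path_hops: List[int]) -> int:
    """Lower bound that admits every required path to the peer.

    Assumption: the one-hop case (254) generalised to 255 - hops,
    taken over the longest required path.
    """
    if not path_hops or min(path_hops) < 1 or max(path_hops) > SEND_TTL:
        raise ValueError("each path needs a hop count between 1 and 255")
    return SEND_TTL - max(path_hops)


def accepts(n: Neighbor, received_ttl: int) -> bool:
    """Receive-side check: TTL must be >= the configured incoming-ttl."""
    return n.incoming_ttl is None or received_ttl >= n.incoming_ttl


def arriving_ttl(sent_ttl: int, hops: int) -> int:
    """TTL left after `hops` hops under the same convention (one hop -> 254)."""
    return max(sent_ttl - hops, 0)


# Constructed sample: a directly connected peer, and a sender 5 hops away
# that also starts at TTL 255 (the maximum, so it cannot arrive any higher).
peer = Neighbor("192.0.2.1", incoming_ttl=lower_bound([1]))
results = {
    "peer, 1 hop": accepts(peer, arriving_ttl(SEND_TTL, 1)),
    "distant sender, 5 hops": accepts(peer, arriving_ttl(SEND_TTL, 5)),
}
```

Because 255 is the largest TTL any sender can set, a packet that has crossed more hops than the configured bound allows always arrives below it, which is what lets the check reject sessions spoofed from outside the expected hop radius.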


