
    Securing EBGP Sessions with TTL-Security Feature

    Introduction

     

    The Time to Live (TTL) security feature protects External Border Gateway Protocol (EBGP) peering sessions from attacks that use forged IP packets. The feature compares the TTL field of each incoming packet against the hop count configured for the EBGP neighbor. BGP establishes and maintains the session only if the TTL value in the IP packet is equal to or greater than the TTL value configured for the peer.

    The feature is configured with the neighbor <ip-address> ttl-security hops <count> BGP configuration command. The router derives the minimum accepted TTL from the configured hop count: TTL = 255 - (hop count).

    This feature has a few limitations:

    1. When neighbor ttl-security is enabled for a peer, neighbor ebgp-multihop is not required for that peer.
    2. The feature applies only to EBGP, not to IBGP.

     

    Prerequisites

    • Understanding of interior gateway protocols, EIGRP in particular
    • Understanding of the exterior gateway protocol BGP

     

    Background

    In this document, four routers (R1, R2, R3 and R4) are connected via Fast Ethernet interfaces and all run EIGRP as the IGP. R1 and R4 advertise their Loopback0 prefixes (1.1.1.1/32 and 4.4.4.4/32).

    R1 and R4 are in different autonomous systems (100 and 200) and form an EBGP peering between their loopback addresses. R4 originates BGP packets with a TTL of 255, and R1 expects the packets it receives from R4 to arrive with a TTL of at least 252: R1 is configured with neighbor 4.4.4.4 ttl-security hops 3, so the minimum accepted TTL is 255 - 3 = 252.

    Any BGP packet originating from behind R4 (that is, more than three hops away from R1) cannot reach R1 with a TTL of 252, so R1 always rejects it.
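The check described above, worked through in Python as an added example (not code from the original document or from Cisco): it derives the minimum accepted TTL from the configured hop count and applies it to two constructed segments, R4's own and a forged one sourced from behind R4. The TTL model (one decrement per router hop, counting the receiving router) is an assumption chosen to match the page's numbers.

```python
"""Model of the TTL-security (GTSM) check described above.

Assumption: the TTL the receiving router's check sees is the sender's
initial TTL minus one per router hop, counting the receiver itself, which
matches the page's numbers (R4 is 3 hops from R1 and arrives with 252).
"""
from dataclasses import dataclass

MAX_TTL = 255


def min_incoming_ttl(hops: int) -> int:
    """Minimum accepted TTL for 'neighbor <ip> ttl-security hops <hops>'."""
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hops


@dataclass(frozen=True)
class Packet:
    src: str          # source address carried by the TCP/BGP segment
    initial_ttl: int  # TTL set by the originating host
    router_hops: int  # routers traversed, including the receiving router


def ttl_on_arrival(pkt: Packet) -> int:
    """TTL as seen by the receiver's check (floored at 0)."""
    return max(pkt.initial_ttl - pkt.router_hops, 0)


def gtsm_accepts(pkt: Packet, configured_hops: int) -> bool:
    """True if the segment passes the TTL-security check for this neighbor."""
    return ttl_on_arrival(pkt) >= min_incoming_ttl(configured_hops)


# Constructed scenarios from the page's topology: R4 (4.4.4.4) is three
# router hops from R1 and originates BGP with TTL 255.
R4_LEGIT = Packet(src="4.4.4.4", initial_ttl=255, router_hops=3)
# A forged segment carrying R4's address from somewhere behind R4 crosses
# more routers, so it can only arrive with a lower TTL: TTL never increases.
FORGED_BEHIND_R4 = Packet(src="4.4.4.4", initial_ttl=255, router_hops=5)


def evaluate(configured_hops: int) -> dict:
    """Decisions R1 makes for both segments with the given hop count."""
    return {
        "min_ttl": min_incoming_ttl(configured_hops),
        "r4_legit": gtsm_accepts(R4_LEGIT, configured_hops),
        "forged_behind_r4": gtsm_accepts(FORGED_BEHIND_R4, configured_hops),
    }


if __name__ == "__main__":
    print("hops 3:", evaluate(3))  # legit session up, forged segment dropped
    print("hops 2:", evaluate(2))  # legit traffic rejected too (see NOTE)
```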

     

    Topology Diagram

    [Figure: topology diagram (TopologyDiagram.bmp)]

    Configuration

    hostname R1
    ip cef
    no ip domain lookup
    interface Loopback0
      ip address 1.1.1.1 255.255.255.255
    interface FastEthernet0/0
      ip address 10.12.12.1 255.255.255.252
      duplex auto
      speed auto
    router eigrp 10
      network 1.1.1.1 0.0.0.0
      network 10.12.12.1 0.0.0.0
      no auto-summary
      eigrp router-id 1.1.1.1
    router bgp 100
      no synchronization
      bgp router-id 1.1.1.1
      bgp log-neighbor-changes
      neighbor 4.4.4.4 remote-as 200
      neighbor 4.4.4.4 ttl-security hops 3
      neighbor 4.4.4.4 update-source Loopback0
      no auto-summary
    end

    hostname R2
    ip cef
    no ip domain lookup
    interface FastEthernet0/0
      ip address 10.12.12.2 255.255.255.252
      duplex auto
      speed auto
    interface FastEthernet0/1
      ip address 10.23.23.1 255.255.255.252
      duplex auto
      speed auto
    router eigrp 10
      network 10.12.12.2 0.0.0.0
      network 10.23.23.1 0.0.0.0
      no auto-summary
    end

    hostname R3
    ip cef
    no ip domain lookup
    interface FastEthernet0/0
      ip address 10.23.23.2 255.255.255.252
      duplex auto
      speed auto
    interface FastEthernet0/1
      ip address 10.34.34.1 255.255.255.252
      duplex auto
      speed auto
    router eigrp 10
      network 10.23.23.2 0.0.0.0
      network 10.34.34.1 0.0.0.0
      no auto-summary
      eigrp router-id 3.3.3.3
    end

    hostname R4
    ip cef
    interface Loopback0
      ip address 4.4.4.4 255.255.255.255
    interface FastEthernet0/0
      ip address 10.34.34.2 255.255.255.252
      duplex auto
      speed auto
    router eigrp 10
      network 4.4.4.4 0.0.0.0
      network 10.34.34.2 0.0.0.0
      no auto-summary
      eigrp router-id 4.4.4.4
    router bgp 200
      no synchronization
      bgp router-id 4.4.4.4
      bgp log-neighbor-changes
      neighbor 1.1.1.1 remote-as 100
      neighbor 1.1.1.1 ttl-security hops 3
      neighbor 1.1.1.1 update-source Loopback0
      no auto-summary
    end

     

    Verification

    The session is up with the feature in place. In the neighbor output, the lines "External BGP neighbor may be up to 3 hops away." and "Mininum incoming TTL 252, Outgoing TTL 255" show the configured hop count and the minimum TTL derived from it.

    R1#sh ip bgp sum
    BGP router identifier 1.1.1.1, local AS number 100
    BGP table version is 1, main routing table version 1

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    4.4.4.4         4   200      23      22        1    0    0 00:10:14        0

    R1#sh ip bgp neighbors 4.4.4.4
    BGP neighbor is 4.4.4.4,  remote AS 200, external link
      BGP version 4, remote router ID 4.4.4.4
      BGP state = Established, up for 00:09:57
      Last read 00:00:00, last write 00:00:57, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        InQ depth is 0
        OutQ depth is 0
                             Sent       Rcvd
        Opens:                  3          3
        Notifications:          0          0
        Updates:                0          0
        Keepalives:            18         20
        Route Refresh:          0          0
        Total:                 21         23
      Default minimum time between advertisement runs is 30 seconds

      For address family: IPv4 Unicast
      BGP table version 1, neighbor version 1/0
    Output queue size : 0
      Index 1, Offset 0, Mask 0x2
      1 update-group member
                                     Sent       Rcvd
      Prefix activity:               ----       ----
        Prefixes Current:               0          0
        Prefixes Total:                 0          0
        Implicit Withdraw:              0          0
        Explicit Withdraw:              0          0
        Used as bestpath:             n/a          0
        Used as multipath:            n/a          0

                                       Outbound    Inbound
      Local Policy Denied Prefixes:    --------    -------
        Total:                                0          0
      Number of NLRIs in the update sent: max 0, min 0

      Connections established 3; dropped 2
      Last reset 00:10:00, due to User reset
      External BGP neighbor may be up to 3 hops away.
    Connection state is ESTAB, I/O status: 1, unread input bytes: 0
    Connection is ECN Disabled, Mininum incoming TTL 252, Outgoing TTL 255
    Local host: 1.1.1.1, Local port: 39378
    Foreign host: 4.4.4.4, Foreign port: 179

    Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

    Event Timers (current time is 0x271CD8):
    Timer          Starts    Wakeups            Next
    Retrans            13          0             0x0
    TimeWait            0          0             0x0
    AckHold            12          9             0x0
    SendWnd             0          0             0x0
    KeepAlive           0          0             0x0
    GiveUp              0          0             0x0
    PmtuAger            0          0             0x0
    DeadWait            0          0             0x0

    iss: 4147902773  snduna: 4147903047  sndnxt: 4147903047     sndwnd:  16111
    irs: 1221993724  rcvnxt: 1221994017  rcvwnd:      16092  delrcvwnd:    292

    SRTT: 528 ms, RTTO: 1584 ms, RTV: 1056 ms, KRTT: 0 ms
    minRTT: 348 ms, maxRTT: 892 ms, ACK hold: 200 ms
    Flags: active open, nagle
    IP Precedence value : 6

    Datagrams (max data segment is 536 bytes):
    Rcvd: 22 (out of order: 0), with data: 12, total data bytes: 292
    Sent: 24 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 12, total data bytes: 273

     

    NOTE: If ttl-security hops is now changed to 2 (minimum accepted TTL 255 - 2 = 253), R1 and R4 no longer form an EBGP session: their packets arrive with a TTL of 252, below the new minimum.

    [Figure: verification output after the change (Verify.bmp)]

    As the output shows, after changing the hop count the peering between R1 and R4 is lost.
