nanog mailing list archives
RE: BGP TTL check in 12.3(7)T
From: Pekka Savola <pekkas () netcore fi>
Date: Thu, 8 Apr 2004 19:33:37 +0300 (EEST)
On Thu, 8 Apr 2004, Blaine Christian wrote:
> The TTL mechanism is just a way to distinguish at low cost between good for_us traffic and junk. So more of a classifier than a security layer, though it can be argued both ways. And even though it does have security in the title, it is _not_ a panacea for "securing" bgp or any routing information.
>
> http://www.faqs.org/rfcs/rfc3682.html
>
> I agree that it is not a panacea... But, you must admit, it provides an incredible level of comfort. It would be wonderful to only allow internally generated traffic to talk to the core of your network with a simple TTL filter. Versus anti-spoofing filters from hell.
You may be misunderstanding the applicability of GTSM. It's only really useful for eBGP sessions, not for "internally generated traffic" (unless you fix the TTLs manually for iBGP sessions). Spoofing filters (source address is most useful, but a few protocols being deployed now also require destination address based filtering) at your border are still best to prevent external abuse to your infrastructure?
> Now, when do we get it at line speed on engine 0 cards? I hope some other vendors are listening to this conversation!
(tongue in cheek) Maybe you should be listening to the vendors instead, and pick ones which provide the features you need?

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
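
The receive-side check discussed in this thread, as an added example that is not part of the original message and is not vendor code. It models the RFC 3682 rule (send with TTL 255, accept only packets whose arrival TTL shows they crossed no more than a trusted number of routers). The `trusted_hops` parameter, the sample packets and the reading of "fix the TTLs manually" as widening that window are assumptions made for illustration.

```python
# Added illustration of the GTSM (RFC 3682) receive check; not vendor code.
from dataclasses import dataclass

GTSM_SEND_TTL = 255  # GTSM senders originate protocol packets with TTL 255


@dataclass
class Packet:
    src: str          # claimed source address (may be spoofed)
    ttl_at_send: int  # TTL the originator put in the IP header
    router_hops: int  # routers that forwarded (and decremented) the packet


def arrival_ttl(pkt):
    """TTL seen by the receiver, or None if the packet expired in transit."""
    ttl = pkt.ttl_at_send - pkt.router_hops
    return ttl if ttl > 0 else None


def gtsm_accept(pkt, trusted_hops=0):
    """Accept only packets that crossed at most `trusted_hops` routers.

    trusted_hops=0 is the directly connected eBGP case: arrival TTL must be 255.
    trusted_hops is a hypothetical knob standing in for a per-session setting.
    """
    ttl = arrival_ttl(pkt)
    return ttl is not None and ttl >= GTSM_SEND_TTL - trusted_hops


# Constructed sample traffic (documentation addresses from RFC 5737).
PEER = "192.0.2.1"
SAMPLES = {
    "direct eBGP peer": Packet(PEER, 255, 0),
    "peer address claimed from 6 routers away": Packet(PEER, 255, 6),
    "peer address claimed from 2 routers away": Packet(PEER, 255, 2),
    "sender still using TTL 1": Packet(PEER, 1, 0),
    "iBGP loopback peer, 3 routers away": Packet("198.51.100.7", 255, 3),
}


def classify(trusted_hops=0):
    """Map each sample name to the accept/drop decision for this window."""
    return {name: gtsm_accept(p, trusted_hops) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for hops in (0, 3):
        print(f"trusted_hops={hops}")
        for name, ok in classify(hops).items():
            print(f"  {'accept' if ok else 'drop  '}  {name}")
```

With the window at 0 only the directly connected peer passes, so the multi-hop iBGP session is dropped too. Widening it to 3 admits that session but also anything else within three routers, which is why border source-address filtering is still needed.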