nanog mailing list archives
RE: BGP TTL check in 12.3(7)T
From: "Blaine Christian" <blaine.christian () mci com>
Date: Thu, 8 Apr 2004 12:50:25 -0400
Hi Pekka,
Spoofing filters (source address is most useful, but a few protocols being deployed now also require destination address based filtering) at your border are still best to prevent external abuse to your infrastructure?
I agree that spoofing filters help also (perhaps we are not communicating)... But TTL helps in places where you can't just anti-spoof. For example, suppose you have box X which can do ZERO filtering at line rate. Then box Y that can... X->Y You have a BGP session between X and Y and many untrusted things talking to X. How would I anti-spoof X's protocol traffic when I am at Y? The nice thing about X is that it does, hopefully reliably, decrement the TTL. Michel, this same answer should apply to your statement. I agree that anti-spoofing helps. But TTL filtering can fix some very interesting problems. BTW, I am only commenting on TTL filtering and not necessarily Cisco's implementation (I have not even read through their implementation yet). Regards, Blaine
Current thread:
- BGP TTL check in 12.3(7)T Hank Nussbacher (Apr 08)
- Re: BGP TTL check in 12.3(7)T Magnus Eriksson (Apr 08)
- Re: BGP TTL check in 12.3(7)T vijay gill (Apr 08)
- RE: BGP TTL check in 12.3(7)T Blaine Christian (Apr 08)
- RE: BGP TTL check in 12.3(7)T Pekka Savola (Apr 08)
- RE: BGP TTL check in 12.3(7)T Blaine Christian (Apr 08)
- RE: BGP TTL check in 12.3(7)T Blaine Christian (Apr 08)
- Re: BGP TTL check in 12.3(7)T David Meyer (Apr 08)
- Re: BGP TTL check in 12.3(7)T Iljitsch van Beijnum (Apr 08)
- RE: BGP TTL check in 12.3(7)T Blaine Christian (Apr 08)
- Re: BGP TTL check in 12.3(7)T Iljitsch van Beijnum (Apr 08)
- Re: BGP TTL check in 12.3(7)T Pekka Savola (Apr 08)
- RE: BGP TTL check in 12.3(7)T Tony Li (Apr 08)
- RE: BGP TTL check in 12.3(7)T Blaine Christian (Apr 08)
- <Possible follow-ups>
- RE: BGP TTL check in 12.3(7)T Michel Py (Apr 08)