nanog mailing list archives
Re: BGP TTL Security
From: Danny McPherson <danny () tcb net>
Date: Thu, 14 Feb 2008 13:14:59 -0700
On Feb 14, 2008, at 11:28 AM, Ben Butler wrote:
> <=191 and the session stays down. Which is proper bizarre! Is it necessary to configure this on both sides for the session to re-establish. Is this a Cisco bug?
You're missing the fundamentals of what protection this mechanism is meant to provide. A remote attacker can craft a packet such that it yields a TTL of 2, 1 or 0 at the target system. However, what a remote attacker can't do is craft a packet that yields a TTL of 255 or 254, for example. You probably want both values to be 254 if you've got one intermediate hop between the peers.

-danny
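The mechanism Danny describes, as an added Python model (not code from the post or from any vendor's implementation): every router decrements the TTL by one, so a sender N routers away can present at most 255 - N at the receiver, and a GTSM receiver accepts only TTL >= 255 - configured_hops. Here `configured_hops` means the number of intermediate routers, matching the reply's "one intermediate hop -> 254"; the legacy "accept whatever arrives" policy and the hop counts are constructed for comparison.

```python
"""GTSM-style BGP TTL check versus a legacy receiver (constructed model)."""
from typing import Optional

MAX_TTL = 255  # IPv4 TTL ceiling: no sender can put more than this on the wire


def deliver(initial_ttl: int, distance_hops: int) -> Optional[int]:
    """TTL seen by the destination after crossing `distance_hops` routers.

    Each router decrements TTL by one and discards the packet when it
    reaches zero, so arrival requires initial_ttl > distance_hops.
    Returns None when the packet is dropped in transit.
    """
    if not 1 <= initial_ttl <= MAX_TTL:
        raise ValueError("TTL must be in 1..255")
    arrived = initial_ttl - distance_hops
    return arrived if arrived >= 1 else None


def gtsm_min_ttl(configured_hops: int) -> int:
    """Lowest TTL a GTSM receiver accepts for a peer `configured_hops` routers away."""
    return MAX_TTL - configured_hops


def gtsm_accepts(arrived_ttl: Optional[int], configured_hops: int) -> bool:
    """GTSM policy: the packet must arrive and carry TTL >= 255 - hops."""
    return arrived_ttl is not None and arrived_ttl >= gtsm_min_ttl(configured_hops)


def legacy_accepts(arrived_ttl: Optional[int]) -> bool:
    """Legacy policy: anything that reaches the box is handed to BGP."""
    return arrived_ttl is not None


def best_ttl_from(distance_hops: int) -> Optional[int]:
    """Highest TTL a sender `distance_hops` routers away can ever present."""
    return deliver(MAX_TTL, distance_hops)


def session_up(a_hops: int, b_hops: int, real_distance: int) -> bool:
    """Both directions must pass GTSM for the session to establish.

    Each side sends TTL 255 and checks the other side's packets against
    its own configured hop count; a mismatch on either side keeps it down.
    """
    a_to_b = deliver(MAX_TTL, real_distance)
    b_to_a = deliver(MAX_TTL, real_distance)
    return gtsm_accepts(a_to_b, b_hops) and gtsm_accepts(b_to_a, a_hops)
```

Note the asymmetry: a distant sender can always choose a small initial TTL to arrive with TTL 1 or 2 and satisfy the legacy check, but no choice of initial TTL lets it arrive with 254 across two or more routers.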
Current thread:
- BGP TTL Security Ben Butler (Feb 14)
- Re: BGP TTL Security Danny McPherson (Feb 14)
- Re: BGP TTL Security Danny McPherson (Feb 14)
- <Possible follow-ups>
- FW: BGP TTL Security Ben Butler (Feb 14)