RE: BGP TTL check in 12.3(7)T

["Blaine Christian" <blaine.christian () mci com>]

> The TTL mechanism is just a way to distinguish at low cost 
> between good for_us traffic and junk. So more of a classifer 
> than a security layer, though it can be argued both ways.  
> And even though it does have security in the title, it is 
> _not_ a panacea for "securing" bgp or any routing information.
http://www.faqs.org/rfcs/rfc3682.html

I agree that it is not a panacea...  But, you must admit, it provides an
incredible level of comfort.  It would be wonderful to only allow internally
generated traffic to talk to the core of your network with a simple TTL
filter.  Versus anti-spoofing filters from hell.

Now, when do we get it at line speed on engine 0 cards?

I hope some other vendors are listening to this conversation!



> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
> Behalf Of vijay gill
> Sent: Thursday, April 08, 2004 10:41 AM
> To: Hank Nussbacher
> Cc: nanog () merit edu
> Subject: Re: BGP TTL check in 12.3(7)T
>
>
>
> On Thu, Apr 08, 2004 at 11:30:38AM +0200, Hank Nussbacher wrote:
> >
> <http://www.cisco.com/en/US/products/sw/iosswr> el/ps5207/prod_bulletin0
> > 9186a00801abfda.html#wp55584>
> >
> > From Dave Meyer's NANOG 27 presentation: 
> > http://www.nanog.org/mtg-0302/hack.html
> >
> > Not bad - Feb 2003 till April 2004 to code, test and implement a 
> > change
> > driven by NANOG :-)
> >
> > Interesting that it is listed under the Routing 
> enhancements and not 
> > under
> > the Security enhancements of 12.3(7)T.
>
> The TTL mechanism is just a way to distinguish at low cost 
> between good for_us traffic and junk. So more of a classifer 
> than a security layer, though it can be argued both ways.  
> And even though it does have security in the title, it is 
> _not_ a panacea for "securing" bgp or any routing information.
http://www.faqs.org/rfcs/rfc3682.html

/vijay


/vijay