nanog mailing list archives
RE: BGP TTL check in 12.3(7)T
From: "Blaine Christian" <blaine.christian () mci com>
Date: Thu, 8 Apr 2004 11:02:49 -0400
The TTL mechanism is just a way to distinguish at low cost between good for_us traffic and junk. So more of a classifier than a security layer, though it can be argued both ways. And even though it does have security in the title, it is _not_ a panacea for "securing" bgp or any routing information.
http://www.faqs.org/rfcs/rfc3682.html

I agree that it is not a panacea... But, you must admit, it provides an incredible level of comfort. It would be wonderful to only allow internally generated traffic to talk to the core of your network with a simple TTL filter. Versus anti-spoofing filters from hell. Now, when do we get it at line speed on engine 0 cards? I hope some other vendors are listening to this conversation!
-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of vijay gill
Sent: Thursday, April 08, 2004 10:41 AM
To: Hank Nussbacher
Cc: nanog () merit edu
Subject: Re: BGP TTL check in 12.3(7)T

On Thu, Apr 08, 2004 at 11:30:38AM +0200, Hank Nussbacher wrote:

<http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_bulletin09186a00801abfda.html#wp55584>

From Dave Meyer's NANOG 27 presentation: http://www.nanog.org/mtg-0302/hack.html

Not bad - Feb 2003 till April 2004 to code, test and implement a change driven by NANOG :-)

Interesting that it is listed under the Routing enhancements and not under the Security enhancements of 12.3(7)T.

The TTL mechanism is just a way to distinguish at low cost between good for_us traffic and junk. So more of a classifier than a security layer, though it can be argued both ways. And even though it does have security in the title, it is _not_ a panacea for "securing" bgp or any routing information.
http://www.faqs.org/rfcs/rfc3682.html

/vijay
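The TTL check discussed in this thread, sketched as an added example that is not part of the original messages or of any vendor's implementation: a receiver-side classifier that parses raw IPv4/TCP headers and accepts BGP packets only when the arriving TTL is high enough to have come from a nearby sender. The names `classify`, `build_packet` and `trusted_hops`, the sample addresses (documentation ranges) and the choice to read the TTL as received on the wire are assumptions made for illustration.

```python
import struct

BGP_PORT = 179   # TCP port used by BGP
MAX_TTL = 255    # largest value the 8-bit TTL field can hold

def build_packet(src, dst, ttl, dport=BGP_PORT):
    """Constructed sample: minimal IPv4 + TCP SYN header (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp

def classify(packet, peers, trusted_hops=0):
    """Classify one raw IPv4 packet as 'accept', 'drop' or 'not-bgp'.

    peers: configured neighbour addresses. trusted_hops (assumed name): routers
    a legitimate packet may cross, 0 for a directly connected peer. The TTL is
    taken as received on the wire, before any local decrement.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        return "drop"
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        return "not-bgp"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if BGP_PORT not in (sport, dport):
        return "not-bgp"
    src = ".".join(str(b) for b in packet[12:16])
    if src not in peers:
        return "drop"
    # Routers only ever decrement TTL, so a sender more than trusted_hops away
    # cannot make a packet arrive with a TTL this high, whatever source it forges.
    return "accept" if ttl >= MAX_TTL - trusted_hops else "drop"

PEERS = {"192.0.2.1"}  # constructed neighbour address (documentation range)
SAMPLES = [
    ("direct peer, sent at 255", build_packet("192.0.2.1", "192.0.2.2", 255)),
    ("forged source, 8 hops away", build_packet("192.0.2.1", "192.0.2.2", 247)),
    ("forged source, default TTL 64", build_packet("192.0.2.1", "192.0.2.2", 56)),
    ("unrelated traffic", build_packet("198.51.100.7", "192.0.2.2", 60, dport=443)),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        print(f"{label:32} -> {classify(pkt, PEERS)}")
```

The second and third samples carry the configured peer's source address, so a source-address filter alone would pass them; only the TTL comparison separates them from the real neighbour.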