BGP TTL check in 12.3(7)T
Blaine Christian
blaine.christian at mci.com
Thu Apr 8 16:50:25 UTC 2004
Hi Pekka,
>
> Spoofing filters (source address is most useful, but a few
> protocols being deployed now also require destination address
> based filtering) at your border are still best to prevent
> external abuse to your
> infrastructure?
>
I agree that spoofing filters help also (perhaps we are not
communicating)... But TTL helps in places where you can't just anti-spoof.
For example, suppose you have box X which can do ZERO filtering at line
rate. Then box Y that can...
X->Y
You have a BGP session between X and Y and many untrusted things talking to
X. How would I anti-spoof X's protocol traffic when I am at Y? The nice
thing about X is that it does, hopefully reliably, decrement the TTL.
Michel, this same answer should apply to your statement. I agree that
anti-spoofing helps. But TTL filtering can fix some very interesting
problems.
BTW, I am only commenting on TTL filtering and not necessarily Cisco's
implementation (I have not even read through their implementation yet).
Regards,
Blaine
More information about the NANOG
mailing list