BGP TTL check in 12.3(7)T

• Previous message (by thread): BGP TTL check in 12.3(7)T
• Next message (by thread): BGP TTL check in 12.3(7)T
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Pekka,

> 
> Spoofing filters (source address is most useful, but a few 
> protocols being deployed now also require destination address 
> based filtering) at your border are still best to prevent 
> external abuse to your 
> infrastructure?
> 

I agree that spoofing filters help also (perhaps we are not
communicating)...  But TTL helps in places where you can't just anti-spoof.
For example, suppose you have box X which can do ZERO filtering at line
rate.  Then box Y that can...

X->Y

You have a BGP session between X and Y and many untrusted things talking to
X.  How would I anti-spoof X's protocol traffic when I am at Y?  The nice
thing about X is that it does, hopefully reliably, decrement the TTL.

Michel, this same answer should apply to your statement.  I agree that
anti-spoofing helps.  But TTL filtering can fix some very interesting
problems.

BTW, I am only commenting on TTL filtering and not necessarily Cisco's
implementation (I have not even read through their implementation yet).

Regards,

Blaine

  

• Previous message (by thread): BGP TTL check in 12.3(7)T
• Next message (by thread): BGP TTL check in 12.3(7)T
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]