BGP TTL Security

Ben Butler ben.butler at c2internet.net
Thu Feb 14 18:28:20 UTC 2008


Hi,

I am trying to implement BGP TTL security between one of my routers and
an eBGP peer that is one hop away over a layer 2 IX.

As soon as I add:

neighbor 212.121.34.1 ttl-security hops 2
or
neighbor 212.121.34.1 ttl-security hops 1

The peer drops to Active/OpenSent, with entries in syslog for hold time
expired.

I have validated via trace in both directions as being 1 hop.

I have read another article that implies the default behaviour at the
other end will be to send TTL 1, not 255, and consequently I need to
configure both ends to get the session to come back up. An access list
reveals all the packets I am receiving have a TTL of 0.

The session re-establishes if I configure:

neighbor 212.121.34.1 ttl-security hops >=192

With <=191 the session stays down.

Which is proper bizarre!

Is it necessary to configure this on both sides for the session to
re-establish? Is this a Cisco bug?

Kind Regards

Ben Butler
++++++++++++++++++++++++++++++++++++++++++
C2 Internet Ltd
Globe House, The Gullet, Nantwich, Cheshire, CW5 5RL

E  mailto:ben.butler at c2internet.net
W  http://www.c2internet.net/
B1 http://c2internet.blogspot.com/
B2 http://c2noc.blogspot.com/
T  +44-(0)845-658-0020
F  +44-(0)845-658-0070

All quotes & services from C2 are bound by our standard
terms and conditions which are available on our website at:

http://www.c2internet.net/legal/main.htm#tandc

C2 Internet Limited is a company registered in England and
Wales with company number 03910154

Our VAT Registration number is GB 752 7650 17
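The TTL-security check behind the symptoms described above, as an added example that is not part of the original post or of any vendor's code. It implements the GTSM rule from RFC 5082 that Cisco's "ttl-security hops N" expresses: a packet is accepted only if its IP TTL is at least 255 - N, so a neighbour that still sends eBGP packets with the default TTL of 1 is rejected for every hops value below 254, and the session can only stay up if both ends send TTL 255. The IPv4 headers below are constructed inline; the addresses (192.0.2.1 and 192.0.2.2), the 40-byte total length and the "peer sends TTL 64" scenario are assumptions for illustration, not facts from the thread.

```python
"""GTSM (RFC 5082) acceptance check as configured by 'neighbor X ttl-security hops N'.

Added example, not from the original post. All packets are constructed here;
the addresses and the TTL values of the simulated peers are assumptions.
"""
import struct

MAX_TTL = 255


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left zero; never sent on a wire).

    Field order: version/IHL, TOS, total length, id, flags/fragment offset,
    TTL, protocol, header checksum, source, destination.
    """
    def ip(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split('.'))

    # 0x45 = IPv4, IHL 5 (20 bytes). Total length 40 is an assumed TCP header only.
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 0, 0, ttl, proto, 0, ip(src), ip(dst))


def ttl_of(packet: bytes) -> int:
    """Return the TTL field (byte offset 8) of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError('not an IPv4 header')
    return packet[8]


def gtsm_accepts(ttl: int, hops: int) -> bool:
    """RFC 5082 check for a peer configured as up to `hops` hops away.

    The sender is expected to originate at TTL 255; each forwarding hop
    decrements by one, so the receiver accepts only TTL >= 255 - hops.
    Cisco's 'ttl-security hops' accepts 1..254.
    """
    if not 1 <= hops <= 254:
        raise ValueError('hops must be in 1..254')
    return ttl >= MAX_TTL - hops


def min_hops_to_accept(ttl: int):
    """Smallest 'hops' setting that lets a packet with this TTL through, or None."""
    for hops in range(1, 255):
        if gtsm_accepts(ttl, hops):
            return hops
    return None


def classify_session(packets, hops: int) -> str:
    """Packets failing GTSM are dropped before BGP sees them, so KEEPALIVEs are
    lost and the hold timer fires: report that as 'hold-time-expired'."""
    if all(gtsm_accepts(ttl_of(p), hops) for p in packets):
        return 'established'
    return 'hold-time-expired'


if __name__ == '__main__':
    LOCAL, PEER = '192.0.2.2', '192.0.2.1'   # assumed addresses on a shared IX LAN
    # Three simulated directly-connected peers; the receiver sees the TTL as sent
    # because no router forwards (and decrements) the packet in between.
    peers = {
        'peer sends TTL 255 (GTSM enabled)': build_ipv4_header(PEER, LOCAL, 255),
        'peer sends TTL 64 (assumed OS default)': build_ipv4_header(PEER, LOCAL, 64),
        'peer sends TTL 1 (eBGP default)': build_ipv4_header(PEER, LOCAL, 1),
    }
    for name, pkt in peers.items():
        ttl = ttl_of(pkt)
        print(f'{name}: received TTL {ttl}, '
              f'minimum hops to accept = {min_hops_to_accept(ttl)}, '
              f'"hops 1" gives {classify_session([pkt], 1)}')
```

Running the module sweeps the three simulated peers: a GTSM-speaking peer is accepted at hops 1, a peer sending TTL 1 is accepted only at hops 254, and a peer sending TTL 64 is accepted from hops 191 upward and never below, the same kind of cliff the post observes when moving across the 191/192 boundary. The exact boundary on real gear depends on the TTL that actually arrives, which is why an access list or capture showing received TTLs, as the post does, is the right first check.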