BGP TTL Security
Ben Butler
ben.butler at c2internet.net
Thu Feb 14 18:28:20 UTC 2008
Hi,
I am trying to implement BGP TTL security between one of my routers and
an eBGP peer that is one hop away over a layer 2 IX.
As soon as I add:
neighbor 212.121.34.1 ttl-security hops 2
or
neighbor 212.121.34.1 ttl-security hops 1
The peer drops to active/open sent with entries in syslog for hold time
expired.
I have validated via trace in both directions as being 1 hop.
I have read another article that implies the default behaviour at the
other end will be to send TTL 1, not 255, and consequently I need to
configure both ends to get the session to come back up. An access list
reveals all the packets I am receiving have a TTL of 0.
The session re-establishes if I configure:
neighbor 212.121.34.1 ttl-security hops >=192
With hops <=191 the session stays down.
Which is proper bizarre!
Is it necessary to configure this on both sides for the session to
re-establish? Is this a Cisco bug?
Kind Regards
Ben Butler
++++++++++++++++++++++++++++++++++++++++++
C2 Internet Ltd
Globe House, The Gullet, Nantwich, Cheshire, CW5 5RL
E mailto:ben.butler at c2internet.net
W http://www.c2internet.net/
B1 http://c2internet.blogspot.com/
B2 http://c2noc.blogspot.com/
T +44-(0)845-658-0020
F +44-(0)845-658-0070
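The behaviour Ben describes follows directly from how GTSM (BGP TTL security) is evaluated: a receiver configured with `ttl-security hops N` accepts a BGP packet only if its arriving TTL is at least 255 - N. The script below is an added worked example, not code from the post or from any vendor; it encodes that rule and applies it to the thresholds reported above (hops >=192 brings the session up, hops <=191 keeps it down) as constructed sample input. The `infer_received_ttl` helper is my own inference from that boundary, not something stated in the post.

```python
"""Worked GTSM (RFC 5082, BGP TTL security) acceptance check.

Added example: models the receiver-side rule behind `neighbor X ttl-security
hops N` and applies it to the observations in the post. Sample values are
constructed from the thresholds the post reports (192 works, 191 does not).
"""
from typing import Iterable, List, Tuple

MAX_TTL = 255  # a GTSM-aware peer originates BGP packets with TTL 255


def gtsm_min_ttl(hops: int) -> int:
    """Lowest arriving TTL accepted when configured with `ttl-security hops N`."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return MAX_TTL - hops


def gtsm_accepts(received_ttl: int, hops: int) -> bool:
    """True if a packet arriving with received_ttl passes the GTSM check."""
    return received_ttl >= gtsm_min_ttl(hops)


def arriving_ttl(sender_ttl: int, path_hops: int) -> int:
    """TTL seen by the receiver after path_hops routers each decrement it."""
    return max(sender_ttl - path_hops, 0)


def sweep(received_ttl: int, hops_values: Iterable[int]) -> List[Tuple[int, bool]]:
    """Accept/reject verdict for one arriving TTL across several hops settings."""
    return [(h, gtsm_accepts(received_ttl, h)) for h in hops_values]


def infer_received_ttl(lowest_accepting_hops: int) -> int:
    """Inference (assumption, not from the post): if `hops N` brings the
    session up but `hops N-1` keeps it down, packets must be arriving with
    TTL exactly 255 - N."""
    return MAX_TTL - lowest_accepting_hops


if __name__ == "__main__":
    # Constructed from the post: hops 192 works, hops 191 does not.
    inferred = infer_received_ttl(192)
    print(f"inferred arriving TTL: {inferred}")
    for hops, ok in sweep(inferred, [1, 2, 191, 192, 254]):
        print(f"ttl-security hops {hops:3d}: min TTL {gtsm_min_ttl(hops):3d} -> "
              f"{'session up' if ok else 'dropped'}")

    # A GTSM-aware peer one hop away sends 255, which arrives as 254 and
    # passes `hops 1`; a legacy peer sending TTL 1 never will.
    print("GTSM peer, 1 hop, hops 1:", gtsm_accepts(arriving_ttl(255, 1), 1))
    print("legacy peer (TTL 1), 1 hop, hops 1:", gtsm_accepts(arriving_ttl(1, 1), 1))
```

The sweep makes the "bizarre" boundary unsurprising: with `hops 1` the router insists on TTL 254 or higher, so a peer that still originates BGP with the classic eBGP TTL of 1 is rejected regardless of how close it is, which is why GTSM only protects a session once both ends are sending 255. It also gives a defender a quick way to sanity-check a proposed `hops` value against the TTL actually observed in an ACL log before enabling it and taking the session down.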