BGP TTL Security
Danny McPherson
danny at tcb.net
Thu Feb 14 20:14:59 UTC 2008
On Feb 14, 2008, at 11:28 AM, Ben Butler wrote:
> <=191 and the session stays down.
>
> Which is proper bizarre!
>
> Is it necessary to configure this on both sides for the session to
> re-establish? Is this a Cisco bug?
You're missing the fundamentals of what protection this
mechanism is meant to provide. A remote attacker can
craft a packet such that it yields a TTL of 2, 1 or 0 at
the target system.
However, what a remote attacker can't do is craft a
packet that yields a TTL of 255 or 254, for example.
You probably want both values to be 254 if you've
got one intermediate hop between the peers.
-danny
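The reasoning in the reply above can be checked with a small simulation. The following is an added example, not code from the original thread or from any router vendor: it models the TTL-security (GTSM, RFC 5082) check as a receiver that accepts a BGP packet only if its arriving TTL is at least 255 minus the configured hop count. The packet model, the function names (`forward`, `gtsm_accept`, `scenarios`) and the hop counts in the scenarios are all constructed for illustration.

```python
"""Simulation of the BGP TTL security (GTSM) check discussed in the thread.

Constructed example: a straight-line path model where every router on the
path decrements the TTL by one and the receiving router applies the
'ttl-security hops' threshold before accepting the packet for BGP.
"""

from dataclasses import dataclass

MAX_TTL = 255  # a GTSM-enabled peer sends with the maximum TTL / hop limit


@dataclass
class Packet:
    src: str
    ttl: int


def forward(pkt: Packet, hops: int) -> Packet:
    """Carry the packet across `hops` routers; each one decrements the TTL.

    A packet whose TTL reaches 0 in transit is discarded, which is why a
    spoofed packet cannot arrive with a TTL higher than what the sender set
    minus the number of hops it actually crossed.
    """
    ttl = pkt.ttl - hops
    if ttl <= 0:
        raise ValueError(f"packet from {pkt.src} dropped in transit: TTL expired")
    return Packet(pkt.src, ttl)


def gtsm_accept(pkt: Packet, expected_hops: int) -> bool:
    """Receiver-side check: accept only if TTL >= 255 - expected_hops.

    `expected_hops` corresponds to the hop count configured on the BGP
    session (1 for a directly connected peer, 2 with one intermediate hop).
    """
    return pkt.ttl >= MAX_TTL - expected_hops


def scenarios() -> dict:
    """Run the constructed cases and return whether each packet is accepted."""
    results = {}

    # Legitimate peer one hop away, configured to send TTL 255: arrives at 254.
    results["peer, 1 hop, TTL 255"] = gtsm_accept(forward(Packet("peer", 255), 1), 1)

    # Same peer, but only the receiving side was configured: the sender still
    # uses a default TTL (64 here), arrives at 63 and is rejected, so the
    # session stays down until both sides are configured.
    results["peer, 1 hop, default TTL 64"] = gtsm_accept(forward(Packet("peer", 64), 1), 1)

    # Remote attacker ten hops away sends with the maximum TTL 255: the best
    # it can achieve at the target is 245, below the threshold of 254.
    results["attacker, 10 hops, TTL 255"] = gtsm_accept(forward(Packet("attacker", 255), 10), 1)

    # Loosening the hop count on a one-hop session lowers the bar: with hops
    # set to 10 the same distant packet would now pass, which is why the
    # configured value should match the real topology.
    results["attacker, 10 hops, threshold 10"] = gtsm_accept(forward(Packet("attacker", 255), 10), 10)

    return results


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:38s} -> {'accepted' if accepted else 'rejected'}")
```

The last two cases show the trade-off behind the "both values" remark in the reply: the hop count configured on each side is the distance that side tolerates, so setting it to the true path length (one extra for an intermediate hop) keeps the threshold as high as the topology allows.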