BGP TTL Security

Danny McPherson danny at tcb.net
Fri Feb 15 01:30:53 UTC 2008



On Feb 14, 2008, at 11:28 AM, Ben Butler wrote:
>
> I have validated via trace in both directions as being 1 hop.
>
> I have read another article that implies the default behaviour at the
> other end will be to send TTL 1 not 255 and consequently I need to
> configure both ends to get the session to
> come back up.  An access list reveals all the packets I am receiving
> have a TTL of 0.
>
> The session re-establishes if I configure:
>
> neighbor 212.121.34.1 ttl-security hops >=192
>
> <=191 and the session stays down.

Ben,
After a prodding offlist I reread your message and understand
what point you're making now.  Indeed as you suggest above
the normal configuration should be 'ttl-security hops 2' or 'ttl
security hops 1'.

Not for sure, but I'd have to speculate that if this is only
working for you with 'ttl-security hops >= 192' perhaps your
peer is setting the TTL in its packet to 64?  I believe that's
the default TTL for Linux, Foundry and a couple others.
Juniper's default TTL is 1 eBGP (though configurable), and
64 for iBGP, multihop, etc. IIRC.

In order to implement this effectively the peer would need to
be setting the transmitted TTL to 255.

And my apologies if my previous message seemed a bit
negative, that was certainly not my intention.

-danny
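The threshold arithmetic behind the exchange above, as an added example that is not part of the original posts. It assumes the Cisco 'ttl-security hops N' semantics (accept a packet only if its received TTL is at least 255 minus N) and one TTL decrement per router hop; the peer TTLs and distances are constructed values.

```python
# Model of the GTSM / "ttl-security hops N" check discussed in the thread.
# Added example; assumes Cisco semantics (accept iff rx TTL >= 255 - N)
# and one decrement per router hop.

MAX_TTL = 255


def received_ttl(initial_ttl: int, hops: int) -> int:
    """TTL seen by the receiver after `hops` router hops (constructed model)."""
    return max(initial_ttl - hops, 0)


def gtsm_accepts(configured_hops: int, rx_ttl: int) -> bool:
    """'neighbor X ttl-security hops N': accept only if rx TTL >= 255 - N."""
    return rx_ttl >= MAX_TTL - configured_hops


def min_hops_setting(peer_initial_ttl: int, hops: int) -> int:
    """Smallest N that lets the session come up for this peer TTL and distance."""
    return MAX_TTL - received_ttl(peer_initial_ttl, hops)


def infer_peer_initial_ttl(min_working_hops: int, hops: int) -> int:
    """Work backwards from the smallest N that works to the TTL the peer sends."""
    return (MAX_TTL - min_working_hops) + hops


def spoofed_packet_accepted(attacker_hops: int, configured_hops: int) -> bool:
    """Would a TTL-255 packet injected `attacker_hops` routers away get past GTSM?"""
    return gtsm_accepts(configured_hops, received_ttl(MAX_TTL, attacker_hops))


if __name__ == "__main__":
    # Peer one hop away sending TTL 64: hops 192 is the first value that works.
    print("min hops for TTL-64 peer, 1 hop:", min_hops_setting(64, 1))
    print("peer TTL implied by 'hops 192' minimum:", infer_peer_initial_ttl(192, 1))
    # With the peer sending 255 as GTSM intends, 'hops 1' suffices and a
    # packet injected five routers away is dropped; with 'hops 192' it is not.
    print("min hops for TTL-255 peer, 1 hop:", min_hops_setting(255, 1))
    print("5-hop spoof vs hops 1:", spoofed_packet_accepted(5, 1))
    print("5-hop spoof vs hops 192:", spoofed_packet_accepted(5, 192))
```

The last two lines show why the 192 workaround keeps the session up but gives up most of the protection GTSM is meant to provide.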



