North American Network Operators Group

RE: BGP TTL check in 12.3(7)T
> The TTL mechanism is just a way to distinguish at low cost
> between good for_us traffic and junk. So more of a classifier
> than a security layer, though it can be argued both ways.
> And even though it does have security in the title, it is
> _not_ a panacea for "securing" bgp or any routing information.
> http://www.faqs.org/rfcs/rfc3682.html

I agree that it is not a panacea... But, you must admit, it provides an incredible level of comfort. It would be wonderful to only allow internally generated traffic to talk to the core of your network with a simple TTL filter. Versus anti-spoofing filters from hell.

Now, when do we get it at line speed on engine 0 cards? I hope some other vendors are listening to this conversation!

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of vijay gill
> Sent: Thursday, April 08, 2004 10:41 AM
> To: Hank Nussbacher
> Cc: [email protected]
> Subject: Re: BGP TTL check in 12.3(7)T
>
> On Thu, Apr 08, 2004 at 11:30:38AM +0200, Hank Nussbacher wrote:
> >
> > <http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_bulletin09186a00801abfda.html#wp55584>
> >
> > From Dave Meyer's NANOG 27 presentation:
> > http://www.nanog.org/mtg-0302/hack.html
> >
> > Not bad - Feb 2003 till April 2004 to code, test and implement a
> > change driven by NANOG :-)
> >
> > Interesting that it is listed under the Routing enhancements and not
> > under the Security enhancements of 12.3(7)T.
>
> The TTL mechanism is just a way to distinguish at low cost
> between good for_us traffic and junk. So more of a classifier
> than a security layer, though it can be argued both ways.
> And even though it does have security in the title, it is
> _not_ a panacea for "securing" bgp or any routing information.
> http://www.faqs.org/rfcs/rfc3682.html
>
> /vijay
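
The TTL classification discussed in this thread (RFC 3682), sketched as an added example that is not from any poster and is not Cisco's implementation. It assumes the sender transmits with TTL 255 and the receiver accepts BGP (TCP/179) only from configured peers whose packets arrive with TTL of at least 255 minus the allowed hop count; the function names, peer table and sample packets are constructed for illustration.

```python
import socket
import struct

BGP_PORT = 179
MAX_TTL = 255  # assumption: peers send BGP packets with the maximum TTL

def build_packet(src, dst, ttl, sport, dport):
    """Build a minimal IPv4+TCP header pair (constructed sample, checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, socket.IPPROTO_TCP,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp

def classify(packet, peers):
    """Return 'accept', 'drop' or 'not-bgp' for one raw IPv4 packet.
    peers maps a configured neighbor address to its allowed hop count."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # header length; options shift the TCP header
    if ihl < 20 or len(packet) < ihl + 4:
        return "drop"
    ttl, proto = packet[8], packet[9]
    if proto != socket.IPPROTO_TCP:
        return "not-bgp"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if BGP_PORT not in (sport, dport):
        return "not-bgp"
    hops = peers.get(socket.inet_ntoa(packet[12:16]))
    if hops is None:
        return "drop"                      # BGP from an unconfigured source
    # Every router on the path decrements TTL, so a packet that crossed more
    # than `hops` routers arrives below this floor even if its source address
    # claims to be the peer. The check is a cheap classifier, not authentication.
    return "accept" if ttl >= MAX_TTL - hops else "drop"

if __name__ == "__main__":
    peers = {"192.0.2.1": 1}               # constructed: one adjacent eBGP neighbor
    for ttl in (255, 254, 253, 64):
        pkt = build_packet("192.0.2.1", "192.0.2.2", ttl, 40000, BGP_PORT)
        print(ttl, classify(pkt, peers))
```
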