|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: BGP TTL check in 12.3(7)T
On Thu, 8 Apr 2004, Blaine Christian wrote: > > The TTL mechanism is just a way to distinguish at low cost > > between good for_us traffic and junk. So more of a classifer > > than a security layer, though it can be argued both ways. > > And even though it does have security in the title, it is > > _not_ a panacea for "securing" bgp or any routing information. > > > http://www.faqs.org/rfcs/rfc3682.html > > I agree that it is not a panacea... But, you must admit, it provides an > incredible level of comfort. It would be wonderful to only allow internally > generated traffic to talk to the core of your network with a simple TTL > filter. Versus anti-spoofing filters from hell. You may be misunderstanding the applicability of GTSM. It's only really useful for eBGP sessions, not for "internally generated traffic" (unless you fix the TTLs manually for iBGP sessions). Spoofing filters (source address is most useful, but a few protocols being deployed now also require destination address based filtering) at your border are still best to prevent external abuse to your infrastructure? > Now, when do we get it at line speed on engine 0 cards? > > I hope some other vendors are listening to this conversation! (tongue in cheek) Maybe you should be listening to the vendors instead, and pick ones which provide the features you need? -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
|