North American Network Operators Group
RE: BGP TTL check in 12.3(7)T
Hi Pekka,

> Spoofing filters (source address is most useful, but a few
> protocols being deployed now also require destination address
> based filtering) at your border are still best to prevent
> external abuse to your infrastructure?

I agree that spoofing filters help also (perhaps we are not communicating)...

But TTL helps in places where you can't just anti-spoof. For example, suppose you have box X which can do ZERO filtering at line rate. Then box Y that can...

X->Y

You have a BGP session between X and Y and many untrusted things talking to X. How would I anti-spoof X's protocol traffic when I am at Y? The nice thing about X is that it does, hopefully reliably, decrement the TTL.

Michel, this same answer should apply to your statement. I agree that anti-spoofing helps. But TTL filtering can fix some very interesting problems.

BTW, I am only commenting on TTL filtering and not necessarily Cisco's implementation (I have not even read through their implementation yet).

Regards,
Blaine
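The X->Y situation above, modelled as an added example that is not part of Blaine's post. It simulates the TTL check (the GTSM idea behind the BGP TTL check: a legitimate peer sends TTL 255, and every router on the way can only lower it). The hosts X, Y, the attacker and the hop counts are constructed values; the code speaks no real BGP, it only models TTL decrement and the receiver's acceptance rule, and contrasts it with a receiver that ignores TTL.

```python
# Added illustration (not Blaine's code): toy model of receiver-side TTL
# checking. X, Y and the attacker are constructed names; hop counts are
# assumptions for the scenario in the post (X and Y directly connected,
# untrusted hosts behind X, X unable to filter at line rate).
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255  # highest value an IP sender can put in the TTL field


@dataclass(frozen=True)
class Packet:
    src: str   # claimed source address; an attacker may forge this
    dst: str
    ttl: int


def forward(pkt: Packet, hops: int) -> Optional[Packet]:
    """Carry pkt across `hops` routers. Each router decrements TTL and
    discards the packet when TTL reaches 0. Routers can only lower TTL."""
    ttl = pkt.ttl
    for _ in range(hops):
        ttl -= 1
        if ttl <= 0:
            return None  # TTL exceeded; dropped in transit
    return Packet(pkt.src, pkt.dst, ttl)


def gtsm_accept(pkt: Optional[Packet], trusted_hops: int) -> bool:
    """Receiver-side TTL check. A peer sends TTL 255, so after
    `trusted_hops` routers it arrives with 255 - trusted_hops. Anything
    lower travelled further than the peer is, so it cannot be the peer."""
    if pkt is None:
        return False
    return pkt.ttl >= MAX_TTL - trusted_hops


def legacy_accept(pkt: Optional[Packet]) -> bool:
    """Receiver that does not look at TTL at all: any packet that arrives
    with the expected source address is accepted."""
    return pkt is not None


def scenario() -> dict:
    """X->Y are directly connected (0 routers between them). An attacker
    behind X forges X's address toward Y; X cannot filter it, but X does
    decrement the TTL on the way through."""
    genuine = Packet("X", "Y", MAX_TTL)      # X itself sends with TTL 255
    arrives_from_x = forward(genuine, 0)     # no router in between
    forged = Packet("X", "Y", MAX_TTL)       # attacker forges src=X, TTL 255
    arrives_via_x = forward(forged, 1)       # X decrements it to 254
    return {
        "legacy_accepts_forged": legacy_accept(arrives_via_x),
        "gtsm_accepts_genuine": gtsm_accept(arrives_from_x, 0),
        "gtsm_accepts_forged": gtsm_accept(arrives_via_x, 0),
        "forged_ttl_on_arrival": arrives_via_x.ttl,
    }


if __name__ == "__main__":
    print(scenario())
```

Y does not need to know which hosts sit behind X, or to filter on source address at all: the forged packet crosses one more router than the real peer ever does, and that one decrement is what the check detects. For a multihop session the receiver relaxes the bound by the number of trusted routers in between (gtsm_accept with trusted_hops > 0), which is why the check is only as strong as the honesty of the routers on that path.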