North American Network Operators Group


Re: BGP TTL Security

  • From: Danny McPherson
  • Date: Thu Feb 14 15:24:47 2008



On Feb 14, 2008, at 11:28 AM, Ben Butler wrote:

> <=191 and the session stays down.
>
> Which is proper bizarre!
>
> Is it necessary to configure this on both sides for the session to
> re-establish?  Is this a Cisco bug?

You're missing the fundamentals of what protection this
mechanism is meant to provide. A remote attacker can craft
a packet such that it yields a TTL of 2, 1 or 0 at the
target system.

However, what a remote attacker can't do is craft a
packet that yields a TTL of 255 or 254, for example.
You probably want both values to be 254 if you've
got one intermediate hop between the peers.

-danny
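As an added illustration of the point Danny makes (this is not part of the original thread, and it is a model, not router code), the following Python models the GTSM check from RFC 5082: a ttl-security peer sends with TTL 255, each forwarding router decrements by one, and the receiver accepts only packets whose TTL is at least 255 minus the configured hop count. The scenario values (one intermediate hop, a sender still using a multihop TTL of 2, a loose hop count of 64 giving the "<=191" threshold) are constructed to match the thread.

```python
"""Model of BGP TTL security (GTSM, RFC 5082) with Cisco-style `ttl-security hops N`.

Constructed example: a receiver with `hops N` accepts a packet only if its
received IP TTL is >= 255 - N. Every forwarding router decrements the TTL,
so a sender K hops away can deliver at most 255 - K, whatever it puts in.
"""

MAX_TTL = 255


def arriving_ttl(initial_ttl: int, forwarding_hops: int) -> int:
    """TTL the receiver sees after `forwarding_hops` routers each decrement it.

    A TTL that reaches 0 is dropped in transit; it is modelled as 0 here,
    which the GTSM check rejects anyway.
    """
    if not 0 <= initial_ttl <= MAX_TTL:
        raise ValueError("IPv4 TTL is an 8-bit field")
    return max(initial_ttl - forwarding_hops, 0)


def gtsm_accepts(received_ttl: int, configured_hops: int) -> bool:
    """True if a receiver configured with `ttl-security hops configured_hops` accepts the packet."""
    return received_ttl >= MAX_TTL - configured_hops


def peer_accepted(sender_has_ttl_security: bool, sender_multihop_ttl: int,
                  forwarding_hops: int, receiver_hops: int) -> bool:
    """Does a BGP packet from the peer pass the receiver's GTSM check?

    A peer with ttl-security sends at 255; one without sends whatever its
    ebgp-multihop setting says (default eBGP TTL is 1, so 2 for one extra hop).
    """
    initial = MAX_TTL if sender_has_ttl_security else sender_multihop_ttl
    return gtsm_accepts(arriving_ttl(initial, forwarding_hops), receiver_hops)


if __name__ == "__main__":
    # One intermediate router between the peers, both sides `hops 1` (expect >= 254).
    print("both sides ttl-security:", peer_accepted(True, 2, 1, 1))        # True
    # Only the receiver has ttl-security: the peer's TTL-2 packet arrives at 1.
    print("one side only, hops 1:  ", peer_accepted(False, 2, 1, 1))       # False
    # Loosening to hops 64 (accept >= 191) does not help: 1 is still below 191.
    print("one side only, hops 64: ", peer_accepted(False, 2, 1, 64))      # False
    # A host ten hops away sending TTL 255 arrives at 245: rejected at hops 1,
    # but accepted at hops 64, which is why the value should match the real path.
    print("10 hops away, hops 1:   ", gtsm_accepts(arriving_ttl(255, 10), 1))   # False
    print("10 hops away, hops 64:  ", gtsm_accepts(arriving_ttl(255, 10), 64))  # True
```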