|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical FW: BGP TTL Security
Hi Danny,
Thanks for you help - no problems.
I would agree 192 vs 63/64 it is to much of a coincidence for it not to
be related somehow.
Weirder and weirder - presumably people trying to hack the BGP session
below:
neighbor 212.121.34.1 ttl-security hops 192
And the session is up and we get:
Extended IP access list ACL-MATCH-TTL-0/254 (Compiled)
10 permit ip any any ttl eq 0 (869 matches)
20 permit ip any any ttl eq 1 (1 match)
260 permit ip any any ttl eq 25 (1 match)
580 permit ip any any ttl eq 57 (1 match)
590 permit ip any any ttl eq 58
600 permit ip any any ttl eq 59
610 permit ip any any ttl eq 60
620 permit ip any any ttl eq 61 (2 matches)
630 permit ip any any ttl eq 62 (2 matches)
640 permit ip any any ttl eq 63 (1 match) <- presumably the foundry
1210 permit ip any any ttl eq 120 (2 matches)
1220 permit ip any any ttl eq 121 (2 matches)
1230 permit ip any any ttl eq 122 (1 match)
1240 permit ip any any ttl eq 123 (1 match)
1250 permit ip any any ttl eq 124 (1 match)
2500 permit ip any any ttl eq 249 (6 matches)
2510 permit ip any any ttl eq 250 (3 matches)
This is connected to an ethernet IX and all peers are one hop away.
Kind Regards
Ben
-----Original Message-----
From: Danny McPherson [mailto:[email protected]]
Sent: 15 February 2008 01:16
To: Ben Butler
Cc: Hank Nussbacher
Subject: Re: BGP TTL Security
On Feb 14, 2008, at 6:12 PM, Ben Butler wrote:
> Hi,
>
> I have put a route map on the interface and matched every TTL from 0
> to
> 254 and I am only getting matches on TTL 0.
Is the ttl-security check still in place? I believe the way Cisco
implemented that is that if the TTL doesn't match the prescribed value
then they expire the TTL to drop the packet in the fast path.
> The box on the other side in this particular instance is a high end
> Foundry.
>
> I don't really care about the 192 thing because I will never have
> mutlihop peers that far away - it was simply an observation.
Well, that's quite a coincidence because Foundry's default IP TTL value
is 64, which is quit suspicious.
> The problem is needing to configure both sides of the peering and
> consequently on a per session basis / cordinatition which means a lot
> of work and inertia of organising other people to roll out the change.
Hrmm... On other thought..
Is the Foundry a multi-hop peer? If so, perhaps in their configuration
they're specifying ebgp multli-hop 1, which is triggering this behavior?
But I'd suspect the above rather than this, because of the
192 behavior.
Thoughts?
-danny
|