[102441] in North American Network Operators' Group
BGP TTL Security
daemon@ATHENA.MIT.EDU (Ben Butler)
Thu Feb 14 13:27:20 2008
Date: Thu, 14 Feb 2008 18:28:20 -0000
From: "Ben Butler" <ben.butler@c2internet.net>
To: <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
Hi,
I am trying to implement BGP TTL security between one of my routers and
an eBGP peer that is one hop away over a layer 2 IX.
As soon as I add:
neighbor 212.121.34.1 ttl-security hops 2
or
neighbor 212.121.34.1 ttl-security hops 1
The peer drops to active/open sent with entries in syslog for hold time
expired.
I have validated via trace in both directions as being 1 hop.
I have read another article that implies the default behaviour at the
other end will be to send TTL 1 not 255 and consequently I need to
configure both ends to get the session to come back up. An access list
reveals all the packets I am receiving have a TTL of 0.
The session re-establishes if I configure:
neighbor 212.121.34.1 ttl-security hops >=192
With <=191 the session stays down, which is proper bizarre!
Is it necessary to configure this on both sides for the session to
re-establish? Is this a Cisco bug?
Kind Regards
Ben Butler
++++++++++++++++++++++++++++++++++++++++++
C2 Internet Ltd
Globe House, The Gullet, Nantwich, Cheshire, CW5 5RL
E mailto:ben.butler@c2internet.net
W http://www.c2internet.net/
B1 http://c2internet.blogspot.com/
B2 http://c2noc.blogspot.com/
T +44-(0)845-658-0020
F +44-(0)845-658-0070
All quotes & services from C2 are bound by our standard
terms and conditions which are available on our website at:
http://www.c2internet.net/legal/main.htm#tandc
C2 Internet Limited is a company registered in England and
Wales with company number 03910154
Our VAT Registration number is GB 752 7650 17
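The following is an added worked example, not part of Ben's post and not Cisco IOS code. It models the GTSM / BGP TTL security rule (RFC 5082) the way IOS applies `neighbor X ttl-security hops N`: the sender puts TTL 255 on its BGP segments, and the receiver accepts a segment only if its arriving TTL is at least 255 - N. The simulation assumes a directly connected peer over the IX (no forwarding routers between the two speakers), an eBGP default of TTL 1 when ttl-security is not configured, and that a session needs segments accepted in both directions. It shows why a one-sided configuration leaves the session down and what a two-sided one changes, plus what an off-path spoofer several hops away can and cannot get past the check. It makes no attempt to explain the >=192 behaviour observed in the post. All names are hypothetical.

```python
# Added example (not from the original post or from Cisco IOS): a small
# model of BGP TTL security / GTSM (RFC 5082) as applied by
# "neighbor X ttl-security hops N". Simulates both ends of the session.
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_TTL = 255
EBGP_DEFAULT_TTL = 1  # eBGP to a directly connected peer sends TTL 1 by default


@dataclass
class BgpSpeaker:
    name: str
    ttl_security_hops: Optional[int] = None  # None: ttl-security not configured

    def initial_ttl(self) -> int:
        """TTL this speaker puts on outgoing BGP segments."""
        if self.ttl_security_hops is not None:
            return MAX_TTL  # GTSM: always send with the maximum TTL
        return EBGP_DEFAULT_TTL

    def accepts(self, arriving_ttl: int) -> bool:
        """Receiver-side check. Without GTSM any segment that arrives is taken;
        with GTSM it must carry TTL >= 255 - configured hop count."""
        if self.ttl_security_hops is None:
            return True
        return arriving_ttl >= MAX_TTL - self.ttl_security_hops


def deliver(sender: BgpSpeaker, receiver: BgpSpeaker, routers_between: int,
            sent_ttl: Optional[int] = None) -> Tuple[int, bool]:
    """Carry one segment across `routers_between` forwarding routers, each of
    which decrements the TTL. Returns (TTL seen by the receiver, accepted?).
    `sent_ttl` overrides the sender's normal TTL (used for the spoofing case)."""
    ttl = sender.initial_ttl() if sent_ttl is None else sent_ttl
    ttl -= routers_between
    if ttl <= 0:
        return 0, False  # expired in transit, never reaches the receiver
    return ttl, receiver.accepts(ttl)


def session_can_establish(a: BgpSpeaker, b: BgpSpeaker,
                          routers_between: int = 0) -> bool:
    """A BGP session needs segments accepted in both directions."""
    _, a_to_b = deliver(a, b, routers_between)
    _, b_to_a = deliver(b, a, routers_between)
    return a_to_b and b_to_a


def spoofed_from_distance(target: BgpSpeaker, distance: int) -> bool:
    """Best an off-path attacker `distance` routers away can do against
    `target`: send with TTL 255 and hope it still passes the check."""
    attacker = BgpSpeaker("attacker", ttl_security_hops=None)
    _, accepted = deliver(attacker, target, distance, sent_ttl=MAX_TTL)
    return accepted


if __name__ == "__main__":
    # Constructed scenario: my router with "ttl-security hops 1" against an
    # IX peer that is directly connected (zero forwarding routers between).
    mine = BgpSpeaker("my-router", ttl_security_hops=1)
    peer_plain = BgpSpeaker("ix-peer", ttl_security_hops=None)
    peer_gtsm = BgpSpeaker("ix-peer", ttl_security_hops=1)

    print("arriving TTL from plain peer:", deliver(peer_plain, mine, 0))
    print("session with peer lacking ttl-security:", session_can_establish(mine, peer_plain))
    print("session with peer running ttl-security:", session_can_establish(mine, peer_gtsm))
    print("spoof from 3 routers away accepted:", spoofed_from_distance(mine, 3))
```

With only one side configured, the configured side sends TTL 255 and the plain side accepts it, but the plain side still sends TTL 1, which fails the 255 - 1 = 254 threshold on the configured side, so the session cannot come up; once both ends run ttl-security both directions carry TTL 255 and pass. The same threshold is what stops a spoofed segment from anything more than one router away, which is the point of the feature.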