[102444] in North American Network Operators' Group
Re: BGP TTL Security
daemon@ATHENA.MIT.EDU (Danny McPherson)
Thu Feb 14 15:17:06 2008
In-Reply-To: <F9181128E9584B40B5A04C43800604B40F85DB@anyanka.c2internet.net>
From: Danny McPherson <danny@tcb.net>
Date: Thu, 14 Feb 2008 13:14:59 -0700
To: NANOG NANOG <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
On Feb 14, 2008, at 11:28 AM, Ben Butler wrote:
> <=191 and the session stays down.
>
> Which is proper bizarre!
>
> Is it necessary to configure this on both sides for the session to
> re-establish? Is this a Cisco bug?
You're missing the fundamentals of what protection this
mechanism is meant to provide. A remote attacker can
craft a packet such that it yields a TTL of 2, 1 or 0 at
the target system.
However, what a remote attacker can't do is craft a
packet that yields a TTL of 255 or 254, for example.
You probably want both values to be 254 if you've
got one intermediate hop between the peers.
-danny
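The acceptance rule Danny describes, as an added model (not code from the thread, nor from any vendor): a TTL-security-enabled router sends BGP packets with TTL 255 and accepts only packets whose TTL on arrival is still at least 255 minus the expected hop count. The peer names, the one-router topology and the "legacy multihop" settings are constructed for illustration; the model also shows why the session in the quoted message stays down when only one side is configured.

```python
# Added example (not from the NANOG thread): a small model of the BGP TTL
# security check (GTSM).  A GTSM-enabled router sends BGP packets with TTL 255
# and accepts only packets whose TTL on arrival is still >= 255 - expected_hops.
# Peer names, hop counts and the "legacy" settings below are constructed.

MAX_TTL = 255  # largest value an IPv4 TTL (or IPv6 hop limit) can carry


def min_accepted_ttl(expected_hops):
    """Lowest arrival TTL accepted for a peer expected_hops away.
    One intermediate router between the peers gives 254."""
    if not 1 <= expected_hops < MAX_TTL:
        raise ValueError("expected_hops must be between 1 and 254")
    return MAX_TTL - expected_hops


def arrival_ttl(sent_ttl, intermediate_routers):
    """TTL seen by the destination after each intermediate router has
    decremented it by one; 0 means the packet expired in transit."""
    return max(sent_ttl - intermediate_routers, 0)


def ttl_check_passes(received_ttl, min_ttl):
    """The receiver's decision: drop anything below its configured floor."""
    return received_ttl >= min_ttl


def session_state(peer_a, peer_b, intermediate_routers):
    """Evaluate both directions of a BGP session.  Each peer is a dict with
    'send_ttl' (TTL it puts on outgoing packets) and 'min_ttl' (the lowest
    TTL it accepts).  Returns 'established' or a reason the session is down."""
    for sender, receiver in ((peer_a, peer_b), (peer_b, peer_a)):
        ttl = arrival_ttl(sender["send_ttl"], intermediate_routers)
        if ttl == 0:
            return f"down: packets from {sender['name']} expire in transit"
        if not ttl_check_passes(ttl, receiver["min_ttl"]):
            return (f"down: {receiver['name']} drops packets from "
                    f"{sender['name']} (TTL {ttl} < {receiver['min_ttl']})")
    return "established"


def gtsm_peer(name):
    """GTSM-enabled peer: sends TTL 255, expects its neighbour one router away."""
    return {"name": name, "send_ttl": MAX_TTL, "min_ttl": min_accepted_ttl(1)}


def legacy_multihop_peer(name, send_ttl=2):
    """Peer without GTSM: a conventional multihop session sends a small TTL
    and performs no floor check beyond the packet not having expired."""
    return {"name": name, "send_ttl": send_ttl, "min_ttl": 1}


if __name__ == "__main__":
    # Both sides configured: TTL 255 crosses one router, arrives as 254, accepted.
    print(session_state(gtsm_peer("R1"), gtsm_peer("R2"), 1))
    # Only one side configured: R2's TTL-2 packets arrive at R1 with TTL 1 and
    # are dropped, so the session stays down until R2 is configured as well.
    print(session_state(gtsm_peer("R1"), legacy_multihop_peer("R2"), 1))
    # A packet that crossed five routers can arrive with at most TTL 250,
    # which a floor of 254 rejects regardless of its contents.
    print(ttl_check_passes(arrival_ttl(MAX_TTL, 5), min_accepted_ttl(1)))
```

The floor is evaluated independently in each direction, which is why a mismatch on either side takes the whole session down: the side that still sends a small TTL is the one whose packets get discarded.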