[69361] in North American Network Operators' Group
RE: BGP TTL check in 12.3(7)T
daemon@ATHENA.MIT.EDU (Pekka Savola)
Thu Apr  8 12:34:21 2004
Date: Thu, 8 Apr 2004 19:33:37 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: Blaine Christian <blaine.christian@mci.com>
Cc: "'vijay gill'" <vgill@vijaygill.com>, <nanog@merit.edu>
In-Reply-To: <001101c41d7a$8f2886f0$948d2799@mcilink.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 8 Apr 2004, Blaine Christian wrote:
> > The TTL mechanism is just a way to distinguish at low cost 
> > between good for_us traffic and junk. So more of a classifer 
> > than a security layer, though it can be argued both ways.  
> > And even though it does have security in the title, it is 
> > _not_ a panacea for "securing" bgp or any routing information.
> > 
> http://www.faqs.org/rfcs/rfc3682.html
> 
> I agree that it is not a panacea...  But, you must admit, it provides an
> incredible level of comfort.  It would be wonderful to only allow internally
> generated traffic to talk to the core of your network with a simple TTL
> filter.  Versus anti-spoofing filters from hell.
You may be misunderstanding the applicability of GTSM.  It's only 
really useful for eBGP sessions, not for "internally generated 
traffic" (unless you fix the TTLs manually for iBGP sessions).
Spoofing filters (source address is most useful, but a few protocols
being deployed now also require destination address based filtering)
at your border are still best to prevent external abuse to your 
infrastructure?
> Now, when do we get it at line speed on engine 0 cards?
>
> I hope some other vendors are listening to this conversation!
(tongue in cheek)
Maybe you should be listening to the vendors instead, and pick ones 
which provide the features you need?
-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings