[69363] in North American Network Operators' Group
RE: BGP TTL check in 12.3(7)T
daemon@ATHENA.MIT.EDU (Blaine Christian)
Thu Apr 8 12:51:07 2004
From: "Blaine Christian" <blaine.christian@mci.com>
To: "'Pekka Savola'" <pekkas@netcore.fi>
Cc: "'vijay gill'" <vgill@vijaygill.com>, <nanog@merit.edu>
Date: Thu, 8 Apr 2004 12:50:25 -0400
In-reply-to: <Pine.LNX.4.44.0404081929510.1435-100000@netcore.fi>
Errors-To: owner-nanog-outgoing@merit.edu
Hi Pekka,
> Spoofing filters (source address is most useful, but a few
> protocols being deployed now also require destination address
> based filtering) at your border are still best to prevent
> external abuse to your infrastructure?
I agree that spoofing filters help also (perhaps we are not
communicating)... But TTL helps in places where you can't just anti-spoof.
For example, suppose you have box X which can do ZERO filtering at line
rate. Then box Y that can...
X->Y
You have a BGP session between X and Y and many untrusted things talking to
X. How would I anti-spoof X's protocol traffic when I am at Y? The nice
thing about X is that it does, hopefully reliably, decrement the TTL.
Michel, this same answer should apply to your statement. I agree that
anti-spoofing helps. But TTL filtering can fix some very interesting
problems.
BTW, I am only commenting on TTL filtering and not necessarily Cisco's
implementation (I have not even read through their implementation yet).
Regards,
Blaine
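A small model of the X->Y argument above, added here as an illustration and not code from Blaine's post or from Cisco's implementation: Y cannot tell a spoofed source address from X's real one, but because X decrements the TTL of everything it forwards, a TTL check at Y separates the two. The addresses, hop counts and helper names are constructed for the example.

```python
from dataclasses import dataclass

MAX_TTL = 255  # highest TTL a sender can set; no router ever raises it in transit


@dataclass
class Packet:
    src: str   # claimed source address (trivially spoofable by the sender)
    ttl: int   # IP TTL as seen on the wire at the receiver


def forward(pkt: Packet) -> Packet:
    """Model one router hop (e.g. box X forwarding): TTL is decremented by one."""
    return Packet(pkt.src, pkt.ttl - 1)


def deliver(src: str, initial_ttl: int, router_hops: int) -> Packet:
    """Originate a packet with a chosen TTL and carry it across router_hops routers."""
    pkt = Packet(src, initial_ttl)
    for _ in range(router_hops):
        pkt = forward(pkt)
    return pkt


def source_filter_accepts(pkt: Packet, peer: str) -> bool:
    """Anti-spoof check at Y: trusts only the claimed source address."""
    return pkt.src == peer


def ttl_check_accepts(pkt: Packet, expected_hops: int) -> bool:
    """TTL check at Y (the idea behind the BGP TTL security check): a genuine
    peer expected_hops routers away arrives with TTL >= MAX_TTL - expected_hops.
    A host any farther away passes through more decrements and cannot fake it."""
    return pkt.ttl >= MAX_TTL - expected_hops


PEER_X = "192.0.2.1"  # constructed address for the directly attached peer X

# Genuine BGP packet: X originates it straight to Y, so no router decrements it.
genuine = deliver(PEER_X, MAX_TTL, router_hops=0)

# Untrusted host behind X forges X's address; its packet still has to cross X,
# which decrements the TTL once before it reaches Y.
spoofed = deliver(PEER_X, MAX_TTL, router_hops=1)


def summary() -> dict:
    """Compare both checks at Y for the genuine and the spoofed packet."""
    return {
        "source_filter": (source_filter_accepts(genuine, PEER_X),
                          source_filter_accepts(spoofed, PEER_X)),
        "ttl_check": (ttl_check_accepts(genuine, 0),
                      ttl_check_accepts(spoofed, 0)),
    }
```

With a directly attached peer the check is strict (TTL must still be 255); for a multi-hop session the threshold is relaxed by the expected hop count, which is the trade-off the Cisco knob exposes.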