OL-11615-01
TTL Security Check
Based on the Generalized TTL Security Mechanism (GTSM, RFC 3682), the TTL security check is a
security feature that protects BGP peers from multi-hop attacks. This feature allows the configuration of
a minimum acceptable TTL value for the packets exchanged between two eBGP peers. When enabled,
both peering routers transmit all their traffic to each other with a TTL of 255. In addition, routers
establish a peering session only if the other eBGP peer sends packets with a TTL equal to or greater than
the TTL value configured for the peering session. All packets received with TTL values less than the
predefined value are silently discarded. In this way, the TTL security check prevents all possible attacks
from attackers not connected directly to the same physical network connecting the two routers.
For example, when TTL security check is enabled between two eBGP peers, both routers transmit all
their traffic to each other with a TTL of 255. If the routers are one hop away, the security check will
accept only incoming packets with a TTL equal to or greater than 254. This ensures that traffic from all
devices that are not directly connected will not be accepted because all traffic from devices not directly
connected will arrive with a TTL of less than 254, as shown in Figure 3.
Figure 3 TTL Security Check
In the example shown in Figure 3, Router A will accept only those packets with a TTL of 254 or greater.
Regardless of the TTL value the attacker sets, all of their packets will reach Router A with a TTL of less
than 254.
Note The TTL security check feature is currently available for BGP only. Work is currently in progress to
implement this feature for other routing protocols, such as OSPF and EIGRP.
In Cisco IOS software, the TTL security check can be enabled per peer using the neighbor ttl-security
command:
Router(config)# router bgp as-number
Router(config-router)# neighbor ip-address ttl-security hops hop-count
In this example, TTL security check is enabled for the 10.1.1.1 eBGP neighbor, which resides two hops
away:
Router(config)# router bgp 1
Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2
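The following is an added example, not code from the Cisco document: a small Python model of the receive-side check described above (peers send with TTL 255, a packet is accepted only if its TTL on arrival is at least 255 minus the configured hop-count, otherwise it is silently discarded). The router names, hop counts and sample packets are constructed for the illustration; the only real identifiers are the IOS command names quoted in comments. The last sample packet shows the limitation the text itself states: a sender on the same physical segment as the peer still arrives with an acceptable TTL, so the check only filters traffic that has crossed more routers than the configured hop-count.

```python
# Added example (not from the Cisco document): a small model of the GTSM
# TTL security check. Router names, hop counts and packets are constructed.
from dataclasses import dataclass

GTSM_INITIAL_TTL = 255  # with the check enabled, both peers send with TTL 255


def min_accepted_ttl(hop_count: int) -> int:
    """Lowest arrival TTL accepted for a peer configured 'hop_count' hops away
    (IOS: neighbor <ip-address> ttl-security hops <hop_count>)."""
    if not 1 <= hop_count <= 254:
        raise ValueError("hop-count must be between 1 and 254")
    return GTSM_INITIAL_TTL - hop_count


def ttl_on_arrival(sent_ttl: int, hops_traversed: int) -> int:
    """TTL seen by the receiver after each hop on the path decrements it by one."""
    return max(sent_ttl - hops_traversed, 0)


@dataclass
class BgpPacket:
    source: str          # label for the sender (constructed)
    sent_ttl: int        # TTL the sender put in the IP header
    hops_traversed: int  # hops between the sender and the receiving router


def ttl_security_check(packets, hop_count):
    """Split packets into (accepted, dropped); dropped ones are silently discarded.
    Each entry is (source, ttl_on_arrival)."""
    threshold = min_accepted_ttl(hop_count)
    accepted, dropped = [], []
    for pkt in packets:
        arrival = ttl_on_arrival(pkt.sent_ttl, pkt.hops_traversed)
        (accepted if arrival >= threshold else dropped).append((pkt.source, arrival))
    return accepted, dropped


# Constructed traffic arriving at Router A, whose eBGP peer Router B is 1 hop away.
SAMPLE_PACKETS = [
    BgpPacket("Router B (eBGP peer)", 255, 1),            # legitimate, arrives at 254
    BgpPacket("Attacker three hops away", 255, 3),        # arrives at 252: dropped
    BgpPacket("Attacker one hop away, TTL 200", 200, 1),  # arrives at 199: dropped
    BgpPacket("Host on the shared segment", 255, 1),      # arrives at 254: still accepted
]


def accepted_sources(packets=SAMPLE_PACKETS, hop_count=1):
    """Senders whose packets pass the check for the given hop-count."""
    return [src for src, _ in ttl_security_check(packets, hop_count)[0]]


def dropped_sources(packets=SAMPLE_PACKETS, hop_count=1):
    """Senders whose packets are silently discarded for the given hop-count."""
    return [src for src, _ in ttl_security_check(packets, hop_count)[1]]


if __name__ == "__main__":
    # hop-count 1 matches Figure 3; hop-count 2 matches the 10.1.1.1 example above.
    for hops in (1, 2):
        acc, drop = ttl_security_check(SAMPLE_PACKETS, hops)
        print(f"hops {hops}: accept TTL >= {min_accepted_ttl(hops)}")
        print("  accepted:", acc)
        print("  dropped: ", drop)
```

Raising the configured hop-count lowers the threshold (254 for one hop, 253 for two), so the check should be configured with the real distance to the peer and no more: every extra hop allowed is one more router from which traffic could still arrive with an acceptable TTL.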
For more information about TTL Security Check, refer to the following URL:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455621.html
[Figure 3 labels: Routers A, B and C; eBGP; BGP Attack Packets; Attacker]