BGP ttl-security

The BGP Support for TTL Security Check feature is a lightweight security mechanism that protects external BGP (eBGP) peering sessions from CPU utilization-based attacks using forged IP packets. Enabling this feature prevents attempts to hijack the eBGP peering session by a host on a network segment that is not part of either BGP network, or by a host on a network segment that is not between the eBGP peers.

This feature is enabled by configuring a minimum Time To Live (TTL) value for incoming IP packets received from a specific eBGP peer. When this feature is enabled, BGP will establish and maintain the session only if the TTL value in the IP packet header is equal to or greater than the TTL value configured for the peering session. If the value is less than the configured value, the packet is silently discarded and no Internet Control Message Protocol (ICMP) message is generated.

Configuration Example:

On R1:

R1(config)#router bgp 100
R1(config-router)#neighbor 172.16.0.1 ttl-security hops 5

Now R1 will silently drop the packet unless the TTL value in the incoming packet is 250 or greater (255 minus the configured 5 hops).

On the neighbor at the other side we can configure ebgp-multihop 250, or ebgp-multihop without a hop count, which sets the default TTL value to 255.

If we have a frame-relay hub-and-spoke network, then the configured hop count must include the additional hops as well, because spoke-to-spoke traffic will pass through the hub router.
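The following is an added example (not from the original post) that simulates the TTL check described above: the receiver accepts a packet only if its TTL is at least 255 minus the configured hops, and every forwarding router on the path decrements the TTL by one. The names gtsm_min_ttl, deliver and accepted, and the scenario values, are assumptions made for this illustration.

```python
from typing import Optional

# IPv4 TTL is an 8-bit field, so 255 is the highest value any sender can put
# in a packet; this ceiling is what makes the check effective.
MAX_TTL = 255


def gtsm_min_ttl(hops: int) -> int:
    """Minimum TTL accepted by a peer configured with 'ttl-security hops <hops>'."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return MAX_TTL - hops


def deliver(initial_ttl: int, transit_routers: int) -> Optional[int]:
    """TTL in the IP header when the packet reaches the receiving peer.

    Only routers that forward the packet decrement the TTL; the sending and
    receiving peers themselves do not. Returns None if the TTL expires en route.
    """
    ttl = initial_ttl - transit_routers
    return ttl if ttl > 0 else None


def accepted(hops: int, initial_ttl: int, transit_routers: int) -> bool:
    """Whether the receiver's ttl-security check passes for this packet.

    A packet that fails is silently discarded: no ICMP message is generated.
    """
    ttl = deliver(initial_ttl, transit_routers)
    return ttl is not None and ttl >= gtsm_min_ttl(hops)


if __name__ == "__main__":
    # R1 as configured in the post: ttl-security hops 5 -> TTL 250 or greater
    print("minimum TTL for hops 5:", gtsm_min_ttl(5))
    # Directly connected peer sending with TTL 255, no transit routers
    print("direct peer:", accepted(5, 255, 0))
    # Frame-relay hub-and-spoke: the hub forwards the packet (one transit router)
    print("via hub:", accepted(5, 255, 1))
    # Boundary case: five transit routers leaves TTL exactly 250
    print("five transit routers:", accepted(5, 255, 5))
    # Constructed forged packet from six routers away arrives with TTL 249
    print("six transit routers (dropped):", accepted(5, 255, 6))
```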
