12-21-2011 02:21 AM - edited 03-01-2019 04:45 PM
The Time to Live (TTL) Security feature protects External Border Gateway Protocol (EBGP) peering sessions from attacks that use forged IP packets. The feature compares the TTL field of each incoming packet against the hop count configured for the EBGP neighbor. BGP establishes and maintains the session only if the TTL value in the IP packet is equal to or greater than the minimum TTL derived from the hop count configured for the peer.
This feature is configured with the neighbor <ip-address> ttl-security hops <count> BGP configuration command. The router derives the minimum acceptable TTL from the configured hop count, i.e. TTL = 255 - (hop count).
This feature has a few limitations.
In this document, four routers (R1, R2, R3 and R4) are connected via Fast Ethernet interfaces, and all of them run EIGRP as the IGP. R1 and R4 advertise their Loopback0 prefixes (1.1.1.1/32 and 4.4.4.4/32).
R1 and R4 are in different autonomous systems (100 and 200) and form the EBGP peering. R4 originates BGP packets with a TTL of 255, and R1 expects the packets it receives from R4 to have a TTL of at least 252 (R1's BGP configuration has neighbor 4.4.4.4 ttl-security hops 3, so the minimum TTL is 255 - 3 = 252).
Any BGP packet originating from behind R4 cannot reach R1 with a TTL of 252, so R1 will always reject it.
R1:

hostname R1
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.12.12.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 10
 network 1.1.1.1 0.0.0.0
 network 10.12.12.1 0.0.0.0
 no auto-summary
 eigrp router-id 1.1.1.1
!
router bgp 100
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 200
 neighbor 4.4.4.4 ttl-security hops 3
 neighbor 4.4.4.4 update-source Loopback0
 no auto-summary
end

R2:

hostname R2
ip cef
no ip domain lookup
!
interface FastEthernet0/0
 ip address 10.12.12.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.23.23.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 10
 network 10.12.12.2 0.0.0.0
 network 10.23.23.1 0.0.0.0
 no auto-summary
end

R3:

hostname R3
ip cef
no ip domain lookup
!
interface FastEthernet0/0
 ip address 10.23.23.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.34.34.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 10
 network 10.23.23.2 0.0.0.0
 network 10.34.34.1 0.0.0.0
 no auto-summary
 eigrp router-id 3.3.3.3
end

R4:

hostname R4
ip cef
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.34.34.2 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 10
 network 4.4.4.4 0.0.0.0
 network 10.34.34.2 0.0.0.0
 no auto-summary
 eigrp router-id 4.4.4.4
!
router bgp 200
 no synchronization
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 ttl-security hops 3
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
end
R1#sh ip bgp sum
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
4.4.4.4 4 200 23 22 1 0 0 00:10:14 0
R1#sh ip bgp neighbors 4.4.4.4
BGP neighbor is 4.4.4.4, remote AS 200, external link
BGP version 4, remote router ID 4.4.4.4
BGP state = Established, up for 00:09:57
Last read 00:00:00, last write 00:00:57, hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 3 3
Notifications: 0 0
Updates: 0 0
Keepalives: 18 20
Route Refresh: 0 0
Total: 21 23
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Connections established 3; dropped 2
Last reset 00:10:00, due to User reset
External BGP neighbor may be up to 3 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 252, Outgoing TTL 255
Local host: 1.1.1.1, Local port: 39378
Foreign host: 4.4.4.4, Foreign port: 179
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x271CD8):
Timer Starts Wakeups Next
Retrans 13 0 0x0
TimeWait 0 0 0x0
AckHold 12 9 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
iss: 4147902773 snduna: 4147903047 sndnxt: 4147903047 sndwnd: 16111
irs: 1221993724 rcvnxt: 1221994017 rcvwnd: 16092 delrcvwnd: 292
SRTT: 528 ms, RTTO: 1584 ms, RTV: 1056 ms, KRTT: 0 ms
minRTT: 348 ms, maxRTT: 892 ms, ACK hold: 200 ms
Flags: active open, nagle
IP Precedence value : 6
Datagrams (max data segment is 536 bytes):
Rcvd: 22 (out of order: 0), with data: 12, total data bytes: 292
Sent: 24 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 12, total data bytes: 273
NOTE: If ttl-security hops is now changed to 2, R1 and R4 will not form an EBGP session.
As seen, once the hop count is changed, the peering between R1 and R4 is lost.
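To make the TTL check concrete, the following is an added example (it is not code from the original post or from Cisco IOS): a small Python model of the GTSM comparison described at the top of this document, run over the R1-R2-R3-R4 topology, covering both the hops 3 case and the hops 2 case from the note above. The router names, hop count and TTL values are the document's; the link list, the extra host "H" standing in for "a packet originating behind R4", and all function names are constructed for this illustration. The model uses the document's hop counting, under which the three-hop path R4 -> R3 -> R2 -> R1 delivers R4's packets to R1 with TTL 252 (one decrement per hop); where exactly a real router decrements TTL is not modelled.

```python
# Added example, not from the original post or from Cisco IOS: a model of the
# BGP TTL-security (GTSM) check over the document's R1-R2-R3-R4 topology.
# Topology representation, host "H" and all function names are constructed.

from collections import deque

MAX_TTL = 255

# Constructed topology: each entry is one point-to-point link, as in the
# document. "H" is an extra host behind R4 (not in the document's diagram),
# used to stand in for "a BGP packet originating behind R4".
LINKS = [("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R4", "H")]


def build_adjacency(links):
    """Undirected adjacency map built from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hop_count(links, src, dst):
    """Shortest path length in hops (links traversed) from src to dst (BFS)."""
    adj = build_adjacency(links)
    seen = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return seen[node]
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    raise ValueError(f"no path from {src} to {dst}")


def min_ttl_for_hops(hops):
    """Minimum accepted TTL derived from 'ttl-security hops': 255 - hops."""
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hops


def gtsm_accepts(incoming_ttl, hops):
    """The check itself: accept only if the incoming TTL >= 255 - hops."""
    return incoming_ttl >= min_ttl_for_hops(hops)


def deliver(links, src, dst, initial_ttl=MAX_TTL):
    """TTL seen by dst after each hop decrements it by one (document's
    counting); None if the packet would expire before arriving."""
    ttl = initial_ttl - hop_count(links, src, dst)
    return ttl if ttl > 0 else None


def evaluate_peer(links, src, dst, hops, initial_ttl=MAX_TTL):
    """Return (arriving_ttl, accepted) for a packet from src to dst, where dst
    has 'neighbor <src> ttl-security hops <hops>' configured."""
    ttl = deliver(links, src, dst, initial_ttl)
    if ttl is None:
        return None, False
    return ttl, gtsm_accepts(ttl, hops)


if __name__ == "__main__":
    # R4 with hops 3 (document's working case), a host behind R4 with hops 3
    # (rejected), and R4 again after hops is lowered to 2 (session lost).
    for src, hops in (("R4", 3), ("H", 3), ("R4", 2)):
        ttl, ok = evaluate_peer(LINKS, src, "R1", hops)
        print(f"{src} -> R1, ttl-security hops {hops}: arriving TTL {ttl}, "
              f"minimum {min_ttl_for_hops(hops)}, "
              f"{'accepted' if ok else 'dropped'}")
```

Running the block prints three lines: R4's packets arrive at R1 with TTL 252 and pass the hops 3 check (minimum 252), a packet from behind R4 arrives at 251 and is dropped, and after the hop count is lowered to 2 the minimum rises to 253 so R4's own packets at 252 are dropped as well, which is the session loss described in the note.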