BGP TTL Security

Mitrixsen
Level 5

Hello, everyone.

I have a short question. In eBGP, by default, as long as the incoming TTL of received packets is high enough, the packets can traverse many routers and still be accepted by the local router. In other words, our local eBGP router sends BGP packets with a TTL of 1 but accepts BGP packets that have a TTL of 1 or higher because, by default, there is no TTL check.

But that opens the door to spoofing a peering, because all someone trying to spoof a peering that is, say, 4 hops away would have to do is set their source IP address and set their TTL to 4.

So I've been thinking. Without TTL Security, a router can receive packets from a peering that was spoofed, or invalid BGP packets in general, since it accepts any TTL. But wouldn't authentication prevent BGP from accepting such packets?

Thank you
David

3 Accepted Solutions

balaji.bandi
Hall of Fame

BGP Authentication (MD5) is the primary defence against a spoofed session being established, even if the TTL allows the packet to reach the router.

On the other hand, while authentication prevents unauthorised access, it does not prevent a Denial of Service (DoS) attack.

I have an example below from when I was testing in my lab:

In this example, we assume the eBGP neighbour is directly connected. GTSM works by sending packets with a TTL of 255 and rejecting any incoming packet with a TTL less than 255.

router bgp 65001
 neighbor 192.168.1.2 remote-as 65002
 !
 ! 1. Enable MD5 Authentication
 neighbor 192.168.1.2 password MySecretPassword123
 !
 ! 2. Enable TTL Security (GTSM)
 ! The "hops 1" argument means the neighbour must be 1 hop away (TTL 255)
 neighbor 192.168.1.2 ttl-security hops 1
 exit

BB

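The GTSM acceptance rule described in this post, as an added Python simulation (not the poster's config or any Cisco code): it assumes the convention stated above (ttl-security hops 1 means only TTL 255 is accepted), constructs its own sample packets, and contrasts the default "any TTL" behaviour with the GTSM check for a packet that had to cross several routers to arrive.

```python
"""Simulate the inbound TTL check an eBGP speaker applies with GTSM (RFC 5082).

Constructed example: models the rule described above (hops 1 -> only TTL 255
accepted) against the default behaviour (any TTL >= 1 accepted) and shows why a
packet that crossed several routers cannot pass the check whatever TTL it started with.
"""
from dataclasses import dataclass

MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int  # TTL as it arrives at the local router


def min_accepted_ttl(hops: int) -> int:
    """Lowest TTL accepted for 'ttl-security hops N' (hops=1 -> 255).

    Assumption: the convention used in the post above; some implementations
    accept one less (255 - hops). hops must be in 1..254.
    """
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return MAX_TTL - hops + 1


def accept_default(pkt: Packet) -> bool:
    """Default eBGP behaviour with no TTL check: any TTL that reached us is fine."""
    return pkt.ttl >= 1


def accept_gtsm(pkt: Packet, hops: int) -> bool:
    """GTSM: reject anything that arrived with a TTL below the threshold."""
    return pkt.ttl >= min_accepted_ttl(hops)


def arriving_ttl(sent_ttl: int, routers_traversed: int) -> int:
    """TTL on arrival after each intermediate router decrements it (0 = dropped en route)."""
    return max(0, sent_ttl - routers_traversed)


def simulate(hops: int = 1) -> dict:
    # Constructed traffic: the real directly connected peer (0 intermediate routers)
    # and a sender 4 routers away using the peer's address; both start at TTL 255.
    peer = Packet("192.168.1.2", arriving_ttl(255, 0))
    far_away = Packet("192.168.1.2", arriving_ttl(255, 4))
    return {
        "peer_default": accept_default(peer),
        "peer_gtsm": accept_gtsm(peer, hops),
        "far_away_default": accept_default(far_away),
        "far_away_gtsm": accept_gtsm(far_away, hops),
        "far_away_ttl_on_arrival": far_away.ttl,
    }
```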

@Mitrixsen 

Although the security flaw you mentioned is a concern and enabling 'ttl-security hops x' is a best practice, BGP works over TCP, which means that spoofing a peering IP is not so simple, as the SYN/ACK goes to the spoofed source and the attacker cannot complete the handshake. Meaning, IP spoofing will not allow the session to be established.

But, due to other kinds of attacks like TCP reset injection, ttl-security is important, because an off-path attacker cannot send a packet with a high TTL.
Authentication is another important layer in the process and must be used as well.


Hello
Yes, hence it's preferable to use both:
TTL: to allow you up to the front door, meaning if you don't have the correct TTL you are not even considered.
Auth: to allow you through the door if you have the correct credentials.

Edited: additionally, I would recommend not using MD5 authentication and opting for a more secure solution, TCP-AO, utilising a key chain:

key chain xxx tcp
 key x
  key-string xx
  send-id xx
  recv-id xx
  cryptographic-algorithm xxx
router bgp xx
 neighbor x.x.x.x ao xxx


Kind Regards
Paul

