is there drawback to setting ttl-security hop on bgp neighbor?

hfakoor222 (Spotlight)

The lab I am doing mentions:

Background

An EBGP session between two directly connected peers means a TTL hop count of 1 is set on the originating router, with the destination router expecting the packet to arrive with TTL of 0. However, an attacker elsewhere on the Internet can also send a packet which will arrive with TTL of 0, and potentially disrupt the BGP session between the two peers.

GTSM works by setting TTLs between EBGP speakers to be 255, as described in the BGP Best Practices presentation. This way, a third party can only be at least one more hop away; it cannot send a BGP packet with TTL which the local peer router would be able to use, because the TTL would be incorrect. If they tried to send a packet with TTL 255, and they were one hop beyond the source router, the packet would arrive on the destination router with a TTL of 253, two hops away, an incorrect value and therefore ignored. (In fact, the attacker would have to be on the same physical media used between the two peers meaning that, in the case of an IXP, they’d have to be on the IXP LAN itself - not entirely impossible!)

Some operators require GTSM on any EBGP session they set up - so the purpose of this exercise is to show how it is done. Both operators need to implement GTSM on the peering link, which means coordination is required.

https://nsrc.org/workshops/2019/mnnog1/riso/networking/routing-security/en/labs/securing-bgp.html

So I set a max of 1 hop on the peering router, and I think this can be a good idea for IGP routers also, if I feel there may be a security issue.

So in any case, my peering router is now 1 max hop away.

[image: 2.png]

Is there a danger or drawback to using max hops on a neighbor? If I ever worked as a network engineer, would it be best practice to use this technique?
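The TTL arithmetic the lab text above describes, as an added example that is not code from the NSRC lab, Cisco, or anyone in this thread. It models a classic TTL-1 eBGP session (the default, with no ttl-security) beside a GTSM session (neighbor <ip> ttl-security hops 1 on both routers) and shows what each receiver does with packets from the real peer and from an attacker at various distances. It assumes the RFC 5082 style rule that a peer configured as `hops` away must arrive with TTL >= 255 - (hops - 1), so a directly connected peer is accepted only at TTL 255; whether a given platform's `hops 1` also admits TTL 254 is an assumption to confirm in that platform's documentation. The scenario names, the `forward` helper, and the packet TTL values are constructed for the example.

```python
"""Model of the BGP TTL check with and without GTSM (ttl-security).

Added example for this thread; not code from the NSRC lab or from Cisco.
Assumption: RFC 5082 style acceptance, TTL >= 255 - (hops - 1), so a
directly connected peer (hops=1) must arrive with TTL 255. Check the
platform documentation for its exact threshold before relying on this.
"""
from typing import Dict, Optional, Tuple

MAX_TTL = 255


def forward(sender_ttl: int, routers_in_path: int) -> Optional[int]:
    """TTL on arrival after crossing routers_in_path forwarding routers.

    Each forwarding router decrements TTL by one; the receiving router
    does not. Returns None if the packet expires in transit.
    """
    ttl = sender_ttl
    for _ in range(routers_in_path):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def classic_accept(arrival_ttl: Optional[int]) -> bool:
    """Pre-GTSM eBGP (peer sends TTL 1): anything that arrives is accepted."""
    return arrival_ttl is not None and arrival_ttl >= 1


def gtsm_accept(arrival_ttl: Optional[int], hops: int) -> bool:
    """GTSM: accept only if the TTL proves the sender is within `hops`."""
    if arrival_ttl is None:
        return False
    return arrival_ttl >= MAX_TTL - (hops - 1)


def best_attacker_ttl(distance: int) -> int:
    """Highest TTL an attacker `distance` routers away can make arrive.

    The attacker controls the initial TTL (at most 255) but not the
    decrement performed by every router on the path.
    """
    return MAX_TTL - distance


def session_outcome(sender_ttl: int, distance: int, hops: int) -> Dict[str, object]:
    """Decision of a classic receiver and of a GTSM receiver (ttl-security hops)
    for one packet sent with sender_ttl across `distance` forwarding routers."""
    ttl = forward(sender_ttl, distance)
    return {
        "arrival_ttl": ttl,
        "classic": classic_accept(ttl),
        "gtsm": gtsm_accept(ttl, hops),
    }


# Constructed scenarios: (sender TTL, forwarding routers in path, receiver hops).
SCENARIOS: Dict[str, Tuple[int, int, int]] = {
    # Real peer still sending TTL 1 while the receiver has turned on GTSM:
    # this is the coordination problem, the GTSM side rejects its own peer.
    "peer_classic": (1, 0, 1),
    # Same peer once both sides set ttl-security hops 1.
    "peer_gtsm": (255, 0, 1),
    # Attacker one router away picks TTL 2 so the packet lands with TTL 1.
    "attacker_crafted_ttl": (2, 1, 1),
    # Attacker one router away sends the maximum TTL it can.
    "attacker_max_ttl": (255, 1, 1),
    # Multihop peer two routers away with ttl-security hops 3.
    "multihop_peer": (255, 2, 3),
    # Attacker four routers away against that multihop session.
    "multihop_attacker": (255, 4, 3),
}


def run_scenarios() -> Dict[str, Dict[str, object]]:
    return {name: session_outcome(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} arrival_ttl={str(result['arrival_ttl']):>4} "
              f"classic={str(result['classic']):5} gtsm={result['gtsm']}")
```

The two scenarios worth staring at are attacker_crafted_ttl (the classic receiver accepts a packet the attacker deliberately shaped to arrive with TTL 1) and peer_classic (a receiver that enables ttl-security drops its real peer until that peer also starts sending TTL 255, which is why the lab says both operators must configure it together).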

3 Replies

https://ccieblog.co.uk/bgp/bgp-disable-connected-check-vs-ebgp-multi-hop

 

I think that disable-connected-check is OK for your case of a peer one hop away.

Thank you! That was a good article. I'm wondering if TTL security hop is normally used by network engineers when doing BGP.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2017/pdf/agendas/BRKRST-2045-Agenda.pdf

 

Not only this; there are other security needs for BGP, and this link describes them.
