06-12-2022 03:22 PM
The lab I am doing mentions:
An EBGP session between two directly connected peers means a TTL hop count of 1 is set on the originating router, with the destination router expecting the packet to arrive with TTL of 0. However, an attacker elsewhere on the Internet can also send a packet which will arrive with TTL of 0, and potentially disrupt the BGP session between the two peers.
GTSM works by setting TTLs between EBGP speakers to be 255, as described in the BGP Best Practices presentation. This way, a third party can only be at least one more hop away; it cannot send a BGP packet with TTL which the local peer router would be able to use, because the TTL would be incorrect. If they tried to send a packet with TTL 255, and they were one hop beyond the source router, the packet would arrive on the destination router with a TTL of 253, two hops away, an incorrect value and therefore ignored. (In fact, the attacker would have to be on the same physical media used between the two peers meaning that, in the case of an IXP, they’d have to be on the IXP LAN itself - not entirely impossible!)
Some operators require GTSM on any EBGP session they set up - so the purpose of this exercise is to show how it is done. Both operators need to implement GTSM on the peering link, which means coordination is required.
https://nsrc.org/workshops/2019/mnnog1/riso/networking/routing-security/en/labs/securing-bgp.html
So I set 1 max hop on the peering router, and I think this can be a good idea for IGP routers also if I feel there may be a security issue.
So in any case, on my peering router it is now 1 max hop away.
Is there a danger or drawback to using max hops on a neighbor? If I ever worked as a network engineer would it be best practice to use this technique?
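Added example, not code from the thread or the NSRC lab: a small model of the GTSM check the quoted lab text describes, stepping both of its scenarios (the genuine directly connected peer and an attacker one hop further away) through the legacy and the TTL-security acceptance rule. The hop counts are constructed.

```python
# Added example, not code from the thread or the NSRC lab: a model of the GTSM
# check described in the quoted text, stepping both scenarios through it (the
# genuine peer and an attacker one hop further away). Hop counts are constructed.

MAX_TTL = 255

def ttl_on_arrival(sent_ttl: int, hops: int) -> int:
    """TTL the receiver sees after the packet crossed `hops` routers
    (the quoted text's model: a directly connected peer is one hop)."""
    return max(sent_ttl - hops, 0)

def legacy_accept(received_ttl: int) -> bool:
    """Pre-GTSM behaviour: the packet only has to arrive; the TTL value is
    not used to judge how far away the sender is."""
    return received_ttl >= 0

def gtsm_accept(received_ttl: int, max_hops: int = 1) -> bool:
    """GTSM check (RFC 5082; IOS 'neighbor <peer> ttl-security hops 1'):
    a peer at most `max_hops` away that sends TTL 255 can arrive no lower
    than 255 - max_hops. Anything lower came from further away and is
    dropped before BGP ever sees it."""
    return received_ttl >= MAX_TTL - max_hops

def evaluate(sender: str, sent_ttl: int, hops: int, max_hops: int = 1) -> dict:
    """Run one sender through both checks and report what each would do."""
    arrived = ttl_on_arrival(sent_ttl, hops)
    return {"sender": sender, "arrived_ttl": arrived,
            "legacy": legacy_accept(arrived),
            "gtsm": gtsm_accept(arrived, max_hops)}

# Constructed scenarios mirroring the quoted text.
SCENARIOS = [
    evaluate("directly connected peer", sent_ttl=MAX_TTL, hops=1),
    evaluate("attacker one hop beyond the peer", sent_ttl=MAX_TTL, hops=2),
    # A distant attacker can pick a TTL that expires exactly on arrival
    # (the TTL-0 case in the text); GTSM still rejects it.
    evaluate("attacker 12 hops away, tuned TTL", sent_ttl=12, hops=12),
]

if __name__ == "__main__":
    verdict = lambda ok: "accept" if ok else "drop"
    for s in SCENARIOS:
        print(f"{s['sender']:<38} TTL on arrival={s['arrived_ttl']:>3} "
              f"legacy={verdict(s['legacy'])} gtsm={verdict(s['gtsm'])}")
```

The third scenario is the point of the lab text: a legacy check cannot tell a tuned remote packet from a neighbour's, while the GTSM rule drops it because a TTL below 254 cannot have come from one hop away.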
06-12-2022 03:33 PM
https://ccieblog.co.uk/bgp/bgp-disable-connected-check-vs-ebgp-multi-hop
I think that disable-connected-check is OK for your case of a one-hop-far peer.
06-12-2022 03:59 PM
Thank you! That was a good article. I'm wondering if TTL security hop is normally used by network engineers when doing BGP.
06-12-2022 04:12 PM - edited 06-12-2022 04:14 PM
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2017/pdf/agendas/BRKRST-2045-Agenda.pdf
Not only this; there are other security needs for BGP, and this link describes the BGP security needs.