Understanding BGP TTL Security

By stretch | Monday, November 23, 2009 at 8:08 a.m. UTC

By default, IOS sends BGP messages to EBGP neighbors with an IP time-to-live (TTL) of 1. (This can be adjusted with ebgp-multihop attached to the desired neighbor or peer group under BGP configuration.) Sending BGP messages with a TTL of one requires that the peer be directly connected, or the packets will expire in transit. Likewise, a BGP router will only accept incoming BGP messages with a TTL of 1 (or whatever value is specified by ebgp-multihop), which can help mitigate spoofing attacks.

However, there is an inherent vulnerability to this approach: it is trivial for a remote attacker to adjust the TTL of sent packets so that they appear to originating from a directly-connected peer.

ttl-security1.png

By spoofing legitimate-looking packets toward a BGP router at high volume, a denial of service (DoS) attack may be accomplished.

A very simple solution to this, as discussed in RFC 3682, is to invert the direction in which the TTL is counted. The maximum value of the 8-bit TTL field in an IP packet is 255; instead of accepting only packets with a TTL set to 1, we can accept only packets with a TTL of 255 to ensure the originator really is exactly one hop away. This is accomplished on IOS with the TTL security feature, by appending ttl-security hops <count> to the BGP peer statement.

ttl-security2.png

Only BGP messages with an IP TTL greater than or equal to 255 minus the specified hop count will be accepted. TTL security and EBGP multihop are mutually exclusive; ebgp-multihop is no longer needed when TTL security is in use.

Bookmark and Share
Posted in Routing, Security

Comments

MCL.Nicolas (guest) commented on Monday, November 23, 2009 at 8:49 a.m. UTC

Nice tips !! Did not know that it was possible :)

thanks Jeremy

mellowd commented on Monday, November 23, 2009 at 12:57 p.m. UTC

I've got to give this a try

tonhe commented on Monday, November 23, 2009 at 3:12 p.m. UTC

Its a shame this is a Cisco proprietary command since its such a wonderful security feature. And FYI For everyone, it does require IOS Version >= 12.3(7)T

luismg commented on Monday, November 23, 2009 at 4:39 p.m. UTC

In fact you should use ttl = 2 when your source of bgp update is a loopback interface.

Ysaad commented on Monday, November 23, 2009 at 5:59 p.m. UTC

It is a very nice explanation. I never understood the difference between ebgp-multihop and ttl-security featues...Thanks

oipunx commented on Monday, November 23, 2009 at 8:17 p.m. UTC

I'd like to implement this today as well!

Steve (guest) commented on Tuesday, November 24, 2009 at 8:24 p.m. UTC

Should this "whatever value is specified by ebgp-multihop" read "whatever value is specified by ebgp-multihop or lower"?

CallMeTim commented on Wednesday, November 25, 2009 at 12:18 a.m. UTC

Just to make sure I understand this... and I've never used or read about ttl security hop but understand and use ebgp-multihop.

Formula would be: TTL ≤ 255-h

h = actual hops

ciscodreamer commented on Wednesday, November 25, 2009 at 5:41 a.m. UTC

cool post, I didn't know what this feature is for. Simple and very nice explanation.

kizi (guest) commented on Wednesday, November 25, 2009 at 2:22 p.m. UTC

spot on, thanks for all this useful info that you give away with each of your posts.

you blog has really made me a better administrator.

thanks a ton!

Leave a Comment


Register to comment as a member. You'll look cooler.

Optional; will not be displayed publicly or given out.

Only personal (e.g. blog, Twitter, or LinkedIn) and/or on-topic links, please.