“[My 11th Success Story] How to understand BGP TTL Security”

aamallik (Diamond)
7 years 4 months ago


Dear admin,

One day before configuring, I found the information below regarding BGP TTL security on the Huawei Support website. I read it and realized it helped me a lot when configuring in the live network.

By default, IOS sends BGP messages to EBGP neighbors with an IP time-to-live (TTL) of 1. (This can be adjusted with ebgp-multihop attached to the desired neighbor or peer group under BGP configuration.)

Sending BGP messages with a TTL of one requires that the peer be directly connected, or the packets will expire in transit. Likewise, a BGP router will only accept incoming BGP messages with a TTL of 1 (or whatever value is specified by ebgp-multihop), which can help mitigate spoofing attacks.

However, there is an inherent vulnerability to this approach: it is trivial for a remote attacker to adjust the TTL of sent packets so that they appear to originate from a directly-connected peer.

By spoofing legitimate-looking packets toward a BGP router at high volume, a denial of service (DoS) attack may be accomplished; please refer to the network picture as attachment_1.

How to avoid the attack described above?

Huawei Suggestion:

A very simple solution to this, as discussed in RFC 3682, is to invert the direction in which the TTL is counted. The maximum value of the 8-bit TTL field in an IP packet is 255; instead of accepting only packets with a TTL set to 1, we can accept only packets with a TTL of 255 to ensure the originator really is exactly one hop away. This is accomplished on IOS with the TTL security feature, by appending ttl-security hops <count> to the BGP peer statement; please refer to the network picture as attachment_2.

Only BGP messages with an IP TTL greater than or equal to 255 minus the specified hop count will be accepted. TTL security and EBGP multihop are mutually exclusive; ebgp-multihop is no longer needed when TTL security is in use.


Thanks to Huawei Team
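As an added illustration (not part of aamallik's post or of Huawei's documentation), the following Python model compares the two acceptance rules described above: the classic "accept TTL of 1" check and the RFC 3682 / TTL security check "accept TTL >= 255 minus hop count". It assumes a simplified forwarding path in which every intermediate router decrements the IP TTL by one and discards the packet at zero; the function and variable names are my own.

```python
# Added example, not from the original post: a small model of why inverting
# the TTL check (RFC 3682 / "ttl-security hops <count>") defeats TTL spoofing
# that the classic "TTL of 1" check cannot.

MAX_TTL = 255  # the 8-bit IP TTL field cannot hold a larger value


def arriving_ttl(initial_ttl: int, routers_between: int):
    """TTL the receiving BGP router sees, or None if the packet expired in transit.

    Each intermediate router decrements the TTL by one and discards the packet
    when it reaches zero, so arrival TTL = initial TTL - routers traversed.
    """
    if not 0 <= initial_ttl <= MAX_TTL:
        raise ValueError("initial TTL must fit in 8 bits")
    ttl = initial_ttl - routers_between
    return ttl if ttl > 0 else None


def legacy_accepts(received_ttl, ebgp_multihop: int = 1) -> bool:
    """Classic check: accept only the TTL value configured (1 by default)."""
    return received_ttl is not None and received_ttl == ebgp_multihop


def gtsm_accepts(received_ttl, hops: int = 1) -> bool:
    """TTL security check: accept only TTL >= 255 - configured hop count."""
    return received_ttl is not None and received_ttl >= MAX_TTL - hops


def can_pass_gtsm(routers_between: int, hops: int = 1) -> bool:
    """Can any initial TTL a sender chooses pass the TTL security check from this distance?

    Because a sender can only lower the arrival TTL (routers decrement it, and
    it cannot start above 255), the answer depends solely on the distance.
    """
    return any(
        gtsm_accepts(arriving_ttl(ttl, routers_between), hops)
        for ttl in range(MAX_TTL + 1)
    )


def compare(routers_between: int, hops: int = 1, ebgp_multihop: int = 1) -> dict:
    """Outcome of both checks for a sender at the given distance.

    For the legacy check the sender picks the initial TTL that arrives exactly
    at the configured value; for TTL security it sends the maximum, 255.
    """
    legacy_initial = ebgp_multihop + routers_between
    legacy_ttl = arriving_ttl(legacy_initial, routers_between) if legacy_initial <= MAX_TTL else None
    return {
        "routers_between": routers_between,
        "legacy_accepted": legacy_accepts(legacy_ttl, ebgp_multihop),
        "ttl_security_accepted": gtsm_accepts(arriving_ttl(MAX_TTL, routers_between), hops),
    }


if __name__ == "__main__":
    # Constructed scenarios: a directly connected peer and a sender ten routers away.
    for distance in (0, 10):
        print(compare(distance))
```

Running the block shows the directly connected peer accepted by both checks, while the distant sender passes the legacy check (its packets can be made to arrive with TTL 1) but never the TTL security check, because nothing it sends can arrive with a TTL above 245 when the router expects at least 254.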

behzad80045985 (Silver)
7 years 4 months ago
Have you used this feature?

That is quite interesting. Thanks for sharing. It's new for me.

Pema Wangdi (Diamond)
7 years 4 months ago
Good wish admin should consider it .......
sumon_ahsan (Diamond)
7 years 4 months ago
very nice idea...