From: Hash Aminu (hashng@gmail.com)
Date: Sun Mar 02 2008 - 14:30:08 ARST
Hi Todd,
IMHO you are comparing two features that are not doing the same thing. The
multi hop feature is to modify the default E-BGP peering behavior of ttl=1
to a number higher.
The ttl security is to tell the peering session that it should only accept
routes that are "equal to or greater than" the configured value.
For peering to an AS more than one hop (directly connected) away you will
have to use the multi hop feature; while on the other hand an established
session can be secured with the ttl security feature.
The requirements for ttl security are:
BGP must be configured in your network and eBGP peering sessions must be
established. <--- Either you use the multi-hop or not, depending on your
peering setup.
This feature needs to be configured on each participating router. It
protects the eBGP peering session in the incoming direction only and has no
effect on outgoing IP packets or the remote router. <- Therefore you will
not use the trace route from the originating router to test it.
HTH
Hash
On Sun, Mar 2, 2008 at 1:34 PM, Todd, Douglas M. <DTODD@partners.org> wrote:
> Hey All:
>
> (PS: My last name is Todd, First name is Douglas)
>
> I have used the ttl-security feature in place of the ebgp-multihop. My routes
> are inaccessible, regardless of the hop count used.
>
> Process:
>
> 1) I do a trace from source to destination
> 2) 4 hops are seen
> 3) add 1 hop to the 4
> 4) I have 5 hops now.
>
> nei a.b.c.d ttl-security hop 4
>
> I have tried 5 hops, 6 hops, 7 hops. The neighbor comes up, routes are
> inaccessible. If I use multihop, routes are fine.
>
> Some ideas?
>
> Thanks.
>
> Douglas
-- Hash!!! CCIE#16818
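
The inbound TTL check discussed in this thread can be modelled in a few lines. This is an added example, not part of either message and not vendor code: it assumes the RFC 5082 (GTSM) convention that a peer using TTL security sends with TTL 255, assumes the receiver's threshold is 255 minus the configured hop count, and uses a constructed path of three intermediate routers with hypothetical helper names.

```python
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255  # RFC 5082: a GTSM sender puts TTL 255 on its packets (assumed here)

@dataclass
class Peer:
    send_ttl: int                            # TTL set on outgoing BGP packets
    ttl_security_hops: Optional[int] = None  # None: no inbound TTL check

def ttl_security(hops):   # hypothetical helper: peer with the TTL check enabled
    return Peer(MAX_TTL, hops)

def ebgp_multihop(ttl):   # hypothetical helper: peer that only raises its send TTL
    return Peer(ttl)

def arriving_ttl(send_ttl, routers_between):
    """TTL seen by the receiver, or None if the packet expired on the way."""
    ttl = send_ttl
    for _ in range(routers_between):
        ttl -= 1              # every forwarding router decrements the TTL
        if ttl <= 0:
            return None       # dropped in transit
    return ttl

def inbound_accepts(receiver, ttl):
    """Receive-side decision: the check applies to incoming packets only."""
    if ttl is None:
        return False
    if receiver.ttl_security_hops is None:
        return True           # no TTL check configured on this side
    return ttl >= MAX_TTL - receiver.ttl_security_hops

def session_ok(a, b, routers_between):
    """BGP runs over TCP, so both directions must pass the receiver's check."""
    return (inbound_accepts(b, arriving_ttl(a.send_ttl, routers_between))
            and inbound_accepts(a, arriving_ttl(b.send_ttl, routers_between)))

if __name__ == "__main__":
    R = 3  # constructed topology: three routers between the two peers
    cases = {
        "ttl-security hops 4 on both sides": (ttl_security(4), ttl_security(4)),
        "ttl-security hops 2 on both sides": (ttl_security(2), ttl_security(2)),
        "ttl-security one side, multihop 5 on the other": (ttl_security(4), ebgp_multihop(5)),
        "multihop 5 on both sides": (ebgp_multihop(5), ebgp_multihop(5)),
    }
    for label, (a, b) in cases.items():
        print(f"{label}: {'passes' if session_ok(a, b, R) else 'fails'}")
```

The mixed case fails in this model because the multihop peer's packets arrive with a TTL far below the threshold, which is the reason for configuring the feature on each participating router.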