Re: BGP ttl-security

From: dara tomar (wish2ie@gmail.com)
Date: Sun Mar 02 2008 - 18:23:20 ARST


Gary,

AFAIK RFC 3682 describes the GTSM feature required to make a secure BGP
deployment from CPU-utilisation based attacks. Not seen in books coverage,
but yes some Cisco slides from Networkers do cover this.

Regards,
Dara
On Mon, Mar 3, 2008 at 1:42 AM, Gary Duncanson <
gary.duncanson@googlemail.com> wrote:

> Other than CCO is this feature covered in any of the books on the
> recommended reading list?
>
> Thanks
> Gary
> ----- Original Message -----
> From: "Todd, Douglas M." <DTODD@PARTNERS.ORG>
> To: "Hash Aminu" <hashng@gmail.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Sunday, March 02, 2008 7:58 PM
> Subject: RE: BGP ttl-security
>
>
> > Hash:
> >
> > I think you hit it on the head. I need to do a little more reading on this
> > feature... I was believing that I could use the ttl-security feature in
> > place of disable-connect-check. ebgp-multihop and disable-connect-check
> > have similar functions (though not the exact same).
> >
> > I will need to work with this to see how this works. I understand the
> > concept, but need to see the action.
> >
> > ttl-security does not work with ebgp-multihop, but should work with
> > disable-connect-check.
> >
> > I'll need to put the config back together and send it out for clarity.
> >
> > Thx.
> >
> > :)
> >
> > ________________________________
> >
> > From: Hash Aminu [mailto:hashng@gmail.com]
> > Sent: Sun 3/2/2008 11:30 AM
> > To: Todd, Douglas M.
> > Cc: ccielab@groupstudy.com
> > Subject: Re: BGP ttl-security
> >
> >
> >
> > Hi Todd,
> >
> > IMHO you are comparing two features that are not doing the same thing. The
> > multi-hop feature is to modify the default E-BGP peering behavior of ttl=1
> > to a higher number.
> > The ttl security is to tell the peering session that it should only accept
> > routes that are "equal to or greater than" the configured value.
> > For peering to an AS more than one hop (directly connected) away you will
> > have to use the multi-hop feature; while on the other hand an established
> > session can be secured with the ttl security feature.
> >
> > The requirements for ttl security are:
> >
> > *BGP must be configured in your network and eBGP peering sessions must be
> > established. <--- Either you use the multi-hop or not depending on your
> > peering setup.
> >
> > *This feature needs to be configured on each participating router. It
> > protects the eBGP peering session in the incoming direction only and has no
> > effect on outgoing IP packets or the remote router. <- Therefore you will
> > not use the trace route from the originating router to test it.
> >
> >
> >
> > HTH
> >
> > Hash
> >
> >
> > On Sun, Mar 2, 2008 at 1:34 PM, Todd, Douglas M. <DTODD@partners.org>
> > wrote:
> >
> >
> > Hey All:
> >
> > (PS: My last name is Todd, First name is Douglas)
> >
> > I have used the ttl-security feature in place of the ebgp-multihop. My
> > routes are inaccessible, regardless of the hop count used.
> >
> > Process:
> >
> > 1) I do a trace from source to destination
> > 2) 4 hops are seen
> > 3) add 1 hop to the 4
> > 4) I have 5 hops now.
> >
> > nei a.b.c.d ttl-security hop 4
> >
> > I have tried 5 hops, 6 hops, 7 hops. The neighbor comes up, routes are
> > inaccessible. If I use multihop, routes are fine.
> >
> > Some ideas?
> >
> > Thanks.
> >
> > Douglas
> >
> >
> >
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> >
> > --
> > Hash!!!
> > CCIE#16818
> >
>
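The thread keeps circling around why ebgp-multihop and ttl-security are not interchangeable, so here is an added behavioural model of the two (example code written for this archive, not IOS code and not posted by anyone in the thread). It follows the rule RFC 3682 / the IOS ttl-security command actually applies: the sender transmits with IP TTL 255, and the receiver hands BGP only packets whose arriving TTL is at least 255 minus the configured hop count; ebgp-multihop N instead raises the outgoing TTL from 1 to N and adds no inbound check at all. The function names (`sender_ttl`, `arriving_ttl`, `receiver_accepts`, `session_works`, `gtsm_filter`), the `Packet` record and the 192.0.2.1 sample packets are all constructed for the example.

```python
"""Behavioural model of eBGP multihop versus GTSM ttl-security.

Added example, not IOS code. Semantics modelled (RFC 3682 / IOS behaviour):
  * default eBGP: packets leave with IP TTL 1, so they only survive to a
    directly connected peer; the receiver applies no TTL check.
  * neighbor X ebgp-multihop N: packets leave with TTL N; still no inbound check.
  * neighbor X ttl-security hops N (GTSM): packets leave with TTL 255 and the
    receiver hands BGP only packets whose arriving TTL is >= 255 - N. The check
    is inbound-only, which is why a traceroute from the sending router cannot
    exercise it.
All addresses and TTL values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: Optional[int]   # TTL on arrival at the receiver; None = expired in transit


def sender_ttl(multihop: Optional[int] = None, gtsm_hops: Optional[int] = None) -> int:
    """TTL the local router writes into outgoing eBGP packets for this neighbor."""
    if gtsm_hops is not None:      # GTSM always sends with the maximum TTL
        return MAX_TTL
    if multihop is not None:       # ebgp-multihop N sends with TTL N
        return multihop
    return 1                       # plain eBGP default


def arriving_ttl(initial_ttl: int, router_hops: int) -> Optional[int]:
    """TTL after crossing `router_hops` forwarding routers (each decrements by one).

    A router that would decrement the TTL to 0 discards the packet instead, so
    the packet reaches the peer only if initial_ttl - router_hops >= 1.
    """
    remaining = initial_ttl - router_hops
    return remaining if remaining >= 1 else None


def receiver_accepts(ttl: Optional[int], gtsm_hops: Optional[int] = None) -> bool:
    """Inbound check on the receiving router; the only direction GTSM protects."""
    if ttl is None:
        return False               # never arrived
    if gtsm_hops is None:
        return True                # no GTSM: anything that arrives is accepted
    return ttl >= MAX_TTL - gtsm_hops


def session_works(router_hops: int, *, sender_multihop=None, sender_gtsm=None,
                  receiver_gtsm=None) -> bool:
    """Does one direction of the peering survive with these two configurations?

    router_hops is the number of forwarding routers between the peers
    (0 = directly connected). Sender and receiver are configured independently
    so that mismatches (one side on ebgp-multihop, the other on ttl-security)
    can be shown; the thread notes GTSM must be enabled on each router.
    """
    ttl_on_wire = sender_ttl(sender_multihop, sender_gtsm)
    return receiver_accepts(arriving_ttl(ttl_on_wire, router_hops), receiver_gtsm)


def gtsm_filter(packets: List[Packet], gtsm_hops: int) -> List[Packet]:
    """Apply the receiver's GTSM check to arriving packets; return those handed to BGP."""
    return [p for p in packets if receiver_accepts(p.ttl, gtsm_hops)]


# Constructed sample: the genuine peer is 3 routers away and sends TTL 255
# (arrives at 252); a forged packet carrying the same source address but
# originated 7 routers away arrives at 248; a third packet comes from a peer
# still sending with the TTL-1 default.
SAMPLE_PACKETS = [
    Packet("192.0.2.1", 252),
    Packet("192.0.2.1", 248),
    Packet("192.0.2.1", 1),
]

if __name__ == "__main__":
    print("directly connected, defaults:        ", session_works(0))
    print("3 routers away, defaults:            ", session_works(3))
    print("3 routers away, multihop 4:          ", session_works(3, sender_multihop=4))
    print("3 routers away, ttl-security 3 both: ", session_works(3, sender_gtsm=3, receiver_gtsm=3))
    print("sender multihop 4, receiver gtsm 3:  ", session_works(3, sender_multihop=4, receiver_gtsm=3))
    print("packets passed by GTSM hops 3:       ", gtsm_filter(SAMPLE_PACKETS, 3))
```

The mismatch case is the one worth checking in a lab: a sender still on ebgp-multihop 4 puts TTL 4 on the wire, which arrives at 1 and fails the receiver's 255 - 3 = 252 threshold, so the session never forms until both sides run ttl-security. Likewise a hop count set one too low (4 routers away with hops 3) fails silently on the inbound side only, which is consistent with the thread's point that a traceroute from the originating router proves nothing about the check.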



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:52 ART