RE: EBGP and multihops from Jack Router on 2010-08-21 (Ccielab archives 08/2010)

From: Jack Router <pan.router_at_gmail.com>
Date: Sat, 21 Aug 2010 00:31:28 -0400

I have tested ebgp neghbors with ttl-security on both ends and it works.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
karim jamali
Sent: 20-Aug-10 17:27
To: Grammer, Christopher; Cisco certification
Subject: Re: EBGP and multihops

Dear Chris,

Thanks for the valuable information:)..However it may seem strange that in
DOC cd it says that the TTL security feature doesn't affect outgoing
packets. As per your packet capture it shows that in deed it plays the role
of ebgp multihop by setting the outbound packet TTL to 255 and plays an
inbound security role for checking the TTL of the packet against that is
configured.

Thus if we only use ttl-security check on both routers, the peering should
work.

Best Regards,

On Sat, Aug 21, 2010 at 12:09 AM, Grammer, Christopher <
cgrammer_at_essilorusa.com> wrote:

> It i just a TTL-security "trick."
>
> When you configure TTL-Security you tell the router to do 2 things:
>
> 1) Set the outbound BGP packets with a TTL of 255
> 2) Only except packets with a TTL greater than 253
>
> Here is an abbreviated packet capture between R1 and R2 using the loopback
> addresses for eBGP peering.
> The neighbor TTL security is set to hops 2.
>
> *************************
> Internet Protocol, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)
> Time to live: 255
> Protocol: TCP (0x06)
> Source port: bgp (179)
> *************************
>
> If I remove the TTL-Security and use "disable-connected-check" on both
> routers...still using loopbacks as peer:
> If you use disable-connected-check, you tell the router 2 things:
>
> 1) Leave the TTL 1
> 2) If i receive a BGP packet with a TTL of anything including 0, accept
the
> packet
>
> *************************
> Internet Protocol, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)
> Time to live: 1
> Protocol: TCP (0x06)
> Source port: bgp (179)
> *************************
>
>
> Chris
>
>
>
>
>
> On Fri, Aug 20, 2010 at 2:33 PM, karim jamali
<karim.jamali_at_gmail.com>wrote:
>
>> Hi Jack,
>>
>> Honestly I am not sure..Can you test with both ttl-security without any
>> ebgp
>> multihop,since your case might be the on one side you configured EBGP
>> multhop that's why one router can reach the other, the other is accepting
>> its packet after checking the TTL of incoming packet with configure ttl.
I
>> believe with both sides only configured with ttl-security it won't work,
>> due
>> to if doc is correct "that the feature doesn't affect outgoing packets"
>>
>> Best Regards,
>>
>> On Fri, Aug 20, 2010 at 9:48 PM, Jack Router <pan.router_at_gmail.com>
>> wrote:
>>
>> > Karim,
>> >
>> > I am always confused when documentation says that something "should" be
>> > configured. In this case it certainly "does not have to" be configured
>> on
>> > every router in order for EBGP routers to establish neighborships.
>> > Ttl-security on one and + ebgp-multihop on another will work. I just
>> labbed
>> > this:
>> >
>> > #################################
>> > ROUTER 1:
>> >
>> > R1#sh run | s router bgp
>> > router bgp 100
>> > no synchronization
>> > bgp log-neighbor-changes
>> > neighbor 2.2.2.2 remote-as 200
>> > neighbor 2.2.2.2 ttl-security hops 2 <<<<<<<<<<<<<
>> > neighbor 2.2.2.2 update-source Loopback0
>> > no auto-summary
>> >
>> > R1#sh ip bgp summary
>> > BGP router identifier 1.1.1.1, local AS number 100
>> > BGP table version is 1, main routing table version 1
>> >
>> > Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down
>> > State/PfxRcd
>> > 2.2.2.2 4 200 44 45 1 0 0 00:13:21
>> > 0
>> >
>> > #################################
>> > ROUTER 2:
>> >
>> > R2#sh run | s router bgp
>> > router bgp 200
>> > no synchronization
>> > bgp log-neighbor-changes
>> > neighbor 1.1.1.1 remote-as 100
>> > neighbor 1.1.1.1 ebgp-multihop 255 <<<<<<<<<<<<<<<<<
>> > neighbor 1.1.1.1 update-source Loopback0
>> > no auto-summary
>> >
>> > R2#sh ip bgp summ
>> > R2#sh ip bgp summary
>> > BGP router identifier 2.2.2.2, local AS number 200
>> > BGP table version is 1, main routing table version 1
>> >
>> > Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down
>> > State/PfxRcd
>> > 1.1.1.1 4 100 44 45 1 0 0 00:13:59
>> > 0
>> >
>> > #################################
>> >
>> > I will continue testing tonight :)
>> >
>> > -----Original Message-----
>> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> > karim jamali
>> > Sent: 20-Aug-10 13:01
>> > To: Carlos G Mendioroz; Cisco certification
>> > Subject: Re: EBGP and multihops
>> >
>> > Hello,
>> >
>> > I am not sure regarding method 2, would appreciate it if someone can
>> > correct
>> > me.
>> >
>> > However as per Cisco Doc in the reference below:
>> >
>> > BGP ttll-security hops
>> > This feature should be configured on each participating router. It
>> secures
>> > the BGP session in the incoming direction only and has no effect on
>> > outgoing
>> > IP packets or the remote router.
>> >
>> > This shows that this feature is only meant to protect against forged IP
>> > addresses, and works by comparing the TTL of an incoming packet against
>> a
>> > configured TTL,
>> >
>> >
>> >
>>
http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_n1g
>> > t.html#wp1100096<
>>
http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_n1g
%0At.html#wp1100096
>> >
>>
>> >
>> > Method 2:
>> > Router bgp 100
>> > neighbor 2.2.2.2 update-source Loopback0
>> > neighbor 2.2.2.2 ttl-security hops (+ mandatory hop count)
>> >
>> > HTH,
>> >
>> > Regards,
>> >
>> > On Fri, Aug 20, 2010 at 7:30 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar
>> > >wrote:
>> >
>> > > Jack, inside comments:
>> > >
>> > > Jack Router @ 20/8/2010 1:24 -0300 dixit:
>> > >
>> > > Hello,
>> > >>
>> > >> After labing a bit with EBGP neighbors using loopback interfaces I
>> have
>> > >> some
>> > >> observations. Perhaps someone can clarify if I am correct:
>> > >>
>> > >> R1-------------------R2
>> > >> AS 100 AS 200 L0: 1.1.1.1 L0: 2.2.2.2
>> > >>
>> > >> The task is to establish neighborships between R1 and R2 using L0
>> > >> interfaces.
>> > >>
>> > >> I think that three methods are possible.
>> > >> Following examples show R1 configurations, R2 has reverse
>> configuration:
>> > >> Method 1:
>> > >> Router bgp 100
>> > >> neighbor 2.2.2.2 update-source Loopback0
>> > >> neighbor 2.2.2.2 ebgp-multihop (+ optional hop count, default is
>> 255)
>> > >>
>> > >
>> > > Old way, send with ttl greater than 1.
>> > >
>> > >
>> > >
>> > >> Method 2:
>> > >> Router bgp 100
>> > >> neighbor 2.2.2.2 update-source Loopback0
>> > >> neighbor 2.2.2.2 ttl-security hops (+ mandatory hop count)
>> > >>
>> > >
>> > > New security mode, to discard attacks that come from far away,
>> > > if the TTL is not enough.
>> > > The difference lies in the added security against DOS attacks,
>> > > because it will not reach the BGP code.
>> > >
>> > >
>> > >
>> > >> Method 3:
>> > >> Router bgp 100
>> > >> neighbor 2.2.2.2 update-source Loopback0
>> > >> neighbor 2.2.2.2 disable connected check
>> > >>
>> > >
>> > > Easy hack, implied by 1 or 2, just for 1 hop but originated by
>> > > a different interface than the connected one.
>> > >
>> > >
>> > >
>> > >> My understanding is that all methods will play with TTL of packets
>> sent
>> > >> from
>> > >> one neighbor to another thus allowing packets to reach defined
>> neighbor.
>> > >> In
>> > >> that sense method 1 and 2 are identical as TTL can be defined.
>> > >> Method 3 is a bit different as it will set TTL to 255 and there is
no
>> > way
>> > >> to
>> > >> change it.
>> > >>
>> > >> Am I right ?
>> > >>
>> > > I would expect that method 3 does not mess with TTL at all.
>> > > But have not tested it, would you ?
>> > > -Carlos
>> > >
>> > >
>> > >
>> > >> Thanks,
>> > >>
>> > >>
>> > >> Blogs and organic groups at http://www.ccie.net
>> > >>
>> > >>
>> _______________________________________________________________________
>> > >> Subscription information may be found at:
>> > >> http://www.groupstudy.com/list/CCIELab.html
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > > --
>> > > Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>> > >
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > >
>> _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>> >
>> > --
>> > KJ
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>>
>>
>> --
>> KJ
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>

-- 
KJ
Blogs and organic groups at http://www.ccie.net

Received on Sat Aug 21 2010 - 00:31:28 ART

This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 11:20:52 ART