Generalized TTL Security Mechanism
Written by Paul Stewart   
Tuesday, 30 March 2010
 

Recently a very extensive list was published as the CCIE Security Lab Exam v3.0 Checklist. It can be seen over on the Cisco Learning Network, but requires a logon first. There are a few things in this document that piqued my interest. The thing that leads me to write this short blog post in the midst of my last week of studies is item “6.17 - The Generalized TTL Security Mechanism known as ‘BGP TTL Security Hack’ (BTSH)”. What is this? What does it mean? I’ve done about half an hour of research and would like to post what I found.

 

Generalized TTL Security Mechanism is defined on Wikipedia as, in essence, a method for not passing traffic to the route processor if the TTL is an unexpected value. In the context of BGP, we know that our peers should typically be very close, if not directly connected. This means that we should expect a predictable TTL: the peer’s default TTL value, minus one for each intermediary hop. So we can use this to protect our route processor in the following way.

 

 

ip access-list extended BADBGP
 remark BGP packets (to or from TCP 179) that arrive with a TTL below 254
 permit tcp any any eq bgp ttl lt 254
 permit tcp any eq bgp any ttl lt 254
!
class-map BADBGP
 match access-group name BADBGP
!
policy-map CPINPUT
 class BADBGP
  drop
 class class-default
!
control-plane
 service-policy input CPINPUT
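To make the threshold logic concrete, here is an added Python model (not from the original post and not Cisco code) of how a packet's TTL decays per forwarding hop and how the BADBGP/CPINPUT policy above would classify it on arrival; the Packet type, the ephemeral source port and the sender distances are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

BGP_PORT = 179
MAX_TTL = 255          # highest TTL any sender, legitimate or not, can set


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    ttl: int           # TTL as seen when the packet reaches our router


def arrival_ttl(initial_ttl: int, routers_between: int) -> Optional[int]:
    """TTL carried on arrival after crossing `routers_between` forwarding routers.
    Each forwarding router decrements by one; None means it expired in transit."""
    ttl = initial_ttl
    for _ in range(routers_between):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def gtsm_accept(received_ttl: int, hops: int) -> bool:
    """GTSM rule: accept only if the received TTL is at least 255 minus the
    number of hops the peer is expected to be away."""
    return received_ttl >= MAX_TTL - hops


def badbgp_matches(pkt: Packet, min_ttl: int = 254) -> bool:
    """Mirror of the BADBGP ACL: TCP to or from port 179 with TTL below min_ttl."""
    if pkt.proto != "tcp":
        return False
    is_bgp = pkt.dst_port == BGP_PORT or pkt.src_port == BGP_PORT
    return is_bgp and pkt.ttl < min_ttl


def copp_action(pkt: Packet, min_ttl: int = 254) -> str:
    """CPINPUT policy: class BADBGP drops, class-default lets the rest through."""
    return "drop" if badbgp_matches(pkt, min_ttl) else "permit"


def action_for_sender(initial_ttl: int, routers_between: int, min_ttl: int = 254) -> str:
    """What the policy does to a BGP packet sent with `initial_ttl` from a host
    `routers_between` forwarding routers away (constructed source port 40000)."""
    ttl = arrival_ttl(initial_ttl, routers_between)
    if ttl is None:
        return "expired"
    return copp_action(Packet("tcp", 40000, BGP_PORT, ttl), min_ttl)
```

Note that a peer sending the IOS eBGP default TTL of 1 is dropped by this policy even when directly connected, so the peers must actually be originating BGP with TTL 255 (as they do under per-neighbor ttl-security) for the filter to pass legitimate sessions.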

 

I tested this by raising the 254 to a 255 and clearing my BGP relationships. There are some TTL protection mechanisms in BGP as well, but the intent of this (at least in my estimation) is to protect the route processor. I think this will work, but would be interested in everyone else's comments. I'm really curious if this really adds any protection to the CPU beyond the protection offered by the default eBGP configuration that only allows the peer to be x hops away, where x is defined in the "neighbor y.y.y.y ebgp-multihop x" command.

 

References:

ACL Support for Filtering on TTL Value

Generalized TTL Security Mechanism (GTSM)

The BGP TTL Security Hack (BTSH)

Users' Comments (2)
Posted by Dan K, on 07-04-2010 21:39,
You might want to check out the BGP command "neighbor x.x.x.x ttl-security hops n" which will provide this security on a per-neighbor basis.
Posted by Paul Stewart, on 09-04-2010 00:19,
I agree. I do think the default eBGP configuration is a form of GTSM protection. I do believe matching the TTL at the control plane can drop the packets sooner and add a level of processor protection.