Generalized TTL Security Mechanism

Recently a very extensive list was published as the CCIE Security Lab Exam v3.0 Checklist.  It can be seen over on the Cisco Learning Network, but requires a logon first.  There are a few things that piqued my interest in this document.  The thing that leads me to write this short blog post in the midst of my last week of studies is item “6.17-The Generalized TTL Security Mechanism known as ‘BGP TTL Security Hack’ (BTSH)”.  What is this? What does it mean?  I’ve done about half an hour of research and would like to post what I found.

Generalized TTL Security Mechanism (GTSM, defined in RFC 5082) is described on Wikipedia as basically a method for not passing traffic to the route processor if the TTL is an unexpected value.  The property it relies on is simple: routers only ever decrement the TTL, so nobody on the path can increase it, and a packet sourced far away cannot arrive looking like it came from next door.  When we think about this in the context of BGP, we know that our peers should be very close (typically), if not directly connected.  A peer that sends its BGP packets with the maximum TTL of 255 will therefore arrive with a predictable TTL (255 minus the number of intermediary hops), and anything arriving with a lower TTL was sourced further away than any legitimate peer.  So we can use this to protect our route processor in the following way.

! BGP traffic (either direction) arriving with a TTL below 254.
! "permit" here means "match": the class below drops what this ACL selects.
! This assumes the peer sends BGP with TTL 255 and sits at most one hop away;
! a directly connected peer should arrive with exactly 255, so a strict
! GTSM check for that case would use "ttl lt 255".
ip access-list extended BADBGP
permit tcp any any eq bgp ttl lt 254
permit tcp any eq bgp any ttl lt 254

! Classify the low-TTL BGP packets
class-map BADBGP
match access-group name BADBGP

! Drop that class; everything else is handled normally
policy-map CPINPUT
class BADBGP
drop
class class-default

! Apply the policy to traffic punted to the route processor (CoPP)
control-plane
service-policy input CPINPUT
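
Added example (not from the original post): a small Python model of the TTL arithmetic behind GTSM and of the BADBGP filter above. It implements the receiver check from RFC 5082 (accept only if the received TTL is at least 255 minus the expected hop count), shows how a packet loses one TTL per router it crosses so a distant attacker cannot impersonate a nearby peer, and checks that the `ttl lt 254` ACL is equivalent to a GTSM check that tolerates one hop. The scenarios, hop counts and function names are constructed for illustration; the last scenario assumes a peer that sends BGP with TTL 1, which is what an eBGP session without any TTL security or multihop configuration does, and shows that such a session would be dropped by this policy.

```python
"""Model of the GTSM receiver check (RFC 5082) and of the BADBGP CoPP filter.

Constructed example: it models only the TTL arithmetic, not a BGP stack.
"""

MAX_TTL = 255


def arriving_ttl(sent_ttl: int, hops: int) -> int:
    """TTL the receiver sees after the packet crosses `hops` routers.

    Each forwarding router decrements the TTL by one and discards the
    packet when it reaches 0; an undelivered packet is modelled as -1.
    Nothing on the path can raise the TTL, which is what GTSM relies on.
    """
    if not 0 <= sent_ttl <= MAX_TTL or hops < 0:
        raise ValueError("TTL must be 0..255 and hops must be non-negative")
    remaining = sent_ttl - hops
    return remaining if remaining > 0 else -1


def gtsm_accept(received_ttl: int, expected_hops: int) -> bool:
    """RFC 5082 check: accept only if TTL >= 255 - expected_hops.

    A directly connected peer has expected_hops == 0, so only TTL 255
    passes; every router in between would have reduced it.
    """
    return received_ttl >= MAX_TTL - expected_hops


def copp_drops(received_ttl: int) -> bool:
    """The BADBGP ACL from the post: `ttl lt 254` is matched and dropped."""
    return received_ttl < 254


def copp_matches_gtsm(expected_hops: int) -> bool:
    """True if the post's ACL drops exactly what GTSM would reject for
    the given hop tolerance, over every possible received TTL."""
    return all(copp_drops(t) == (not gtsm_accept(t, expected_hops))
               for t in range(MAX_TTL + 1))


# Constructed scenarios: (label, sender's initial TTL, routers in between)
SCENARIOS = [
    ("directly connected peer sending TTL 255", 255, 0),
    ("peer one hop away sending TTL 255", 255, 1),
    ("attacker 5 hops away spoofing the peer with TTL 255", 255, 5),
    ("attacker 5 hops away with a default host TTL of 64", 64, 5),
    ("directly connected peer sending plain eBGP TTL 1", 1, 0),
]


def evaluate(scenarios=SCENARIOS, expected_hops: int = 1) -> dict:
    """Run every scenario through the GTSM check and the CoPP filter.

    expected_hops=1 matches the ACL threshold of 254 used in the post.
    """
    results = {}
    for label, sent, hops in scenarios:
        ttl = arriving_ttl(sent, hops)
        delivered = ttl > 0
        results[label] = {
            "arriving_ttl": ttl,
            "delivered": delivered,
            "gtsm_accept": delivered and gtsm_accept(ttl, expected_hops),
            "copp_drop": delivered and copp_drops(ttl),
        }
    return results


if __name__ == "__main__":
    for label, r in evaluate().items():
        print(f"{label}: TTL {r['arriving_ttl']}, "
              f"GTSM accept={r['gtsm_accept']}, CoPP drop={r['copp_drop']}")
    print("ACL 'ttl lt 254' == GTSM with 1 hop tolerance:", copp_matches_gtsm(1))
    print("ACL 'ttl lt 254' == GTSM for a directly connected peer:",
          copp_matches_gtsm(0))
```

The last two checks make the practical point: `ttl lt 254` is GTSM with one hop of slack, and a directly connected peer would be checked strictly only with `ttl lt 255`. Either way, a spoofed packet from five hops out can never arrive with a TTL above 250, so no setting of its initial TTL gets it past the filter.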

I tested this by raising the 254 to a 255 and clearing my BGP relationships.  There are some TTL protection mechanisms in BGP as well, but the intent of this (at least in my estimation) is to protect the route processor.  I think this will work, but would be interested in everyone else’s comments.  I’m really curious if this really adds any protection to the CPU beyond the protection offered by the default eBGP configuration that only allows the peer to be x hops away, where x is defined in the “neighbor y.y.y.y ebgp-multihop x” command.

References:

ACL Support for Filtering on TTL Value

Generalized TTL Security Mechanism (GTSM)

The BGP TTL Security Hack (BTSH)

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.