Recently a very extensive list was published as the CCIE Security Lab Exam v3.0 Checklist. It can be seen over on Cisco Learning network, but requires a logon first. There are a few things that piqued my interest in this document. The thing that leads me to write this short blog post in the midst of my last week of studies is item “6.17-The Generalized TTL Security Mechanism known as ‘BGP TTL Security Hack’ (BTSH)”. What is this? What does it mean? I’ve done about a half an hour or so of research and would like to post what I found.
Generalized TTL Security Mechanism is defined on Wikipedia as basically a method for not passing traffic to the route process if the TTL is an unexpected value. When we think about this in the context of BGP, we know that our peers should be very close (typically), if not directly connected. This means that we should expect a predictable TTL based on what the peer’s default TTL value happens to be (minus any intermediary hops). So we can use this to protect our route processor in the following way.
ip access-list extended BADBGP
permit tcp any any eq bgp ttl lt 254
permit tcp any eq bgp any ttl lt 254
match access-group name BADBGP
service-policy input CPINPUT
I tested this by raising the 254 to a 255 and clearing my BGP relationships. There are some ttl protection mechanisms in BGP as well, but the intent of this (at least in my estimation) is to protect the route processor. I think this will work, but would be interested in everyone else’s comments. I’m really curious if this really adds any protection to the CPU beyond the protecton offered by the default eBGP configuration that only allows the peer to be x hops away where x is defined in the “neighbor y.y.y.y ebgp-multihop x” command.