7.59 BGP TTL Security
• Configure R3 to accept TCP packets from eBGP peers only if they are no more than one hop away.
---------------------------------------------
The General TTL Security Mechanism (GTSM), defined in RFC 3682, specifies a
protection method against BGP session hijacking and resource exhaustion
attacks. Generally, the BGP process listens on TCP port 179 and accepts all
TCP SYN packets destined to this port unless they are filtered by an ACL. It is
possible to generate a barrage of spoofed packets imitating a valid BGP session
and inject false information (if the session is unauthenticated) or mount a TCP
SYN-flooding attack.
GTSM utilizes the simple fact that every router on the path to the BGP speaker
decrements the TTL field in IP packets by one. Based on this, it is possible to
identify potentially spoofed packets by looking at their TTL field: packets
sent from "afar" will have a TTL field below some threshold. It is possible to
define a "secure radius" as a number of hops within which incoming IP packets
are accepted. For example, if all BGP peers are within 10 hops of the local
BGP speaker, then all incoming IP packets will have their TTL field set to no
less than 245. This is because all IP packets start with TTL=255 and the field is
decremented by every hop on the path. Thus, by accepting only IP packets with
TTL greater than or equal to 245 it is possible to minimize the risk of spoofed
packets reaching the BGP process. Notice that the usefulness of the GTSM feature
decreases as the diameter of the eBGP multihop session grows.
In order to configure the TTL security check for a BGP peer, use the command
neighbor <IP> ttl-security hops <hop-count>. This command
applies to eBGP peering sessions only (either directly connected or multihop)
and specifies the number of hops the remote peer may be away from the local
speaker. Keep in mind that internal BGP sessions are not protected, and
therefore the internal network is assumed to be "trusted". All incoming TCP
packets targeted at the BGP port with an IP TTL value below (255 - <hop-count>)
are silently discarded by the router. In addition, the feature sets the TTL value of
outgoing TCP/IP packets to 255-<hop-count> to make sure the remote peer will
accept the local packets. The GTSM feature is mutually exclusive with the ebgp-multihop BGP feature. This is because the eBGP session by default sets
TTL=1 in the outgoing IP packets, and with the multihop <n> session
parameter the TTL value is set to <n>, which is not compatible with GTSM.
Therefore, make sure you configure the GTSM feature on both sides of the peering link.
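The threshold rule described above, modelled as a small filter in Python (an added example, not from the workbook or from IOS): it computes the minimum acceptable TTL for each configured hop count, then runs R3's two eBGP peers from this task over a constructed set of incoming packets. The Packet class, the sample TTL values and the non-BGP SSH packet are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

BGP_PORT = 179   # BGP listens on TCP/179
MAX_TTL = 255    # a GTSM-enabled peer originates its packets with TTL=255

@dataclass(frozen=True)
class Packet:
    src: str       # source IP of the incoming TCP segment (constructed)
    dst_port: int  # destination TCP port
    ttl: int       # IP TTL as seen when the packet arrives at the router

def min_incoming_ttl(hops: int) -> int:
    """Lowest TTL accepted from a peer configured with 'ttl-security hops <hops>'."""
    if not 1 <= hops <= 254:
        raise ValueError("hop-count must be between 1 and 254")
    return MAX_TTL - hops

def gtsm_accepts(pkt: Packet, peers: Dict[str, int]) -> bool:
    """GTSM check for one packet. Only TCP/179 traffic from a peer that has
    ttl-security configured is subject to the threshold; anything else is
    outside the scope of this check and is passed through unchanged."""
    if pkt.dst_port != BGP_PORT or pkt.src not in peers:
        return True
    return pkt.ttl >= min_incoming_ttl(peers[pkt.src])

def filter_packets(packets: Iterable[Packet],
                   peers: Dict[str, int]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (accepted, silently_discarded) according to GTSM."""
    accepted, discarded = [], []
    for pkt in packets:
        (accepted if gtsm_accepts(pkt, peers) else discarded).append(pkt)
    return accepted, discarded

# R3's eBGP peers from the task: both are configured with ttl-security hops 1.
R3_PEERS = {"155.1.13.1": 1, "155.1.37.7": 1}

# Constructed sample traffic (not a capture): TTLs as they would arrive at R3.
SAMPLE_PACKETS = [
    Packet("155.1.13.1", BGP_PORT, 254),  # genuine R1, one hop away
    Packet("155.1.13.1", BGP_PORT, 253),  # R1's address, but two hops away
    Packet("155.1.37.7", BGP_PORT, 255),  # directly connected SW1, TTL still 255
    Packet("155.1.37.7", BGP_PORT, 250),  # SW1's address, but five hops away
    Packet("10.0.0.9", 22, 64),           # SSH, not subject to the BGP check
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS, R3_PEERS)
    for p in ok:
        print("accept ", p)
    for p in dropped:
        print("discard", p)
```

Raising the hop count for a peer widens the accepted TTL window by the same amount, which is the loss of protection the text notes for large multihop diameters.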
---------------------------------------------
R1:
router bgp 100
neighbor 155.1.13.3 ttl-security hops 1
R3:
router bgp 200
neighbor 155.1.13.1 ttl-security hops 1
neighbor 155.1.37.7 ttl-security hops 1
SW1:
router bgp 300
neighbor 155.1.37.3 ttl-security hops 1
---------------------------------------------
Rack1R3#show ip bgp neighbors 155.1.13.1 | include hop|TTL
External BGP neighbor may be up to 1 hop away.
Connection is ECN Disabled, Mininum incoming TTL 254, Outgoing TTL 255
Rack1R3#
Rack1R3#
Rack1R3#show ip bgp neighbors 155.1.37.7 | include hop|TTL
External BGP neighbor may be up to 1 hop away.
Connection is ECN Disabled, Mininum incoming TTL 254, Outgoing TTL 255
Rack1R3#