BGP Support for TTL Security Check
The BGP support for TTL Security Check is a mechanism that protects eBGP peering sessions from attacks that use forged IP packets, such as attempts by a remote host to hijack an eBGP session. It protects eBGP peering sessions only and is not supported for iBGP peers.
The feature protects an eBGP session by comparing the TTL of each received IP packet against a hop count configured locally for that neighbor. If the TTL of the received packet is equal to or greater than the minimum derived from the configured hop count, the packet is accepted and processed normally. If the TTL is less than that minimum, the packet is silently discarded and no ICMP notification is sent. The check works because every router that forwards a packet decrements its TTL by one and nothing on the path can increase it, so a sender that is further away than the configured hop count cannot make its packets arrive with an acceptable TTL, whatever initial TTL it chooses.
The feature is configured with the neighbor <ip-address> ttl-security hops <count> BGP configuration command. The hop count ranges from 1 to 254 and should be set to the actual number of hops separating the two peers. The router derives the minimum acceptable TTL from the configured hop count as TTL = 255 - (hop count). Once enabled, BGP establishes or maintains the eBGP session only if packets from that neighbor arrive with a TTL equal to or greater than that minimum.
The check is applied only to packets received from the eBGP neighbor; it does not filter outgoing packets, which the router sends to the neighbor with a TTL of 255 (as the show output later in this page confirms).
NOTE: When TTL security is enabled for a neighbor, the neighbor ebgp-multihop command is not required; the two commands are mutually exclusive and cannot be configured for the same neighbor at the same time.
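The following Python model walks through the check described above. It is an added example, not code from this page or from any vendor implementation: it applies the rule minimum TTL = 255 - hops to packets from a few sources at different distances and shows which ones a router configured with hops 2 would accept. The source labels and their distances (number of forwarding routers) are constructed for illustration; every source is assumed to send with TTL 255, the best a spoofing attacker can do.

```python
"""TTL security (GTSM-style) check for an eBGP peer, worked through in Python.

Added example, not code from the page or from Cisco.  It models the accept/
discard decision a receiving router makes (min_ttl = 255 - hops) and then
simulates where forged packets land.  The distances in R1_VIEW are constructed.
"""
from typing import Dict

MAX_TTL = 255   # TTL a TTL-security speaker puts on its own packets
MAX_HOPS = 254  # valid range of 'neighbor ... ttl-security hops <count>'


def min_incoming_ttl(hops: int) -> int:
    """Lowest TTL the router accepts from a peer configured 'hops' routers away."""
    if not 1 <= hops <= MAX_HOPS:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hops


def accept_packet(received_ttl: int, hops: int) -> bool:
    """True if a packet with this TTL passes the check.

    False means the router silently discards it: no ICMP message is generated.
    """
    return received_ttl >= min_incoming_ttl(hops)


def arriving_ttl(initial_ttl: int, forwarding_routers: int) -> int:
    """TTL a packet carries when it reaches the checking router.

    Each router that forwards the packet decrements the TTL by one.  The sender
    chooses the initial value but nothing on the path can raise it, which is
    why a distant attacker cannot satisfy the check by sending TTL 255.
    """
    if not 0 <= initial_ttl <= MAX_TTL:
        raise ValueError("TTL must be between 0 and 255")
    return max(0, initial_ttl - forwarding_routers)


def simulate(hops: int, sources: Dict[str, int]) -> Dict[str, bool]:
    """Apply the check to packets from several sources.

    'sources' maps a label to the number of routers that forward its packets
    before they reach the checking router (0 = directly connected).  Every
    source is assumed to send with TTL 255.
    """
    return {name: accept_packet(arriving_ttl(MAX_TTL, distance), hops)
            for name, distance in sources.items()}


# Constructed distances, as seen from R1 with
# 'neighbor 2.2.2.2 ttl-security hops 2' (minimum incoming TTL 253).
R1_VIEW = {
    "R2 (legitimate peer, directly connected)": 0,  # arrives with TTL 255
    "host directly behind R2":                   1,  # R2 forwards: TTL 254, accepted
    "host two routers behind R2":                2,  # TTL 253, still accepted
    "host three routers behind R2":              3,  # TTL 252, discarded
}

if __name__ == "__main__":
    print(f"hops 2 -> minimum incoming TTL {min_incoming_ttl(2)}")
    for name, accepted in simulate(2, R1_VIEW).items():
        print(f"{'accept ' if accepted else 'discard'}  {name}")
```

The simulation makes the limit of the mechanism visible: with hops 2, packets that cross one or two routers before reaching R1 still pass, so the hop count should never be set higher than the topology requires.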
Network topology:
An eBGP session is configured between routers R1 and R2, using their Loopback interfaces as the update source. EIGRP provides reachability between the Loopback addresses.
eBGP configuration
R1 router:
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
!
interface serial 1/0
ip address 10.1.1.1 255.255.255.252
!
router eigrp 10
no auto-summary
network 1.1.1.1
network 10.1.1.0
!
router bgp 100
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 update-source Loopback 0
neighbor 2.2.2.2 ttl-security hops 2
!
R2 router:
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
!
interface Serial 1/0
ip address 10.1.1.2 255.255.255.252
!
router eigrp 10
no auto-summary
network 2.2.2.2
network 10.1.1.0
!
router bgp 200
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback 0
neighbor 1.1.1.1 ttl-security hops 2
!
The show ip bgp neighbors command displays information about a BGP neighbor, such as the capabilities supported, the session state and the TTL settings in effect. The following output shows that R1 accepts BGP packets from neighbor 2.2.2.2 only if it is no more than 2 hops away, so IP packets from 2.2.2.2 must arrive with a TTL of at least 253.
show ip bgp neighbors
R1# show ip bgp neighbors
BGP neighbor is 2.2.2.2, remote AS 200, external link
BGP version 4, remote router ID 2.2.2.2
BGP state = Established, up for 00:00:20
Last read 00:00:20, last write 00:00:20, hold time is 180, keepalive interval
is 60 seconds
Neighbor capabilities:
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 2 2
Notifications: 0 0
Updates: 0 0
Keepalives: 6 6
Route Refresh: 0 0
Total: 8 8
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Connections established 2; dropped 1
Last reset 00:00:27, due to User reset
External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
Local host: 1.1.1.1, Local port: 39101
Foreign host: 2.2.2.2, Foreign port: 179
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x8B960):
Timer Starts Wakeups Next
Retrans 4 0 0x0
TimeWait 0 0 0x0
AckHold 2 0 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
iss: 3703040670 snduna: 3703040773 sndnxt: 3703040773 sndwnd: 16282
irs: 3131008732 rcvnxt: 3131008835 rcvwnd: 16282 delrcvwnd: 102
SRTT: 128 ms, RTTO: 1445 ms, RTV: 1317 ms, KRTT: 0 ms
minRTT: 32 ms, maxRTT: 336 ms, ACK hold: 200 ms
Flags: active open, nagle
IP Precedence value : 6
Datagrams (max data segment is 536 bytes):
Rcvd: 4 (out of order: 0), with data: 2, total data bytes: 102
Sent: 5 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0),
with data: 3, total data bytes: 102
A forged packet that has to cross three or more routers to reach R1 arrives with a TTL below 253, whatever TTL the sender set, so BGP silently discards it. Note what the check does not do: a host whose packets reach R1 through R2 alone arrives with a TTL of 254 and passes the check, so TTL security only limits the distance from which such packets can be sent. Keep the hop count as small as the topology allows; here R2 is directly connected, so hops 1 (minimum incoming TTL 254) would be the tighter setting.
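As an operational check, the two lines of the output above that matter can be audited automatically. The following script is an added example, not code from this page or from Cisco: it parses show ip bgp neighbors output, reads the hop count and the minimum incoming and outgoing TTL per neighbor, verifies that the minimum incoming TTL equals 255 - hops, and flags external peers whose minimum incoming TTL is 0, meaning any TTL is accepted. SAMPLE contains the relevant lines of R1's output from the page followed by two constructed neighbor blocks (10.9.9.9 and 3.3.3.3) whose exact IOS wording is assumed.

```python
"""Audit TTL security settings from 'show ip bgp neighbors' output.

Added example, not code from the page or from Cisco.  It parses the lines the
page draws attention to ('External BGP neighbor may be up to N hops away.' and
'Mininum incoming TTL X, Outgoing TTL Y'; IOS really prints 'Mininum'), checks
them against min TTL = 255 - hops, and flags unprotected external peers.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+), remote AS (\d+), (\w+) link")
HOPS_RE = re.compile(r"External BGP neighbor may be up to (\d+) hops away")
TTL_RE = re.compile(r"Mini[nm]um incoming TTL (\d+), Outgoing TTL (\d+)")


@dataclass
class Peer:
    address: str
    remote_as: int
    link: str                       # "external" (eBGP) or "internal" (iBGP)
    hops: Optional[int] = None      # from the 'may be up to N hops away' line
    min_in_ttl: Optional[int] = None
    out_ttl: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def parse_neighbors(text: str) -> List[Peer]:
    """Split the output into one record per 'BGP neighbor is ...' block."""
    peers: List[Peer] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := NEIGHBOR_RE.match(line):
            peers.append(Peer(m.group(1), int(m.group(2)), m.group(3)))
        elif not peers:
            continue                        # prompt or header before the first neighbor
        elif m := HOPS_RE.search(line):
            peers[-1].hops = int(m.group(1))
        elif m := TTL_RE.search(line):
            peers[-1].min_in_ttl = int(m.group(1))
            peers[-1].out_ttl = int(m.group(2))
    return peers


def audit(peers: List[Peer]) -> List[Peer]:
    """Attach findings to each eBGP peer; iBGP peers are skipped (feature is eBGP-only)."""
    for p in peers:
        if p.link != "external":
            continue
        if not p.min_in_ttl:                # None or 0: every TTL is accepted
            p.findings.append("no minimum incoming TTL enforced (TTL security not in effect)")
            continue
        if p.hops is not None and p.min_in_ttl != 255 - p.hops:
            p.findings.append(f"minimum incoming TTL {p.min_in_ttl} does not match 255 - {p.hops}")
        if p.out_ttl != 255:
            p.findings.append(f"outgoing TTL is {p.out_ttl}, expected 255")
    return peers


# R1's output from the page (first block), plus two constructed neighbor blocks
# whose wording is assumed: an unprotected eBGP peer and an iBGP peer.
SAMPLE = """\
R1# show ip bgp neighbors
BGP neighbor is 2.2.2.2, remote AS 200, external link
  BGP version 4, remote router ID 2.2.2.2
  BGP state = Established, up for 00:00:20
  External BGP neighbor may be up to 2 hops away.
  Connection state is ESTAB, I/O status: 1, unread input bytes: 0
  Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
BGP neighbor is 10.9.9.9, remote AS 300, external link
  BGP version 4, remote router ID 10.9.9.9
  BGP state = Established, up for 01:02:03
  Connection state is ESTAB, I/O status: 1, unread input bytes: 0
  Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
BGP neighbor is 3.3.3.3, remote AS 100, internal link
  BGP version 4, remote router ID 3.3.3.3
  BGP state = Established, up for 02:00:00
  Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
"""


def run_audit(text: str = SAMPLE) -> List[Peer]:
    return audit(parse_neighbors(text))


if __name__ == "__main__":
    for p in run_audit():
        status = "OK" if not p.findings else "; ".join(p.findings)
        print(f"{p.address:<10} AS{p.remote_as:<5} {p.link:<8} {status}")
```

Feed it the output of the command collected from each router (for example via a terminal log) to find eBGP peers that were never given ttl-security, or whose minimum incoming TTL no longer matches the intended hop count.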