BGP Support for TTL Security Check

BGP support for TTL Security Check is a mechanism that protects eBGP peering sessions from attacks based on forged IP packets. It helps prevent remote hosts from hijacking an eBGP session. The feature protects only eBGP peering sessions; it is not supported for iBGP peers.

The feature protects the eBGP peering session by comparing the TTL of each received IP packet against a hop count configured locally for each eBGP neighbor. If the TTL value of the received IP packet is equal to or greater than the configured value, the packet is accepted and processed normally. If the TTL value is less than the configured value, the packet is silently discarded and no ICMP notification message is sent.

The feature is configured with the neighbor <ip-address> ttl-security hops <count> BGP configuration command. The hop count range is 1 to 254. When the feature is enabled, BGP establishes or maintains an eBGP peering session only if the TTL value in the IP packet header is equal to or greater than the TTL value derived for that neighbor. The hop count is the number of hops separating the two peers; the router derives the minimum acceptable TTL from it, i.e. TTL = 255 - (hop count).

The feature secures the eBGP session in the incoming direction only; it does not affect outgoing IP packets.

NOTE: If the TTL security feature is enabled, the neighbor ebgp-multihop command is not required. The two commands cannot be used at the same time.

Network topology:

An eBGP session will be configured between routers R1 and R2, using their Loopback interfaces as the update source. EIGRP will be used to provide reachability between the Loopback interfaces.

eBGP configuration

R1 router:
interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
!
interface serial 1/0
 ip address 10.1.1.1 255.255.255.252
!
router eigrp 10
 no auto-summary
 network 1.1.1.1
 network 10.1.1.0
!
router bgp 100
 neighbor 2.2.2.2 remote-as 200
 neighbor 2.2.2.2 update-source Loopback 0
 neighbor 2.2.2.2 ttl-security hops 2
!
R2 router:
interface Loopback 0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial 1/0
 ip address 10.1.1.2 255.255.255.252
!
router eigrp 10
 no auto-summary
 network 2.2.2.2
 network 10.1.1.0
!
router bgp 200
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback 0
 neighbor 1.1.1.1 ttl-security hops 2
!

The show ip bgp neighbors command provides information about the BGP neighbor such as the capabilities supported, the session state, etc. From the following output it can be seen that router R1 will accept a BGP connection from neighbor 2.2.2.2 only if it is no more than 2 hops away, so IP packets from 2.2.2.2 must have a TTL value of at least 253.

show ip bgp neighbors

R1# show ip bgp neighbors
BGP neighbor is 2.2.2.2,  remote AS 200, external link
  BGP version 4, remote router ID 2.2.2.2
  BGP state = Established, up for 00:00:20
  Last read 00:00:20, last write 00:00:20, hold time is 180, keepalive interval
is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  2          2
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             6          6
    Route Refresh:          0          0
    Total:                  8          8
  Default minimum time between advertisement runs is 30 seconds
 For address family: IPv4 Unicast
  BGP table version 1, neighbor version 1/0
 Output queue size : 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          0
    Prefixes Total:                 0          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0
                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Total:                                0          0
  Number of NLRIs in the update sent: max 0, min 0
  Connections established 2; dropped 1
  Last reset 00:00:27, due to User reset
  External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
Local host: 1.1.1.1, Local port: 39101
Foreign host: 2.2.2.2, Foreign port: 179
Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x8B960):
Timer          Starts    Wakeups            Next
Retrans             4          0             0x0
TimeWait            0          0             0x0
AckHold             2          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
iss: 3703040670  snduna: 3703040773  sndnxt: 3703040773     sndwnd:  16282
irs: 3131008732  rcvnxt: 3131008835  rcvwnd:      16282  delrcvwnd:    102
SRTT: 128 ms, RTTO: 1445 ms, RTV: 1317 ms, KRTT: 0 ms
minRTT: 32 ms, maxRTT: 336 ms, ACK hold: 200 ms
Flags: active open, nagle
IP Precedence value : 6
Datagrams (max data segment is 536 bytes):
Rcvd: 4 (out of order: 0), with data: 2, total data bytes: 102
Sent: 5 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0),
 with data: 3, total data bytes: 102

Any attacker behind the R2 router will not be able to attack this router, since the TTL value of its IP packets will be less than 253 and BGP will silently discard them.
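The check described above (minimum TTL = 255 - hops; accept if the received TTL is equal or greater, silently discard otherwise) modelled in Python as an added example, not code from the original page or from IOS. It uses R1's configuration from the page (neighbor 2.2.2.2, ttl-security hops 2); the packets are constructed samples and the Packet class and function names are assumptions.

```python
from dataclasses import dataclass

MAX_TTL = 255  # TTL a router sets on its own BGP packets ("Outgoing TTL 255")


def min_incoming_ttl(hops: int) -> int:
    """Minimum TTL accepted for a neighbor configured with 'ttl-security hops <hops>'."""
    if not 1 <= hops <= 254:           # range given on the page
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hops              # e.g. hops 2 -> 253


def ttl_on_arrival(routers_traversed: int) -> int:
    """TTL of a packet sent with TTL 255 after being forwarded by N routers.

    Each forwarding router decrements the TTL by one, so packets from a
    directly connected sender arrive with TTL 255.
    """
    return MAX_TTL - routers_traversed


@dataclass
class Packet:            # constructed model of the fields the check looks at
    src: str             # IP source address claimed by the packet
    ttl: int             # TTL seen in the IP header on arrival


def ttl_security_filter(neighbors: dict, packets: list) -> dict:
    """Apply the check per neighbor; returns {"accepted": [...], "discarded": [...]}."""
    result = {"accepted": [], "discarded": []}
    for pkt in packets:
        hops = neighbors.get(pkt.src)
        if hops is None:
            continue                   # no ttl-security configured for this source
        if pkt.ttl >= min_incoming_ttl(hops):
            result["accepted"].append(pkt)
        else:
            result["discarded"].append(pkt)   # silent: no ICMP message is generated
    return result


def demo() -> dict:
    r1_neighbors = {"2.2.2.2": 2}      # from R1's config: ttl-security hops 2
    samples = [                        # constructed packets, all claiming source 2.2.2.2
        Packet("2.2.2.2", ttl_on_arrival(0)),  # genuine R2, directly connected: TTL 255
        Packet("2.2.2.2", ttl_on_arrival(2)),  # exactly at the limit: TTL 253, accepted
        Packet("2.2.2.2", ttl_on_arrival(3)),  # forged source three routers away: TTL 252
    ]
    return ttl_security_filter(r1_neighbors, samples)
```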