Monday, October 12, 2009

EBGP Multihop protection

I assume, of course, that if you're reading this blog you probably know what BGP is :) So I won't bore you with that, but what I will say is: man, BGP security globally is in a pretty sorry state.

From BGP sessions with no MD5 authentication (the TCP MD5 signature option authenticates each segment with a shared key; it does not encrypt anything) to lax prefix filters, disaster is just a step away with such lax security.

A fairly simple attack that you might fall victim to is BGP spoofing. Say you peer with an ISP and you don't use MD5 authentication, because the network engineer at that ISP thinks MD5 is some oddly named rock band.

Further to this, not only does he not know what he is doing from an authentication perspective, he has also failed to implement any sort of IP spoofing protection (BCP 38 ingress filtering) on his network. One of the customers on his network, Dr Evil, decides to spoof packets to you with your peer's address as the source, claiming he knows the routes to Google. Since you're not using MD5 you're quite stuffed at this point! "But I have prefix-list protection," you say. Okay, fair enough, but what if he just kept sending TCP resets for your BGP session? Blindly injecting routes into an established session means guessing the TCP sequence number, but a spoofed RST only has to land inside the receive window to tear the session down, and that alone could still cause you real issues.

"Save me Dr Cisco!" I hear you cry.

Enter the BGP TTL Security Check

This funky little feature takes advantage of the fact that every IP packet carries a TTL value. A router that supports it sends its BGP packets with the maximum TTL of 255, and every router that forwards the packet knocks one off. If you're peering with someone directly (and it's important to note that keyword, DIRECTLY: if the other end is sourcing its BGP traffic from a loopback interface, or is peering to YOUR loopback interface, the hop count you need to configure may be slightly different, so check what actually arrives before turning this on), the packet reaches you having been decremented at most once.

So if a packet is spoofed from a customer several routers inside the ISP, its TTL still has to be "marked down" by every router along the way (nobody can send a TTL above 255), and by the time it reaches your router the value will be something like 248 or 249 instead of the 254 or 253 you would see from a directly connected peer. Anything below the configured minimum is dropped before the BGP process ever sees it. The flip side: an attacker close enough to sit within the configured hop count still passes the check, so this complements MD5 and anti-spoofing filters rather than replacing them.

The BGP Support for TTL Security Check feature is configured with the neighbor ip-address ttl-security hops hop-count command in router configuration mode or address family configuration mode. When this feature is enabled, BGP will establish or maintain a session only if the TTL value in the IP packet header is equal to or greater than the minimum TTL derived from the hop count configured for the peering session. Enabling this feature secures the eBGP session in the incoming direction only and has no effect on outgoing IP packets or on the remote router, so both peers should configure it. The hop-count argument is the maximum number of hops that separate the two peers; the router derives the minimum acceptable TTL from it. The value for this argument is a number from 1 to 254.
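To make the arithmetic above concrete, here is a small model of the check, added for this post and not code from the original page or from Cisco. It assumes the threshold in the IOS description (minimum TTL = 255 minus the configured hop count) and the normal IP forwarding rule that each forwarding router decrements the TTL by one while the destination router does not. The sender names, the number of routers between them and us, and the 192.0.2.1 peer address are constructed for the example.

```python
"""Model of the eBGP TTL-security check (RFC 5082 GTSM) described above.

Added illustration, not code from the original post or from Cisco. The threshold
follows the pasted IOS description: minimum TTL = 255 - configured hop count.
The scenario hop counts and the peer address are made up for the example.
"""
from dataclasses import dataclass

MAX_TTL = 255  # largest value the 8-bit IP TTL field can hold; nobody can send more


def minimum_ttl(hop_count: int) -> int:
    """Minimum TTL accepted for 'neighbor X ttl-security hops <hop_count>'."""
    if not 1 <= hop_count <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hop_count


def arriving_ttl(sent_ttl: int, forwarding_routers: int) -> int:
    """TTL as seen by the receiving router.

    Every router that forwards the packet decrements the TTL by one; the
    receiving router does not decrement a packet addressed to itself.
    """
    if not 0 <= sent_ttl <= MAX_TTL:
        raise ValueError("TTL must fit in 8 bits")
    return max(sent_ttl - forwarding_routers, 0)


def ttl_security_accepts(hop_count: int, received_ttl: int) -> bool:
    """The comparison applied before the packet ever reaches the BGP process."""
    return received_ttl >= minimum_ttl(hop_count)


@dataclass(frozen=True)
class Packet:
    """A constructed inbound TCP/179 packet: who really sent it and how far away they are."""
    sender: str
    sent_ttl: int
    forwarding_routers: int  # routers between the real sender and us


# Constructed scenarios for a directly connected eBGP peer ("hops 1").
SCENARIOS = [
    Packet("legitimate peer, directly connected", sent_ttl=255, forwarding_routers=0),
    Packet("Dr Evil, customer six routers inside the ISP", sent_ttl=255, forwarding_routers=6),
    Packet("Dr Evil, forgot to raise the OS default TTL", sent_ttl=64, forwarding_routers=6),
    # Inside the trust radius: only one forwarding router between attacker and us.
    Packet("attacker behind the ISP edge router", sent_ttl=255, forwarding_routers=1),
]


def evaluate(hop_count: int, packets=SCENARIOS) -> dict:
    """Map each sender to (TTL on arrival, accepted?) for the given hop count."""
    results = {}
    for p in packets:
        ttl = arriving_ttl(p.sent_ttl, p.forwarding_routers)
        results[p.sender] = (ttl, ttl_security_accepts(hop_count, ttl))
    return results


def ios_config_line(neighbor: str, hop_count: int) -> str:
    """The router-configuration command from the page, for the given peer."""
    minimum_ttl(hop_count)  # validates the 1..254 range
    return f"neighbor {neighbor} ttl-security hops {hop_count}"


if __name__ == "__main__":
    hops = 1
    print(ios_config_line("192.0.2.1", hops), "-> minimum TTL", minimum_ttl(hops))
    for sender, (ttl, ok) in evaluate(hops).items():
        print(f"{'ACCEPT' if ok else 'DROP  '} ttl={ttl:3d}  {sender}")
```

The last scenario is the one to keep in mind: with hops 1 the minimum TTL is 254, so a spoofed packet that crosses only one forwarding router still passes. Raising the hop count to cover a multihop peer widens that radius further (run evaluate(7) and the six-router attacker gets in), which is why the check belongs alongside MD5 and the ISP's anti-spoofing filters rather than in place of them.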

I hope this helps guys!


  1. Always a source of useful info.. thanks Pete!

    I came across this once before... in fact I think NextGen encourage you to do this and provide you with cut-and-paste samples too ;)


  2. Nice post,
    I liked the Dr. Cisco :)