UNDERSTANDING TTL SECURITY IN BGP

While forming an eBGP neighborship via a service provider network, there is a security risk: an attack can come from the unsecured service provider domain into the secured customer environment. A drawback of eBGP multihop is that, by spoofing legitimate packets towards a BGP router at high volume, a DoS attack may be accomplished.

Cisco has devised a method to address this threat to BGP communication and keep the BGP interlock between customer and provider clean.

By default Cisco IOS sends eBGP messages with a TTL value of 1. We can, however, modify this value using the eBGP multihop feature. With a TTL of 1 the BGP neighbors must be directly connected, otherwise the neighbourship won't be established.

Using eBGP multihop we can form a neighbourship with peers some hops away rather than being directly connected.

TTL-Security is the mechanism we use to protect our eBGP sessions against such DoS attacks. The TTL-Security check can only be used with eBGP sessions, not with iBGP sessions. TTL-Security and eBGP multihop are mutually exclusive: only one of the two can be configured to form directly connected or multihop peering sessions. eBGP
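To make the difference between the two checks concrete, here is a small Python model of the receive-side decision, added as an example for this article (it is not Cisco code and does not parse real BGP). It assumes the documented Cisco TTL-Security rule, `neighbor <ip> ttl-security hops <n>`: both peers transmit with TTL 255 and a received packet is accepted only if its TTL is still at least 255 minus the configured hop count. The eBGP multihop mode is modelled as accepting any packet that survived the path, which is why forged packets from far away are processed at all. The packets below are constructed sample traffic.

```python
from dataclasses import dataclass

MAX_TTL = 255  # a TTL-Security (GTSM) peer always transmits with the maximum TTL


@dataclass(frozen=True)
class Packet:
    """A constructed BGP/TCP packet as seen at the receiving router."""
    src: str               # where the packet came from (label only)
    sent_ttl: int          # TTL the sender wrote into the IP header
    routers_crossed: int   # routers that forwarded it before it reached us

    @property
    def received_ttl(self) -> int:
        # every forwarding router decrements the TTL by one
        return self.sent_ttl - self.routers_crossed


def ttl_security_accepts(received_ttl: int, hops: int) -> bool:
    """Model of 'neighbor ... ttl-security hops <hops>' (assumed Cisco rule):
    the packet is processed only if its TTL proves it originated no more
    than <hops> routers away. Nobody can *raise* a TTL in transit, so a
    packet from farther away cannot satisfy this test."""
    return received_ttl >= MAX_TTL - hops


def multihop_accepts(received_ttl: int) -> bool:
    """Model of 'neighbor ... ebgp-multihop': any packet that survived the
    path (TTL did not hit zero) is handed to the BGP process, so the
    origin distance is not verified at all."""
    return received_ttl >= 1


def evaluate(packets, hops):
    """Return {src: (accepted_by_ttl_security, accepted_by_multihop)}."""
    return {
        p.src: (ttl_security_accepts(p.received_ttl, hops),
                multihop_accepts(p.received_ttl))
        for p in packets
    }


# Constructed traffic arriving at a router whose peer is directly connected
# (configured with hops 1). The two forged packets carry the peer's source
# address but were injected from elsewhere in the provider network.
SAMPLE_PACKETS = [
    Packet("legitimate directly connected peer", MAX_TTL, 0),
    Packet("forged packet injected 7 routers away", MAX_TTL, 7),
    Packet("forged packet injected 1 router away, default OS TTL", 64, 1),
]

if __name__ == "__main__":
    print(f"{'source':<55} ttl  ttl-security  multihop")
    for p in SAMPLE_PACKETS:
        sec, mh = evaluate([p], hops=1)[p.src]
        print(f"{p.src:<55} {p.received_ttl:>3}  {str(sec):<12}  {mh}")
```

With `hops 1` only the packet that really came from the adjacent peer passes the TTL-Security check, while the multihop check lets every forged packet through to the BGP process, which is the flooding exposure the article describes. Raising the hop count (for example `hops 3` for a peer three routers away) widens the accepted window to TTL 252 and above, so the defender should configure the smallest hop count that the legitimate topology needs.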