Based on the Generalized TTL Security Mechanism (GTSM, RFC 3682), the TTL security check is a security feature that protects BGP peers from multi-hop attacks. This feature allows the configuration of a minimum acceptable TTL value for the packets exchanged between two eBGP peers. When enabled, both peering routers transmit all their traffic to each other with a TTL of 255. In addition, routers establish a peering session only if the other eBGP peer sends packets with a TTL equal to or greater than the TTL value configured for the peering session. All packets received with TTL values less than the predefined value are silently discarded. In this way, the TTL security check prevents all possible attacks from attackers not connected directly to the same physical network connecting the two routers.
For example, when the TTL security check is enabled between two eBGP peers, both routers transmit all their traffic to each other with a TTL of 255. If the routers are one hop away, the security check will accept only incoming packets with a TTL equal to or greater than 254. This ensures that traffic from devices that are not directly connected is not accepted, because such traffic arrives with a TTL of less than 254, as shown in Figure 3.
In the example shown in Figure 3, Router A will accept only those packets with a TTL of 254 or greater. Regardless of the TTL value the attacker sets, all of their packets will reach Router A with a TTL of less than 254.
In Cisco IOS software, the TTL security check can be enabled per peer using the neighbor ttl-security command:
Router(config)# router bgp as-number
Router(config-router)# neighbor ip-address ttl-security hops hop-count
In this example, the TTL security check is enabled for the 10.1.1.1 eBGP neighbor, which resides two hops away:
Router(config)# router bgp 1
Router(config-router)# neighbor 10.1.1.1 ttl-security hops 2
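As an added illustration of the check itself (example code, not Cisco IOS code and not part of the original post), the following Python model computes the acceptance threshold of 255 minus hop-count and applies it to constructed senders for the neighbor 10.1.1.1 configuration above. The hop model, in which a directly connected sender is one hop away and every further hop passes through one router that decrements the TTL, is an assumption of the example.

```python
MAX_TTL = 255  # GTSM senders (RFC 3682) always transmit with TTL 255

def gtsm_min_ttl(hop_count: int) -> int:
    """Minimum acceptable arrival TTL for 'neighbor ... ttl-security hops hop_count'."""
    if not 1 <= hop_count <= 254:  # the command's accepted range
        raise ValueError("hop-count must be between 1 and 254")
    return MAX_TTL - hop_count

def arrival_ttl(initial_ttl: int, distance_hops: int) -> int:
    """TTL seen by the receiving router for a sender distance_hops away.
    Assumption: a directly connected sender is 1 hop away, so distance_hops - 1
    intermediate routers each decrement the TTL. Returns 0 if it expired in transit."""
    if not 1 <= initial_ttl <= MAX_TTL:
        raise ValueError("initial TTL must be 1..255")
    if distance_hops < 1:
        raise ValueError("distance must be at least 1 hop")
    return max(0, initial_ttl - (distance_hops - 1))

def gtsm_accepts(arrived_ttl: int, hop_count: int) -> bool:
    """Receive-side check: packets below the threshold are silently discarded."""
    return arrived_ttl >= gtsm_min_ttl(hop_count)

def evaluate(senders, hop_count: int) -> dict:
    """Apply the check to (label, initial_ttl, distance_hops) senders;
    returns {label: (arrived_ttl, accepted)}."""
    results = {}
    for label, initial_ttl, distance in senders:
        ttl = arrival_ttl(initial_ttl, distance)
        results[label] = (ttl, gtsm_accepts(ttl, hop_count))
    return results

# Constructed senders for the page's configuration: neighbor 10.1.1.1 is 2 hops away.
SENDERS = [
    ("10.1.1.1 (legitimate peer, 2 hops away)", 255, 2),
    ("remote attacker 6 hops away, TTL forced to 255", 255, 6),
    ("remote attacker 6 hops away, default TTL 64", 64, 6),
    # Caveat: a sender inside the configured hop radius still passes, so the
    # hop-count should equal the real peer distance rather than be padded.
    ("sender only 3 hops away, TTL 255", 255, 3),
]

if __name__ == "__main__":
    print(f"hops 2 -> accept TTL >= {gtsm_min_ttl(2)}")
    for label, (ttl, ok) in evaluate(SENDERS, hop_count=2).items():
        print(f"{label}: arrives with TTL {ttl} -> {'accepted' if ok else 'dropped'}")
```

The last constructed sender shows why the hop-count is a distance bound rather than an identity check: anything within the configured radius can still reach the threshold, so the value should match the actual peer distance.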
For more information about the TTL security check, refer to the following URL:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455621.html