Sorry, a copy/paste went wrong there for the configuration of BGP on R2. It
was configured with AS 65002; I just couldn't be bothered to copy twice and
(mis)edited the R2 portion when I was composing the message. Here's the
correct configuration:
R2:
router bgp 65002
neighbor 192.168.12.1 remote-as 65001
neighbor 192.168.12.1 ttl-security hops 2
!
address-family ipv4
neighbor 192.168.12.1 activate
!
Proof is below :-)
------------------------------8<------------------------------
Frame 6: 111 bytes on wire (888 bits), 111 bytes captured (888 bits)
Ethernet II, Src: 00:50:56:92:37:3d (00:50:56:92:37:3d), Dst: 00:0c:29:84:d3:2e (00:0c:29:84:d3:2e)
Internet Protocol Version 4, Src: 192.168.12.2 (192.168.12.2), Dst: 192.168.12.1 (192.168.12.1)
Transmission Control Protocol, Src Port: bgp (179), Dst Port: 51300 (51300), Seq: 1, Ack: 58, Len: 57
Border Gateway Protocol - OPEN Message
    Marker: ffffffffffffffffffffffffffffffff
    Length: 57
    Type: OPEN Message (1)
    Version: 4
    My AS: 65002
    Hold Time: 180
    BGP Identifier: 192.168.12.2 (192.168.12.2)
    Optional Parameters Length: 28
    Optional Parameters
------------------------------8<------------------------------
--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor / Managing Partner - iPexpert
:: Free Video Training: http://youtube.com/iPexpertInc
:: Social: http://twitter.com/@icemarkom | http://fb.me/ccie18427
:: iPexpert: http://www.ipexpert.com/Communities | +1-810-326-1444
On Wed, Feb 26, 2014 at 12:41 PM, Marko Milivojevic <[email protected]> wrote:
> I can confirm (and so can you in the lab environment).
>
> When configured with the ttl-security, several things are important for
> the eBGP neighbors:
>
> 1) The TTL is set to 255, instead of 1 (default)
> 2) TTL security feature needs to be turned on on both sides
> 3) TTL of the incoming packet will be matched against the configured hop
> count using a simple check: (255-Packet_TTL) <= hops
>
> Let's take a look.
>
> (AS65001)R1[Gi1]---{192.168.12.0/24}---[Gi1]R2(AS65002)
>
>
> R1:
> interface GigabitEthernet1
> ip address 192.168.12.1 255.255.255.0
> !
> router bgp 65001
> neighbor 192.168.12.2 remote-as 65002
> neighbor 192.168.12.2 ttl-security hops 2
> !
> address-family ipv4
> neighbor 192.168.12.2 activate
> !
>
> R2:
> interface GigabitEthernet1
> ip address 192.168.12.2 255.255.255.0
> !
> router bgp 65001
> neighbor 192.168.12.1 remote-as 65001
> neighbor 192.168.12.1 ttl-security hops 2
> !
> address-family ipv4
> neighbor 192.168.12.1 activate
> !
>
> R1:
> R1#show bgp ipv4 unicast summary
> BGP router identifier 192.168.12.1, local AS number 65001
> BGP table version is 1, main routing table version 1
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 192.168.12.2    4 65002       7       7        1    0    0 00:04:15        0
>
> So, the session is up, even though they're directly connected (proving the
> point of the TTL statement above). But what WAS the actual TTL used on the
> wire? See for yourself - this is the SYN packet for that session.
>
> Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
> Ethernet II, Src: 00:0c:29:84:d3:2e (00:0c:29:84:d3:2e), Dst: 00:50:56:92:37:3d (00:50:56:92:37:3d)
> Internet Protocol Version 4, Src: 192.168.12.1 (192.168.12.1), Dst: 192.168.12.2 (192.168.12.2)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
>     Total Length: 44
>     Identification: 0xa870 (43120)
>     Flags: 0x02 (Don't Fragment)
>     Fragment offset: 0
>     Time to live: 255
>     Protocol: TCP (6)
>     Header checksum: 0x3947 [correct]
>     Source: 192.168.12.1 (192.168.12.1)
>     Destination: 192.168.12.2 (192.168.12.2)
> Transmission Control Protocol, Src Port: 51300 (51300), Dst Port: bgp (179), Seq: 0, Len: 0
>
> On Wed, Feb 26, 2014 at 12:19 PM, Edgar Díaz Orellana <[email protected]> wrote:
>
>> In fact, using a loopback interface is kind of like having a second hop: one of
>> them is external, the other is internal through the control plane.
>>
>> That's why you need to use 2 hops if you have neighbors peering through loopbacks.
>>
>> Sent from my iPhone
>>
>> > On 26-02-2014, at 14:09, marc abel <[email protected]> wrote:
>> >
>> > Are you peering between loopbacks? In this case you would need to do
>> > ttl-security hops 2. Your neighbor is going to decrement 1 ttl before
>> > sending and then the local router would decrement 1 before delivering to
>> > the loopback interface. This probably wouldn't show up in your traceroute, but
>> > you would have a ttl of 253.
>> >
>> >
>> > On Wed, Feb 26, 2014 at 10:22 AM, Christopher Lemish <[email protected]> wrote:
>> >
>> >> Guys,
>> >>
>> >> I just turned up a BGP session for a customer (doing BGP Failover for
>> >> them). I am using the "neigh ttl-security hops" cmd. A traceroute
>> >> confirms it is 1 hop away. The Cisco documentation explains that if a TTL
>> >> is received that equals the TTL value expected or is higher, the router
>> >> will accept that packet.
>> >>
>> >> I was troubleshooting it quickly and the cmd "neigh x.x.x.x ttl-security
>> >> hops 254" is the only hop count that maintains the BGP session. I thought
>> >> I recalled from one of Joe's videos that the ttl-security cmd "must exactly"
>> >> match the number of hops away. But, I thought we could use the "neigh
>> >> x.x.x.x ttl-security hops 1" which means it is 1 hop away and would accept
>> >> a TTL of 254 or higher, indicating that it is 1 hop away.
>> >>
>> >> (TTL=255)-->(TTL=254)
>> >> PE--------CE
>> >>
>> >> The IOS version of this 3925 is the following:
>> >> Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version
>> >> 15.2(4)M5, RELEASE SOFTWARE (fc2)
>> >>
>> >> Thank you,
>> >> Chris
>> >>
>> >
>> >
>> >
>> > --
>> > Marc Abel
>> > CCIE #35470
>> > (Routing and Switching)
>
>
_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
iPexpert on YouTube: www.youtube.com/ipexpertinc
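Marko's acceptance rule, (255 - Packet_TTL) <= hops, applied to the TTL values that come up in this thread (255 on the wire with ttl-security, 253 through loopbacks, 1 as the non-GTSM default). This is an added example, not code from any poster; the peer addresses and packet records are constructed.

```python
"""BGP ttl-security (GTSM) check as described in the thread:
a packet is accepted iff (255 - packet_ttl) <= hops.

Added example; the sample packet records below are constructed."""


def gtsm_accepts(packet_ttl: int, hops: int) -> bool:
    """True if a packet arriving with packet_ttl passes 'ttl-security hops <hops>'."""
    if not 0 <= packet_ttl <= 255:
        raise ValueError(f"invalid IPv4 TTL {packet_ttl}")
    if not 1 <= hops <= 254:
        raise ValueError(f"hops must be 1..254, got {hops}")
    return (255 - packet_ttl) <= hops


def min_hops_for_ttl(packet_ttl: int) -> int:
    """Smallest 'hops' value that still accepts a packet arriving with packet_ttl.

    A peer that does not run ttl-security sends the default TTL 1, and
    255 - 1 = 254 is then the only setting that keeps the session up; that
    setting also accepts almost any TTL, so it provides no real protection.
    """
    return max(1, 255 - packet_ttl)


def filter_bgp_packets(packets, hops):
    """Split (src, ttl) records into accepted and rejected lists for a given hops value."""
    accepted, rejected = [], []
    for src, ttl in packets:
        (accepted if gtsm_accepts(ttl, hops) else rejected).append((src, ttl))
    return accepted, rejected


# Constructed records (addresses are placeholders):
#   a directly connected peer running ttl-security (TTL 255, as in the capture),
#   a loopback-to-loopback peer two decrements away (TTL 253),
#   a peer without ttl-security sending the default TTL 1,
#   a host several routers away whose TTL has already dropped to 249.
SAMPLE_PACKETS = [
    ("192.168.12.2", 255),
    ("192.0.2.2", 253),
    ("192.168.12.9", 1),
    ("203.0.113.7", 249),
]

if __name__ == "__main__":
    for hops in (1, 2, 254):
        ok, bad = filter_bgp_packets(SAMPLE_PACKETS, hops)
        print(f"hops {hops}: accepted={ok} rejected={bad}")
```

With hops 2, the first two records pass and the last two are dropped; with hops 254 every record passes, which is why that value "works" for a peer that is not sending TTL 255.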