Good point to keep in mind all the time. Enable TTL security or multihop on both sides.

I totally forgot that. Thanks Marko !!!

Sent from my iPhone

> On 26-02-2014, at 21:36, Bob McCouch <[email protected]> wrote:
>
> I think the issue is exactly what Marko mentions in #1 & 2:
>
> 1) The TTL is set to 255, instead of 1 (default)
> 2) TTL security feature needs to be turned on on both sides
>
> If you were to only enable TTL security on one side, it would need "hops 254"
> because the other EBGP peer will send its packets with TTL 1, the default for
> EBGP sessions. You need to enable it on both sides for it to work correctly
> by setting the TTL to 255 and then subtracting only the expected number of
> hops. After all, spoofing a packet that lands on your router with a TTL 1 is
> not too hard. But spoofing a packet that lands on your router with a TTL of
> 254 would be quite a feat if you're not on the same wire.
>
> Best,
> Bob
> CCIE #38296
> HerdingPackets.net
>
>> On Wed, Feb 26, 2014 at 3:41 PM, Marko Milivojevic <[email protected]> wrote:
>>
>> I can confirm (and so can you in the lab environment).
>>
>> When configured with the ttl-security, several things are important for the
>> eBGP neighbors:
>>
>> 1) The TTL is set to 255, instead of 1 (default)
>> 2) TTL security feature needs to be turned on on both sides
>> 3) TTL of the incoming packet will be matched against the configured hop
>>    count using a simple check: (255-Packet_TTL) <= hops
>>
>> Let's take a look.
>>
>> (AS65001)R1[Gi1]---{192.168.12.0/24}---[Gi1]R2(AS65002)
>>
>> R1:
>> interface GigabitEthernet1
>>  ip address 192.168.12.1 255.255.255.0
>> !
>> router bgp 65001
>>  neighbor 192.168.12.2 remote-as 65002
>>  neighbor 192.168.12.2 ttl-security hops 2
>>  !
>>  address-family ipv4
>>   neighbor 192.168.12.2 activate
>> !
>>
>> R2:
>> interface GigabitEthernet1
>>  ip address 192.168.12.2 255.255.255.0
>> !
>> router bgp 65002
>>  neighbor 192.168.12.1 remote-as 65001
>>  neighbor 192.168.12.1 ttl-security hops 2
>>  !
>>  address-family ipv4
>>   neighbor 192.168.12.1 activate
>> !
>>
>> R1:
>> R1#show bgp ipv4 unicast summary
>> BGP router identifier 192.168.12.1, local AS number 65001
>> BGP table version is 1, main routing table version 1
>>
>> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
>> 192.168.12.2    4 65002       7       7        1    0    0 00:04:15        0
>>
>> So, the session is up, even though they're directly connected (proving the
>> point of the TTL statement above). But what WAS the actual TTL used on the
>> wire? See for yourself - this is the SYN packet for that session.
>>
>> Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
>> Ethernet II, Src: 00:0c:29:84:d3:2e (00:0c:29:84:d3:2e), Dst: 00:50:56:92:37:3d (00:50:56:92:37:3d)
>> Internet Protocol Version 4, Src: 192.168.12.1 (192.168.12.1), Dst: 192.168.12.2 (192.168.12.2)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
>>     Total Length: 44
>>     Identification: 0xa870 (43120)
>>     Flags: 0x02 (Don't Fragment)
>>     Fragment offset: 0
>>     Time to live: 255
>>     Protocol: TCP (6)
>>     Header checksum: 0x3947 [correct]
>>     Source: 192.168.12.1 (192.168.12.1)
>>     Destination: 192.168.12.2 (192.168.12.2)
>> Transmission Control Protocol, Src Port: 51300 (51300), Dst Port: bgp (179), Seq: 0, Len: 0
>>
>> --
>> Marko Milivojevic - CCIE #18427 (SP R&S)
>> Senior CCIE Instructor / Managing Partner - iPexpert
>> :: Free Video Training: http://youtube.com/iPexpertInc
>> :: Social: http://twitter.com/@icemarkom | http://fb.me/ccie18427
>> :: iPexpert: http://www.ipexpert.com/Communities | +1-810-326-1444
>>
>> On Wed, Feb 26, 2014 at 12:19 PM, Edgar Díaz Orellana <[email protected]> wrote:
>>
>> > In fact, using a loopback interface is kind of like having a second hop: one of them
>> > is external, the other is internal thru the control-plane.
>> >
>> > That's why you need to use 2 hops if you have neighbors peering thru loopbacks.
>> >
>> > Sent from my iPhone
>> >
>> > > On 26-02-2014, at 14:09, marc abel <[email protected]> wrote:
>> > >
>> > > Are you peering between loopbacks? In this case you would need to do
>> > > ttl-security hops 2. Your neighbor is going to decrement 1 ttl before
>> > > sending and then the local router would decrement 1 before delivering to
>> > > the loopback interface. This probably wouldn't show up in your traceroute, but
>> > > you would have a ttl of 253.
>> > >
>> > > On Wed, Feb 26, 2014 at 10:22 AM, Christopher Lemish <[email protected]> wrote:
>> > >
>> > >> Guys,
>> > >>
>> > >> I just turned up a BGP session for a customer (doing BGP Failover for
>> > >> them). I am using the "neigh ttl-security hops" cmd. A traceroute
>> > >> confirms it is 1 hop away. The Cisco documentation explains that if a TTL
>> > >> is received that equals the TTL value expected or is higher, the router
>> > >> will accept that packet.
>> > >>
>> > >> I was troubleshooting it quickly and the cmd "neigh x.x.x.x ttl-security
>> > >> hops 254" is the only hop count that maintains the BGP session. I thought
>> > >> I recall that the ttl-security cmd "must exactly" match the number of hops
>> > >> away from one of Joe's videos. But, I thought we could use the "neigh
>> > >> x.x.x.x ttl-security hops 1" which means it is 1 hop away and would accept
>> > >> a TTL of 254 or higher, indicating that it is 1 hop away.
>> > >>
>> > >> (TTL=255)-->(TTL=254)
>> > >> PE--------CE
>> > >>
>> > >> The IOS version of this 3925 is the following:
>> > >> Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version
>> > >> 15.2(4)M5, RELEASE SOFTWARE (fc2)
>> > >>
>> > >> Thank you,
>> > >> Chris
>> > >>
>> > >> _______________________________________________
>> > >> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>> > >> iPexpert on YouTube: www.youtube.com/ipexpertinc
>> > >
>> > > --
>> > > Marc Abel
>> > > CCIE #35470
>> > > (Routing and Switching)
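The rule the thread converges on, (255 - Packet_TTL) <= hops, is simple enough to model. The block below is an added example and is not code from any of the posts or from Cisco; it implements that check as a plain function and walks through the situations discussed: Chris's one-sided "hops 1" versus "hops 254", Marko's directly connected lab with hops 2 on both sides, and Marc's loopback peering where the packet arrives with TTL 253. Assumptions are marked in comments: that a side without ttl-security sends the eBGP default TTL of 1 and performs no TTL check, and that the IOS `hops` argument accepts 1 to 254.

```python
"""GTSM / BGP ttl-security acceptance check, modelled on the thread above.

Added example, not taken from any of the posts. It implements the IOS rule
Marko quotes, (255 - Packet_TTL) <= hops, and replays the scenarios the
thread discusses so the outcome of each configuration is visible.
"""
from dataclasses import dataclass

MAX_TTL = 255
EBGP_DEFAULT_TTL = 1   # assumption: what an eBGP speaker sends without ttl-security


def gtsm_accept(packet_ttl: int, hops: int) -> bool:
    """True if a BGP packet that arrives with packet_ttl passes
    'neighbor X ttl-security hops <hops>': (255 - packet_ttl) <= hops."""
    if not 0 <= packet_ttl <= MAX_TTL:
        raise ValueError("IPv4 TTL must be 0..255")
    if not 1 <= hops <= MAX_TTL - 1:
        # Assumed IOS range for the hops argument (1-254).
        raise ValueError("hops must be 1..254")
    return (MAX_TTL - packet_ttl) <= hops


def arriving_ttl(sent_ttl: int, decrements: int) -> int:
    """TTL the receiving BGP process sees after `decrements` routers have each
    taken one off (Marc's loopback case counts the local router's own
    forwarding as one of them). A packet whose TTL would reach 0 is discarded
    in transit; 0 is returned so the caller's check rejects it too."""
    return max(sent_ttl - decrements, 0)


@dataclass(frozen=True)
class PeerConfig:
    ttl_security: bool   # 'neighbor X ttl-security hops N' configured?
    hops: int = 1        # N; ignored when ttl_security is False

    def sent_ttl(self) -> int:
        # With ttl-security the router sends 255, otherwise the eBGP default.
        return MAX_TTL if self.ttl_security else EBGP_DEFAULT_TTL

    def accepts_from(self, sender: "PeerConfig", decrements: int) -> bool:
        # Assumption: a side without ttl-security performs no TTL check at all.
        if not self.ttl_security:
            return True
        return gtsm_accept(arriving_ttl(sender.sent_ttl(), decrements), self.hops)


def session_up(a: PeerConfig, b: PeerConfig, decrements: int) -> bool:
    """A BGP session needs packets accepted in both directions."""
    return a.accepts_from(b, decrements) and b.accepts_from(a, decrements)


def thread_scenarios() -> dict:
    """The cases discussed in the thread, as label -> session up?"""
    def with_sec(h: int) -> PeerConfig:
        return PeerConfig(True, h)
    no_sec = PeerConfig(False)
    return {
        # Chris: hops 1 on the PE only; the CE sends TTL 1, so 254 > 1 fails.
        "one-sided hops 1, directly connected": session_up(with_sec(1), no_sec, 0),
        # Chris/Bob: hops 254 is the only value that keeps a one-sided session up.
        "one-sided hops 254, directly connected": session_up(with_sec(254), no_sec, 0),
        # Marko's lab: hops 2 on both sides, TTL 255 on the wire, 0 <= 2 passes.
        "both sides hops 2, directly connected": session_up(with_sec(2), with_sec(2), 0),
        # Marc: loopback peering decrements twice, TTL 253 arrives.
        "both sides hops 1, loopback peering": session_up(with_sec(1), with_sec(1), 2),
        "both sides hops 2, loopback peering": session_up(with_sec(2), with_sec(2), 2),
    }


if __name__ == "__main__":
    for label, up in thread_scenarios().items():
        print(f"{label:45s} -> {'up' if up else 'down'}")
```

Running it prints one line per scenario; the one-sided configuration is up only with `hops 254`, which is exactly the behaviour Chris observed, and the loopback case needs `hops 2` as Marc and Edgar describe. A packet that has crossed many routers, for example one arriving with TTL 240, fails the `hops 2` check by a wide margin, which is the filtering benefit Bob points to.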
