Oh I'm not at all surprised about SP'ss reluctance to use MD5 on the session. Use your Google-fu to search for attack vectors using it and also some phenomenal NANOG presentations why it's useless and causes more harm than good :-). In that sense, on external sessions, "ttl-security hops 255" is much more efficient and secure than using the MD5 protection :-)
Good question about the RST. What happened when you labbed it up? ;-) [ this has nothing to do with the lab any longer ] -- Marko Milivojevic - CCIE #18427 (SP R&S) Senior CCIE Instructor / Managing Partner - iPexpert :: Free Video Training: http://youtube.com/iPexpertInc :: Social: http://twitter.com/@icemarkom | http://fb.me/ccie18427 :: iPexpert: http://www.ipexpert.com/Communities | +1-810-326-1444 On Thu, Feb 27, 2014 at 10:36 AM, Bob McCouch <[email protected]> wrote: > The value of TTL security is not that it "scopes" your BGP advertisements, > quite the opposite. It's an anti-spoofing technique. By default, EBGP > packets have a TTL of 1 to limit their scope to the local segment. However, > an attacker could spoof a TCP RST from anywhere on the Internet that > appears to come from your neighbor to kill your session. BGP TTL security > addresses this by setting the TTL up to 255 (which in theory means the > "scope" of the advertisement is much larger), but requires that the > received packet have a TTL of 255-(hops). So if you say "ttl-security hops > 1" then it means the received BGP messages must have an IP TTL of 254 (or > higher as Marko pointed out). > > It's pretty easy to spoof a packet and have it land with a TTL of 1 at > your target. But it's very hard to spoof a packet from across the Internet > and have it land at your target with a TTL of 254. That's what TTL security > does for you. > > That said, I've never used it in production. It's usually enough of a > battle to get an ISP to actually put an MD5 on the session... > > A spoofed packet could get past ACLs. I'm not sure off hand if the TCP RST > has to have the MD5 on it or not to get processed and reset the connection. > Anyone know that? > _______________________________________________ Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
