Gonna make me break out scapy and everything aren't you... Sigh.... :-P
Bob -- Sent from my iPhone, please excuse any typos.

> On Feb 27, 2014, at 1:42 PM, Marko Milivojevic <[email protected]> wrote:
>
> Oh I'm not at all surprised about SPs' reluctance to use MD5 on the session.
> Use your Google-fu to search for attack vectors using it and also some
> phenomenal NANOG presentations on why it's useless and causes more harm than
> good :-). In that sense, on external sessions, "ttl-security hops 255" is
> much more efficient and secure than using the MD5 protection :-)
>
> Good question about the RST. What happened when you labbed it up? ;-)
>
> [ this has nothing to do with the lab any longer ]
>
> --
> Marko Milivojevic - CCIE #18427 (SP R&S)
> Senior CCIE Instructor / Managing Partner - iPexpert
> :: Free Video Training: http://youtube.com/iPexpertInc
> :: Social: http://twitter.com/@icemarkom | http://fb.me/ccie18427
> :: iPexpert: http://www.ipexpert.com/Communities | +1-810-326-1444
>
>> On Thu, Feb 27, 2014 at 10:36 AM, Bob McCouch <[email protected]> wrote:
>> The value of TTL security is not that it "scopes" your BGP advertisements,
>> quite the opposite. It's an anti-spoofing technique. By default, EBGP
>> packets have a TTL of 1 to limit their scope to the local segment. However,
>> an attacker could spoof a TCP RST from anywhere on the Internet that appears
>> to come from your neighbor to kill your session. BGP TTL security addresses
>> this by setting the TTL up to 255 (which in theory means the "scope" of the
>> advertisement is much larger), but requires that the received packet have a
>> TTL of 255-(hops). So if you say "ttl-security hops 1" then it means the
>> received BGP messages must have an IP TTL of 254 (or higher as Marko pointed
>> out).
>>
>> It's pretty easy to spoof a packet and have it land with a TTL of 1 at your
>> target. But it's very hard to spoof a packet from across the Internet and
>> have it land at your target with a TTL of 254. That's what TTL security does
>> for you.
>>
>> That said, I've never used it in production. It's usually enough of a battle
>> to get an ISP to actually put an MD5 on the session...
>>
>> A spoofed packet could get past ACLs. I'm not sure off hand if the TCP RST
>> has to have the MD5 on it or not to get processed and reset the connection.
>> Anyone know that?

_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos :: iPexpert on YouTube: www.youtube.com/ipexpertinc
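Since the thread is about to move to scapy anyway, here is an added worked example (not code from the thread, its authors, or any vendor) that models the two protections discussed above, "ttl-security" (GTSM, RFC 5082) and the TCP MD5 signature option (RFC 2385), applied to a spoofed TCP RST. Packets are represented as a dataclass rather than put on the wire; the addresses, ports, sequence numbers, hop counts and the session key are constructed sample values, and the `ttl-security hops 1` setting and the attacker being 12 router hops away are assumptions of the example.

```python
"""
Model of GTSM ("ttl-security", RFC 5082) and TCP MD5 (RFC 2385) as applied
to an inbound TCP RST on a BGP session.  Added example; all values below are
constructed for illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Optional, Tuple

TCP_PROTO = 6
MAX_TTL = 255
RST = 0x04
ACK = 0x10
BGP_PORT = 179
TCP_HDR_LEN = 20   # fixed TCP header without options
MD5_OPT_LEN = 20   # kind(1) + len(1) + digest(16), padded with two NOPs


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    ttl: int                          # IP TTL as it arrives at the receiver
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""
    md5_sig: Optional[bytes] = None   # RFC 2385 option value, or absent


def gtsm_accept(received_ttl: int, hops: int) -> bool:
    """ttl-security hops N: accept only if TTL >= 255 - N.
    hops 1 therefore means the TTL must be 254 or 255."""
    return received_ttl >= MAX_TTL - hops


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 digest: MD5 over the pseudo-header (src, dst, 0, proto,
    segment length), the TCP header without options and with checksum zero,
    the data, and finally the shared key.  Signed segments carry the option,
    so the segment length and data offset include its 20 bytes."""
    seg_len = TCP_HDR_LEN + MD5_OPT_LEN + len(seg.payload)
    pseudo = (IPv4Address(seg.src).packed + IPv4Address(seg.dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    data_offset_words = (TCP_HDR_LEN + MD5_OPT_LEN) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                          data_offset_words << 4, seg.flags, 65535, 0, 0)
    h = hashlib.md5()
    for part in (pseudo, tcp_hdr, seg.payload, key):
        h.update(part)
    return h.digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Sender side: attach the digest computed under the session key."""
    return replace(seg, md5_sig=tcp_md5_digest(seg, key))


def md5_accept(seg: Segment, key: Optional[bytes]) -> bool:
    """Receiver side.  With a key configured, every segment (RST included)
    must carry a digest that verifies; unsigned or mis-keyed ones are dropped."""
    if key is None:
        return True
    if seg.md5_sig is None:
        return False
    return hmac.compare_digest(seg.md5_sig, tcp_md5_digest(seg, key))


def session_accepts(seg: Segment, hops: Optional[int],
                    key: Optional[bytes]) -> Tuple[bool, str]:
    """The cheap TTL comparison runs first, then the MD5 check if configured."""
    if hops is not None and not gtsm_accept(seg.ttl, hops):
        return False, f"dropped by ttl-security: TTL {seg.ttl} < {MAX_TTL - hops}"
    if not md5_accept(seg, key):
        return False, "dropped by TCP MD5 check"
    return True, "accepted"


def arriving_ttl(sent_ttl: int, router_hops: int) -> int:
    """Each forwarding router decrements the TTL by one; a packet from a
    directly connected neighbor crosses no router and arrives unchanged."""
    return max(sent_ttl - router_hops, 0)


def demo() -> dict:
    """Constructed scenarios: a RST from the on-link neighbor, and a forged RST
    with the neighbor's source address sent from 12 router hops away."""
    neighbor, me = "192.0.2.1", "192.0.2.2"
    key = b"example-session-key"          # constructed sample key
    rst = dict(dst=me, sport=BGP_PORT, dport=45678, seq=0x1000, ack=0x2000,
               flags=RST | ACK)
    on_link = Segment(src=neighbor, ttl=arriving_ttl(MAX_TTL, 0), **rst)
    from_far = Segment(src=neighbor, ttl=arriving_ttl(MAX_TTL, 12), **rst)
    return {
        "legit_signed": session_accepts(sign(on_link, key), hops=1, key=key),
        "spoofed_far_ttl_only": session_accepts(from_far, hops=1, key=None),
        "spoofed_on_link_unsigned": session_accepts(on_link, hops=1, key=key),
        "spoofed_on_link_wrong_key": session_accepts(sign(on_link, b"guess"), hops=1, key=key),
        "no_protection": session_accepts(from_far, hops=None, key=None),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28s} {'ACCEPT' if ok else 'DROP':6s} {why}")
```

Two things the scenarios make visible: the forged RST from across the network fails the TTL check before any cryptography runs, and a forged RST that does land with a good TTL (or with ttl-security turned off) is still dropped when the session has a key, because under RFC 2385 the receiver treats a segment without a valid digest as if it had never arrived, RSTs included.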
