Yessir. And I expect to see the results here :-)

On Thu, Feb 27, 2014 at 10:48 AM, Bob McCouch <[email protected]> wrote:

> Gonna make me break out scapy and everything aren't you... Sigh....
>
> :-P
>
> Bob
> --
> Sent from my iPhone, please excuse any typos.
>
> On Feb 27, 2014, at 1:42 PM, Marko Milivojevic <[email protected]>
> wrote:
>
>
> Oh I'm not at all surprised about SP's reluctance to use MD5 on the
> session. Use your Google-fu to search for attack vectors using it and also
> some phenomenal NANOG presentations why it's useless and causes more harm
> than good :-). In that sense, on external sessions, "ttl-security hops 255"
> is much more efficient and secure than using the MD5 protection :-)
>
> Good question about the RST. What happened when you labbed it up? ;-)
>
> [ this has nothing to do with the lab any longer ]
>
> --
> Marko Milivojevic - CCIE #18427 (SP R&S)
> Senior CCIE Instructor / Managing Partner - iPexpert
> :: Free Video Training: http://youtube.com/iPexpertInc
> :: Social: http://twitter.com/@icemarkom | http://fb.me/ccie18427
> :: iPexpert: http://www.ipexpert.com/Communities | +1-810-326-1444
>
>
>
> On Thu, Feb 27, 2014 at 10:36 AM, Bob McCouch <[email protected]> wrote:
>
>> The value of TTL security is not that it "scopes" your BGP
>> advertisements, quite the opposite. It's an anti-spoofing technique. By
>> default, EBGP packets have a TTL of 1 to limit their scope to the local
>> segment. However, an attacker could spoof a TCP RST from anywhere on the
>> Internet that appears to come from your neighbor to kill your session. BGP
>> TTL security addresses this by setting the TTL up to 255 (which in theory
>> means the "scope" of the advertisement is much larger), but requires that
>> the received packet have a TTL of 255-(hops). So if you say "ttl-security
>> hops 1" then it means the received BGP messages must have an IP TTL of 254
>> (or higher as Marko pointed out).
>>
>> It's pretty easy to spoof a packet and have it land with a TTL of 1 at
>> your target. But it's very hard to spoof a packet from across the Internet
>> and have it land at your target with a TTL of 254. That's what TTL security
>> does for you.
>>
>> That said, I've never used it in production. It's usually enough of a
>> battle to get an ISP to actually put an MD5 on the session...
>>
>> A spoofed packet could get past ACLs. I'm not sure off hand if the TCP
>> RST has to have the MD5 on it or not to get processed and reset the
>> connection. Anyone know that?
>>
>
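Bob's explanation of the TTL-security check, modelled as an added example (this is not code from anyone in the thread): the peer address, hop counts and initial TTLs below are constructed, and `scenario()` compares the legacy "any packet that arrives" behaviour with the GTSM rule that the received TTL must be at least 255 minus the configured hops.

```python
"""Model of BGP TTL security (GTSM, 'ttl-security hops N'):
a received packet is accepted only if its IP TTL is still >= 255 - N."""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str   # claimed source address; trivially forgeable, so not a control
    ttl: int   # IP TTL as seen on the wire


def forward(pkt: Packet, routers: int) -> Optional[Packet]:
    """Every router on the path decrements TTL; a packet that hits 0 is dropped."""
    remaining = pkt.ttl - routers
    return Packet(pkt.src, remaining) if remaining >= 1 else None


def legacy_accept(pkt: Optional[Packet]) -> bool:
    """No TTL security: whatever survives the trip is handed up to TCP/BGP."""
    return pkt is not None


def gtsm_accept(pkt: Optional[Packet], hops: int) -> bool:
    """Receiver side of 'neighbor X ttl-security hops <hops>'."""
    return pkt is not None and pkt.ttl >= MAX_TTL - hops


def scenario(routers_between: int, initial_ttl: int, hops: int) -> dict:
    """Send one packet with initial_ttl across routers_between routers and
    report the arrival TTL plus both acceptance decisions (constructed peer IP)."""
    arrived = forward(Packet("198.51.100.1", initial_ttl), routers_between)
    return {
        "arrival_ttl": None if arrived is None else arrived.ttl,
        "legacy": legacy_accept(arrived),
        "gtsm": gtsm_accept(arrived, hops),
    }


if __name__ == "__main__":
    # Directly connected neighbour sending TTL 255: passes both checks.
    print("real neighbour      ", scenario(0, 255, 1))
    # Packet from 12 routers away, even with TTL 255: legacy accepts, GTSM rejects.
    print("distant source, 255 ", scenario(12, 255, 1))
    # Distant source picking an initial TTL so it lands at 1: legacy accepts, GTSM rejects.
    print("distant source, 13  ", scenario(12, 13, 1))
```

The last case is the one Bob describes: landing a packet with TTL 1 is easy from anywhere, landing one with TTL 254 or better is only possible from within one hop.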