Hi,

Don't use TTL check on iBGP sessions; it doesn't add any security.

Regarding OSPF, unless you are using virtual-links or sham-links, all messages are bound to a directly connected subnet, so you can safely implement the TTL check with 254 (one hop).

Regarding securing PE-RR iBGP sessions, there's nothing that can be done from a security perspective, other than maybe the obligatory MD5 hash, because at this stage it's too late or way too complex to implement any security. The BGP infrastructure has to be protected at the edges of the AS. Maybe the only other thing that you can enable, if not enabled by default and supported, is the BGP enhanced attribute error handling (or even BGP attribute filtering, but again, if implemented, that should be done at the edge). But I just checked, and the enhanced attribute error handling is enabled by default on XE 3S, IOS 15 and XR 4.3.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::

From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com]
Sent: Thursday, May 25, 2017 3:25 AM
To: Saku Ytti; adamv0...@netconsultings.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Best practise/security design for BGP and OSPF

Cheers for the replies - Just to clarify, these templates were purely for PE->RR (not for transit). We do run key-chain auth on OSPF, and I was hoping to do likewise for iBGP -> RRs, but I don't *think* key-chains are supported in XE (yet?)... I need to do some more reading, but I believe XR supports it, but not XE?

Regarding TTL... (in both OSPF and BGP)... hop count can be arbitrary if we encounter a link failure... do we just use the worst-case-scenario hops?

Is there anything you'd add/remove from the templates that I've sent through? (Obviously soft-reconfig inbound chews memory and can be removed, but things like max-prefix... I have it currently set at warning only... recommend killing the session for x minutes if it's exceeded?)... Any other suggestions are greatly appreciated... thanks.
_____
From: Saku Ytti <s...@ytti.fi>
Sent: Tuesday, 23 May 2017 7:10 PM
To: adamv0...@netconsultings.com
Cc: CiscoNSP List; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Best practise/security design for BGP and OSPF

On 23 May 2017 at 12:00, <adamv0...@netconsultings.com> wrote:

Hey,

> Regarding OSPF,
> Best security is to use it solely for routing PE loopbacks (i.e. no
> connectivity outside the core).

But because it's IP, you might receive a spoofed packet further down the line and believe you received it from the far end. So OP's question about TTL-security is a valid one, and I'd support that. I'd also run MD5 auth. But of course if you have a good iACL, stopping the internet from sending anything other than ICMP and UDP high ports to links and loops, you should be pretty safe.

ISIS and OSPF have quite interesting properties. ISIS is more secure out of the box, but in many cases you cannot stop the box from punting CLNS packets, so any edge interface may reach the control plane via crafted CLNS packets (without ISIS being configured on the interface). Whereas OSPF out of the box is less secure due to IP, but pretty much every box supports ACLs, allowing you to consistently protect the box.

--
  ++ytti

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
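The following PE-side configuration is an added illustration of the advice in the thread above; it is not one of the templates the original poster sent, nor anything posted by adam or Saku. It is written in IOS/IOS-XE syntax, and the AS number, router IDs, link addresses, RR loopbacks (10.255.0.1 and 10.255.0.2), key-chain name and key strings are all made up for the example. It shows the combination discussed: OSPF kept to directly connected core links with a one-hop TTL check and key-chain authentication, and the PE-RR iBGP session with only an MD5 password, no TTL check, enhanced attribute error handling left on, and max-prefix set to tear down and restart the session rather than merely warn.

```cisco
! Added example, not from the thread. All names, addresses and keys are
! placeholders; replace them with your own before use.
!
! --- OSPF: core-only adjacencies, keyed auth, one-hop TTL check ---------
key chain OSPF-KC
 key 1
  key-string ChangeMe-OSPF-1
  cryptographic-algorithm hmac-sha-256
!
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
interface GigabitEthernet0/0/0
 description core link to P1 (directly connected, no virtual/sham links)
 ip address 10.1.1.0 255.255.255.254
 ip ospf network point-to-point
 ip ospf authentication key-chain OSPF-KC
 ! Neighbour is on-link, so accept only packets that arrive with TTL >= 254
 ! (hops 1). Anything forwarded from further away is dropped at the input.
 ip ospf ttl-security hops 1
!
router ospf 1
 router-id 10.255.0.11
 ! Everything passive by default so OSPF never speaks on customer-facing ports.
 passive-interface default
 no passive-interface GigabitEthernet0/0/0
 network 10.255.0.11 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.1 area 0
!
! --- iBGP towards the route reflectors ----------------------------------
router bgp 65000
 bgp router-id 10.255.0.11
 bgp log-neighbor-changes
 ! Enhanced attribute error handling is on by default on XE 3S / IOS 15 /
 ! XR 4.3 per the thread; stating it explicitly keeps it visible in the config.
 bgp enhanced-error
 neighbor RR peer-group
 neighbor RR remote-as 65000
 neighbor RR update-source Loopback0
 ! MD5 on the session (the "obligatory" hash); key-chain auth for BGP was
 ! the open XE question in the thread, so only the password form is shown.
 neighbor RR password ChangeMe-BGP-1
 ! Deliberately no "neighbor RR ttl-security": the loopback-to-loopback path
 ! length changes on link failure, and the advice above is that it adds nothing.
 neighbor 10.255.0.1 peer-group RR
 neighbor 10.255.0.2 peer-group RR
 !
 address-family vpnv4
  neighbor RR send-community extended
  ! Tear the session down at 200000 prefixes (warn at 80%) and retry after
  ! 5 minutes, instead of the warning-only setting the poster currently has.
  neighbor RR maximum-prefix 200000 80 restart 5
  ! soft-reconfiguration inbound left out on purpose: it keeps a second copy
  ! of every received route in memory, as the poster noted.
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.2 activate
 exit-address-family
```

After applying it, `show ip ospf interface GigabitEthernet0/0/0` should report TTL security and the key-chain in use, and `show ip bgp vpnv4 all neighbors 10.255.0.1` should show the maximum-prefix threshold and the restart interval alongside the MD5-authenticated session; the exact wording of those outputs varies between IOS and IOS-XE releases.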