BGP TTL Hack and BIRD

Kris Pederson kpederson at equinix.com
Fri Apr 4 18:45:53 CEST 2014


Hi,

Does BIRD support the "TTL Hack"? If so, please advise on configuration recommendations. Thanks!

Details on this hack:

===
The Generalized TTL Security Mechanism (GTSM, RFC 3682 [39]), often referred to as the "TTL hack", is a simple but effective defense that takes advantage of TTL processing. As noted, normal
communications such as e-mail or Web browsing often require 20 or more nodes to reach their destination, and this value varies depending on the application. With BGP, however, peers are normally adjacent, thus only one hop should be required for a packet sent in a BGP message. A BGP message that has passed through multiple nodes is therefore almost certainly either an error or a packet from an attacker. The TTL hack sets the TTL to 255 on outgoing packets. Since routers decrement the TTL field by one when a packet is forwarded, adjacent peers should see incoming packets with TTL = 255. (Note that some implementations decrement the TTL before processing, in which case the incoming packets should have TTL = 254.) A lower value is an indication that the packet originated from somewhere other than the neighboring peer router (see Fig. 4-3). (Note that it is impossible for the packet to start with an initial value above 255, because the TTL field is an 8-bit value.) When implementing the TTL hack, it is also possible to set an expected incoming value below 255 on a per-peer basis when the peer is a known number of hops away, allowing a small variation to allow for changes in topology. For example, if the peer is known to be one hop away, the adjacent peer should reject packets with a TTL < 254. One limitation with the TTL hack is its availability. Code implementing RFC 3682 is provided on newer routers from major vendors, but may not always be included on older, or "legacy", routers, so not all organizations may be able to deploy it.


Kris Pederson
Equinix

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20140404/c5fa5573/attachment.html>


More information about the Bird-users mailing list