Hi Piotr,

Thanks for the inputs.

When the BGP peers are not directly connected, I can use ebgp-multihop or ttl-security to solve the establishment issue. If I need security, I can go for ttl-security. Am I right?

With regards
Kings

On Mon, Feb 22, 2010 at 12:18 AM, Piotr Matusiak <[email protected]> wrote:
> Kings,
>
> Below is the message I sent you a month ago about the difference between
> the ttl-security and ebgp-multihop commands.
>
> ----
> Those commands are mutually exclusive.
> You can easily check what TTL the router expects and what TTL it's using when
> sending BGP packets with the command:
> show ip bgp neighbors 10.20.30.40 | inc TTL
>
> When using the ttl-security command the router expects the TTL of incoming
> packets to be 255 minus the ttl-security hop value. This also sets the TTL for
> outgoing packets to 255 (like the ebgp-multihop command without any number).
>
> As we know, two routers are at the same hop count distance from each other,
> so 255 will be 250 (255-5) on the far end.
>
> In contrast to that, the ebgp-multihop command sets the TTL for outgoing packets
> (default is 1, so EBGP peers must be on the same subnet to establish
> adjacency). This is also fine, but it does not protect the peer in case an
> attacker sets a fake TTL in the packet and sends it out; lots of such
> packets cause a DoS attack, as the router must process each packet before it
> drops it.
> -----
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
>
>
> 2010/2/21 Kingsley Charles <[email protected]>
>
>> Hi all
>>
>> I have two BGP peers connected as follows:
>>
>> L0 (3.3.3.3) R1 F0/0 (10.20.30.40) ------------------- (10.20.30.44) R2 L0 (4.4.4.4)
>>
>> R1
>>
>> neighbor 4.4.4.4 remote-as 3
>> neighbor 4.4.4.4 update-source l0
>>
>> R2
>>
>> neighbor 3.3.3.3 remote-as 4
>> neighbor 3.3.3.3 update-source l0
>>
>> The BGP session comes up when I configure either bgp neighbor *ttl-security
>> hop 2*, neighbor *ebgp-multihop 2* or neighbor *disable-connected-check*.
>>
>> *ebgp-multihop 2*
>>
>> By default, BGP sends the packet with TTL 255 and it is 253 when it reaches
>> the loopback. *ebgp-multihop 2* accepts a BGP connection that can be 2
>> hops away.
>>
>> *disable-connected-check*
>>
>> This command removes the directly-connected check, for which TTL = 254.
>>
>> *ttl-security hop 2*
>>
>> *Definition from Cisco*
>>
>> TTL Security Check protects the eBGP neighbor session by comparing the
>> value in the TTL field of received IP packets against a hop count that is
>> configured locally for each eBGP neighbor session. If the value in the TTL
>> field of the incoming IP packet is greater than or equal to the locally
>> configured value, the IP packet is accepted and processed normally. If
>> the TTL value in the IP packet is less than the locally configured value,
>> the packet is silently discarded and no ICMP message is generated. This is
>> designed behavior; a response to a forged packet is unnecessary.
>>
>> My understanding is that the BGP packet comes with a TTL of 255 and since 255 >
>> 2, BGP is allowed to establish. I think I am wrong here.
>>
>> Can someone please explain the three options.
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
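The receive-side rule Piotr describes, written out as an added, constructed model that is neither Cisco code nor part of the thread: ttl-security hops N silently discards packets arriving with IP TTL below 255 - N, while ebgp-multihop only sets the outgoing TTL and hands every unexpired packet to the BGP process. The addresses, hop counts and packet labels are assumed sample values; the rule that ebgp-multihop applies no TTL filter beyond "not expired" is this model's assumption.

```python
# Added model of the BGP receive-side decision (not Cisco code): ttl-security
# versus ebgp-multihop, as described in the thread. Sample values are constructed.
from dataclasses import dataclass
from typing import Dict, List

MAX_TTL = 255

@dataclass(frozen=True)
class BgpPacket:
    src: str          # source address as seen by the router
    arrival_ttl: int  # IP TTL when the packet reaches the BGP speaker
    note: str         # constructed label for the sample packet

def expected_min_ttl(hops: int) -> int:
    """Minimum TTL the router expects with 'ttl-security hops <hops>'."""
    return MAX_TTL - hops

def ttl_security_accepts(pkt: BgpPacket, hops: int) -> bool:
    """Silently discard anything whose TTL is below 255 - hops (no ICMP sent)."""
    return pkt.arrival_ttl >= expected_min_ttl(hops)

def ebgp_multihop_accepts(pkt: BgpPacket) -> bool:
    """Model assumption: no TTL filter, only 'not expired' (TTL >= 1)."""
    return pkt.arrival_ttl >= 1

def max_forgeable_ttl(attacker_hops: int) -> int:
    """Highest arrival TTL a sender attacker_hops routers away can produce: the
    field caps at 255 and each router decrements it, so forging more buys nothing."""
    return MAX_TTL - attacker_hops

def ttl_security_blocks_attacker(attacker_hops: int, hops: int) -> bool:
    """True when a spoofer attacker_hops away cannot pass 'ttl-security hops <hops>'."""
    return max_forgeable_ttl(attacker_hops) < expected_min_ttl(hops)

def triage(packets: List[BgpPacket], hops: int) -> Dict[str, Dict[str, bool]]:
    """Decision for each packet under both configurations."""
    return {p.note: {"ttl_security": ttl_security_accepts(p, hops),
                     "ebgp_multihop": ebgp_multihop_accepts(p)} for p in packets}

# Constructed sample traffic: the loopback peer from the thread (TTL 253 on
# arrival with 'hops 2') and a spoofed segment that crossed ten routers.
SAMPLE = [
    BgpPacket("4.4.4.4", 253, "legit-peer-2-hops"),
    BgpPacket("4.4.4.4", max_forgeable_ttl(10), "spoofed-src-10-hops-away"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE, hops=2).items():
        print(name, verdict)
```

The spoofed packet is processed under ebgp-multihop (the DoS exposure Piotr mentions) but dropped before BGP sees it under ttl-security, because a sender ten routers away cannot make a packet arrive with TTL above 245.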
