Hi Piotr

Thanks, that was the answer I was expecting. So the BGP packet's TTL is
decremented before reaching the BGP code, and hence the BGP control plane is
considered as one hop, right?

And on my next query: when we use a loopback interface as the source, we do
not add one more hop, do we?


L0 R1 ---------------- R2 ------------------- R3 L0

R1 and R3 are BGP peers and they are using L0 as the source. If we need to
configure ttl security, then "neighbor X.X.X.X ttl-security hops 2" is
required.
Even for this we should use 2 hops, not 3 (counting the loopback interface as
another hop). Hence for both cases, with R1 and R3 as BGP peers,
irrespective of whether they use a physical or loopback interface, "neighbor
X.X.X.X ttl-security" should be configured with 2 hops.


L0 R1 ---------------- R2 ------------------- R3 L0
R1 ---------------- R2 ------------------- R3

With regards
Kings

On Wed, May 11, 2011 at 2:30 PM, Piotr Matusiak <[email protected]> wrote:

> Hi Kings,
>
> Yes, the issue you observed is a feature, not a bug :)
> Basically, GTSM is a software feature (most likely on lower platforms) and
> the BGP code is checked very late in the path. So the BGP code checks the TTL
> value after the TCP code, where the MD5 checksum is verified and the TTL is
> decremented.
>
> GTSM was designed mainly for directly connected hops and it has some issues
> with multi-hop environments.
>
>
> Regards,
> Piotr
>
> 2011/5/11 Kingsley Charles <[email protected]>
>
>> Hi Piotr
>>
>> I am not referring to directly connected BGP peers.
>>
>> I have two routers (R1 and R3) establishing a BGP connection with a router
>> in between. For a successful BGP peering we need to configure either
>> "neighbor X.X.X.X ttl-security hops 2" or "neighbor X.X.X.X ebgp-multihop 2".
>> Hence 2 hops are required.
>>
>> R1 ---------- R2 ------------- R3
>>
>> As a general statement, the TTL is decremented after the routing process
>> when the packet comes to the exit interface.
>>
>> Actually speaking, it is only "1" hop between R1 and R3, right? It is "2"
>> hops only if the packets from R1 transit R3. Now with BGP, the packets
>> go to the RP directly and don't transit, but IOS expects 2 hops for
>> ebgp-multihop or ttl-security. So my question is: when is the TTL decremented
>> for the BGP packets?
>>
>>
>> With regards
>> Kings
>>
>>
>> On Wed, May 11, 2011 at 1:00 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Kings,
>>>
>>> I'm not sure if I get you right. Do you want to have ttl-security = 1 and
>>> configure eBGP peers on loopbacks?
>>>
>>> You can configure it this way but it simply does not work because there
>>> are "two" checks that all eBGP sessions have:
>>> -- TTL is set to "1" on both sides
>>> AND
>>> -- the "peer" must be directly connected
>>>
>>> When loopbacks are used, it is the second test that fails since the
>>> loopback address of the peer is not within a "C" (Connected) subnet.
>>> There is ONLY "1" TTL decrement done on the packet... NOT 2.
>>>
>>> The way people always got around this in the past was to use
>>> "ebgp-multihop 2" -- which "disables" the connected check. This opens a
>>> (small) security hole, so Cisco added the "disable-connected-check" command
>>> which permits eBGP between loopbacks + the default TTL=1 setting... and
>>> closes the diameter of attacks.
>>>
>>>
>>> Try this:
>>>
>>> router bgp 1
>>>  nei 2.2.2.2 remote 2
>>>  nei 2.2.2.2 up lo0
>>>  nei 2.2.2.2 disable-conn
>>>
>>>
>>> Regards,
>>>
>>> Piotr
>>>
>>>
>>>
>>>
>>>
>>> 2011/5/11 Kingsley Charles <[email protected]>
>>>
>>>> Hi Piotr/all
>>>>
>>>> Waiting for your inputs :-)
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>>
>>>> On Tue, May 10, 2011 at 4:58 PM, Kingsley Charles <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi Piotr
>>>>>
>>>>> I labbed it out many times and observed the following:
>>>>>
>>>>> With the above given case, which has one router in between, "neighbor
>>>>> X.X.X.X ttl-security hops 2" is required or "neighbor X.X.X.X
>>>>> ebgp-multihop 2".
>>>>>
>>>>> With the same setup, if I use loopback interfaces as the source address, it
>>>>> requires "neighbor X.X.X.X ttl-security hops 2" or
>>>>> "neighbor X.X.X.X ebgp-multihop 2". Even when we use a loopback interface,
>>>>> the hops are the same as the loopback is still on the same router. Hence
>>>>> hops 2 is also required here.
>>>>>
>>>>> Earlier my understanding was that the TTL is decremented after the routing
>>>>> process when the packet lands on the "Forwarding Interface". If the TTL is
>>>>> "0", the ICMP time exceeded is sent back, where the ingress interface's IP
>>>>> address is used as the source address for the ICMP packet.
>>>>>
>>>>> Having said this, BGP seems to be specially handled by IOS, where it
>>>>> decrements the TTL though it is going to the control plane and not to any
>>>>> forwarding interface.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>>
>>>>> On Tue, May 10, 2011 at 4:40 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>
>>>>>> Hi Kings,
>>>>>>
>>>>>> The TTL is decreased by 1 on every routed hop. If it is decreased on the
>>>>>> inside interface, that would mean R3 sees 253. I think R3 will see
>>>>>> 254 - assuming you're not using loopbacks.
>>>>>>
>>>>>> Regards,
>>>>>> Piotr
>>>>>>
>>>>>> 2011/5/10 Kingsley Charles <[email protected]>
>>>>>>
>>>>>>> Hi all
>>>>>>>
>>>>>>> When a router receives a packet, will the TTL be decremented on the
>>>>>>> ingress interface or on the egress interface while exiting? I am raising
>>>>>>> this question due to the following case.
>>>>>>>
>>>>>>>
>>>>>>> R1 ---------- R2 ------------- R3
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> R1 and R3 are EBGP peers and we should configure hops as "2" with BGP
>>>>>>> ttl security as follows:
>>>>>>>
>>>>>>> neighbor X.X.X.X ttl-security hops 2
>>>>>>>
>>>>>>> Here R2 is the only router in between which reduces the TTL. If hops
>>>>>>> is "2", the received TTL should be 253 or above. Hence, it means the
>>>>>>> TTL is decremented on the ingress interface, right?
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>> please visit www.ipexpert.com
>>>>>>>
>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>> www.PlatinumPlacement.com
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
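Added example (not code from the thread, from IOS, or from Cisco): a small Python model of the ttl-security behaviour Kings labbed, under Piotr's explanation that the receiving router decrements the TTL once more before the BGP code compares it. The router-path list format and the function names are this example's own assumptions; the hop counts and TTL values are the ones quoted in the thread.

```python
# Model of GTSM / "neighbor X.X.X.X ttl-security hops N" as discussed above.
# Assumptions (this example's, not IOS documentation): the GTSM sender uses
# TTL 255, every transit router decrements once, and the receiving router
# decrements once more (after the TCP/MD5 code) before BGP sees the packet.

GTSM_INITIAL_TTL = 255  # a GTSM-enabled speaker sends with TTL 255


def ttl_seen_by_bgp(path):
    """TTL the BGP process on path[-1] sees for a packet sent by path[0].

    `path` lists the routers traversed, endpoints included, e.g.
    ["R1", "R2", "R3"] for the thread's topology. Sourcing the session from
    a loopback changes nothing: the loopback is on the same router as the
    physical interface, so the path (and the hop count) is identical.
    """
    transit_routers = len(path) - 2
    return GTSM_INITIAL_TTL - transit_routers - 1  # -1: receiver's own decrement


def gtsm_accepts(received_ttl, hops):
    """ttl-security hops N accepts a packet only if its TTL >= 255 - N."""
    return received_ttl >= GTSM_INITIAL_TTL - hops


def minimum_hops_setting(path):
    """Smallest hops value that lets the session come up over `path`.

    The defender wants the smallest value that works: a packet injected from
    more routers away than this can never arrive with a high enough TTL.
    """
    hops = 1
    while not gtsm_accepts(ttl_seen_by_bgp(path), hops):
        hops += 1
    return hops


if __name__ == "__main__":
    one_in_between = ["R1", "R2", "R3"]           # R1 --- R2 --- R3
    print(ttl_seen_by_bgp(one_in_between))        # 253, as observed in the lab
    print(minimum_hops_setting(one_in_between))   # 2 -> "ttl-security hops 2"
    print(minimum_hops_setting(["R1", "R3"]))     # 1 for directly connected peers
    # A constructed off-path sender two routers beyond R2 is rejected with hops 2:
    print(gtsm_accepts(ttl_seen_by_bgp(["X", "A", "B", "R3"]), 2))  # False
```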