Tuesday, September 07, 2010

eBgp-Multihop vs. ttl-security

Today I answered one of the Cisco CCIE GroupStudy questions on the relation between the two features.

To understand the relation, let's first explore what each feature's job and purpose in life is:

eBgp-multihop – as with IGPs, the default TTL on eBGP packets is 1, which ensures delivery only to a directly connected network node. Unlike IGPs, though, eBGP is often (in real networks) established between loopback interfaces. A packet generated / sourced from a loopback interface leaves the router through its next-hop interface, and that breaks the communication: 1 - 1 = 0, and a TTL of 0 means the packet can't be delivered to its destination. So

what to do?!
Increase the TTL (is the answer :-)).
Configuring eBgp-multihop simply tells the router what TTL to set on the packet so that it can reach the desired network.

ttl-security – so we now understand that eBgp-multihop affects packets going out of our system by manipulating their TTL.
How do I prevent a neighbor sitting 10 hops away from peering with me?!
You set ttl-security.

Now you will say: if you didn't want to be a neighbor, just don't configure him on your side, and that would also be fine. But let's say you have neighbor relations with 2 routers, each (normally) 3 hops away. One of them experiences a link failure, changes its route to reach you and is now 5 hops away, while your policy is to maintain neighbor relations only with routers no more than 3 hops away.

But again you would say: so set eBgp-multihop to 3 (or 4 if using the loopback), and again you would be correct.

So why ttl-security? Mainly, it is there to prevent DoS attacks! Unlike eBgp-multihop, which sets the TTL on packets we send, ttl-security checks the TTL of packets we receive, so a packet forged from far away (its TTL decremented by every router on the path) is dropped before it ever reaches the BGP process.
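To make the difference concrete, here is a small Python simulation added for this post (not code from the original or from Cisco) of how the two features treat the IP TTL: ebgp-multihop raises the TTL the sender puts on its packets, while ttl-security applies the GTSM rule (RFC 5082, as implemented by Cisco) that the peer sends TTL 255 and the receiver drops anything arriving below 255 minus the configured hop count. The hop counts and TTL values are constructed sample inputs.

```python
"""Simulate how eBGP multihop and ttl-security (GTSM, RFC 5082) treat the
IP TTL of BGP packets. Hop counts and TTL values used below are constructed
sample inputs, not taken from any real network."""

MAX_TTL = 255


def ttl_on_arrival(initial_ttl: int, router_hops: int) -> int:
    """TTL seen by the receiver after a packet crosses `router_hops` routers
    (hops=1 means directly connected: nobody decrements). Returns 0 if the
    packet expires in transit."""
    return max(initial_ttl - (router_hops - 1), 0)


def multihop_delivered(ebgp_multihop: int, router_hops: int) -> bool:
    """ebgp-multihop N only raises the TTL the *sender* puts on its packets
    (default 1). Delivery succeeds if that TTL survives the path."""
    return ttl_on_arrival(ebgp_multihop, router_hops) > 0


def gtsm_accepts(ttl_security_hops: int, arriving_ttl: int) -> bool:
    """ttl-security hops N makes the *receiver* drop any BGP packet whose TTL
    is below 255 - N. Since no router ever increases a TTL, a packet that
    arrives with TTL >= 255 - N can have travelled at most about N hops."""
    return arriving_ttl >= MAX_TTL - ttl_security_hops


def peer_accepted(ttl_security_hops: int, sender_ttl: int, router_hops: int) -> bool:
    """End-to-end check: the sender emits `sender_ttl` (GTSM peers use 255),
    the path is `router_hops` long, and the receiver applies ttl-security."""
    return gtsm_accepts(ttl_security_hops, ttl_on_arrival(sender_ttl, router_hops))


if __name__ == "__main__":
    # Loopback peering 3 hops away: the default TTL 1 dies, multihop 3 arrives.
    print(multihop_delivered(1, 3), multihop_delivered(3, 3))       # False True
    # Policy "no peer farther than 3 hops": the peer at 3 hops is accepted;
    # after its reroute to 5 hops it is dropped by ttl-security.
    print(peer_accepted(3, 255, 3), peer_accepted(3, 255, 5))       # True False
    # Packets from 10 hops away still reach the BGP process when only multihop
    # is in play, but fail the TTL floor once ttl-security hops 3 is enabled.
    print(ttl_on_arrival(255, 10) > 0, peer_accepted(3, 255, 10))  # True False
```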

Hope this helped in some way to understand the difference and each feature's job in life.
