Nov 25, 2009

BGP Best Path Criteria

Updated from Cisco 360 Workshop 1 Vol.1

1. Highest weight (default = 0)
2. Highest local preference (default = 100)
3. Locally originated (next hop 0.0.0.0, weight = 32768)
4. Shortest AS path length
5. Lowest origin code (IGP < EGP < incomplete)
6. Lowest MED (default = 0)
7. EBGP over IBGP
8. If internal, prefer path with lowest IGP metric to next hop
9. If external, consider multipath (NEW!)
10. If external, prefer old one
11. Lowest router ID or originator ID
12. Minimum cluster list length (NEW!)
13. Lowest neighbor address
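To make the ordering concrete, here is an added Python model of the selection steps above (example code written for this note, not from the Cisco workshop material). It walks the 13 steps pairwise in the listed order and reports which step decided. Step 9 (multipath) installs several paths rather than picking one, so a single-best comparison simply falls through it; step 10 is modelled with an assumed `received_seq` bookkeeping field where a lower number means the path was received earlier. The candidate paths are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Origin codes ranked as listed above: IGP < EGP < incomplete (lower wins).
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class BgpPath:
    """One candidate path for the same prefix, carrying only the attributes the steps examine."""
    name: str                                          # label for this example, not a BGP attribute
    weight: int = 0                                    # step 1, Cisco-local, default 0
    local_pref: int = 100                              # step 2, default 100
    locally_originated: bool = False                   # step 3
    as_path: List[int] = field(default_factory=list)   # step 4, only the length is compared
    origin: str = "igp"                                # step 5
    med: int = 0                                       # step 6, default 0
    ebgp: bool = True                                  # step 7, True = learned from an EBGP peer
    igp_metric: int = 0                                # step 8, IGP cost to the next hop
    received_seq: int = 0                              # step 10, lower = received earlier (assumed field)
    router_id: str = "0.0.0.0"                         # step 11, router ID or originator ID
    cluster_list_len: int = 0                          # step 12
    neighbor_addr: str = "0.0.0.0"                     # step 13


def _ip_key(addr: str) -> Tuple[int, ...]:
    """Compare dotted-quad addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in addr.split("."))


def compare(a: BgpPath, b: BgpPath) -> Tuple[Optional[BgpPath], int]:
    """Walk the steps in order; return (winner, deciding step), or (None, 0) if fully tied."""
    if a.weight != b.weight:                                   # 1. highest weight
        return (a if a.weight > b.weight else b), 1
    if a.local_pref != b.local_pref:                           # 2. highest local preference
        return (a if a.local_pref > b.local_pref else b), 2
    if a.locally_originated != b.locally_originated:           # 3. locally originated
        return (a if a.locally_originated else b), 3
    if len(a.as_path) != len(b.as_path):                       # 4. shortest AS path
        return (a if len(a.as_path) < len(b.as_path) else b), 4
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:         # 5. lowest origin code
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), 5
    if a.med != b.med:                                         # 6. lowest MED
        return (a if a.med < b.med else b), 6
    if a.ebgp != b.ebgp:                                       # 7. EBGP over IBGP
        return (a if a.ebgp else b), 7
    # From here on both paths are the same type (both EBGP or both IBGP).
    if not a.ebgp and a.igp_metric != b.igp_metric:            # 8. internal: lowest IGP metric
        return (a if a.igp_metric < b.igp_metric else b), 8
    # 9. external multipath would install both; single-best selection falls through.
    if a.ebgp and a.received_seq != b.received_seq:            # 10. external: prefer the older path
        return (a if a.received_seq < b.received_seq else b), 10
    if a.router_id != b.router_id:                             # 11. lowest router / originator ID
        return (a if _ip_key(a.router_id) < _ip_key(b.router_id) else b), 11
    if a.cluster_list_len != b.cluster_list_len:               # 12. shortest cluster list
        return (a if a.cluster_list_len < b.cluster_list_len else b), 12
    if a.neighbor_addr != b.neighbor_addr:                     # 13. lowest neighbor address
        return (a if _ip_key(a.neighbor_addr) < _ip_key(b.neighbor_addr) else b), 13
    return None, 0


def best_path(paths: List[BgpPath]) -> BgpPath:
    """Fold compare() over the candidates; a complete tie keeps the path already held."""
    best = paths[0]
    for candidate in paths[1:]:
        winner, _ = compare(best, candidate)
        if winner is candidate:
            best = candidate
    return best


# Constructed candidates for one prefix (sample data, not from the page).
CANDIDATES = [
    BgpPath("via-65001", as_path=[65001, 65003], med=10,
            router_id="10.0.1.1", neighbor_addr="192.0.2.1"),
    BgpPath("via-65002", as_path=[65002], med=20,
            router_id="10.0.2.2", neighbor_addr="192.0.2.2"),
    BgpPath("via-ibgp", local_pref=200, ebgp=False, as_path=[65002], igp_metric=30,
            router_id="10.0.0.3", neighbor_addr="10.0.0.3"),
]

if __name__ == "__main__":
    winner = best_path(CANDIDATES)
    print("best path:", winner.name)
    for other in CANDIDATES:
        if other is not winner:
            print(f"  beats {other.name} at step {compare(winner, other)[1]}")
```

Note that the IBGP path wins here even though its AS path is no shorter and it loses the EBGP-over-IBGP step: local preference is checked at step 2, long before step 7, which is exactly why the order of the list matters when reading `show ip bgp` output.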

Nov 23, 2009

Understanding BGP TTL Security - Packet Life


By default, IOS sends BGP messages to EBGP neighbors with an IP time-to-live (TTL) of 1. (This can be adjusted with ebgp-multihop attached to the desired neighbor or peer group under BGP configuration.) Sending BGP messages with a TTL of one requires that the peer be directly connected, or the packets will expire in transit. Likewise, a BGP router will only accept incoming BGP messages with a TTL of 1 (or whatever value is specified by ebgp-multihop), which can help mitigate spoofing attacks.

However, there is an inherent vulnerability to this approach: it is trivial for a remote attacker to adjust the TTL of sent packets so that they appear to originate from a directly connected peer.

[Image: ttl-security1.png]

By spoofing legitimate-looking packets toward a BGP router at high volume, a denial of service (DoS) attack may be accomplished.

A very simple solution to this, as discussed in RFC 3682, is to invert the direction in which the TTL is counted. The maximum value of the 8-bit TTL field in an IP packet is 255; instead of accepting only packets with a TTL set to 1, we can accept only packets with a TTL of 255 to ensure the originator really is exactly one hop away. This is accomplished on IOS with the TTL security feature, by appending ttl-security hops to the BGP peer statement.

[Image: ttl-security2.png]

Only BGP messages with an IP TTL greater than or equal to 255 minus the specified hop count will be accepted. TTL security and EBGP multihop are mutually exclusive; ebgp-multihop is no longer needed when TTL security is in use.

Examples

The following example sets the expected incoming TTL value for a directly connected eBGP peer. The hop-count argument is set to 2, configuring BGP to accept only IP packets whose header TTL is equal to or greater than 253. If the 10.1.1.1 neighbor is more than 2 hops away, the peering session will not be accepted.

neighbor 10.1.1.1 ttl-security hops 2
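The reason inverting the TTL check works is the one the article gives: a sender can start no higher than 255, and every router on the way takes one off, so a packet's arrival TTL is bounded by the sender's distance no matter what value it started with. The added Python below (written for this note, not Packet Life's or Cisco's code) checks that argument by brute force: it models the per-router decrement, applies the `ttl-security hops N` rule of accepting TTL >= 255 - N, and confirms that past a certain number of intermediate routers no starting TTL can pass, using the `hops 2` setting from the example above. The packet list at the bottom is constructed sample data, and distance is counted as the number of routers between sender and receiver (an assumption of this model).

```python
MAX_TTL = 255  # an 8-bit field, so no sender can start any higher than this


def arrival_ttl(initial_ttl: int, intermediate_routers: int) -> int:
    """TTL the receiver observes after each router on the path decrements it once.

    Returns 0 when the packet would expire in transit and never be delivered.
    """
    if not 1 <= initial_ttl <= MAX_TTL:
        raise ValueError("initial TTL must be 1..255")
    remaining = initial_ttl - intermediate_routers
    return remaining if remaining >= 1 else 0


def gtsm_accepts(received_ttl: int, hops: int) -> bool:
    """The 'neighbor ... ttl-security hops N' rule: accept only TTL >= 255 - N."""
    return received_ttl >= MAX_TTL - hops


def reachable_arrival_ttls(intermediate_routers: int) -> set:
    """Every TTL a sender at that distance could make the receiver observe, over all 255 start values."""
    return {arrival_ttl(t, intermediate_routers) for t in range(1, MAX_TTL + 1)} - {0}


def can_be_accepted_from(intermediate_routers: int, hops: int) -> bool:
    """Whether any start TTL chosen at that distance passes the GTSM check."""
    return any(gtsm_accepts(t, hops) for t in reachable_arrival_ttls(intermediate_routers))


def farthest_accepted_distance(hops: int) -> int:
    """Largest router count from which a packet can still be accepted; expected to equal hops."""
    distance = 0
    while can_be_accepted_from(distance + 1, hops):
        distance += 1
    return distance


# Constructed sample of arriving BGP packets as (source, observed TTL); not captured data.
SAMPLE_PACKETS = [
    ("10.1.1.1", 254),     # the configured peer with one router in between
    ("198.51.100.7", 1),   # arrives with the value the pre-GTSM check would have expected
    ("203.0.113.9", 250),  # a source at least five routers away
]


def accepted_sources(packets, hops: int) -> list:
    """Apply the GTSM rule to each packet and keep the sources that pass."""
    return [src for src, ttl in packets if gtsm_accepts(ttl, hops)]


if __name__ == "__main__":
    HOPS = 2  # matches 'neighbor 10.1.1.1 ttl-security hops 2'
    print("minimum accepted TTL:", MAX_TTL - HOPS)
    print("farthest distance still accepted:", farthest_accepted_distance(HOPS), "routers")
    for src, ttl in SAMPLE_PACKETS:
        print(f"{src:>14} ttl={ttl:3d} -> {'accept' if gtsm_accepts(ttl, HOPS) else 'drop'}")
```

The second sample packet is the case the article warns about: under the old TTL-of-1 model it would look like a directly connected peer, whereas under `ttl-security hops 2` it is dropped because 1 is far below 253, and `farthest_accepted_distance` shows there is no starting value that changes that outcome from three or more routers away.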