Posts

Showing posts from November 22, 2009

BGP Best Path Criteria

Updated from Cisco 360 Workshop 1 Vol.1
1. Highest weight(default=0) 2. Highest local preference(default=100) 3. Locally originated(Next hop:0.0.0.0, weight=32768) 4. Shortest AS path length 5. Lowest origin code(IGP < EGP < incomplete) 6. Lowest MED(default=0) 7. EBGP over IBGP 8. If internal, prefer path with lowest IGP metric to next hop 9. If external, consider multipath (NEW!) 10. If external, prefer old one 11. Lowest router ID or originator ID 12. Minimum cluster list length (NEW!) 13. Lowest neighbor address

Understanding BGP TTL Security - Packet Life

Image
Understanding BGP TTL Security - Packet Life
By default, IOS sends BGP messages to EBGP neighbors with an IP time-to-live (TTL) of 1. (This can be adjusted with ebgp-multihopattached to the desired neighbor or peer group under BGP configuration.) Sending BGP messages with a TTL of one requires that the peer be directly connected, or the packets will expire in transit. Likewise, a BGP router will only accept incoming BGP messages with a TTL of 1 (or whatever value is specified by ebgp-multihop), which can help mitigate spoofing attacks.
However, there is an inherent vulnerability to this approach: it is trivial for a remote attacker to adjust the TTL of sent packets so that they appear to originating from a directly-connected peer. By spoofing legitimate-looking packets toward a BGP router at high volume, a denial of service (DoS) attack may be accomplished.
A very simple solution to this, as discussed in RFC 3682, is to invert the direction in which the TTL is counted. The maximum value o…