North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
RE: BGP TTL check in 12.3(7)T
- From: Blaine Christian
- Date: Thu Apr 08 12:52:53 2004
Hi Pekka,
>
> Spoofing filters (source address is most useful, but a few
> protocols being deployed now also require destination address
> based filtering) at your border are still best to prevent
> external abuse to your
> infrastructure?
>
I agree that spoofing filters help also (perhaps we are not
communicating)... But TTL helps in places where you can't just anti-spoof.
For example, suppose you have box X which can do ZERO filtering at line
rate. Then box Y that can...
X->Y
You have a BGP session between X and Y and many untrusted things talking to
X. How would I anti-spoof X's protocol traffic when I am at Y? The nice
thing about X is that it does, hopefully reliably, decrement the TTL.
Michel, this same answer should apply to your statement. I agree that
anti-spoofing helps. But TTL filtering can fix some very interesting
problems.
BTW, I am only commenting on TTL filtering and not necessarily Cisco's
implementation (I have not even read through their implementation yet).
Regards,
Blaine
|
