BGP TTL Security

In IOS 12.4, Cisco added a feature to BGP that you might want to implement: TTL checking between peers. Although I've never heard of it happening, it is possible for a rogue router to hijack a BGP peer connection and inject bogus routes. To prevent this, you can use TTL checking between peers.

This feature takes advantage of the fact that it is thought to be impossible to forge the TTL count of an IP packet without internal access to the source or destination network. Since it's extremely difficult or impossible to forge TTL counts, we can apply a rule that only accepts IP packets with a TTL count tht is equal to our configured hop-count. (TTL can be considered a hop-count.)

This command is not supported for iBGP (internal) peers. It applies only to eBGP (external) peers.

For example, if the BGP peer was directly connected, we could set the hop-count (TTL) to 2, and our BGP process accepts only packets with that hop-count from that neighbor's IP address.

neighbor 10.10.1.1 ttl-security hops 2

With this setting, if the hop-count is less than 253, the packet is dropped. (You get 253 by subtracting our hop-count of 2 from 255.) The only TTL values that will be accepted are 254 and 253.