github.com/osrg/gobgp/v3@v3.30.0/docs/sources/ttl-security.md

# TTL Security

This page explains how to configure TTL Security in accordance with
[RFC3682](https://tools.ietf.org/html/rfc3682): The Generalized TTL Security
Mechanism (GTSM). (RFC3682 has since been obsoleted by RFC5082, which keeps
the same mechanism.)

## Prerequisites

Assume you finished [Getting Started](getting-started.md).

## Contents

- [Configuration](#configuration)
- [Verification](#verification)

## Configuration

If the BGP neighbor "10.0.0.2" is directly connected and a "malicious" BGP
router is 2 hops away, you can block the connection from the malicious BGP
router by setting `ttl-min >= 254` in the `[neighbors.ttl-security.config]`
section. `ttl-min = 255` accepts only a directly connected neighbor, and
`ttl-min = 254` also accepts a neighbor 1 hop away. In general, each router
hop decrements the TTL by one, so `ttl-min = 255 - (number of hops you are
willing to accept)`.

```toml
[global.config]
  router-id = "10.0.0.1"

[[neighbors]]
  [neighbors.config]
    neighbor-address = "10.0.0.2"
  [neighbors.ttl-security.config]
    enabled = true
    ttl-min = 255
```

**NOTE:** The TTL Security feature is mutually exclusive with
[eBGP Multihop](ebgp-multihop.md).
These features cannot be configured for the same neighbor.

**NOTE:** TTL Security is not authentication. It only limits who can reach
the BGP session to hosts within the configured hop radius; a host inside
that radius that can spoof the neighbor address is not stopped by it, so
combine it with TCP session authentication where the peer supports it.

## Verification

With the TTL Security configuration, GoBGP sets the TTL of all outgoing BGP
packets to 255 and sets the minimum acceptable TTL of incoming packets to the
given `ttl-min` value.
With the above configuration, only the directly connected neighbor
"10.0.0.2" is accepted and the malicious BGP router is blocked.
For the connection from the proper neighbor:

```bash
$ gobgpd -f gobgpd.toml
{"level":"info","msg":"gobgpd started","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"level":"info","msg":"Peer 10.0.0.2 is added","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"Topic":"Peer","level":"info","msg":"Add a peer configuration for:10.0.0.2","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"Key":"10.0.0.2","State":"BGP_FSM_OPENCONFIRM","Topic":"Peer","level":"info","msg":"Peer Up","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
...(snip)...
```

Every packet in both directions carries `ttl 255`:

```bash
$ tcpdump -i ethXX tcp -v
tcpdump: listening on ethXX, link-type EN10MB (Ethernet), capture size 262144 bytes
hh:mm:ss IP (tos 0x0, ttl 255, id 51126, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.2.xxx > 10.0.0.1.bgp: Flags [S], cksum 0x7df2 (correct), seq 889149897, win 29200, options [mss 1460,sackOK,TS val 4431487 ecr 0,nop,wscale 9], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x12ac), seq 2886345048, ack 889149898, win 28960, options [mss 1460,sackOK,TS val 4431487 ecr 4431487,nop,wscale 9], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 51127, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb260), ack 1, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 51128, offset 0, flags [DF], proto TCP (6), length 103)
    10.0.0.2.xxx > 10.0.0.1.bgp: Flags [P.], cksum 0x83ad (incorrect -> 0x8860), seq 1:52, ack 1, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 51: BGP
        Open Message (1), length: 51
          Version 4, my AS 65002, Holdtime 90s, ID 2.2.2.2
          Optional parameters, length: 22
            Option Capabilities Advertisement (2), length: 20
              Route Refresh (2), length: 0
              Multiprotocol Extensions (1), length: 4
                AFI IPv4 (1), SAFI Unicast (1)
              Multiprotocol Extensions (1), length: 4
                AFI IPv6 (2), SAFI Unicast (1)
              32-Bit AS Number (65), length: 4
                 4 Byte AS 65002
hh:mm:ss IP (tos 0x0, ttl 255, id 48934, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.1.bgp > 10.0.0.2.xxx: Flags [.], cksum 0x837a (incorrect -> 0xb22e), ack 52, win 57, options [nop,nop,TS val 4431487 ecr 4431487], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 48935, offset 0, flags [DF], proto TCP (6), length 103)
    10.0.0.1.bgp > 10.0.0.2.xxx: Flags [P.], cksum 0x83ad (incorrect -> 0x8b31), seq 1:52, ack 52, win 57, options [nop,nop,TS val 4431487 ecr 4431487], length 51: BGP
        Open Message (1), length: 51
          Version 4, my AS 65001, Holdtime 90s, ID 1.1.1.1
          Optional parameters, length: 22
            Option Capabilities Advertisement (2), length: 20
              Route Refresh (2), length: 0
              Multiprotocol Extensions (1), length: 4
                AFI IPv4 (1), SAFI Unicast (1)
              Multiprotocol Extensions (1), length: 4
                AFI IPv6 (2), SAFI Unicast (1)
              32-Bit AS Number (65), length: 4
                 4 Byte AS 65001
hh:mm:ss IP (tos 0x0, ttl 255, id 51129, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb1fa), ack 52, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 51131, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb1ca), ack 71, win 58, options [nop,nop,TS val 4431497 ecr 4431487], length 0
...(snip)...
```

For the connection from the malicious BGP router, the peer is added but the
session never comes up:

```bash
$ gobgpd -f gobgpd.toml
{"level":"info","msg":"gobgpd started","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"level":"info","msg":"Peer 10.0.0.2 is added","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"Topic":"Peer","level":"info","msg":"Add a peer configuration for:10.0.0.2","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
...(No connection)...
```

In the capture, the incoming SYNs arrive with `ttl 253` (255 decremented
once per hop over 2 hops), which is below the configured `ttl-min = 255`, so
the handshake is never completed and only SYN retransmissions are seen:

```bash
$ tcpdump -i ethXX tcp -v
tcpdump: listening on ethXX, link-type EN10MB (Ethernet), capture size 262144 bytes
hh:mm:ss IP (tos 0x0, ttl 253, id 396, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.2.xxx > 10.0.0.1.bgp: Flags [S], cksum 0xf680 (correct), seq 1704340403, win 29200, options [mss 1460,sackOK,TS val 4270655 ecr 0,nop,wscale 9], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x1e1a), seq 2916417775, ack 1704340404, win 28960, options [mss 1460,sackOK,TS val 4270656 ecr 4270655,nop,wscale 9], length 0
hh:mm:ss IP (tos 0x0, ttl 253, id 397, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.2.xxx > 10.0.0.1.bgp: Flags [S], cksum 0x8382 (incorrect -> 0xf586), seq 1704340403, win 29200, options [mss 1460,sackOK,TS val 4270905 ecr 0,nop,wscale 9], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x1d21), seq 2916417775, ack 1704340404, win 28960, options [mss 1460,sackOK,TS val 4270905 ecr 4270655,nop,wscale 9], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x1c27), seq 2916417775, ack 1704340404, win 28960, options [mss 1460,sackOK,TS val 4271155 ecr 4270655,nop,wscale 9], length 0
hh:mm:ss IP (tos 0x0, ttl 253, id 398, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.2.xxx > 10.0.0.1.bgp: Flags [S], cksum 0x8382 (incorrect -> 0xf391), seq 1704340403, win 29200, options [mss 1460,sackOK,TS val 4271406 ecr 0,nop,wscale 9], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x1b2c), seq 2916417775, ack 1704340404, win 28960, options [mss 1460,sackOK,TS val 4271406 ecr 4270655,nop,wscale 9], length 0
...(snip)...
```
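The two halves of the mechanism described above (send with TTL 255, have the
kernel discard anything that arrives below `ttl-min`) can be reproduced on a
single Linux host. The following is an added example written for this page;
it is not GoBGP code and does not use GoBGP's API. The function names
(`MinTTLForHops`, `AcceptTTL`, `ListenGTSM`, `dialWithTTL`) are this
example's own, and it assumes a Linux kernel, because the receive-side filter
is the Linux `IP_MINTTL` socket option. The `main` function runs the "directly
connected" and "too far away" cases against a loopback listener, where the
default outgoing TTL of 64 stands in for a peer several hops away.

```go
import (
	"context"
	"fmt"
	"net"
	"syscall"
	"time"
)

// A GTSM speaker (RFC 3682) always sends with the maximum TTL; every router
// hop decrements it by one, so ttl-min = 255 - (allowed hops).
const SentTTL = 255

// MinTTLForHops maps the number of router hops you are willing to accept a
// peer from to the ttl-min value to configure: 0 (directly connected) gives
// 255, 1 gives 254, and so on.
func MinTTLForHops(allowedHops int) (int, error) {
	if allowedHops < 0 || allowedHops > SentTTL-1 {
		return 0, fmt.Errorf("allowed hops %d out of range 0..%d", allowedHops, SentTTL-1)
	}
	return SentTTL - allowedHops, nil
}

// AcceptTTL is the per-packet GTSM decision: a segment is accepted only if
// its TTL has not been decremented below ttlMin.
func AcceptTTL(ttl, ttlMin int) bool {
	return ttl >= ttlMin
}

// setGTSM applies both halves of GTSM to a raw socket: send with TTL 255 and
// have the kernel discard inbound segments with TTL < ttlMin. IP_MINTTL is a
// Linux socket option (assumption of this example; other platforms differ).
func setGTSM(ttlMin int) func(network, address string, c syscall.RawConn) error {
	return func(network, address string, c syscall.RawConn) error {
		var sockErr error
		err := c.Control(func(fd uintptr) {
			sockErr = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TTL, SentTTL)
			if sockErr == nil {
				sockErr = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_MINTTL, ttlMin)
			}
		})
		if err != nil {
			return err
		}
		return sockErr
	}
}

// ListenGTSM opens a TCP listener protected by GTSM. Because the filter lives
// in the kernel, segments from a peer too many hops away are dropped before
// a session can be established, which is the "(No connection)" outcome above.
func ListenGTSM(ctx context.Context, addr string, ttlMin int) (net.Listener, error) {
	if ttlMin < 1 || ttlMin > SentTTL {
		return nil, fmt.Errorf("ttl-min %d out of range 1..%d", ttlMin, SentTTL)
	}
	lc := net.ListenConfig{Control: setGTSM(ttlMin)}
	return lc.Listen(ctx, "tcp4", addr)
}

// dialWithTTL connects with an explicit outgoing TTL so both cases can be
// reproduced on loopback, where the default TTL is 64 on Linux.
func dialWithTTL(addr string, ttl int, timeout time.Duration) (net.Conn, error) {
	d := net.Dialer{
		Timeout: timeout,
		Control: func(network, address string, c syscall.RawConn) error {
			var sockErr error
			if err := c.Control(func(fd uintptr) {
				sockErr = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_TTL, ttl)
			}); err != nil {
				return err
			}
			return sockErr
		},
	}
	return d.Dial("tcp4", addr)
}

func main() {
	ln, err := ListenGTSM(context.Background(), "127.0.0.1:0", 255) // directly connected peers only
	if err != nil {
		fmt.Println("listen:", err)
		return
	}
	defer ln.Close()
	go func() { // accept loop; accepted sockets inherit the listener's options
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.Close()
		}
	}()
	addr := ln.Addr().String()
	// "Far away" peer: its SYN arrives with TTL 64 < 255 and is silently
	// dropped, so the dial times out instead of completing.
	if _, err := dialWithTTL(addr, 64, 500*time.Millisecond); err != nil {
		fmt.Println("ttl 64 rejected:", err)
	}
	// Directly connected peer: TTL 255 passes the filter.
	if c, err := dialWithTTL(addr, 255, 500*time.Millisecond); err == nil {
		fmt.Println("ttl 255 accepted from", c.LocalAddr())
		c.Close()
	}
}
```

Setting `IP_MINTTL` on the listening socket is what makes the check cheap and
robust: the kernel drops the offending segments before any BGP parsing
happens, so a flood of packets from outside the hop radius never reaches the
daemon. `MinTTLForHops` is the arithmetic behind the `ttl-min = 255` /
`ttl-min = 254` choice in the Configuration section.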