You Are Here: Home » Router » -Router Cisco » BGP Support for TTL Security Check

BGP Support for TTL Security Check

BGP Support for TTL Security Check

The BGP support for TTL Security Check is a mechanism to protect eBGP peering sessions from attacks that can be caused using forged IP packets. This feature can prevent from hosts who attempts to hijack an eBGP session. This feature is used to protect only eBGP peering sessions, and is not supported for iBGP peers.

This feature protects the eBGP peering session by comparing the TTL of received IP packet against a hop-count configured locally for each eBGP neighbor. If the TTL value of received IP packet is equal to or greater than the configured value, then the IP packet is accepted and processed normally. If the TTL value of the IP packet is less than the configured value, then the IP packet is silently discarded and no ICMP notification message is sent.

This feature is configured using neighbor <ip-address> ttl-security hops <count> BGP configuration command. The range of hop count is 1 to 254. When this feature is enabled, BGP will only establish eBGP peering or maintain session if the TTL value in the IP packet header is equal to or greater than the TTL value configured for the neighbor. The hop-count is used to configure the number of hops separating the two peers. The TTL value is determined by the router from the configured hop-count i.e. TTL = 255 Р(hop count).

This feature only secures eBGP session in incoming direction only; it does not affect outgoing IP packets.

NOTE: If TTL security feature is enabled, neighbor ebgp-multihop command is not required. Both commands cannot be used at the same time.

Network topology:

An eBGP session will be configured between R1 & R2 routers using source-interfaces as their Loopback interfaces. EIGRP will be used to provide reachability between Loopback interfaces.

eBGP configuration

R1 router:

interface Loopback 0
 ip address
interface serial 1/0
 ip address
router eigrp 10
 no auto-summary
router bgp 100
 neighbor remote-as 200
 neighbor update-source Loopback 0
 neighbor ttl-security hops 2

R2 router:

interface Loopback 0
 ip address
interface Serial 1/0
 ip address
router eigrp 10
 no auto-summary
router bgp 200
 neighbor remote-as 100
 neighbor update-source Loopback 0
 neighbor ttl-security hops 2

The show ip bgp neighbors command provides information about the BGP neighbor like compatibilities supported, session state, etc. From the following output it can be seen that this router R1 will accept only BGP connection from neighbor if it is no more than 2 hops away. So, IP packets from should have TTL value of atleast 253.

show ip bgp neighbors

R1# show ip bgp neighbors
BGP neighbor is,  remote AS 200, external link
  BGP version 4, remote router ID
  BGP state = Established, up for 00:00:20

  Last read 00:00:20, last write 00:00:20, hold time is 180, keepalive interval
is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  2          2
    Notifications:          0          0
    Updates:                0          0
    Keepalives:             6          6
    Route Refresh:          0          0
    Total:                  8          8
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  BGP table version 1, neighbor version 1/0
 Output queue size : 0
  Index 1, Offset 0, Mask 0x2
  1 update-group member
                                 Sent       Rcvd
  Prefix activity:               ----       ----
    Prefixes Current:               0          0
    Prefixes Total:                 0          0
    Implicit Withdraw:              0          0
    Explicit Withdraw:              0          0
    Used as bestpath:             n/a          0
    Used as multipath:            n/a          0

                                   Outbound    Inbound
  Local Policy Denied Prefixes:    --------    -------
    Total:                                0          0
  Number of NLRIs in the update sent: max 0, min 0

  Connections established 2; dropped 1
  Last reset 00:00:27, due to User reset
  External BGP neighbor may be up to 2 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255

Local host:, Local port: 39101
Foreign host:, Foreign port: 179

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x8B960):
Timer          Starts    Wakeups            Next
Retrans             4          0             0x0
TimeWait            0          0             0x0
AckHold             2          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 3703040670  snduna: 3703040773  sndnxt: 3703040773     sndwnd:  16282
irs: 3131008732  rcvnxt: 3131008835  rcvwnd:      16282  delrcvwnd:    102

SRTT: 128 ms, RTTO: 1445 ms, RTV: 1317 ms, KRTT: 0 ms
minRTT: 32 ms, maxRTT: 336 ms, ACK hold: 200 ms
Flags: active open, nagle
IP Precedence value : 6

Datagrams (max data segment is 536 bytes):
Rcvd: 4 (out of order: 0), with data: 2, total data bytes: 102
Sent: 5 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0),
 with data: 3, total data bytes: 102

Any attacker behind R2 router will not be able to attack this router since the TTL value of its IP packets will be less than 253 and hence BGP will silently discard the packets.

About The Author

Number of Entries : 295

Leave a Comment

© 2011 Powered By Wordpress, Goodnews Theme By Geeks Docuementation

Scroll to top