Is there an easy way to turn on TTL-based security?

by Cordelia on 08-07-2015 05:24 PM - edited on 09-07-2017 03:16 PM by Administrator

The ttl-security script is an easy mechanism to turn on TTL-based security (GTSM).


The script builds an lo0 filter from the BGP configuration. The neighbors of every BGP group that has "apply-macro ttl-security" set are listed in a "ttl-security" filter, and their packets are accepted only if they arrive with a TTL of 254, which means the peer is exactly one hop away.

Implementation


The script has three parts. First it sets the TTL to 255. Then it builds a filter that discards traffic whose TTL is not 254. Then it applies that filter to lo0. We don't want to interfere with an existing filter on lo0, so the script has to look at the current state. If there is no filter, it creates one and puts a "then accept" term on it. If there is a single filter, it turns it into a filter list with ours at the front. If there is already a filter list, it adds ours to the front of the list.
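As an added illustration of the end state the three steps produce (constructed here, not the script's own output and not the attached document): one external group marked with the macro, the generated filter, and lo0 where a single filter named protect-re already existed. The group, neighbor and filter names are assumptions, as is support for the ttl-except match condition on the platform.

```junos
/* Constructed example of the resulting configuration, not the script's output. */
/* Step 1: the macro marks the group; the script adds ttl 255 so our own packets leave with the maximum TTL. */
protocols {
    bgp {
        group ebgp-peers {
            apply-macro ttl-security;
            ttl 255;
            neighbor 192.0.2.1;
            neighbor 192.0.2.5;
        }
    }
}
/* Step 2: discard BGP from the listed peers unless the packet arrives with TTL 254 (exactly one hop). */
firewall {
    family inet {
        filter ttl-security {
            term gtsm-ebgp-peers {
                from {
                    source-address {
                        192.0.2.1/32;
                        192.0.2.5/32;
                    }
                    protocol tcp;
                    port bgp;
                    ttl-except 254;
                }
                then {
                    discard;
                }
            }
            /* No final accept term here: lo0 already had a filter, so unmatched
               packets fall through to protect-re. The script adds a "then accept"
               term only when lo0 had no filter at all. */
        }
    }
}
/* Step 3: lo0 had the single filter protect-re, so it becomes a list with ours in front. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ ttl-security protect-re ];
                }
            }
        }
    }
}
```

After committing, a peer whose packets arrive with any TTL other than 254 is dropped before it reaches the BGP process, which is the check the script is meant to enforce.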


See the document ttl-security