In this post, I'm going to explore the difference between eBGP Multihop and BGP TTL Security.
Here's my topology for this lab:
Here are my router configurations:
R1#sh run | sec bgp
router bgp 100
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 ebgp-multihop 2
neighbor 2.2.2.2 update-source Loopback1
R1#
R2#sh run | sec bgp
router bgp 200
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 ebgp-multihop 2
neighbor 1.1.1.1 update-source Loopback2
Let's check the TTL values on R1.
As observed below, the minimum incoming TTL on R1 is 0. This is the default behavior: the router does not check the TTL of the packets it receives from the peer. Because R2 is peering from its loopback, I know it is two hops away, so the outgoing TTL is set to 2 (ebgp-multihop 2).
eBGP multihop is prone to denial-of-service attacks against the BGP session. Since the router accepts the peer's packets with any TTL, a remote host or router that spoofs the IP address of the BGP peer can reach the BGP process from anywhere in the network.
R1#sh ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.2, remote AS 200, external link
BGP version 4, remote router ID 23.23.23.23
BGP state = Established, up for 00:04:43
Last read 00:00:18, last write 00:00:08, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Enhanced Refresh Capability: advertised and received
Multisession Capability:
Stateful switchover support enabled: NO for session 1
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 1 1
Keepalives: 7 7
Route Refresh: 0 0
Total: 9 9
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Session: 2.2.2.2
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 1, Advertise bit 0
1 update-group member
Slow-peer detection is disabled
Slow-peer split-update-group dynamic is disabled
Sent Rcvd
Prefix activity: —- —-
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: ——– ——-
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Last detected as dynamic slow peer: never
Dynamic slow peer recovered: never
Refresh Epoch: 1
Last Sent Refresh Start-of-rib: never
Last Sent Refresh End-of-rib: never
Last Received Refresh Start-of-rib: never
Last Received Refresh End-of-rib: never
Sent Rcvd
Refresh activity: —- —-
Refresh Start-of-RIB 0 0
Refresh End-of-RIB 0 0
Address tracking is enabled, the RIB does have a route to 2.2.2.2
Connections established 1; dropped 0
Last reset never
External BGP neighbor may be up to 2 hops away.
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Mininum incoming TTL 0, Outgoing TTL 2
Local host: 1.1.1.1, Local port: 29933
Foreign host: 2.2.2.2, Foreign port: 179
Connection tableid (VRF): 0
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x1EEF84):
Timer Starts Wakeups Next
Retrans 8 0 0x0
TimeWait 0 0 0x0
AckHold 7 6 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 1 0 0x23C468
DeadWait 0 0 0x0
Linger 0 0 0x0
iss: 1108356997 snduna: 1108357211 sndnxt: 1108357211 sndwnd: 16171
irs: 3200671631 rcvnxt: 3200671845 rcvwnd: 16171 delrcvwnd: 213
SRTT: 197 ms, RTTO: 984 ms, RTV: 787 ms, KRTT: 0 ms
minRTT: 80 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: none
Option Flags: higher precendence, nagle, path mtu capable
Datagrams (max data segment is 1460 bytes):
Rcvd: 16 (out of order: 0), with data: 9, total data bytes: 213
Sent: 17 (retransmit: 0 fastretransmit: 0),with data: 9, total data bytes: 213
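As an added check (not part of the original post), here is a small audit script that reads the "show ip bgp neighbors" output shown above and flags eBGP peers that accept packets with any TTL (minimum incoming TTL 0), which is what ebgp-multihop leaves you with. The 2.2.2.2 entry in the sample is taken from the lab output; the second neighbor (10.0.0.9, AS 300) is constructed for the example and is not from the lab.

```python
# Added example, not from the original post: audit "show ip bgp neighbors" output
# for eBGP peers that perform no incoming TTL check. The 10.0.0.9 neighbor below
# is constructed for the sample; the 2.2.2.2 lines come from the lab output.
import re

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+), remote AS (\d+), (\w+) link")
HOPS_RE = re.compile(r"may be up to (\d+) hops away")
# IOS prints "Mininum" (sic) on this line; accept either spelling.
TTL_RE = re.compile(r"Mini[nm]um incoming TTL (\d+), Outgoing TTL (\d+)")
MAX_TTL = 255

SAMPLE_SHOW = """\
BGP neighbor is 2.2.2.2, remote AS 200, external link
  BGP version 4, remote router ID 23.23.23.23
  BGP state = Established, up for 00:04:43
  External BGP neighbor may be up to 2 hops away.
  Mininum incoming TTL 0, Outgoing TTL 2
BGP neighbor is 10.0.0.9, remote AS 300, external link
  BGP version 4, remote router ID 9.9.9.9
  BGP state = Established, up for 00:01:02
  External BGP neighbor may be up to 4 hops away.
  Mininum incoming TTL 251, Outgoing TTL 255
"""


def parse_neighbors(text: str) -> list[dict]:
    """Extract per-neighbor hop limit and TTL values from show output."""
    neighbors = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        m = NEIGHBOR_RE.match(line)
        if m:
            cur = {"neighbor": m.group(1), "remote_as": int(m.group(2)),
                   "link": m.group(3), "max_hops": 1,  # 1 when no "hops away" line
                   "min_in_ttl": None, "out_ttl": None}
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        m = HOPS_RE.search(line)
        if m:
            cur["max_hops"] = int(m.group(1))
            continue
        m = TTL_RE.search(line)
        if m:
            cur["min_in_ttl"], cur["out_ttl"] = int(m.group(1)), int(m.group(2))
    return neighbors


def audit(text: str) -> list[tuple[str, str]]:
    """Return (neighbor, verdict) pairs; WARN means any TTL is accepted."""
    findings = []
    for n in parse_neighbors(text):
        if n["link"] != "external":
            continue  # ttl-security applies to eBGP sessions only
        if n["min_in_ttl"] is None:
            verdict = "UNKNOWN: no TTL line found (session not established?)"
        elif n["min_in_ttl"] == 0:
            verdict = (f"WARN: no incoming TTL check; spoofed packets from any distance "
                       f"reach BGP (replace ebgp-multihop with ttl-security hops {n['max_hops']})")
        elif n["min_in_ttl"] == MAX_TTL - n["max_hops"]:
            verdict = f"OK: ttl-security enforces TTL >= {n['min_in_ttl']} ({n['max_hops']} hops)"
        else:
            verdict = f"CHECK: min incoming TTL {n['min_in_ttl']} does not equal 255 - {n['max_hops']}"
        findings.append((n["neighbor"], verdict))
    return findings


if __name__ == "__main__":
    for neighbor, verdict in audit(SAMPLE_SHOW):
        print(f"{neighbor}: {verdict}")
```

Run it against a saved "show ip bgp neighbors" capture from each edge router; any WARN line is a peer whose TCP session can be reached by spoofed packets regardless of where they originate.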
So what is BGP TTL Security? Here are the important concepts to understand (source: Cisco):
1. This feature protects the eBGP peering session by comparing the value in the TTL field of received IP packets against a hop count that is configured locally for each eBGP peering session.
2. If the TTL of the incoming IP packet is greater than or equal to the minimum derived from the locally configured hop count, the packet is accepted and processed normally.
3. If the TTL is less than that minimum, the packet is silently discarded and no ICMP message is generated. This is by design: a response to a forged packet is unnecessary and would only tell the attacker something.
4. It cannot be combined with eBGP multihop: the two are mutually exclusive, and IOS accepts only one of them on a given neighbor.
5. BGP TTL security works only with eBGP, not with iBGP.
Note that TTL security only constrains how far away a packet can have originated; it does not authenticate the peer, so it complements neighbor authentication (neighbor ... password) rather than replacing it.
To simplify the difference between eBGP multihop and BGP TTL security, here are the major points:
1. eBGP multihop sets the maximum number of hops over which an eBGP speaker may establish the TCP session and the BGP peering. It does this by raising the TTL of outgoing packets; it performs no check on incoming ones.
2. Two important concepts with TTL security:
a. Outgoing packets use the maximum TTL of 255.
b. The TTL of a packet received from the other BGP speaker must be greater than or equal to the minimum TTL, which is 255 minus the configured hop count.
For example, if I configure a hop count of 2 under the BGP TTL security command, the minimum TTL is 253. For a neighbor to form a BGP session with my router, its IP packets must arrive with a TTL of 253, 254 or 255; otherwise the packets are dropped and the peering will not form.
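The check described above, written out as an added example (not code from the original post): a model of the TTL comparison that "neighbor X ttl-security hops N" performs (the GTSM mechanism of RFC 5082), next to the no-check behavior of "neighbor X ebgp-multihop N". The distances of the peer and of the spoofing attacker, and the assumption that every router crossed decrements the TTL by exactly one, are chosen for illustration and are not the lab topology.

```python
# Added example, not from the original post: a model of the TTL check that
# "neighbor X ttl-security hops N" performs (GTSM, RFC 5082), next to the
# no-check behaviour of "neighbor X ebgp-multihop N". Distances and the
# attacker are assumptions chosen for illustration, not the lab topology.

MAX_TTL = 255  # TTL the router puts on its own BGP packets when ttl-security is set


def min_incoming_ttl(hops: int) -> int:
    """Lowest TTL a received packet may carry: 255 minus the configured hop count."""
    if not 1 <= hops <= 254:
        raise ValueError("ttl-security hops must be between 1 and 254")
    return MAX_TTL - hops


def accepted_ttls(hops: int) -> list[int]:
    """All TTL values the router will accept for this peer (inclusive range)."""
    return list(range(min_incoming_ttl(hops), MAX_TTL + 1))


def arriving_ttl(sent_ttl: int, routers_crossed: int) -> int:
    """TTL left on a packet after each forwarding router has decremented it.
    Assumption: one decrement per router crossed; 0 means the packet never arrived."""
    return max(sent_ttl - routers_crossed, 0)


def ttl_security_accepts(hops: int, ttl: int) -> bool:
    """TTL-security decision: accept if TTL >= 255 - hops, otherwise drop silently."""
    return ttl > 0 and ttl >= min_incoming_ttl(hops)


def ebgp_multihop_accepts(ttl: int) -> bool:
    """ebgp-multihop checks nothing on receipt (minimum incoming TTL 0):
    any packet that arrives at all is handed to TCP and the BGP process."""
    return ttl > 0


def scenario(hops: int, peer_routers: int, attacker_routers: int) -> dict:
    """Compare both modes for the real peer and for a host spoofing the peer's
    address from further away. Both send with TTL 255, the highest an attacker
    can choose: it cannot make a packet arrive with more than 255 - distance."""
    peer_ttl = arriving_ttl(MAX_TTL, peer_routers)
    attacker_ttl = arriving_ttl(MAX_TTL, attacker_routers)
    return {
        "min_incoming_ttl": min_incoming_ttl(hops),
        "peer_arrives_with": peer_ttl,
        "attacker_arrives_with": attacker_ttl,
        "ebgp_multihop": {
            "peer": ebgp_multihop_accepts(peer_ttl),
            "attacker": ebgp_multihop_accepts(attacker_ttl),
        },
        "ttl_security": {
            "peer": ttl_security_accepts(hops, peer_ttl),
            "attacker": ttl_security_accepts(hops, attacker_ttl),
        },
    }


if __name__ == "__main__":
    print("hops 2 accepts TTL", accepted_ttls(2))  # [253, 254, 255]
    # Peer one router away, attacker five routers away, hops 2 configured:
    print(scenario(hops=2, peer_routers=1, attacker_routers=5))
    # A hop count smaller than the real distance drops the legitimate peer:
    print(scenario(hops=1, peer_routers=2, attacker_routers=5)["ttl_security"])
```

The last scenario is the operational caveat: the hop count must be at least the real distance to the peer, or TTL security drops the peer's own packets and the session never comes up, while a hop count far larger than necessary widens the region from which spoofed packets are accepted.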
Let's configure BGP TTL security. I have removed eBGP multihop and added TTL security with a hop count of 4 on R1 and R2. The outgoing TTL is now 255 (the default maximum).
R1# sh run | sec bgp
router bgp 100
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 ttl-security hops 4
neighbor 2.2.2.2 update-source Loopback1
R2#sh run | sec bgp
router bgp 200
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 ttl-security hops 4
neighbor 1.1.1.1 update-source Loopback2
Now, let's check the TTL values on R1.
Based on the results below, the minimum incoming TTL required to form the BGP peering is 251 (255 minus 4), and the outgoing TTL is 255. Changing the neighbor configuration reset the session, which is why the output now shows "Connections established 2; dropped 1" and a last reset due to a user reset.
R1#sh ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.2, remote AS 200, external link
BGP version 4, remote router ID 23.23.23.23
BGP state = Established, up for 00:00:13
Last read 00:00:13, last write 00:00:12, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is not multisession capable (disabled)
Neighbor capabilities:
Route refresh: advertised and received(new)
Four-octets ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Enhanced Refresh Capability: advertised and received
Multisession Capability:
Stateful switchover support enabled: NO for session 1
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 1 1
Keepalives: 2 2
Route Refresh: 0 0
Total: 4 4
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Session: 2.2.2.2
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 2, Advertise bit 0
2 update-group member
Slow-peer detection is disabled
Slow-peer split-update-group dynamic is disabled
Sent Rcvd
Prefix activity: —- —-
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: ——– ——-
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
Last detected as dynamic slow peer: never
Dynamic slow peer recovered: never
Refresh Epoch: 1
Last Sent Refresh Start-of-rib: never
Last Sent Refresh End-of-rib: never
Last Received Refresh Start-of-rib: never
Last Received Refresh End-of-rib: never
Sent Rcvd
Refresh activity: —- —-
Refresh Start-of-RIB 0 0
Refresh End-of-RIB 0 0
Address tracking is enabled, the RIB does have a route to 2.2.2.2
Connections established 2; dropped 1
Last reset 00:00:14, due to User reset of session 1
External BGP neighbor may be up to 4 hops away.
Transport(tcp) path-mtu-discovery is enabled
Graceful-Restart is disabled
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Mininum incoming TTL 251, Outgoing TTL 255
Local host: 1.1.1.1, Local port: 58236
Foreign host: 2.2.2.2, Foreign port: 179
Connection tableid (VRF): 0
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x417574):
Timer Starts Wakeups Next
Retrans 4 0 0x0
TimeWait 0 0 0x0
AckHold 2 1 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 1 0 0x4A67E8
DeadWait 0 0 0x0
Linger 0 0 0x0
iss: 2400433020 snduna: 2400433139 sndnxt: 2400433139 sndwnd: 16266
irs: 2360908630 rcvnxt: 2360908749 rcvwnd: 16266 delrcvwnd: 118
SRTT: 124 ms, RTTO: 1405 ms, RTV: 1281 ms, KRTT: 0 ms
minRTT: 52 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: none
Option Flags: higher precendence, nagle, path mtu capable
Datagrams (max data segment is 1460 bytes):
Rcvd: 6 (out of order: 0), with data: 4, total data bytes: 118
Sent: 7 (retransmit: 0 fastretransmit: 0),with data: 4, total data bytes: 118
************************END OF LAB***************************************
