TTL Security works slightly differently on IOS-XR, so it’s worth looking at it separately.
In IOS-XR, you cannot set a maximum number of hops when you use ttl-security. The eBGP neighbor can only be one hop away.
RP/0/0/CPU0:XR5(config-bgp)#neighbor 4.4.4.4 ttl-security ?
inheritance-disable Prevent ttl-security from being inherited from the parent
<cr>
Let’s add a new router, XR5, to our topology and set up an eBGP session between R4 and XR5.
Lab
R4#
int Gi2
 ip address 10.4.5.4 255.255.255.0
 no shutdown
!
router bgp 65001
 neighbor 10.4.5.5 remote-as 65002
 neighbor 10.4.5.5 ttl-security hops 1
XR5#
int Gi0/0/0/1
 ip address 10.4.5.5/24
 no shutdown
!
router bgp 65002
 bgp router-id 5.5.5.5
 address-family ipv4 unicast
 neighbor 10.4.5.4
  remote-as 65001
  ttl-security
  address-family ipv4 unicast
The TTL used by each router is 255, as we would expect.
iBGP with ttl-security
ttl-security is only an eBGP feature. You cannot use it on iBGP sessions.
If you try to use ttl-security on an iBGP peer in IOS-XR, it will not let you commit:
RP/0/0/CPU0:XR5(config)#router bgp 65002
RP/0/0/CPU0:XR5(config-bgp)#neighbor 1.1.1.1
RP/0/0/CPU0:XR5(config-bgp-nbr)#remote-as 65002
RP/0/0/CPU0:XR5(config-bgp-nbr)#ttl-security
RP/0/0/CPU0:XR5(config-bgp-nbr)#commit
Mon Jul 11 19:13:23.453 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors
RP/0/0/CPU0:XR5(config-bgp-nbr)#show config failed
Mon Jul 11 19:13:27.593 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
router bgp 65002
neighbor 1.1.1.1
ttl-security
!!% Change would result in internal neighbor (1.1.1.1) with external-only config
!
!
end
On IOS-XE, it will reject the command:
R4(config)#router bgp 65001
R4(config-router)#neighbor 6.6.6.6 remote-as 65001
R4(config-router)#neighbor 6.6.6.6 ttl-security hops 4
ttl-security only allowed for EBGP peers
R4(config-router)#do sho run | sec 65001
router bgp 65001
<snip>
neighbor 6.6.6.6 remote-as 65001
!The neighbor is still there, but ttl-security was rejected
<snip>
Summary
To reiterate, there is no way to use ttl-security on IOS-XR with an eBGP neighbor that is multiple hops away. ttl-security on IOS-XR is always a maximum hop of 1.
I suppose Cisco believes that the more hops away you are, the less secure it is, as any attacker can theoretically compromise the session as long as they are within the TTL limits of the session. The most secure setup, therefore, is when you run ttl-security on directly connected eBGP neighbors.
If you want to secure a multihop eBGP session on IOS-XR, your next best option is to use TCP MD5 Authentication, which we will look at next.
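To make the two rules from the lab and the summary concrete, here is a small Python model of what ttl-security does on the receive side and of the configuration checks both platforms enforce. This is an added illustration written for this post, not Cisco code: the names Neighbor, validate, accept_packet and simulate_lab are my own, the lab addresses and AS numbers are the ones used above, and the acceptance threshold "TTL >= 255 - hops" is an assumption taken from Cisco's documented ttl-security semantics.

```python
# Added illustration of the two rules this post demonstrates; this is not
# Cisco code.  Names (Neighbor, validate, accept_packet, simulate_lab) are my
# own, and the acceptance threshold "TTL >= 255 - hops" is an assumption
# taken from Cisco's documented ttl-security semantics.
from dataclasses import dataclass

MAX_TTL = 255  # TTL a ttl-security speaker sets on every BGP packet it sends


@dataclass(frozen=True)
class Neighbor:
    address: str
    local_as: int
    remote_as: int
    ttl_security: bool = False
    hops: int = 1  # IOS-XE: configured hop count; IOS-XR: always 1

    @property
    def is_ebgp(self) -> bool:
        return self.local_as != self.remote_as


def validate(neighbor: Neighbor, platform: str) -> list:
    """Return the reasons the config would be rejected (empty list = accepted).

    Mirrors the behaviour shown in the post: both platforms refuse
    ttl-security on an iBGP peer, and IOS-XR has no hop-count argument at all.
    """
    errors = []
    if neighbor.ttl_security and not neighbor.is_ebgp:
        errors.append(f"ttl-security only allowed for EBGP peers ({neighbor.address})")
    if platform == "ios-xr" and neighbor.ttl_security and neighbor.hops != 1:
        errors.append("IOS-XR ttl-security takes no hop count; maximum hop is always 1")
    if not 1 <= neighbor.hops <= 254:
        errors.append(f"hops {neighbor.hops} outside the valid range 1-254")
    return errors


def accept_packet(neighbor: Neighbor, received_ttl: int) -> bool:
    """GTSM receive-side check (RFC 5082 as implemented by ttl-security).

    A packet is accepted only if its IP TTL is still >= 255 - hops.  Every
    router the packet crossed decremented the TTL, so a packet injected from
    beyond the trusted radius cannot present a high enough value.
    """
    if not neighbor.ttl_security:
        return True  # no GTSM: any packet that reached us is handed to BGP
    return received_ttl >= MAX_TTL - neighbor.hops


def simulate_lab() -> dict:
    """Replay the post's lab with constructed packet values and return the outcomes."""
    r4_to_xr5 = Neighbor("10.4.5.5", 65001, 65002, ttl_security=True, hops=1)
    xr5_to_r4 = Neighbor("10.4.5.4", 65002, 65001, ttl_security=True, hops=1)
    xr5_ibgp = Neighbor("1.1.1.1", 65002, 65002, ttl_security=True, hops=1)
    r4_ibgp = Neighbor("6.6.6.6", 65001, 65001, ttl_security=True, hops=4)
    return {
        # directly connected peers send TTL 255 and it arrives untouched
        "r4_accepts_xr5": accept_packet(r4_to_xr5, MAX_TTL),
        "xr5_accepts_r4": accept_packet(xr5_to_r4, MAX_TTL),
        # a packet that crossed several routers arrives with a lower TTL
        # (constructed value 250) and is silently dropped before BGP sees it
        "r4_accepts_distant_packet": accept_packet(r4_to_xr5, 250),
        # the two iBGP attempts from the post fail validation on both platforms
        "xr5_ibgp_errors": validate(xr5_ibgp, "ios-xr"),
        "r4_ibgp_errors": validate(r4_ibgp, "ios-xe"),
    }


if __name__ == "__main__":
    for key, value in simulate_lab().items():
        print(f"{key}: {value}")
```

Running the script shows the directly connected R4/XR5 session accepted at TTL 255, the low-TTL packet dropped, and both iBGP neighbors rejected. Raising hops on an IOS-XE neighbor widens the band of TTL values accept_packet admits, which is exactly the trade-off the summary describes: every extra hop is one more router from which a packet could still arrive with a passing TTL.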