TTL Security works slightly differently on IOS-XR, so it’s worth looking at it separately.
In IOS-XR, you cannot set a maximum number of hops when you use ttl-security. The eBGP neighbor can only be one hop away.
RP/0/0/CPU0:XR5(config-bgp)#neighbor 4.4.4.4 ttl-security ?
inheritance-disable Prevent ttl-security from being inherited from the parent
<cr>
Let’s add a new router, XR5, to our topology and setup an eBGP session between R4 and XR5
Lab
R4#
int Gi2
ip address 10.4.5.4 255.255.255.0
no shutdown
!
router bgp 65001
neighbor 10.4.5.5 remote-as 65002
neighbor 10.4.5.5 ttl-security hops 1
XR5#
int Gi0/0/0/1
ip address 10.4.5.5/24
no shutdown
!
router bgp 65002
bgp router-id 5.5.5.5
address-family ipv4 unicast
neighbor 10.4.5.4
remote-as 65001
ttl-security
address-family ipv4 unicast
The TTL used by each router is 255 as we would expect
iBGP with ttl-security
ttl-security is only an eBGP feaure. You cannot use it on iBGP sessions.
If you try to use ttl-security on an iBGP peer in IOS-XR, it will not let you commit:
RP/0/0/CPU0:XR5(config)#router bgp 65002
RP/0/0/CPU0:XR5(config-bgp)#neighbor 1.1.1.1
RP/0/0/CPU0:XR5(config-bgp-nbr)#remote-as 65002
RP/0/0/CPU0:XR5(config-bgp-nbr)#ttl-security
RP/0/0/CPU0:XR5(config-bgp-nbr)#commit
Mon Jul 11 19:13:23.453 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors
RP/0/0/CPU0:XR5(config-bgp-nbr)#show config failed
Mon Jul 11 19:13:27.593 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
router bgp 65002
neighbor 1.1.1.1
ttl-security
!!% Change would result in internal neighbor (1.1.1.1) with external-only config
!
!
end
On IOS-XE, it will reject the command:
R4(config)#router bgp 65001
R4(config-router)#neighbor 6.6.6.6 remote-as 65001
R4(config-router)#neighbor 6.6.6.6 ttl-security hops 4
ttl-security only allowed for EBGP peers
R4(config-router)#do sho run | sec 65001
router bgp 65001
<snip>
neighbor 6.6.6.6 remote-as 65001
!The neighbor is still there, but ttl-security was rejeced
<snip>
Summary
To re-iterate, there is no way to use ttl-security on IOS-XR with an eBGP neighbor that is multiple hops away. ttl-security on IOS-XR is always a maximum hop of 1.
I suppose Cisco believes that the more hops away you are, the less secure it is. As any attacker can theoretically compromise the session as long as they are within the TTL limits of the session. The most secure setup therefore, is when you run ttl-security on directly connected eBGP neighbors.
If you want to secure a multihop eBGP session on IOS-XR, your next best option is to use TCP MD5 Authentication, which we will look at next.
