OSPF: TTL Security Check

Control-plane attacks can occur when a compromised or rogue device sends unicast OSPF packets across the network to a participating OSPF router. To combat these attacks, OSPF can use the TTL security check, an application of the Generalized TTL Security Mechanism (GTSM) described in RFC 5082.

The idea is that every time an IP packet is forwarded, its TTL is decremented by one at each hop towards its destination. If all OSPF routers send their packets with a TTL of 255, packets that originated off-net are easy to tell apart: by the time they arrive, their TTL is below 255. Since OSPF communication is always direct router-to-router communication (except for virtual and sham links), a packet received with a TTL of less than 255 cannot have come from a directly connected neighbour, so it can be treated as suspect and dropped. Note what the check does and does not cover: it filters senders that are one or more routed hops away, but an attacker on the same segment can still send OSPF packets with a TTL of 255, so the check complements, rather than replaces, OSPF authentication.

The TTL security check can be enabled per interface or globally; when enabled globally, individual interfaces can be excluded from the check as needed.

The check can also be tuned to accept TTL values lower than 255 by configuring an offset that is subtracted from 255 to give the minimum accepted TTL. This is useful because some Cisco platforms decrement the TTL before the packet is handed to the OSPF process, which would otherwise cause legitimate packets to be dropped. Keep the offset as small as the platform requires: every hop of slack also admits packets from senders that many routed hops away.
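As an added example that is not part of the original post, the following Python models the receive-side decision described above: a small parser that reads the TTL and protocol out of a raw IPv4 header, a policy object carrying the global enable, the per-interface opt-out and the offset, and a check that exempts virtual and sham links. Interface names, policy field names and the sample packets are constructed for the illustration and do not correspond to any vendor's CLI or internal data structures.

```python
"""Illustrative model of the OSPF TTL security check (added example, not
vendor code).  Interface names, policy fields and sample packets are all
constructed for the demonstration."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

OSPF_PROTO = 89          # IP protocol number for OSPF
MAX_TTL = 255


def ttl_and_proto_from_ipv4(header: bytes) -> tuple[int, int]:
    """Pull TTL and protocol out of a raw IPv4 header: TTL is byte 8 and
    protocol is byte 9 of the fixed 20-byte header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ttl, proto = struct.unpack_from("!BB", header, 8)
    return ttl, proto


def build_ipv4_header(ttl: int, proto: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum zeroed) used
    only to feed the parser above; addresses are documentation ranges."""
    src = bytes([192, 0, 2, 1])
    dst = bytes([224, 0, 0, 5])          # AllSPFRouters
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0, src, dst)


@dataclass
class Packet:
    iface: str
    ttl: int
    proto: int = OSPF_PROTO
    link: str = "direct"                 # "direct", "virtual" or "sham"


@dataclass
class TtlSecurityPolicy:
    """Hypothetical policy object: global enable, offset subtracted from 255,
    and per-interface overrides (True/False) that win over the global setting."""
    enabled_globally: bool = False
    offset: int = 0
    interfaces: dict = field(default_factory=dict)

    def active_on(self, iface: str) -> bool:
        return self.interfaces.get(iface, self.enabled_globally)

    def min_ttl(self) -> int:
        return MAX_TTL - self.offset


def ttl_check(pkt: Packet, policy: TtlSecurityPolicy) -> tuple[bool, str]:
    """Return (accept, reason) for one received packet."""
    if pkt.proto != OSPF_PROTO:
        return True, "not OSPF, check does not apply"
    if pkt.link in ("virtual", "sham"):
        return True, f"{pkt.link} link is multi-hop, check does not apply"
    if not policy.active_on(pkt.iface):
        return True, f"TTL security not active on {pkt.iface}"
    if pkt.ttl >= policy.min_ttl():
        return True, f"TTL {pkt.ttl} >= {policy.min_ttl()}"
    return False, f"TTL {pkt.ttl} < {policy.min_ttl()}: not from a directly connected neighbour"


def run_demo() -> dict[str, bool]:
    """Constructed scenarios; returns scenario name -> accepted."""
    strict = TtlSecurityPolicy(enabled_globally=True)              # offset 0
    relaxed = TtlSecurityPolicy(enabled_globally=True, offset=1)   # tolerate one platform decrement
    opt_out = TtlSecurityPolicy(enabled_globally=True, interfaces={"Gi0/1": False})
    cases = {
        "neighbour_hello_ttl255": (Packet("Gi0/0", 255), strict),
        "off_net_unicast_ttl252": (Packet("Gi0/0", 252), strict),
        "platform_decrement_ttl254_strict": (Packet("Gi0/0", 254), strict),
        "platform_decrement_ttl254_offset1": (Packet("Gi0/0", 254), relaxed),
        "virtual_link_ttl250": (Packet("Gi0/0", 250, link="virtual"), strict),
        "opted_out_interface_ttl100": (Packet("Gi0/1", 100), opt_out),
        "non_ospf_ttl60": (Packet("Gi0/0", 60, proto=6), strict),
    }
    return {name: ttl_check(pkt, pol)[0] for name, (pkt, pol) in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:36s} {'ACCEPT' if accepted else 'DROP'}")
    ttl, proto = ttl_and_proto_from_ipv4(build_ipv4_header(255, OSPF_PROTO))
    print(f"parsed header: ttl={ttl} proto={proto}")
```

Running the script shows the 252-TTL unicast packet being dropped while the directly attached neighbour's 255-TTL hello passes, and that an offset of 1 is enough to rescue a packet the platform decremented to 254 without admitting the three-hop sender. Raising the offset to 3 would accept that sender too, which is the trade-off the offset introduces.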
