
What Is BGP TTL Security in Networking?

Also known as: BGP TTL security, BGP security, TTL security check, GTSM, BGP attack prevention

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

BGP TTL Security is a security feature for internet routing. It checks the Time-to-Live value in incoming BGP packets to confirm they came from a directly connected router, not from a faraway hacker. If the TTL is not exactly 255, the packet is dropped, blocking many spoofing attacks.

Must Know for Exams

BGP TTL Security is a specific exam objective in the Cisco CCNP Enterprise Advanced Routing (ENARSI) exam (350-401 ENCOR also touches on it). In these exams, candidates need to know not only what the feature does but also how to configure it, where to apply it, and how it interacts with other BGP security features.

The exam may present a scenario where a network engineer notices that BGP sessions are being disrupted due to spoofed packets from an unknown source. The correct solution is to enable BGP TTL Security on the eBGP sessions. Candidates must recognize that this feature only works for directly connected eBGP neighbors and that both sides must support it. The exam also tests the difference between BGP TTL Security and BGP authentication, as well as the limitations of each.

In the ENARSI exam, candidates might be asked to identify the correct configuration command, such as “neighbor 10.1.1.1 ttl-security hops 1”. They need to understand that the hop count parameter specifies how many hops away the neighbor can be. For single-hop eBGP, the hops value is 1. For multi-hop eBGP, the value is set to the actual number of hops between the two routers. The exam may also include troubleshooting questions where a BGP session fails after enabling ttl-security because the neighbor is not directly connected or because the hop count is misconfigured.

Additionally, the exam may cover the relationship between BGP TTL Security and other security features like MD5 authentication and Generalized TTL Security Mechanism (GTSM). Candidates must know that BGP TTL Security is described in RFC 5082 and is sometimes called GTSM. Understanding these connections helps in scenario-based questions where multiple security options are available and the candidate must select the most appropriate one.

Simple Meaning

Imagine your home has a mailbox, and you only accept letters from people who walk up to your front door and drop them in. You know these letters are safe because no one from miles away can put a letter directly into your mailbox without coming to your house first. BGP TTL Security works in a similar way for internet routers.

Routers use a protocol called BGP to exchange routing information, kind of like exchanging letters. But sometimes, attackers try to send fake routing updates from far away, pretending to be a trusted neighbor. BGP TTL Security uses a field in the packet called Time-to-Live, or TTL.

The TTL is like a counter that decreases by one every time a packet passes through another router. Normally, a packet from a directly connected neighbor will have a TTL of 255 because it starts at 255 and has not passed through any other routers. With this security feature enabled, the receiving router will only accept BGP packets that arrive with a TTL of exactly 255.

Any packet from a remote attacker would have already passed through several routers, so its TTL would be less than 255, and the router will drop it. This simple check prevents a type of attack where someone on the internet tries to inject fake routing information, which could redirect traffic or cause network outages. The feature is lightweight, requires no cryptographic keys, and works alongside other security measures like MD5 authentication.

It is especially useful in large service provider networks where routers have many BGP neighbors and the risk of spoofed packets is high. By enforcing that BGP messages must come from a directly attached link, the feature dramatically reduces the attack surface for routing protocol attacks.

Full Technical Definition

BGP TTL Security, also known as BGP TTL Security Check or BGP TTL Security Mechanism (BTSH), is a defensive feature defined in RFC 5082. It is designed to protect eBGP (External Border Gateway Protocol) sessions from attacks that rely on forging or spoofing BGP packets, such as denial-of-service attacks or route injection attempts.

The core mechanism relies on the IP header's Time-to-Live (TTL) field. In IPv4, the TTL is an 8-bit field that starts at a value set by the sending host and is decremented by one by each router that forwards the packet. When the TTL reaches zero, the packet is discarded. Under normal circumstances, a router receiving BGP packets from a directly connected eBGP neighbor will see a TTL of 255 because no intermediate hops exist. The receiving router expects this value and uses it as a filter.

When BGP TTL Security is configured on a router, the router sets the TTL of all outgoing BGP packets to 255. On the receiving side, the router checks the TTL of every incoming BGP packet. If the TTL is less than 255, the packet is silently dropped. This means that an attacker located anywhere beyond the directly connected link cannot send a valid BGP packet to the router because any packet they send must travel through at least one other router, which will decrement the TTL below 255.

Implementation requires configuration on both ends of the BGP session. The command used on Cisco IOS routers is typically “neighbor {ip-address} ttl-security hops 1”. The “hops 1” parameter means that the expected TTL difference is at most 1 hop, which aligns with a directly connected single-hop eBGP session. For multi-hop eBGP sessions, the hop count can be increased accordingly. The feature is compatible with both IPv4 and IPv6 BGP sessions and works with standard BGP message types including OPEN, UPDATE, KEEPALIVE, and NOTIFICATION.

BGP TTL Security does not require any cryptographic keys, which simplifies deployment compared to MD5 authentication or TCP-AO. However, it is not a replacement for these authentication methods but rather a complementary defense. It is particularly effective against off-path attackers who are not directly connected but can send IP packets to the router. The feature is widely supported in Cisco IOS, IOS-XE, NX-OS, and other major router operating systems.

One important aspect is that BGP TTL Security only protects against attacks where the attacker sends packets with a TTL that is too low. It does not protect against on-path attackers who are directly connected to the same link, because such an attacker could send packets with TTL 255 just like the legitimate neighbor. In those scenarios, other security measures like BGP authentication or IPsec are required.

Real-Life Example

Think of a large office building with a secure mailroom. Only mail that comes through the main entrance on the ground floor is accepted by the mailroom staff. The building has a rule: all mail must have a special stamp that shows it was handed directly to the mailroom clerk, not passed through other departments. If a letter arrives at the mailroom with a stamp indicating it went through three different reception desks, the mailroom knows it did not come directly from the intended sender and throws it away.

Now, an employee named Alice works on the 10th floor. She needs to receive important documents from a partner company across the street. That partner company’s courier comes directly to the building’s main entrance and hands the document to the mailroom clerk. The clerk stamps the envelope with a “Direct Delivery” mark, which is like a TTL of 255. The mailroom then delivers it to Alice’s desk on the 10th floor. If a hacker from another city tries to send a fake document to Alice, that document would go through multiple post offices and sorting centers. When it arrives at the building’s mailroom, the envelope would not have the “Direct Delivery” stamp. The mailroom would see that the envelope has been handled by many people and would reject it.

In this analogy, the mailroom is the receiving router, the “Direct Delivery” stamp is the TTL value of 255, and the courier from across the street is the legitimate BGP neighbor router. The hacker is a remote attacker trying to inject fake routing information. BGP TTL Security works just like this mailroom rule: only packets that arrive with a TTL of 255 are accepted, ensuring they came from a directly connected neighbor and not from a distant attacker.

Why This Term Matters

In real IT networks, especially in service provider and large enterprise environments, BGP is the backbone of internet routing. If an attacker can inject a fake BGP route, they can redirect traffic meant for a legitimate website to a malicious server, intercept sensitive data, or cause a denial of service by blackholing traffic. BGP TTL Security is a low-cost, high-impact defense against such attacks.

Many networks do not have the resources or expertise to deploy full cryptographic authentication for every BGP session. BGP TTL Security offers a simple configuration that blocks a large class of attacks without the complexity of managing keys or certificates. It protects against off-path attackers who can spoof IP addresses but cannot control the TTL of packets that have traversed multiple hops. This is a common attack vector on the public internet.

Network engineers use this feature to harden BGP sessions, especially on border routers that connect to multiple ISPs or customer networks. It is often combined with other protection mechanisms like prefix filtering, route maps, and BGP authentication to create a defense-in-depth strategy. In cloud and data center environments, BGP TTL Security helps secure the control plane by ensuring that only directly connected neighbors can send routing updates.

Another practical reason is operational simplicity. Unlike ACLs that need constant updates, or authentication that requires key rotation, BGP TTL Security is configured once and rarely needs changes. It is also transparent to the routing protocol itself, so it does not affect BGP timers, attributes, or path selection. For network engineers preparing for CCNP or CCIE exams, understanding this feature is essential because it appears in troubleshooting scenarios, design questions, and configuration tasks.

How It Appears in Exam Questions

In exam questions, BGP TTL Security appears in several formats.

Scenario questions: The question describes a network where an attacker is sending fake BGP updates to a router from the internet. The candidate must choose the best security measure to block these attacks. The options may include BGP TTL Security, MD5 authentication, prefix filtering, or route maps. The correct choice is BGP TTL Security because it specifically blocks packets with incorrect TTL values.

Configuration questions: The candidate is asked to write or complete a configuration that enables BGP TTL Security on a specific BGP neighbor. For example, “Configure router R1 to use TTL security for its eBGP session with neighbor 192.168.1.2.” The correct answer includes the command “neighbor 192.168.1.2 ttl-security hops 1” under the BGP router configuration mode.

Troubleshooting questions: A show command output reveals that a BGP session is flapping or not establishing. The candidate must identify that BGP TTL Security is misconfigured. For example, if the hop count is set to 2 instead of 1 for a directly connected neighbor, the router expects a TTL of 254, but the neighbor sends packets with TTL 255, causing the session to fail. Alternatively, if BGP TTL Security is enabled on one side only, the session may not come up.

Multiple-choice questions: These ask about the characteristics of BGP TTL Security, such as “Which attack does BGP TTL Security prevent?” The answer is spoofed BGP packets from off-path attackers. Another question might ask “What is the default TTL expected by a router when ttl-security is enabled with hops 1?” The answer is 255.

Design questions: The candidate must recommend where to implement BGP TTL Security. For instance, in a BGP design with multiple eBGP peers, which peers should have TTL security enabled? The answer: all eBGP peers that are directly connected, especially those facing untrusted networks like the internet.


Example Scenario

Imagine a company called NetCorp that has two routers: Router A is in the company’s headquarters, and Router B is at a branch office located in a different city. They are connected through a single leased line, so from a BGP perspective, they are directly connected neighbors. They use eBGP to exchange routing information.

One day, a hacker on the internet tries to send a fake BGP update to Router A, pretending to be Router B. The hacker wants to make Router A think that the path to a major website goes through the hacker’s network, so that traffic is intercepted. The hacker sends packets with Router B’s IP address, but those packets must travel across multiple internet routers before reaching Router A. With each hop, the TTL decreases. By the time the packet reaches Router A, the TTL might be 249 or lower.

Before enabling BGP TTL Security, Router A would accept this fake packet because it checks only the source IP address, which appears correct. After enabling BGP TTL Security with the hop count set to 1, Router A will check the TTL. The legitimate Router B sends packets with TTL 255 because they are directly connected. The hacker’s packet arrives with a TTL far below 255, so Router A drops it. The attack fails, and NetCorp’s routing remains secure.

Common Mistakes

Thinking BGP TTL Security works for iBGP sessions the same way it works for eBGP.

iBGP sessions often require multiple hops because the two routers may not be directly connected. BGP TTL Security expects a TTL of 255, but if the iBGP neighbor is multiple hops away, the TTL will be less than 255, causing the session to fail. The feature is designed primarily for eBGP sessions where neighbors are directly connected.

Use BGP TTL Security only for eBGP sessions with directly connected neighbors. For multi-hop eBGP or iBGP, either use authentication or adjust the hop count carefully if the feature is supported.

Assuming BGP TTL Security replaces all other BGP security measures like authentication or prefix filtering.

BGP TTL Security only protects against off-path attackers who cannot set the TTL to 255. It does not protect against on-path attackers who are directly connected to the same link, nor does it verify the authenticity of the routing data itself. Other security measures are still needed.

Use BGP TTL Security as one layer of defense. Always combine it with route authentication (MD5 or TCP-AO) and prefix filtering to fully protect BGP sessions.

Forgetting to configure ttl-security on both ends of the BGP session.

If only one side has ttl-security enabled, that side expects TTL 255 from the neighbor, but the neighbor may be sending packets with a different TTL. This mismatch can cause the BGP session to fail to establish or flap intermittently.

Configure ttl-security on both BGP neighbors. Ensure the hop count matches the actual network topology. For directly connected eBGP, use “hops 1” on both routers.

Believing that BGP TTL Security prevents all types of BGP hijacking.

BGP hijacking can occur through compromised routers, misconfiguration, or malicious intent from within the network. BGP TTL Security only prevents a specific type of spoofing attack from off-path attackers. It does not stop a legitimate neighbor from advertising incorrect routes.

Understand that BGP TTL Security is a perimeter defense. For internal threats, use route validation mechanisms like RPKI, IRR filtering, and BGP origin validation.

Setting the hop count to a value higher than necessary, thinking it provides more security.

If the hop count is set too high, the router will accept packets with a TTL lower than 255, which defeats the purpose of the security check. For instance, setting hops 2 allows packets with TTL 254, which could come from an attacker one hop away.

Always set the hop count to the exact number of hops between the two BGP routers. For directly connected eBGP, use hops 1. Never increase the hop count unless the neighbor is actually multiple hops away.

Exam Trap — Don't Get Fooled

An exam question shows that after enabling BGP TTL Security with the command “neighbor 10.1.1.1 ttl-security hops 1”, the BGP session goes down. The candidate is asked why. A distractor option says “The neighbor router does not support BGP TTL Security.”

When troubleshooting a BGP session that fails after enabling ttl-security, first verify that the neighbor is directly connected. Check the topology. Then confirm that the hop count matches the actual number of hops.

Also check whether the neighbor has ttl-security enabled. If the neighbor does not support the feature at all, the session will not establish because the neighbor’s packets will have a TTL that is not 255. But the exam trap often involves a misconfigured hop count rather than lack of support.

Commonly Confused With

BGP TTL Security vs BGP MD5 Authentication

BGP MD5 authentication adds a cryptographic hash to each BGP packet to verify that it comes from a trusted source. BGP TTL Security does not use cryptography but relies on the TTL value. MD5 protects against both on-path and off-path attackers, while TTL security only protects against off-path attackers. They can be used together.

MD5 is like a secret password that only you and your friend know. TTL security is like checking that the letter came through your front door, not through the back alley.

BGP TTL Security vs BGP TCP-AO (TCP Authentication Option)

TCP-AO is a newer and more secure authentication method than MD5 for BGP sessions. It uses cryptographic algorithms and key management. BGP TTL Security is simpler and does not involve keys. TCP-AO provides integrity and authenticity, while TTL security provides only source locality.

TCP-AO is like using a digital signature on your letter that can be verified by a trusted authority. TTL security is like checking that the envelope has a local postmark.

BGP TTL Security vs Generalized TTL Security Mechanism (GTSM)

GTSM is the broader concept defined in RFC 5082, and BGP TTL Security is a specific implementation of GTSM for BGP. GTSM can be used with other protocols like OSPF or EIGRP. The terms are often used interchangeably in BGP contexts.

GTSM is like a general rule for all types of mail, while BGP TTL security is the specific rule for BGP letters. They are essentially the same idea applied to different protocols.

BGP TTL Security vs BGP Prefix Filtering

Prefix filtering uses access lists or prefix lists to control which BGP routes are accepted or advertised. It focuses on the content of the route, not the source of the packet. BGP TTL Security addresses the source of the packet, not the content. Both are important for BGP security.

Prefix filtering is like checking what is written inside the letter. TTL security is like checking who delivered it.

Step-by-Step Breakdown

1. Identify the BGP session to protect

Determine which eBGP sessions are vulnerable to off-path spoofing attacks. Typically these are sessions between directly connected routers, such as border routers connecting to an ISP or customer. These sessions are most exposed to the internet.

2. Check that both routers are directly connected

BGP TTL Security with hops 1 requires that the two routers share a direct physical or logical link with no intermediate routers. If there is any hop between them, the TTL will be less than 255, and the session will fail. Verify the network topology.

3. Configure the hop count on the local router

On the local router, enter BGP configuration mode and use the command “neighbor [ip-address] ttl-security hops [number]”. For a directly connected neighbor, use hops 1. This tells the router to expect incoming BGP packets with TTL equal to 255 minus (hops minus 1), so hops 1 expects TTL 255.

4. Configure the hop count on the neighbor router

The same configuration must be applied on the remote router for the session to work. Both sides must agree on the hop count. If the remote router is not configured, the session may fail because the remote router’s outgoing packets may have a TTL less than 255.

5. Verify the BGP session state

Use commands like “show ip bgp summary” or “show bgp summary” to check if the session is established. If the state is ACTIVE or IDLE, check for TTL mismatch. Use “debug ip bgp” carefully to see packet drops. Also check the neighbor’s configuration.

6. Test the security by simulating an attack

In a lab environment, send a BGP packet from a non-directly connected source with a spoofed IP address of the legitimate neighbor. The router should drop it because the TTL will be less than 255. This confirms that the feature is working.

7. Combine with other security measures

After enabling BGP TTL Security, also configure BGP authentication (MD5 or TCP-AO) and prefix filtering to protect against on-path attacks and route hijacking. This creates a layered defense.

Practical Mini-Lesson

BGP TTL Security is one of the simplest yet most effective tools for protecting BGP sessions from remote spoofing attacks. As a network professional, you need to understand not only how to configure it but also when and why to use it.

First, let’s talk about the attack it prevents. Off-path attackers can send packets with a forged source IP address to a router. If that router believes the packet came from a trusted BGP neighbor, it will process the packet as a legitimate BGP update. The attacker can then inject false routing information, causing traffic to be misdirected. Before BGP TTL Security, the only ways to prevent this were IPsec, MD5 authentication, or complex ACLs. All of these have overhead.

BGP TTL Security solves this by leveraging the IP TTL field. Every IP packet has a TTL that decreases by one each time it passes through a router. A packet from a directly connected neighbor will have a TTL of 255 because it started at 255 and has not crossed any routers. By dropping any BGP packet that does not have a TTL of exactly 255, the router effectively blocks all packets that have traveled through at least one intermediate router.

Configuration is straightforward. On a Cisco router, you enter BGP router configuration mode and issue the command: “neighbor 192.168.1.2 ttl-security hops 1”. The “hops 1” parameter indicates that the neighbor is exactly one hop away. The router will then send all BGP packets to that neighbor with TTL set to 255, and will only accept BGP packets from that neighbor with TTL equal to 255. If the neighbor is a multi-hop eBGP peer, you increase the hops count accordingly.

What can go wrong? The most common issue is forgetting to configure both sides. If only one router is configured, the configured router will drop the neighbor’s packets if the neighbor sends them with TTL less than 255. The session will not establish. Another issue is incorrectly setting the hop count. For example, if you set hops 2 for a directly connected neighbor, the router expects TTL 254, but the neighbor sends TTL 255, causing a mismatch.
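The receive check described in this lesson and in the step-by-step procedure, as an added example that is not code from the page or from Cisco: a Python model of a ttl-security peer, the per-neighbor minimum TTL, and transit routers decrementing the TTL. It follows the page's rule that hops N expects TTL 255 minus (N minus 1) and treats that value as a minimum, so hops 2 admits TTL 254 as the Common Mistakes section notes; the Router and Packet classes, the NetCorp-style topology and the 10.1.1.x addresses are constructed for this example.

```python
"""Model of the BGP TTL Security (GTSM) receive check: a ttl-security peer
sends TTL 255, the receiver enforces a per-neighbor minimum derived from the
configured hop count, and each transit router decrements TTL by one."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_TTL = 255          # TTL a ttl-security peer puts on outgoing BGP packets
EBGP_DEFAULT_TTL = 1   # Cisco eBGP default when ttl-security is not configured


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    ttl: int


@dataclass
class Router:
    name: str
    ip: str
    # neighbor address -> hop count from "neighbor <ip> ttl-security hops <n>";
    # a neighbor absent from the map gets no TTL check (hypothetical model)
    ttl_security: Dict[str, int] = field(default_factory=dict)

    def expected_min_ttl(self, neighbor_ip: str) -> Optional[int]:
        """Lowest accepted TTL: 255 minus (hops minus 1); hops 1 -> 255."""
        hops = self.ttl_security.get(neighbor_ip)
        return None if hops is None else MAX_TTL - (hops - 1)

    def send_bgp(self, neighbor_ip: str) -> Packet:
        """Outgoing TTL is 255 only if ttl-security is set for the neighbor."""
        ttl = MAX_TTL if neighbor_ip in self.ttl_security else EBGP_DEFAULT_TTL
        return Packet(self.ip, neighbor_ip, ttl)

    def accept_bgp(self, pkt: Packet) -> bool:
        """Receive-side check keyed on the claimed source address."""
        minimum = self.expected_min_ttl(pkt.src_ip)
        return minimum is None or pkt.ttl >= minimum


def forward(pkt: Packet, transit_routers: int) -> Optional[Packet]:
    """Each transit router decrements TTL; a packet reaching 0 is discarded."""
    ttl = pkt.ttl
    for _ in range(transit_routers):
        ttl -= 1
        if ttl == 0:
            return None
    return Packet(pkt.src_ip, pkt.dst_ip, ttl)


def deliver(receiver: Router, pkt: Packet, transit_routers: int) -> Tuple[bool, int]:
    """Return (accepted, arriving TTL); a packet expiring in transit gives (False, 0)."""
    arrived = forward(pkt, transit_routers)
    if arrived is None:
        return False, 0
    return receiver.accept_bgp(arrived), arrived.ttl


# Constructed topology after the page's NetCorp scenario: Router A and Router B
# share one link; the 10.1.1.x addresses are made up for this example.
def router_a(hops: int = 1) -> Router:
    return Router("RouterA", "10.1.1.1", {"10.1.1.2": hops})


def directly_connected_peer() -> Tuple[bool, int]:
    """Both sides run ttl-security hops 1 with no router in between."""
    a = router_a()
    b = Router("RouterB", "10.1.1.2", {"10.1.1.1": 1})
    return deliver(a, b.send_bgp(a.ip), transit_routers=0)   # (True, 255)


def off_path_spoof(transit_routers: int = 6) -> Tuple[bool, int]:
    """A forged packet claiming Router B's address arrives from six routers away."""
    forged = Packet(src_ip="10.1.1.2", dst_ip="10.1.1.1", ttl=MAX_TTL)
    return deliver(router_a(), forged, transit_routers)       # (False, 249)


def one_side_only() -> Tuple[bool, int]:
    """Router B lacks ttl-security and sends the eBGP default TTL of 1."""
    a = router_a()
    b = Router("RouterB", "10.1.1.2")                         # not configured
    return deliver(a, b.send_bgp(a.ip), transit_routers=0)   # (False, 1)


def hop_count_too_high() -> Tuple[bool, int]:
    """hops 2 on a direct link admits TTL 254, so a forgery from one
    router away passes the check (the Common Mistakes case)."""
    forged = Packet(src_ip="10.1.1.2", dst_ip="10.1.1.1", ttl=MAX_TTL)
    return deliver(router_a(hops=2), forged, transit_routers=1)   # (True, 254)
```

The one_side_only case is the mismatch the paragraph above describes: the unconfigured side keeps sending the eBGP default TTL, and the configured side silently drops every packet, so the session never establishes.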

In practice, BGP TTL Security is widely deployed on internet exchange points and on customer-facing BGP sessions. It is also used in data center fabrics where spine and leaf switches exchange routes via eBGP. The feature is lightweight, requiring no additional CPU overhead for hashing or key management. It is also transparent to changes in routing policies.

For professionals, it is important to remember that BGP TTL Security is not a silver bullet. It does not protect against on-path attackers who are directly connected to the same network segment. Those attackers can send packets with TTL 255 just like the legitimate neighbor. In those cases, you need authentication or encryption. Also, the feature does not protect against misconfigurations or attacks from within the network. Always use a combination of security measures.

Memory Tip

Remember “TTL 255, neighbor alive.” If the TTL is not 255, the packet is not from a directly connected neighbor.


Frequently Asked Questions

Does BGP TTL Security work with IPv6?

Yes, BGP TTL Security works with both IPv4 and IPv6 BGP sessions. In IPv6, the Hop Limit field is used instead of TTL, but the concept is identical. The configuration commands are the same.

Can I use BGP TTL Security with iBGP?

It is not recommended because iBGP peers are often not directly connected. However, if you have a directly connected iBGP peer, you can use it. For multi-hop iBGP, BGP TTL Security would block the session because the TTL will be less than 255.

What happens if only one router has ttl-security configured?

The session will likely fail because the configured router will drop packets from the neighbor if they do not have TTL 255. The neighbor may also drop packets if it expects a different TTL. Both sides should be configured.

Is BGP TTL Security the same as GTSM?

Yes, BGP TTL Security is an implementation of the Generalized TTL Security Mechanism (GTSM) defined in RFC 5082. The terms are often used interchangeably in the context of BGP.

Does BGP TTL Security protect against all BGP hijacking?

No. It only protects against spoofed BGP packets from off-path attackers. It does not prevent hijacking caused by compromised routers, misconfigurations, or attacks from directly connected neighbors.

What is the default TTL value for BGP packets?

The default TTL for BGP packets depends on the operating system. On Cisco routers, the default TTL for eBGP is 1, meaning packets are sent with TTL 1 unless ttl-security is enabled. With ttl-security, the TTL is set to 255.

Can BGP TTL Security be used with BGP authentication?

Yes, they can be used together. BGP TTL Security provides source locality, while authentication provides data integrity and authenticity. Using both gives stronger security.

Summary

BGP TTL Security is a simple but powerful defense mechanism for BGP sessions. It works by checking the Time-to-Live value in incoming BGP packets, allowing only those with a TTL of 255, which indicates the packet came from a directly connected neighbor. This blocks off-path attackers who try to spoof BGP updates from remote locations.

The feature is easy to configure, requires no cryptographic keys, and is widely supported on Cisco routers and other networking platforms. For certification exams like CCNP ENARSI, understanding the configuration, limitations, and troubleshooting of BGP TTL Security is essential. Remember that it is not a complete security solution and should be combined with authentication and filtering.

Use the memory hook “TTL 255, neighbor alive” to recall that only packets with TTL 255 are trusted from a directly connected peer. By mastering this feature, you add a valuable layer of protection to your network and demonstrate a strong grasp of routing protocol security.