The BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

Associated with: CCI-002385

SV-70023r2_rule The BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM).

Vulnerability discussion

As described in RFC 3682, GTSM is designed to protect a router's IP-based control plane from DoS attacks. Many attacks focused on CPU load and line-card overload can be prevented by implementing GTSM on all Exterior Border Gateway Protocol speaking routers. GTSM is based on the fact that the vast majority of control plane peering is established between adjacent routers; that is, the Exterior Border Gateway Protocol peers are either between connecting interfaces or between loopback interfaces. Since TTL spoofing is considered nearly impossible, a mechanism based on an expected TTL value provides a simple and reasonably robust defense from infrastructure attacks based on forged control plane traffic.

Check content

Review the router configuration. If the router is not configured to use GTSM for all Exterior Border Gateway Protocol peering sessions, this is a finding.

Fix text

Configure all Exterior Border Gateway Protocol peering sessions to use GTSM.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.