352-001 · Question #206
Your company's external routers BGP peer with multiple service providers and external organizations. In all cases, the external routers are peered with their BGP neighbors via directly- connected inte
The correct answer is A. GTSM prevents the processing of BGP packets from devices that are not on the directly-connected. GTSM uses IP TTL values to restrict BGP packet processing to directly-connected peers, preventing spoofed BGP packets from distant attackers from being processed.
Question
Your company's external routers BGP peer with multiple service providers and external organizations. In all cases, the external routers are peered with their BGP neighbors via directly- connected interfaces. How does GTSM provide additional security for your BGP speakers?
Options
- AGTSM prevents the processing of BGP packets from devices that are not on the directly-connected
- BGTSM prevents the formation of BGP adjacencies from unauthorized devices.
- CGTSM ensures that all BGP routing updates have been verified for secure origination.
- DGTSM replaces the TCP 3-way handshake between BGP speakers on directly connected interfaces.
- EGTSM prevents random TCP resets from being injected into the BGP data stream.
How the community answered
(55 responses)- A76% (42)
- B5% (3)
- C2% (1)
- D4% (2)
- E13% (7)
Why each option
GTSM uses IP TTL values to restrict BGP packet processing to directly-connected peers, preventing spoofed BGP packets from distant attackers from being processed.
GTSM (RFC 5082) configures BGP speakers to expect received packets with a TTL of 255 for directly-connected peers; any packet arriving with a TTL below the configured minimum is silently discarded. Because each router hop decrements the TTL by one, a packet from a non-adjacent device will have a TTL below the threshold and be dropped before processing. This effectively limits BGP session establishment and packet processing to only directly-connected neighbors.
GTSM does not operate at the BGP session or state-machine level to block adjacency formation - it works at the IP layer by discarding packets with insufficient TTL values before they reach the BGP process.
GTSM has no mechanism for verifying route origination or authenticating routing update content; that function requires RPKI (Resource Public Key Infrastructure) or BGP prefix origin validation.
GTSM does not modify or replace the TCP 3-way handshake; it only inspects the TTL field of incoming IP packets carrying BGP traffic.
Protection against TCP RST injection attacks is provided by TCP MD5 session authentication (RFC 2385) or TCP-AO (RFC 5925), not by GTSM, which only validates TTL values.
Concept tested: GTSM TTL security for BGP peers
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16/irg-xe-16-book/bgp-ttl-security-check.html
Topics
Community Discussion
No community discussion yet for this question.