nerdexam
Cisco

352-001 · Question #206

Your company's external routers BGP peer with multiple service providers and external organizations. In all cases, the external routers are peered with their BGP neighbors via directly- connected inte

The correct answer is A. GTSM prevents the processing of BGP packets from devices that are not on the directly-connected. GTSM uses IP TTL values to restrict BGP packet processing to directly-connected peers, preventing spoofed BGP packets from distant attackers from being processed.

Designing Security

Question

Your company's external routers BGP peer with multiple service providers and external organizations. In all cases, the external routers are peered with their BGP neighbors via directly- connected interfaces. How does GTSM provide additional security for your BGP speakers?

Options

  • AGTSM prevents the processing of BGP packets from devices that are not on the directly-connected
  • BGTSM prevents the formation of BGP adjacencies from unauthorized devices.
  • CGTSM ensures that all BGP routing updates have been verified for secure origination.
  • DGTSM replaces the TCP 3-way handshake between BGP speakers on directly connected interfaces.
  • EGTSM prevents random TCP resets from being injected into the BGP data stream.

How the community answered

(55 responses)
  • A
    76% (42)
  • B
    5% (3)
  • C
    2% (1)
  • D
    4% (2)
  • E
    13% (7)

Why each option

GTSM uses IP TTL values to restrict BGP packet processing to directly-connected peers, preventing spoofed BGP packets from distant attackers from being processed.

AGTSM prevents the processing of BGP packets from devices that are not on the directly-connectedCorrect

GTSM (RFC 5082) configures BGP speakers to expect received packets with a TTL of 255 for directly-connected peers; any packet arriving with a TTL below the configured minimum is silently discarded. Because each router hop decrements the TTL by one, a packet from a non-adjacent device will have a TTL below the threshold and be dropped before processing. This effectively limits BGP session establishment and packet processing to only directly-connected neighbors.

BGTSM prevents the formation of BGP adjacencies from unauthorized devices.

GTSM does not operate at the BGP session or state-machine level to block adjacency formation - it works at the IP layer by discarding packets with insufficient TTL values before they reach the BGP process.

CGTSM ensures that all BGP routing updates have been verified for secure origination.

GTSM has no mechanism for verifying route origination or authenticating routing update content; that function requires RPKI (Resource Public Key Infrastructure) or BGP prefix origin validation.

DGTSM replaces the TCP 3-way handshake between BGP speakers on directly connected interfaces.

GTSM does not modify or replace the TCP 3-way handshake; it only inspects the TTL field of incoming IP packets carrying BGP traffic.

EGTSM prevents random TCP resets from being injected into the BGP data stream.

Protection against TCP RST injection attacks is provided by TCP MD5 session authentication (RFC 2385) or TCP-AO (RFC 5925), not by GTSM, which only validates TTL values.

Concept tested: GTSM TTL security for BGP peers

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16/irg-xe-16-book/bgp-ttl-security-check.html

Topics

#GTSM#BGP security#TTL security#directly-connected peers

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice