OSPF TTL Security Check

OSPF TTL Security Check will cause OSPF packets exchanged between OSPF routers to use a TTL of 255, and to only accept a TTL of 255. This eliminates the possibility of having an attacker that is more than one hop away, from sending spoofed OSPF packets to create a bogus adjacency, since any such packets will have a TTL of less than 255 and will be rejected. This can be applied either globally:

R1(config-router)#ttl-security all-interfaces

or per interface:

R1(config-if)#ip ospf ttl-security

By default, 255 is the TTL setting of the command, but can be changed using the hops keyword like so:

R1(config-router)#ttl-security all-interfaces hops 100

The hops keyword should be used with caution, as it can open an attack vector that the command itself endeavours to close.


https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/command/iro-cr-book/ospf-i1.html#wp1001106196 https://forum.networklessons.com/t/ospf-ttl-security-check/1941/16?u=lagapides

Links to this page: