Network Working Group V. Gill
Request for Comments: 3682 J. Heasley
Category: Experimental D. Meyer
February 2004
The Generalized TTL Security Mechanism (GTSM)
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
The use of a packet's Time to Live (TTL) (IPv4) or Hop Limit (IPv6)
to protect a protocol stack from CPU-utilization based attacks has
been proposed in many settings (see for example, RFC 2461). This
document generalizes these techniques for use by other protocols such
as BGP (RFC 1771), Multicast Source Discovery Protocol (MSDP),
Bidirectional Forwarding Detection, and Label Distribution Protocol
(LDP) (RFC 3036). While the Generalized TTL Security Mechanism
(GTSM) is most effective in protecting directly connected protocol
peers, it can also provide a lower level of protection to multi-hop
sessions. GTSM is not directly applicable to protocols employing
flooding mechanisms (e.g., multicast), and use of multi-hop GTSM
should be considered on a case-by-case basis.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Assumptions Underlying GTSM. . . . . . . . . . . . . . . . . . 2
2.1. GTSM Negotiation . . . . . . . . . . . . . . . . . . . . 3
2.2. Assumptions on Attack Sophistication . . . . . . . . . . 3
3. GTSM Procedure . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Multi-hop Scenarios. . . . . . . . . . . . . . . . . . . 4
3.1.1. Intra-domain Protocol Handling . . . . . . . . . 5
4. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations. . . . . . . . . . . . . . . . . . . . 5
5.1. TTL (Hop Limit) Spoofing . . . . . . . . . . . . . . . . 5
5.2. Tunneled Packets . . . . . . . . . . . . . . . . . . . . 6
5.2.1. IP in IP . . . . . . . . . . . . . . . . . . . . 6
Gill, et al. Experimental [Page 1]
RFC 3682 Generalized TTL Security Mechanism February 2004
5.2.2. IP in MPLS . . . . . . . . . . . . . . . . . . . 7
5.3. Multi-Hop Protocol Sessions. . . . . . . . . . . . . . . 8
6. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . 9
8. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 10
9. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 11
1. Introduction
The Generalized TTL Security Mechanism (GTSM) is designed to protect
a router's TCP/IP based control plane from CPU-utilization based
attacks. In particular, while cryptographic techniques can protect
the router-based infrastructure (e.g., BGP [RFC1771], [RFC1772]) from
a wide variety of attacks, many attacks based on CPU overload can be
prevented by the simple mechanism described in this document. Note
that the same technique protects against other scarce-resource
attacks involving a router's CPU, such as attacks against
processor-line card bandwidth.
GTSM is based on the fact that the vast majority of protocol peerings
are established between routers that are adjacent [PEERING]. Thus
most protocol peerings are either directly between connected
interfaces or at the worst case, are between loopback and loopback,
with static routes to loopbacks. Since TTL spoofing is considered
nearly impossible, a mechanism based on an expected TTL value can
provide a simple and reasonably robust defense from infrastructure
attacks based on forged protocol packets.
Finally, the GTSM mechanism is equally applicable to both TTL (IPv4)
and Hop Limit (IPv6), and from the perspective of GTSM, TTL and Hop
Limit have identical semantics. As a result, in the remainder of
this document the term "TTL" is used to refer to both TTL or Hop
Limit (as appropriate).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
[RFC2119].
2. Assumptions Underlying GTSM
GTSM is predicated upon the following assumptions:
(i) The vast majority of protocol peerings are between adjacent
routers [PEERING].
Gill, et al. Experimental [Page 2]
RFC 3682 Generalized TTL Security Mechanism February 2004
(ii) It is common practice for many service providers to ingress
filter (deny) packets that have the provider's loopback
addresses as the source IP address.
(iii) Use of GTSM is OPTIONAL, and can be configured on a per-peer
(group) basis.
(iv) The router supports a method of classifying traffic destined
for the route processor into interesting/control and
not-control queues.
(iv) The peer routers both implement GTSM.
2.1. GTSM Negotiation
This document assumes that GTSM will be manually configured between
protocol peers. That is, no automatic GTSM capability negotiation,
such as is envisioned by RFC 2842 [RFC2842] is assumed or defined.
2.2. Assumptions on Attack Sophistication
Throughout this document, we assume that potential attackers have
evolved in both sophistication and access to the point that they can
send control traffic to a protocol session, and that this traffic
appears to be valid control traffic (i.e., has the source/destination
of configured peer routers).
We also assume that each router in the path between the attacker and
the victim protocol speaker decrements TTL properly (clearly, if
either the path or the adjacent peer is compromised, then there are
worse problems to worry about).
Since the vast majority of our peerings are between adjacent routers,
we can set the TTL on the protocol packets to 255 (the maximum
possible for IP) and then reject any protocol packets that come in
from configured peers which do NOT have an inbound TTL of 255.
GTSM can be disabled for applications such as route-servers and other
large diameter multi-hop peerings. In the event that an the attack
comes in from a compromised multi-hop peering, that peering can be
shut down (a method to reduce exposure to multi-hop attacks is
outlined below).
3. GTSM Procedure
GTSM SHOULD NOT be enabled by default. The following process
describes the per-peer behavior:
Gill, et al. Experimental [Page 3]
RFC 3682 Generalized TTL Security Mechanism February 2004
(i) If GTSM is enabled, an implementation performs the following
procedure:
(a) For directly connected routers,
o Set the outbound TTL for the protocol connection to 255.
o For each configured protocol peer:
Update the receive path Access Control List (ACL) or
firewall to only allow protocol packets to pass onto the
Route Processor (RP) that have the correct