Overview
Describes BGP eBGP security using the Generalized TTL Security Mechanism (GTSM) and provides step-by-step guidance to configure BGP eBGP security GTSM to protect against spoofed routing updates.
BGP eBGP security GTSM is a BGP security feature that
- restricts accepted IP packets to those with a Time to Live (TTL) or Hop Limit equal to the maximum value for eBGP neighbors,
- protects a router's control plane from CPU-utilization attacks caused by forged protocol packets, and
- applies robust session security for eBGP peerings, especially between directly connected or loopback-adjacent routers.
| Feature Name | Release Information | Feature Description |
|---|---|---|
| BGP-eBGP Security GTSM | Release 25.4.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*) *This feature is now supported on: |
| BGP-eBGP Security GTSM | Release 25.1.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100])(select variants only*) *This feature is supported on Cisco 8011-4G24Y4H-I routers. |
| BGP-eBGP Security GTSM | Release 24.4.1 | Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100])(select variants only); Modular Systems (8800 [LC ASIC: P100])(select variants only*) *This feature is supported on: |
| BGP-eBGP Security GTSM | Release 7.3.1 | The Generalized TTL Security Mechanism (GTSM) is designed to protect a router's IP-based control plane from CPU-utilization based attacks. This feature enables the router to accept only IP packets with a TTL count that is equal to the maximum TTL value. New command introduced: |
Generalized TTL Security Mechanism (GTSM)
GTSM leverages the fact that most protocol peerings occur between adjacent routers or loopback addresses. Since TTL spoofing is nearly impossible in these scenarios, enforcing maximum TTL value acceptance creates a simple and effective defense against infrastructure attacks using forged packets. GTSM applies to both IPv4 (TTL) and IPv6 (Hop Limit) sessions.
How GTSM Works
When GTSM is enabled, the router only accepts packets whose TTL equals the maximum value. Packets with lower TTL are discarded and do not generate ICMP responses, preventing feedback to attackers.
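The receive-side check described above, modelled as an added Python example (not code from this page or from IOS XR): packets arriving with the maximum TTL or Hop Limit are accepted, everything else is dropped with no ICMP feedback. The `hops` parameter with values above 1 is the RFC 5082 generalization for multihop peerings, an assumption beyond the directly connected case this page covers; the sample traffic is constructed.

```python
from dataclasses import dataclass

MAX_TTL = 255  # the maximum IPv4 TTL and IPv6 Hop Limit value


@dataclass
class Packet:
    src: str
    ttl: int            # IPv4 TTL or IPv6 Hop Limit as it arrives at the router
    ipv6: bool = False  # the same rule applies to both address families


def arrival_ttl(initial_ttl: int, hops: int) -> int:
    """TTL a packet carries after crossing `hops` routers (each decrements by 1).
    A directly connected peer's packet crosses no intermediate router."""
    return max(initial_ttl - hops, 0)


def gtsm_accept(ttl: int, hops: int = 1) -> bool:
    """GTSM receive check. hops=1 is the directly connected case on this page:
    only TTL == 255 is accepted. hops > 1 is the RFC 5082 generalization
    (assumption for multihop peerings): accept TTL >= 255 - hops + 1."""
    return MAX_TTL - hops + 1 <= ttl <= MAX_TTL


def filter_bgp_packets(packets, hops: int = 1):
    """Split packets into accepted and silently dropped. Dropped packets get no
    ICMP reply, so the sender learns nothing from the rejection."""
    accepted, dropped = [], []
    for p in packets:
        (accepted if gtsm_accept(p.ttl, hops) else dropped).append(p)
    return accepted, dropped


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Packet("192.0.2.1", arrival_ttl(255, 0)),          # adjacent peer: arrives with TTL 255
    Packet("198.51.100.7", arrival_ttl(255, 3)),       # non-adjacent source 3 hops away: TTL 252
    Packet("203.0.113.9", arrival_ttl(64, 0)),         # on-link host using a default TTL of 64
    Packet("2001:db8::1", arrival_ttl(255, 0), True),  # IPv6 neighbor with Hop Limit 255
]

if __name__ == "__main__":
    ok, drop = filter_bgp_packets(SAMPLE)
    print("accepted:", [p.src for p in ok])    # ['192.0.2.1', '2001:db8::1']
    print("dropped :", [p.src for p in drop])  # ['198.51.100.7', '203.0.113.9']
```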