Overview
Details interface-based LPTS identifiers for controlling traffic destined to the local router and guides configuration of LPTS secure binding for directly connected eBGP neighbors.
An interface-based LPTS identifier is a network security feature that
- associates each directly connected external BGP (eBGP) neighbor with a specific router interface,
- restricts inbound traffic so that only packets originating from the designated eBGP neighbor can traverse the mapped interface, and
- prevents IP spoofing and session hijacking attempts by enforcing strict interface-level packet filtering and policing.
| Feature Name | Release Name | Description |
|---|---|---|
| Protection of Directly Connected EBGP Neighbors through Interface-Based LPTS Identifier | Release 25.4.1 | Introduced in this release on: Fixed Systems (8010 [ASIC: A100]) (select variants only*). *This feature is now supported on: |
| Protection of Directly Connected EBGP Neighbors through Interface-Based LPTS Identifier | Release 25.1.1 | Introduced in this release on: Fixed Systems (8700 [ASIC: K100], 8010 [ASIC: A100]) (select variants only*). *This feature is supported on: |
| Protection of Directly Connected EBGP Neighbors through Interface-Based LPTS Identifier | Release 24.4.1 | Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100]) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*). *This feature is supported on: |
| Protection of Directly Connected EBGP Neighbors through Interface-Based LPTS Identifier | Release 7.10.1 | We have enhanced the network security for directly connected eBGP neighbors by ensuring that only packets originating from designated eBGP neighbors can traverse a single interface, thus preventing IP spoofing. This is made possible because we have added an interface identifier to Local Packet Transport Services (LPTS). LPTS filters and polices the packets based on the type of flow rate you configure. The feature introduces these changes: CLI: YANG Data Model: |
Overview of Local Packet Transport Services (LPTS) in BGP
LPTS maintains tables describing all packet flows destined for the secure domain router (SDR), ensuring packets are delivered only to their intended destinations. In BGP sessions, LPTS entries are categorized as follows:
- BGP known: Entries for established BGP neighbors.
- BGP configured peer: Entries for initial packets (TCP SYN and third ACK) from specifically configured BGP neighbors.
- BGP default entries: Entries for all packets from unconfigured BGP neighbors.
Security enhancement with interface identifier
By adding an interface identifier to the LPTS entries for directly connected eBGP neighbors, the router ensures that only traffic arriving on the designated interface from the designated neighbor IP can match the LPTS entry and reach the BGP session. Spoofed packets arriving on other interfaces, even with the correct IP/port/VRF combination, match only the default LPTS entry, where they are policed and handed to TCP for reset generation. This prevents attackers from exploiting established session entries by flooding the router from other interfaces.
Conditions for passing the interface identifier
The interface identifier is passed to LPTS and TCP only when all these conditions are met:
- The BGP peer is configured as external (eBGP).
- Fast External Failover (FEF) is not disabled.
- The BGP peer is directly connected.
- The BGP peer is not a dynamic peer.
- eBGP multihop is not enabled.
- The default eBGP TTL is used.
- The "ignore connected" option is not configured.
- A non-link-local IPv6 neighbor address is configured.
Interface identifier binding during session establishment
During session establishment, both passive (received connections) and active (initiated connections) BGP bindings supply the interface identifier, so the LPTS entry for the connection is tightly bound to the specified interface.
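The lookup behaviour described under "Security enhancement with interface identifier" and the eight conditions listed above, modelled in Python as an added example (this is not Cisco IOS XR code, and the entry fields, peer attributes, addresses and interface names are constructed assumptions, not the platform's own data structures):

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LptsEntry:
    """One LPTS flow entry; None in a field means 'any' (wildcard)."""
    kind: str                         # "known", "configured peer" or "default"
    vrf: str
    src_ip: Optional[str] = None
    src_port: Optional[int] = None    # assumed 179 for the sample session
    interface: Optional[str] = None   # interface identifier; None = not bound

    def matches(self, pkt: dict) -> bool:
        return (self.vrf == pkt["vrf"]
                and self.src_ip in (None, pkt["src_ip"])
                and self.src_port in (None, pkt["src_port"])
                and self.interface in (None, pkt["interface"]))

def lookup(table: list, pkt: dict) -> str:
    """Kind of the first entry matched; table is ordered most-specific first."""
    for entry in table:
        if entry.matches(pkt):
            return entry.kind
    raise LookupError("table has no default entry")

def interface_id_passed(peer: dict) -> bool:
    """All eight conditions from the text must hold for BGP to hand the
    interface identifier to LPTS and TCP (attribute names are assumed)."""
    return (peer["external"] and not peer["fef_disabled"]
            and peer["directly_connected"] and not peer["dynamic"]
            and not peer["multihop"] and peer["ttl_default"]
            and not peer["ignore_connected"] and not peer["link_local_v6"])

def build_table(peer: dict) -> list:
    """Known entry for the established session, then the catch-all default.
    The known entry is bound to the interface only when the conditions hold."""
    iface = peer["interface"] if interface_id_passed(peer) else None
    return [LptsEntry("known", peer["vrf"], peer["ip"], 179, iface),
            LptsEntry("default", peer["vrf"])]

# Constructed sample peer and packets (addresses and interface names are made up).
PEER = dict(ip="192.0.2.2", vrf="default", interface="HundredGigE0/0/0/1",
            external=True, fef_disabled=False, directly_connected=True,
            dynamic=False, multihop=False, ttl_default=True,
            ignore_connected=False, link_local_v6=False)
GENUINE = dict(vrf="default", src_ip="192.0.2.2", src_port=179,
               interface="HundredGigE0/0/0/1")
SPOOFED = dict(GENUINE, interface="HundredGigE0/0/0/7")  # same IP/port/VRF

if __name__ == "__main__":
    table = build_table(PEER)
    print(lookup(table, GENUINE))   # known
    print(lookup(table, SPOOFED))   # default -> policed, passed to TCP for reset
```

With the conditions unmet (for example FEF disabled), the known entry is not bound to an interface and the same spoofed packet matches it, which is the pre-feature behaviour the interface identifier removes.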