Creating a TTL lt 6 ACL entry

  • Question
  • Updated 3 years ago
  • Answered
Trying to create an ACL entry that blocks IP TTL < 6 -

The 16.1 user guide offers the match condition "TTL number { mask number}"

I am new to doing ACLs on Extreme, and assume that the policy entry should look like this:

entry {
    if {
        ttl [number] mask [number];
    } then {
        deny;
    }
}

However, I don't know what I should put for the number or mask to make the equation equal "less than 6"

As you may have guessed, I am trying to implement Cisco's hardening checklist equivalent on a Summit x460 that we are using as a border router, and I am guessing that most of the items listed, such as blocking TTL less than six, blocking fragments, etc., have to be done using ACLs.

Finally, whatever you provide as the answer for the match condition, can I use it in a dynamic acl entry as well?


Thanks,

Steve


Steve Robinson


Posted 3 years ago


Daniel Flouret, Employee

Steve,

This is a new feature of EXOS v16.1.1 and I don't have a physical switch to try it, so I don't know if this will work...

The documentation says:
"Time To Live with mask. The mask is optional, and it can be a decimal value or a hexadecimal value. Only those bits of the ttl whose corresponding bit in the mask is set to 1 will be used as match criteria. This can be used to match IPv4 Time-To-Live and IPv6 Hop Limit."

So, if my understanding of this is correct, if you were looking for 7 or less, it would be easy. Mask off the last three bits with 248 (1111 1000) and if the result is zero, you're in. It would look like
ttl 0 mask 248; # this should match 1 to 7

But "less than 6" means 5 (0101), 4 (0100), 3 (0011), 2 (0010) and 1 (0001) so you can't check that with a single mask. You have to use two, to check for 10x and 0xx.
entry test5-4_ttl_mask {
    if match any {
        ttl 4 mask 254; # this should match 4 and 5
    } then {
        deny;
    }
}
entry test3-2-1_ttl_mask {
    if match any {
        ttl 0 mask 252; # this should match 1 to 3
    } then {
        deny;
    }
}

Please, let me know if this works...
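The value/mask arithmetic behind the two entries above can be checked before anything is pushed to a switch. The following script is an added example, not code from either poster or from Extreme: it models the documented rule (only the bits set in the mask are compared), enumerates which TTLs a given set of `ttl value mask mask` pairs actually matches, and generalizes the answer's hand decomposition into a routine that turns any "TTL less than N" requirement into the minimal list of pairs. The `render_policy` helper and the entry names it produces are assumptions for illustration; the policy syntax it emits is the form quoted in the thread.

```python
# Added example (not from the original thread): verifying and generating
# EXOS-style "ttl <value> mask <mask>" match pairs for a range such as TTL < 6.
#
# Per the documentation quoted above, a pair (value, mask) matches a TTL t
# exactly when (t & mask) == (value & mask): masked-out bits are ignored.

from typing import List, Tuple

Pair = Tuple[int, int]  # (value, mask), both 8-bit


def pair_matches(ttl: int, value: int, mask: int) -> bool:
    """True if the 8-bit ttl matches the value/mask pair."""
    return (ttl & mask) == (value & mask)


def matched_ttls(pairs: List[Pair]) -> List[int]:
    """Enumerate every TTL in 0..255 matched by at least one pair."""
    return [t for t in range(256) if any(pair_matches(t, v, m) for v, m in pairs)]


def pairs_for_ttl_below(limit: int) -> List[Pair]:
    """Decompose the set {0, ..., limit-1} into value/mask pairs.

    This is the general form of the 10x / 0xx split in the answer: for each
    set bit of `limit`, scanning from the most significant bit down, every
    TTL that shares the bits of `limit` above that position and has a 0
    where `limit` has that 1 is below `limit`, whatever its lower bits hold.
    Each such group is one pair whose mask covers the bits from that
    position upward.
    """
    if not 0 < limit <= 255:
        raise ValueError("limit must be in 1..255 for an 8-bit TTL")
    pairs: List[Pair] = []
    for bit in range(7, -1, -1):
        if limit & (1 << bit):
            mask = (0xFF << bit) & 0xFF                  # this bit and everything above
            value = (limit & mask) & ~(1 << bit) & 0xFF   # limit's high bits, this bit cleared
            pairs.append((value, mask))
    return pairs


def covers_exactly(pairs: List[Pair], limit: int) -> bool:
    """True if the pairs match precisely the TTLs 0..limit-1 and nothing else."""
    return matched_ttls(pairs) == list(range(limit))


def render_policy(name_prefix: str, pairs: List[Pair]) -> str:
    """Render one deny entry per pair in the policy syntax used in the thread.

    The entry names (<name_prefix>_<n>) are an assumption of this example.
    """
    lines: List[str] = []
    for i, (v, m) in enumerate(pairs, 1):
        lines += [
            f"entry {name_prefix}_{i} {{",
            "    if match any {",
            f"        ttl {v} mask {m};",
            "    } then {",
            "        deny;",
            "    }",
            "}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # TTL < 6 reproduces the answer's two pairs: (0, 252) and (4, 254).
    below6 = pairs_for_ttl_below(6)
    print("pairs for TTL < 6:", below6)
    print("TTLs matched:", matched_ttls(below6))
    print(render_policy("ttl_lt_6", below6))
    # TTL < 8 collapses to the single pair from the "7 or less" remark.
    print("pairs for TTL < 8:", pairs_for_ttl_below(8))
```

Note that `ttl 0 mask 252` matches TTL 0 as well as 1 to 3 (and `ttl 0 mask 248` matches 0 as well as 1 to 7); a packet with TTL 0 should never be forwarded in any case, so denying it in the same entry is harmless, and `covers_exactly` treats 0..limit-1 as the intended set for that reason.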