Errata

The accept-traceroute-tcp term can present a security risk. As written, it allows any TTL=1 TCP segment to be accepted. This could provide unintended access to the router for any TCP protocol, such as SSH or Telnet. As such it represents a security risk.

While TCP based traceroute is a valid tool, its use is rare in service provider networks. The suggested fix is to delete the term. If TCP traceroute is needed a set of internal IPs that are allowed to access the router along with a valid control plane service/port should be added.

Note from the Author or Editor:
Please add this credit when the errata is made official:

“Thanks to Gary Steers of GTT for reporting this issue.”

The accept-traceroute-tcp-v6 term can present a security risk. As written, it allows any TTL=1 TCP segment to be accepted. This could provide unintended access to the router for any TCP protocol, such as SSH or Telnet. As such it represents a security risk.

While TCP based traceroute is a valid tool, its use is rare in service provider networks. The suggested fix is to delete the term. If TCP traceroute is needed a set of internal IPV6 addresses that are allowed to access the router along with a valid control plane service/port should be added.

Note from the Author or Editor:
Please add this credit when the errata is made official:

“Thanks to Gary Steers of GTT for reporting this issue.”