my understanding is that md5 is still checked before the ttl-hack check takes place on cisco (and perhaps most router platforms). new attack vector for less security than you had before. oh well. ras: can you confirm that it is possible to implement ttl-hack and have it check *before* md5 signature checks?
You do not have a correct understanding of how GPTM is supposed to work. If you can, you need to do this check as close to the punt out of the data plane as possible. Optimally in the ASIC (if the ASIC can be coded to do a TTL check). On Cisco gear we're coding from inside out - doing GPTM in the routing code (BGP) - then in the receive path wrapper (rACL and CoPP) - then in the ASIC raw queue (if it can) - then in the ASIC's receive path primitives. The GPTM was all about dropping the packets before they got near the route process. If you want more details, let me know and I'll send them privately.
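
The ordering question discussed in this thread, as an added example that is not part of either message or of any vendor's code: a receive path that runs the TTL check (accept only TTL 255, the value a packet from a directly connected peer arrives with) either before or after the MD5 check, and counts how many digests a flood of off-link spoofed packets forces. The packets, key, addresses and trailing-digest layout are constructed stand-ins, not the real TCP MD5 option format.

```python
import hashlib
import hmac
import struct

BGP_PORT = 179
MIN_TTL = 255                      # directly connected peer: sent as 255, no hop decrements it
KEY = b"constructed-session-key"   # constructed sample value

def build_packet(ttl, payload, key):
    """Constructed IPv4+TCP packet (checksums zero) with a 16-byte digest appended."""
    total = 20 + 20 + len(payload) + 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, BGP_PORT, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    digest = hashlib.md5(tcp + payload + key).digest()
    return ip + tcp + payload + digest

class ReceivePath:
    """Hypothetical receive path; ttl_first selects the order of the two checks."""
    def __init__(self, key, ttl_first):
        self.key, self.ttl_first = key, ttl_first
        self.md5_runs = 0          # how often the expensive check was reached

    def _ttl_ok(self, pkt):
        return pkt[8] >= MIN_TTL   # byte 8 of the IPv4 header is the TTL

    def _md5_ok(self, pkt):
        self.md5_runs += 1
        ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
        body, digest = pkt[ihl:-16], pkt[-16:]
        expected = hashlib.md5(body + self.key).digest()
        return hmac.compare_digest(expected, digest)

    def accept(self, pkt):
        checks = [self._ttl_ok, self._md5_ok]
        if not self.ttl_first:
            checks.reverse()
        return all(check(pkt) for check in checks)   # stops at the first failure

def run(ttl_first, flood_size=1000):
    """Return (packets accepted, MD5 computations) for constructed traffic."""
    path = ReceivePath(KEY, ttl_first)
    # Spoofed packets that crossed routers (TTL below 255) and carry a bad digest.
    flood = [build_packet(250, b"x" * 19, b"guess") for _ in range(flood_size)]
    legit = build_packet(255, b"x" * 19, KEY)
    accepted = sum(path.accept(p) for p in flood + [legit])
    return accepted, path.md5_runs

if __name__ == "__main__":
    print("TTL check first:", run(True))
    print("MD5 check first:", run(False))
```

A packet that arrives with TTL 255 but a wrong digest is still rejected in either order, so the TTL check reduces the work reaching the MD5 stage rather than replacing it.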