GTSM (TTL security)/RFC 5082 support?
Ondrej Zajicek
santiago at crfreenet.org
Sun Aug 14 21:16:31 CEST 2011
On Sun, Aug 14, 2011 at 07:26:36PM +0400, Alexander V. Chernikov wrote:
> >> + if (sk_set_min_ttl(s, p->cf->min_ttl) != 0)
> >> + {
> >> + log(L_ERR "TTL security configuration failed, closing session");
> >> + bgp_sock_err(s, 0);
> >> + return;
> >> + }
> >> + }
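Review bot: the failure branch discards the return value of sk_set_min_ttl() and logs a fixed message, so the operator cannot tell whether TTL security failed because the socket option is unsupported on this kernel or because the configured value was rejected; include the error reason (the returned code or errno) in the L_ERR message. Tearing the session down with bgp_sock_err(s, 0) instead of continuing without the TTL check is the right fail-closed choice here.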
> >
> > Wouldn't it be better to set min TTL before sk_open?
> Not sure. Not many callers need this, so adding another min_ttl field
> seems unnecessary IMHO. Anyway, you will need to specify the minimum TTL
> directly in the case of a new connection from the listening socket.
You are right.
> > Perhaps TTL SECURITY HOPS, or just MIN TTL?
> 'TTL SECURITY HOPS' sounds good and is at least used by cisco.
> >
> > (MIN TTL is probably much better name as we do not specify the number
> > of hops, but the complement (255 - hops), if i understand it correctly.)
> >
> Well, actually we're specifying the minimal TTL a packet needs to have in its
> header to be accepted. Packets with a lower TTL are silently dropped.
>
> If we name this option 'min ttl' or 'min hops' it will:
>
> * be confused with the 'multihop' option
> * not be associated with enabling TTL security
>
> We can also make 'TTL SECURITY' a boolean option and use the 'multihop' option
> value (like 255 - hops + 1)
This is probably the best alternative. Note that the 'multihop' value is
the original TTL (i.e. a path length in number of networks/edges),
so it would be: multihop ? 256 - multihop : 255.
> > The new config option should also be documented in doc/bird.sgml.
>
> Should I supply updated patch?
That would be great (esp. if it would contain updated documentation ;-) ).
--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
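The min-TTL arithmetic and the kernel-side enforcement discussed in this thread, as an added C example; this is not BIRD's code and the names gtsm_min_ttl, gtsm_accept and sk_set_gtsm_example are assumed for illustration. It also assumes the Linux/FreeBSD IP_MINTTL socket option; where the header does not define it the setter fails with ENOPROTOOPT so the caller can refuse to run the session unprotected.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* GTSM (RFC 5082): the peer sends with TTL 255 and every router on the path
 * decrements it, so a packet from a peer `multihop` networks away arrives
 * with TTL 256 - multihop.  Anything lower cannot have originated inside
 * that radius and must be dropped.  This mirrors the formula from the
 * thread: multihop ? 256 - multihop : 255, where 0 means directly connected.
 * Returns -1 for an out-of-range multihop value. */
int gtsm_min_ttl(unsigned int multihop)
{
  if (multihop == 0)
    return 255;
  if (multihop > 255)
    return -1;
  return 256 - (int) multihop;
}

/* Receive-side filter: 1 = accept, 0 = silently drop. */
int gtsm_accept(int ttl, int min_ttl)
{
  return ttl >= min_ttl;
}

/* Configure a socket for GTSM: send with TTL 255 and let the kernel
 * discard anything below min_ttl (IP_MINTTL).  Returns 0 or -1 with
 * errno set; a caller that gets -1 must close the session rather than
 * continue without the protection, as the patch in the thread does. */
int sk_set_gtsm_example(int fd, int min_ttl)  /* assumed name, not BIRD's sk_set_min_ttl */
{
  int ttl = 255;

  if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) < 0)
    return -1;
#ifdef IP_MINTTL
  if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, sizeof(min_ttl)) < 0)
    return -1;
  return 0;
#else
  (void) min_ttl;
  errno = ENOPROTOOPT;  /* platform cannot enforce GTSM in the kernel */
  return -1;
#endif
}

int main(void)
{
  /* Constructed sample: a peer two networks away, so min TTL is 254. */
  int min_ttl = gtsm_min_ttl(2);
  int sample_ttls[] = { 255, 254, 253, 64 };
  size_t i;

  for (i = 0; i < sizeof(sample_ttls) / sizeof(sample_ttls[0]); i++)
    printf("TTL %3d -> %s\n", sample_ttls[i],
           gtsm_accept(sample_ttls[i], min_ttl) ? "accept" : "drop");

  int fd = socket(AF_INET, SOCK_DGRAM, 0);
  if (fd < 0)
    return 1;
  if (sk_set_gtsm_example(fd, min_ttl) != 0)
    fprintf(stderr, "TTL security configuration failed: %s\n", strerror(errno));
  else
    printf("IP_MINTTL=%d and IP_TTL=255 set on fd %d\n", min_ttl, fd);
  close(fd);
  return 0;
}
```

With `multihop 2` the filter accepts TTL 255 and 254 and drops 253 and 64; a directly connected peer (multihop unset) keeps the strict 255 minimum.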