GTSM (TTL security)/RFC 5082 support?
Henrique de Moraes Holschuh
hmh at hmh.eng.br
Sun Aug 14 21:24:56 CEST 2011
On Sun, 14 Aug 2011, Alexander V. Chernikov wrote:
> Henrique de Moraes Holschuh wrote:
> > Is anyone currently working on adding GTSM support to bird?
> >
> > It should be possible to support it for both Linux and FreeBSD where
> > available as a kernel-level supported socket option, and I am considering
> > trying my hand at it as a way to get to know the bird codebase a bit better
> > before we decide to deploy it at work...
> >
>
> Review/comments are welcome
Thank you. I will try to be useful with some testing and help a bit
writing up the documentation changes, then :-)
One thing I think is worth documenting is that at least Linux implements
full RFC5082 GTSM behaviour, i.e. it _also_ TTL-filters related ICMP
traffic. It would be nice to know whether Cisco and FreeBSD do full
GTSM or just pre-RFC5082 GTSH (i.e. no ICMP protection).
Anyway, I think I found a problem in the patch:
> * new BGP (cisco-like) config option: ttl_security hops <value>
At least in Linux, and I believe BSD does it the same way (since Linux
is supposed to have copied the BSD behaviour), what the patch currently
does is "ttl_security min_ttl <value>", where "min_ttl = 255 - hops".
I assume that you wanted the ttl_security option to behave like it does
in Cisco, i.e. you'd use "ttl_security hops 1" to set outgoing TTL to
255 and accept inbound TTL >= 254.
I did check the Linux kernel implementation, and it expects the minimum
acceptable TTL in the setsockopt() call, not the hop count. I've also
checked the IPv6 code, and it works exactly in the same way.
IMHO, it would be best to change the min_ttl parameter to max_hops, so
that you can convert it to whatever the underlying OS wants in sysdep/.
Alternatively, the conversion could be done in the parser.
We should probably range-check things in the parser as well...
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
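The hops-to-min_ttl conversion and the range check the message asks for, as an added example written for this thread (not code from the bird patch under discussion); the function names and the hypothetical parser-side use are assumptions, and the kernel option names are the Linux/FreeBSD ones, guarded in case a platform lacks them:

```c
/* Added example (not from the bird patch): turn a Cisco-style
 * "ttl_security hops N" value into what the Linux/FreeBSD kernels
 * actually expect (a minimum acceptable TTL) and apply it to a socket. */
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define GTSM_MAX_TTL 255

/* The kernel wants the minimum acceptable TTL, not the hop count:
 * min_ttl = 255 - hops.  Returns -1 for an out-of-range hop count so
 * the caller (e.g. the config parser) can reject it before any syscall. */
int gtsm_min_ttl(int hops)
{
    if (hops < 1 || hops > GTSM_MAX_TTL - 1)   /* valid range: 1..254 */
        return -1;
    return GTSM_MAX_TTL - hops;
}

/* Send with TTL 255 and accept only packets with TTL >= 255 - hops.
 * family is AF_INET or AF_INET6.  Returns 0 on success, -1 on error with
 * errno set: EINVAL for a bad hop count, ENOPROTOOPT if this platform
 * has no GTSM socket option, otherwise whatever setsockopt() reported. */
int gtsm_apply(int fd, int family, int hops)
{
    int ttl = GTSM_MAX_TTL;
    int min_ttl = gtsm_min_ttl(hops);

    if (min_ttl < 0) {
        errno = EINVAL;
        return -1;
    }
    if (family == AF_INET) {
        if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl) < 0)
            return -1;
#ifdef IP_MINTTL
        return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, sizeof min_ttl);
#endif
    } else if (family == AF_INET6) {
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof ttl) < 0)
            return -1;
#ifdef IPV6_MINHOPCOUNT
        return setsockopt(fd, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &min_ttl, sizeof min_ttl);
#endif
    }
    errno = ENOPROTOOPT;
    return -1;
}
```

With this split, "ttl_security hops 1" maps to min_ttl 254 in the sysdep layer, and the parser can reject values outside 1..254 up front.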