GTSM (TTL security)/RFC 5082 support?
Alexander V. Chernikov
melifaro at ipfw.ru
Sun Aug 14 22:43:08 CEST 2011
Henrique de Moraes Holschuh wrote:
> On Sun, 14 Aug 2011, Alexander V. Chernikov wrote:
>> Henrique de Moraes Holschuh wrote:
>>> Is anyone currently working on adding GTSM support to bird?
>>>
>>> It should be possible to support it for both Linux and FreeBSD where
>>> available as a kernel-level supported socket option, and I am considering
>>> trying my hand at it as a way to get to know the bird codebase a bit better
>>> before we decide to deploy it at work...
>>>
>> Review/comments are welcome
>
> Thank you. I will try to be useful with some testing and help a bit
> writing up the documentation changes, then :-)
>
> One thing I think is worth documenting is that at least Linux implements
> full RFC5082 GTSM behaviour, i.e. it _also_ TTL-filters related ICMP
> traffic. It would be nice to know whether Cisco and FreeBSD do full
> GTSM or just pre-RFC5082 GTSH (i.e. no ICMP protection).
Not sure about Cisco (the docs I'm aware of specify RFC 3682 as the GTSM source).
FreeBSD does not (at the moment) provide ICMP protection. 9.1/8.3 will.
>
> Anyway, I think I found a problem in the patch:
>
>> * new BGP (cisco-like) config option: ttl_security hops <value>
>
> At least in Linux, and I believe BSD does it the same way (since Linux
> is supposed to have copied the BSD behaviour), what the patch currently
> does is "ttl_security min_ttl <value>", where "min_ttl = 255 - hops".
>
> I assume that you wanted the ttl_security option to behave like it does
> in Cisco, i.e. you'd use "ttl_security hops 1" to set outgoing TTL to
> 255 and accept inbound TTL >= 254.
Oops. Yes.
>
> I did check the Linux kernel implementation, and it expects the minimum
> acceptable TTL in the setsockopt() call, not the hop count. I've also
> checked the IPv6 code, and it works exactly in the same way.
>
> IMHO, it would be best to change the min_ttl parameter to max_hops, so
> that you can convert it to whatever the underlying OS wants in sysdep/.
> Alternatively, the conversion could be done in the parser.
>
> We should probably range-check things in the parser as well...
Yes, thanks
>
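As an added example (not code from the BIRD patch or from anyone in this thread), this is how the hops-to-min_ttl conversion and the parser range check discussed above look in C against the IP_MINTTL socket option that Linux and FreeBSD expose; the function names are my own, and IPv4 only is shown.

```c
/* Added example: Cisco-style "ttl_security hops <n>" mapped onto the
 * kernel's IP_MINTTL option, which takes the minimum acceptable TTL
 * (255 - hops), not the hop count.  Not part of the BIRD patch. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define GTSM_MAX_TTL 255

/* RFC 5082: accept only packets with TTL >= 255 - hops.
 * Valid hop counts are 1..254 (a directly connected peer is 1 hop; 254
 * keeps min_ttl >= 1).  Returns -1 for anything outside that range, which
 * is the check the config parser should perform. */
int gtsm_min_ttl(int hops)
{
    if (hops < 1 || hops > GTSM_MAX_TTL - 1)
        return -1;
    return GTSM_MAX_TTL - hops;
}

/* Apply GTSM to an IPv4 socket: always send with TTL 255 and let the
 * kernel drop segments whose TTL is below 255 - hops.
 * Returns 0 on success, -1 with errno set. */
int gtsm_apply_v4(int fd, int hops)
{
    int min_ttl = gtsm_min_ttl(hops);
    int ttl = GTSM_MAX_TTL;

    if (min_ttl < 0) {
        errno = EINVAL;           /* rejected before touching the socket */
        return -1;
    }
    if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl) < 0)
        return -1;
#ifdef IP_MINTTL
    if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, sizeof min_ttl) < 0)
        return -1;
    return 0;
#else
    errno = ENOPROTOOPT;          /* kernel without GTSM support */
    return -1;
#endif
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    /* hops 1 -> outgoing TTL 255, inbound TTL must be >= 254 */
    printf("gtsm hops=1: %s\n", gtsm_apply_v4(fd, 1) == 0 ? "ok" : "failed");
    close(fd);
    return 0;
}
```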