GTSM (TTL security)/RFC 5082 support?

Ondrej Zajicek santiago at crfreenet.org
Tue Aug 16 17:15:44 CEST 2011


On Tue, Aug 16, 2011 at 09:45:11AM +0400, Alexander V. Chernikov wrote:

> > This is probably the best alternative. Note that 'multihop' value is 
> > an original TTL (i.e. a path length in number of networks/edges),
> > so it would be: multihop ? 256 - multihop : 255 .
> Unfortunately, we can't distinguish between enabled/disabled multihop if
>  ttl security is on :(

I don't see why - the argument of multihop option is the same value
(number of hops - networks, not routers) as the the argument of 'ttl
security hops' option - see attached code, just the relevant part of
diff. Or i miss something?

Enabled/disabled multihop has many other implications than just
TTL, so even if TTL security is used, user have to set that
option if BGP session is multihop.

> I've also set listening socket TTL to 255 since it is required by RFC
> (from ttlsec-enabled neithbour SA received from bird can definitely be
> associated with protected session and dropped if its TTL is not within
> range).
> We can increase socket TTL conditionally though it will require a bit
> more code (initial configuration/reconfiguration) but I see no problem
> in increased (64->255) TTL.

OK

> There are some minor changes in bgp_open not directly related to RFC.

And one bug in these changes (errcause not filled in the second case)
;-)

> > 
> >>> The new config option should be also documented in doc/bird.sgml .
> >> Should I supply updated patch?
> > 
> > That would be great (esp. if it would contain updated documentation ;-) ).
> > 
> Done :)

Thanks, i will do some minor clean ups and merge it with
the boolean modification.

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ttlsec.patch
Type: text/x-diff
Size: 2344 bytes
Desc: not available
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20110816/05556819/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20110816/05556819/attachment-0001.asc>


More information about the Bird-users mailing list