@@ -567,6 +569,7 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
 {
 sock *s;
 struct bgp_conn *conn = &p->outgoing_conn;
+ int hops = p->cf->multihop ? : 1;
 DBG("BGP: Connecting\n");
 s = sk_new(p->p.pool);
@@ -574,7 +577,7 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
 s->saddr = p->source_addr;
 s->daddr = p->cf->remote_ip;
 s->dport = BGP_PORT;
- s->ttl = p->cf->multihop ? : 1;
+ s->ttl = p->cf->ttl_security ? 255 : hops;
 s->rbsize = BGP_RX_BUFFER_SIZE;
 s->tbsize = BGP_TX_BUFFER_SIZE;
 s->tos = IP_PREC_INTERNET_CONTROL;
@@ -589,6 +592,17 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
 bgp_sock_err(s, 0);
 return;
 }
+ /* Set minimal receive TTL if needed */
+ if (p->cf->ttl_security)
+ {
+ DBG("Setting minimum received TTL to %d", 256 - hops);
+ if (sk_set_min_ttl(s, 256 - hops) < 0)
+ {
+ log(L_ERR "TTL security configuration failed, closing session");
+ bgp_sock_err(s, 0);
+ return;
+ }
+ }
 DBG("BGP: Waiting for connect success\n");
 bgp_start_timer(conn->connect_retry_timer, p->cf->connect_retry_time);
 }
@@ -627,9 +641,21 @@ bgp_incoming_connection(sock *sk, int dummy UNUSED)
 if (!acc)
 goto err;
+ int hops = p->cf->multihop ? : 1;
+ if (p->cf->ttl_security)
+ {
+ /* TTL security support */
+ if ((sk_set_ttl(sk, 255) < 0) || (sk_set_min_ttl(sk, 256 - hops) < 0))
+ {
+ log(L_ERR "TTL security configuration failed, closing session");
+ goto err;
+ }
+ }
+ else
+ sk_set_ttl(sk, hops);
 bgp_setup_conn(p, &p->incoming_conn);
 bgp_setup_sk(&p->incoming_conn, sk);
- sk_set_ttl(sk, p->cf->multihop ? : 1);
 bgp_send_open(&p->incoming_conn);
 return 0;
 }
@@ -656,6 +682,7 @@ bgp_setup_listen_sk(ip_addr addr, unsigned port, u32 flags)
 sock *s = sk_new(&root_pool);
 DBG("BGP: Creating listening socket\n");
 s->type = SK_TCP_PASSIVE;
+ s->ttl = 255;
 s->saddr = addr;
 s->sport = port ? port : BGP_PORT;
 s->flags = flags ? 0 : SKF_V6ONLY;
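Review bot: The added debug line `DBG("Setting minimum received TTL to %d", 256 - hops);` in the third hunk (bgp_connect) lacks the trailing newline and the "BGP: " prefix that every other DBG message in this function carries, so it runs into the following "BGP: Waiting for connect success" line in debug output; write it as `DBG("BGP: Setting minimum received TTL to %d\n", 256 - hops);`. Also, `256 - hops` is only a meaningful minimum TTL when `hops` lies in 1..255; unless the configuration parser already bounds `multihop` to that range (not visible here), a larger value yields a non-positive argument, and what sk_set_min_ttl does with it is not visible either — the same expression is repeated in the bgp_incoming_connection hunk, so a single bounded helper computing both `hops` and the minimum TTL would keep the two places from drifting. The enclosing function bgp_connect starts before this hunk.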
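Review bot: In the new else branch of the bgp_incoming_connection hunk the return value of `sk_set_ttl(sk, hops)` is discarded, while the ttl_security branch directly above treats a sk_set_ttl failure as fatal; checking it the same way, `if (sk_set_ttl(sk, hops) < 0) goto err;`, keeps both paths consistent and avoids continuing with a socket whose TTL is not what the configuration asked for. Note too that the minimum-TTL filter is installed only on the accepted socket, i.e. after the TCP handshake has completed; if the socket layer does not apply an equivalent filter on the listening socket before accept, the handshake itself is not covered by GTSM, which is worth stating in the `/* TTL security support */` comment so operators know what the check does and does not protect. bgp_incoming_connection starts before this hunk and the err label lies after it.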
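Review bot: `s->ttl = 255;` in the bgp_setup_listen_sk hunk is set on the listening socket unconditionally, so the handshake replies of every incoming session presumably leave with TTL 255 even for peers without ttl_security, whose accepted socket is only afterwards reduced to `hops` in bgp_incoming_connection. If that is intended because one listening socket serves both GTSM and non-GTSM peers and a GTSM peer would otherwise drop our SYN-ACK, a comment should say so, e.g. `/* Shared listening socket: send with TTL 255 so GTSM peers accept the handshake; per-session TTL is set after accept */`. bgp_setup_listen_sk continues past this hunk.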
@@ -670,8 +697,7 @@ bgp_setup_listen_sk(ip_addr addr, unsigned port, u32 flags)
 rfree(s);
 return NULL;
 }
- else
- return s;
+ return s;
 }
 static void