On Sun, Aug 14, 2011 at 07:26:36PM +0400, Alexander V. Chernikov wrote:
+ if (sk_set_min_ttl(s, p->cf->min_ttl) != 0) + { + log(L_ERR "TTL security configuration failed, closing session"); + bgp_sock_err(s, 0); + return; + } + }
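Review bot: the failure branch calls bgp_sock_err(s, 0), so whatever reason sk_set_min_ttl had for returning non-zero is discarded: the log line says only "TTL security configuration failed" and the session error path receives code 0, which leaves an operator unable to tell a kernel without minimum-TTL support from a rejected value. Suggest passing the return value (or errno) through as the second argument of bgp_sock_err and including it in the log(L_ERR ...) message. Failing closed here, i.e. refusing the session instead of running it without the configured TTL check, is the right behaviour and should be kept.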
Wouldn't it be better to set min TTL before sk_open? Not sure. Not many callers need this, so adding another min_ttl field seems unnecessary IMHO. Anyway, you will need to specify the minimum TTL directly in the case of a new connection from the listening socket.
You are right.
Perhaps TTL SECURITY HOPS, or just MIN TTL?
'TTL SECURITY HOPS' sounds good and is at least used by cisco.
(MIN TTL is probably a much better name, as we do not specify the number of hops but the complement (255 - hops), if I understand it correctly.)
Well, actually we're specifying the minimal TTL a packet needs to have in its header to be accepted. Packets with a lower TTL are silently dropped.
If we name this option 'min ttl' or 'min hops' it will:
* be confused with the 'multihop' option
* not be associated with enabling TTL security
We can also make 'TTL SECURITY' a boolean option and use the 'multihop' option value (like 255 - hops + 1).
This is probably the best alternative. Note that the 'multihop' value is the original TTL (i.e. the path length in number of networks/edges), so it would be: multihop ? 256 - multihop : 255 .
The new config option should also be documented in doc/bird.sgml .
Should I supply updated patch?
That would be great (esp. if it would contain updated documentation ;-) ).

--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
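The rule the thread settles on (minimum TTL = multihop ? 256 - multihop : 255, packets below it silently dropped, and the session refused when the minimum cannot be applied) as an added C example. This is not BIRD's code and not Alexander's patch: the function names are made up for the example, IP_MINTTL is assumed to be the socket option that BIRD's sk_set_min_ttl wraps on Linux/FreeBSD, and the clamp for multihop values above 255 is an added guard that the thread does not mention.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define TTL_MAX 255

/* Minimum TTL to require from a peer configured with the given 'multihop'
 * value, following the thread's rule: multihop ? 256 - multihop : 255.
 * 'multihop' is the path length in hops (the original TTL budget), so a
 * packet sent with TTL 255 from that far away arrives with 255 - (multihop - 1).
 * The clamp for values above 255 is an added guard, not part of the thread. */
int gtsm_min_ttl(int multihop)
{
  if (multihop <= 0)
    return TTL_MAX;               /* directly connected: nothing may decrement the TTL */
  if (multihop > TTL_MAX)
    return 1;                     /* cannot be stricter than "TTL at least 1" */
  return (TTL_MAX + 1) - multihop;
}

/* Receive-side rule: a packet whose TTL is below the minimum has travelled
 * further than the peer could be and is silently dropped. */
int gtsm_accept(int recv_ttl, int min_ttl)
{
  return recv_ttl >= min_ttl;
}

/* Apply the minimum to a socket. IP_MINTTL is the Linux/FreeBSD option for
 * this (assumption: sk_set_min_ttl in the thread wraps something like it).
 * Returns 0 on success, -1 with errno set, so the caller can fail closed. */
int gtsm_set_socket_min_ttl(int fd, int min_ttl)
{
#ifdef IP_MINTTL
  return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, sizeof(min_ttl));
#else
  (void)fd; (void)min_ttl;
  errno = ENOPROTOOPT;            /* platform without a minimum-TTL socket option */
  return -1;
#endif
}

/* Read the configured minimum back from the socket; -1 if unavailable. */
int gtsm_get_socket_min_ttl(int fd)
{
#ifdef IP_MINTTL
  int val = -1;
  socklen_t len = sizeof(val);
  if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &val, &len) != 0)
    return -1;
  return val;
#else
  (void)fd;
  return -1;
#endif
}

/* Round trip: open an unconnected TCP socket, apply the minimum derived from
 * 'multihop', read it back. Returns the value read back, or -1 when the option
 * could not be applied (no socket support in the environment, old kernel). */
int gtsm_socket_roundtrip(int multihop)
{
  int fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd < 0)
    return -1;
  int got = -1;
  if (gtsm_set_socket_min_ttl(fd, gtsm_min_ttl(multihop)) == 0)
    got = gtsm_get_socket_min_ttl(fd);
  close(fd);
  return got;
}

int main(void)
{
  int hops[] = { 0, 1, 2, 5, 255 };
  for (unsigned i = 0; i < sizeof(hops) / sizeof(hops[0]); i++)
    printf("multihop %3d -> min ttl %3d\n", hops[i], gtsm_min_ttl(hops[i]));

  /* A directly connected peer's packet (TTL 255) passes; one that crossed a
   * router (TTL 254) is dropped when the minimum is 255. */
  printf("ttl 254 with min 255: %s\n", gtsm_accept(254, 255) ? "accept" : "drop");

  int rt = gtsm_socket_roundtrip(2);
  if (rt < 0)
    printf("socket min ttl not applied (%s): do not start the session without it\n",
           strerror(errno));
  else
    printf("socket min ttl read back: %d\n", rt);
  return 0;
}
```

The round trip returns -1 rather than a default when the option cannot be set; that mirrors the patch's fail-closed branch, since a session started without the minimum would silently run without the protection it was configured for.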