Henrique de Moraes Holschuh wrote:
> On Sun, 14 Aug 2011, Alexander V. Chernikov wrote:
>> Henrique de Moraes Holschuh wrote:
>>> Is anyone currently working on adding GTSM support to bird?
>>> It should be possible to support it for both Linux and FreeBSD where available as a kernel-level supported socket option, and I am considering trying my hand at it as a way to get to know the bird codebase a bit better before we decide to deploy it at work...
>> Review/comments are welcome
> Thank you. I will try to be useful with some testing and help a bit writing up the documentation changes, then :-)
> One thing I think is worth documenting is that at least Linux implements full RFC5082 GTSM behaviour, i.e. it _also_ TTL-filters related ICMP traffic. It would be nice to know whether Cisco and FreeBSD do full GTSM or just pre-RFC5082 GTSH (i.e. no ICMP protection).
Not sure about cisco (docs I'm aware of specify RFC 3682 as GTSM source). FreeBSD does not (at the moment) provide ICMP protection. 9.1/8.3 will.
> Anyway, I think I found a problem in the patch:
>> * new BGP (cisco-like) config option: ttl_security hops <value>
> At least in Linux, and I believe BSD does it the same way (since Linux is supposed to have copied the BSD behaviour), what the patch currently does is "ttl_security min_ttl <value>", where "min_ttl = 255 - hops".
> I assume that you wanted the ttl_security option to behave like it does in Cisco, i.e. you'd use "ttl_security hops 1" to set outgoing TTL to 255 and accept inbound TTL >= 254.
Oops. Yes.
> I did check the Linux kernel implementation, and it expects the minimum acceptable TTL in the setsockopt() call, not the hop count. I've also checked the IPv6 code, and it works exactly in the same way.
> IMHO, it would be best to change the min_ttl parameter to max_hops, so that you can convert it to whatever the underlying OS wants in sysdep/. Alternatively, the conversion could be done in the parser.
> We should probably range-check things in the parser as well...
Yes, thanks.
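The hops-to-min_ttl conversion and range check discussed in the thread, as an added example that is not part of the patch or of bird's sysdep/ code. It assumes the Cisco range of 1..254 for "hops", uses IP_TTL/IP_MINTTL for IPv4 and IPV6_UNICAST_HOPS/IPV6_MINHOPCOUNT for IPv6 (the Linux value 73 for IPV6_MINHOPCOUNT is defined locally as an assumption, since glibc's <netinet/in.h> may not export it), and fails with ENOPROTOOPT when the kernel or libc lacks the minimum-TTL option rather than silently leaving the session unprotected.

```c
/* Added example (not bird's code): apply RFC 5082 GTSM to a BGP socket,
 * translating the Cisco-style "ttl_security hops <n>" setting into the
 * minimum inbound TTL that the Linux/FreeBSD kernels expect in setsockopt(). */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Linux exports IPV6_MINHOPCOUNT (73) in <linux/in6.h>, which cannot be
 * mixed with <netinet/in.h>; defined here as an assumption for Linux only. */
#if defined(__linux__) && !defined(IPV6_MINHOPCOUNT)
#define IPV6_MINHOPCOUNT 73
#endif

#define GTSM_TTL 255          /* outbound TTL / hop limit required by RFC 5082 */

/* "hops" (Cisco semantics) -> minimum inbound TTL the kernel wants.
 * Cisco accepts 1..254; anything else is rejected so the config parser
 * can report a range error instead of accepting every packet (hops=255
 * would mean min_ttl=0) or nothing at all. */
int gtsm_min_ttl(int hops)
{
    if (hops < 1 || hops > GTSM_TTL - 1)
        return -1;
    return GTSM_TTL - hops;   /* hops=1 -> 254: accept TTL 254 and 255 */
}

/* Set outbound TTL to 255 and the inbound minimum on an existing socket.
 * Returns 0 on success, -1 with errno set otherwise. */
int gtsm_apply(int fd, int family, int hops)
{
    int ttl = GTSM_TTL;
    int min_ttl = gtsm_min_ttl(hops);

    if (min_ttl < 0) {
        errno = EINVAL;       /* out-of-range hops: refuse, do not guess */
        return -1;
    }
    switch (family) {
    case AF_INET:
        if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl) < 0)
            return -1;
#ifdef IP_MINTTL
        return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, sizeof min_ttl);
#else
        errno = ENOPROTOOPT;  /* kernel/libc without GTSM support */
        return -1;
#endif
    case AF_INET6:
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof ttl) < 0)
            return -1;
#ifdef IPV6_MINHOPCOUNT
        return setsockopt(fd, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &min_ttl, sizeof min_ttl);
#else
        errno = ENOPROTOOPT;
        return -1;
#endif
    default:
        errno = EAFNOSUPPORT;
        return -1;
    }
}

/* Stand-alone demonstration: configure an IPv4 socket for hops=1 and read
 * the resulting values back with getsockopt(). */
int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int ttl = 0, min_ttl = 0;
    socklen_t len = sizeof ttl;

    if (fd < 0) {
        perror("socket");
        return 1;
    }
    if (gtsm_apply(fd, AF_INET, 1) < 0) {
        perror("gtsm_apply");
        close(fd);
        return 1;
    }
    getsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, &len);
#ifdef IP_MINTTL
    len = sizeof min_ttl;
    getsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, &len);
#endif
    printf("hops=1 -> outbound TTL %d, inbound min TTL %d\n", ttl, min_ttl);
    close(fd);
    return 0;
}
```

Doing the conversion in one place (here gtsm_min_ttl()) is what makes the parser-side range check cheap: the parser rejects anything for which the function returns -1, and sysdep/ code only ever sees a valid minimum TTL.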