diff options
author | Ondrej Zajicek <santiago@crfreenet.org> | 2013-06-26 14:35:39 +0200 |
---|---|---|
committer | Ondrej Zajicek <santiago@crfreenet.org> | 2013-06-26 14:35:39 +0200 |
commit | 6ac4f87a2d661c739e55a63577e7bccf696c7abd (patch) | |
tree | 052f08f51809a0fb151ac42ed6381d2e2e15c49e | |
parent | 70e212f913b6ce9d343d6c401b4f1712986a5f8c (diff) |
Documentation for TTL security.
-rw-r--r-- | doc/bird.sgml | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml index 7277b2b9..aa8a53ec 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -470,7 +470,7 @@ to zero to disable it. An empty <cf><m/switch/</cf> is equivalent to <cf/on/ works in the direction from the routing table to the protocol. Default: <cf/none/. - <tag>import keep filtered <m/bool/</tag> + <tag>import keep filtered <m/switch/</tag> Usually, if an import filter rejects a route, the route is forgotten. When this option is active, these routes are kept in the routing table, but they are hidden and not @@ -1966,6 +1966,9 @@ protocol ospf <name> { ptp netmask <switch>; check link <switch>; ecmp weight <num>; + ttl security [<switch>; | tx only] + tx class|dscp <num>; + tx priority <num>; authentication [none|simple|cryptographic]; password "<text>"; password "<text>" { @@ -2236,6 +2239,20 @@ protocol ospf <name> { prefix) is propagated. It is possible that some hardware drivers or platforms do not implement this feature. Default value is no. + <tag>ttl security [<m/switch/ | tx only]</tag> + TTL security is a feature that protects routing protocols + from remote spoofed packets by using TTL 255 instead of TTL 1 + for protocol packets destined to neighbors. Because TTL is + decremented when packets are forwarded, it is non-trivial to + spoof packets with TTL 255 from remote locations. Note that + this option would interfere with OSPF virtual links. + + If this option is enabled, the router will send OSPF packets + with TTL 255 and drop received packets with TTL less than + 255. If this option si set to <cf/tx only/, TTL 255 is used + for sent packets, but is not checked for received + packets. Default value is no. + <tag>tx class|dscp|priority <m/num/</tag> These options specify the ToS/DiffServ/Traffic class/Priority of the outgoing OSPF packets. See <ref id="dsc-prio" name="tx @@ -2784,6 +2801,26 @@ makes it pretty much obsolete. (It is still usable on very small networks.) any periodic messages to this interface and <cf/nolisten/ means that RIP will send to this interface butnot listen to it. + <tag>ttl security [<m/switch/ | tx only]</tag> + TTL security is a feature that protects routing protocols + from remote spoofed packets by using TTL 255 instead of TTL 1 + for protocol packets destined to neighbors. Because TTL is + decremented when packets are forwarded, it is non-trivial to + spoof packets with TTL 255 from remote locations. + + If this option is enabled, the router will send RIP packets + with TTL 255 and drop received packets with TTL less than + 255. If this option si set to <cf/tx only/, TTL 255 is used + for sent packets, but is not checked for received + packets. Such setting does not offer protection, but offers + compatibility with neighbors regardless of whether they use + ttl security. + + Note that for RIPng, TTL security is a standard behavior + (required by RFC 2080), but BIRD uses <cf/tx only/ by + default, for compatibility with older versions. For IPv4 RIP, + default value is no. + <tag>tx class|dscp|priority <m/num/</tag> These options specify the ToS/DiffServ/Traffic class/Priority of the outgoing RIP packets. See <ref id="dsc-prio" name="tx |