summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorOndrej Zajicek <santiago@crfreenet.org>2011-08-16 23:05:35 +0200
committerOndrej Zajicek <santiago@crfreenet.org>2011-08-16 23:13:05 +0200
commitb1b19433602f2a2ff58cfe2c1858ff883eee7b20 (patch)
tree29e8961d52b59a6023f21bcdc70b7c1932428cd3 /doc
parenta52d52fa91ffcbcea58326fc2de476ce5644256f (diff)
The generalized TTL security mechanism (RFC 5082) support.
Thanks to Alexander V. Chernikov for the patch.
Diffstat (limited to 'doc')
-rw-r--r--doc/bird.sgml20
1 files changed, 17 insertions, 3 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 406adc69..2435d1cb 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -1120,9 +1120,11 @@ for each neighbor using the following configuration parameters:
subnets. Such IP address have to be reachable through system
routing table. For multihop BGP it is recommended to
explicitly configure <cf/source address/ to have it
- stable. Optional <cf/number/ argument can be used to limit TTL
- (the number of hops).
- Default: switched off.
+ stable. Optional <cf/number/ argument can be used to specify
+ the number of hops (used for TTL). Note that the number of
+ networks (edges) in a path is counted, i.e. if two BGP
+ speakers are separated by one router, the number of hops is
+ 2. Default: switched off.
<tag>source address <m/ip/</tag> Define local address we
should use for next hop calculation and as a source address
@@ -1169,6 +1171,18 @@ for each neighbor using the following configuration parameters:
as an IGP routing table. Default: the same as the table BGP is
connected to.
+ <tag>ttl security <m/switch/</tag> Use GTSM (RFC 5082 - the
+ generalized TTL security mechanism). GTSM protects against
+ spoofed packets by ignoring received packets with a smaller
+ than expected TTL. To work properly, GTSM have to be enabled
+ on both sides of a BGP session. If both <cf/ttl security/ and
+ <cf/multihop/ options are enabled, <cf/multihop/ option should
+ specify proper hop value to compute expected TTL. Kernel
+ support required: Linux: 2.6.34+ (IPv4), 2.6.35+ (IPv6), BSD:
+ since long ago, IPv4 only. Note that full (ICMP protection,
+ for example) RFC 5082 support is provided by Linux
+ only. Default: disabled.
+
<tag>password <m/string/</tag> Use this password for MD5 authentication
of BGP sessions. Default: no authentication. Password has to be set by
external utility (e.g. setkey(8)) on BSD systems.