diff options
author | Ondrej Zajicek <santiago@crfreenet.org> | 2011-08-16 23:05:35 +0200 |
---|---|---|
committer | Ondrej Zajicek <santiago@crfreenet.org> | 2011-08-16 23:13:05 +0200 |
commit | b1b19433602f2a2ff58cfe2c1858ff883eee7b20 (patch) | |
tree | 29e8961d52b59a6023f21bcdc70b7c1932428cd3 /doc | |
parent | a52d52fa91ffcbcea58326fc2de476ce5644256f (diff) |
The generalized TTL security mechanism (RFC 5082) support.
Thanks to Alexander V. Chernikov for the patch.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/bird.sgml | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml index 406adc69..2435d1cb 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -1120,9 +1120,11 @@ for each neighbor using the following configuration parameters: subnets. Such IP address have to be reachable through system routing table. For multihop BGP it is recommended to explicitly configure <cf/source address/ to have it - stable. Optional <cf/number/ argument can be used to limit TTL - (the number of hops). - Default: switched off. + stable. Optional <cf/number/ argument can be used to specify + the number of hops (used for TTL). Note that the number of + networks (edges) in a path is counted, i.e. if two BGP + speakers are separated by one router, the number of hops is + 2. Default: switched off. <tag>source address <m/ip/</tag> Define local address we should use for next hop calculation and as a source address @@ -1169,6 +1171,18 @@ for each neighbor using the following configuration parameters: as an IGP routing table. Default: the same as the table BGP is connected to. + <tag>ttl security <m/switch/</tag> Use GTSM (RFC 5082 - the + generalized TTL security mechanism). GTSM protects against + spoofed packets by ignoring received packets with a smaller + than expected TTL. To work properly, GTSM have to be enabled + on both sides of a BGP session. If both <cf/ttl security/ and + <cf/multihop/ options are enabled, <cf/multihop/ option should + specify proper hop value to compute expected TTL. Kernel + support required: Linux: 2.6.34+ (IPv4), 2.6.35+ (IPv6), BSD: + since long ago, IPv4 only. Note that full (ICMP protection, + for example) RFC 5082 support is provided by Linux + only. Default: disabled. + <tag>password <m/string/</tag> Use this password for MD5 authentication of BGP sessions. Default: no authentication. Password has to be set by external utility (e.g. setkey(8)) on BSD systems. |