-rw-r--r-- | doc/bird.sgml | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml index 7277b2b9..aa8a53ec 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -470,7 +470,7 @@ to zero to disable it. An empty <cf><m/switch/</cf> is equivalent to <cf/on/ works in the direction from the routing table to the protocol. Default: <cf/none/. - <tag>import keep filtered <m/bool/</tag> + <tag>import keep filtered <m/switch/</tag> Usually, if an import filter rejects a route, the route is forgotten. When this option is active, these routes are kept in the routing table, but they are hidden and not @@ -1966,6 +1966,9 @@ protocol ospf <name> { ptp netmask <switch>; check link <switch>; ecmp weight <num>; + ttl security [<switch>; | tx only] + tx class|dscp <num>; + tx priority <num>; authentication [none|simple|cryptographic]; password "<text>"; password "<text>" { @@ -2236,6 +2239,20 @@ protocol ospf <name> { prefix) is propagated. It is possible that some hardware drivers or platforms do not implement this feature. Default value is no. + <tag>ttl security [<m/switch/ | tx only]</tag> + TTL security is a feature that protects routing protocols + from remote spoofed packets by using TTL 255 instead of TTL 1 + for protocol packets destined to neighbors. Because TTL is + decremented when packets are forwarded, it is non-trivial to + spoof packets with TTL 255 from remote locations. Note that + this option would interfere with OSPF virtual links. + + If this option is enabled, the router will send OSPF packets + with TTL 255 and drop received packets with TTL less than + 255. If this option si set to <cf/tx only/, TTL 255 is used + for sent packets, but is not checked for received + packets. Default value is no. + <tag>tx class|dscp|priority <m/num/</tag> These options specify the ToS/DiffServ/Traffic class/Priority of the outgoing OSPF packets. See <ref id="dsc-prio" name="tx 
@@ -2784,6 +2801,26 @@ makes it pretty much obsolete. (It is still usable on very small networks.) any periodic messages to this interface and <cf/nolisten/ means that RIP will send to this interface butnot listen to it. + <tag>ttl security [<m/switch/ | tx only]</tag> + TTL security is a feature that protects routing protocols + from remote spoofed packets by using TTL 255 instead of TTL 1 + for protocol packets destined to neighbors. Because TTL is + decremented when packets are forwarded, it is non-trivial to + spoof packets with TTL 255 from remote locations. + + If this option is enabled, the router will send RIP packets + with TTL 255 and drop received packets with TTL less than + 255. If this option si set to <cf/tx only/, TTL 255 is used + for sent packets, but is not checked for received + packets. Such setting does not offer protection, but offers + compatibility with neighbors regardless of whether they use + ttl security. + + Note that for RIPng, TTL security is a standard behavior + (required by RFC 2080), but BIRD uses <cf/tx only/ by + default, for compatibility with older versions. For IPv4 RIP, + default value is no. + <tag>tx class|dscp|priority <m/num/</tag> These options specify the ToS/DiffServ/Traffic class/Priority of the outgoing RIP packets. See <ref id="dsc-prio" name="tx |
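Review bot: in the `@@ -1966,6 +1966,9 @@` hunk the semicolon in the new option listing is misplaced: `ttl security [<switch>; | tx only]` puts the terminator inside the brackets, so the `tx only` alternative ends without one, unlike the sibling lines `tx class|dscp <num>;` and `tx priority <num>;`. It also does not match the option's own tag later in the same patch, `<tag>ttl security [<m/switch/ | tx only]</tag>`. Suggest `ttl security [<switch> | tx only];`.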
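Review bot: typo in the `@@ -2236,6 +2239,20 @@` hunk, "If this option si set to <cf/tx only/" should read "is set". Two smaller points in the same hunk: "this option would interfere with OSPF virtual links" does not say what actually happens (whether the configuration is rejected or the virtual link simply stops working), which an operator needs to know before enabling it; and the OSPF text, unlike the RIP text added further down, does not state that <cf/tx only/ offers no protection and exists only for compatibility with neighbours, so it is worth carrying the sentence "Such setting does not offer protection, but offers compatibility with neighbors regardless of whether they use ttl security" over here as well.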
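Review bot: the same typo appears in the `@@ -2784,6 +2801,26 @@` hunk, "If this option si set to <cf/tx only/" should read "is set", and "Such setting does not offer protection" reads better as "Such a setting does not offer protection". The unchanged context line just above the new text, "RIP will send to this interface butnot listen to it", is missing a space; fixing it would widen the hunk slightly but this is the right place to do it while the paragraph is being touched.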