summaryrefslogtreecommitdiffhomepage
path: root/docs/sources/ttl-security.md
diff options
context:
space:
mode:
authorIWASE Yusuke <iwase.yusuke0@gmail.com>2018-03-30 13:51:51 +0900
committerIWASE Yusuke <iwase.yusuke0@gmail.com>2018-04-02 16:16:01 +0900
commit008f34053c87650c83946874980fa97179267149 (patch)
tree436e7a1a0eb4208a845b9bc710253af16e344f15 /docs/sources/ttl-security.md
parent79d264bfb008370a6af7ff42dc3962d0bf1ddf63 (diff)
*.md: Improvements for markdownlint
Signed-off-by: IWASE Yusuke <iwase.yusuke0@gmail.com>
Diffstat (limited to 'docs/sources/ttl-security.md')
-rw-r--r--docs/sources/ttl-security.md64
1 files changed, 32 insertions, 32 deletions
diff --git a/docs/sources/ttl-security.md b/docs/sources/ttl-security.md
index 260886ff..b99979eb 100644
--- a/docs/sources/ttl-security.md
+++ b/docs/sources/ttl-security.md
@@ -6,14 +6,14 @@ Mechanism (GTSM).
## Prerequisites
-Assume you finished [Getting Started](https://github.com/osrg/gobgp/blob/master/docs/sources/getting-started.md).
+Assume you finished [Getting Started](getting-started.md).
## Contents
-- [Configuration](#section0)
-- [Verification](#section1)
+- [Configuration](#configuration)
+- [Verification](#verification)
-## <a name="section0"> Configuration
+## Configuration
If the BGP neighbor "10.0.0.2" is directly connected and the "malicious" BGP
router is 2 hops away, you can block the connection from the malicious BGP
@@ -34,10 +34,10 @@ router-id = "10.0.0.1"
```
**NOTE:** TTL Security feature is mututally exclusive with
-[eBGP Multihop](https://github.com/osrg/gobgp/blob/master/docs/sources/ebgp-multihop.md).
+[eBGP Multihop](ebgp-multihop.md).
These features cannot be configured for the same neighbor.
-## <a name="section1"> Verification
+## Verification
With TTL Security configuration, GoBGP will set TTL of all BGP messages to
255 and set the minimal acceptable TTL to the given `ttl-min` value.
@@ -46,7 +46,7 @@ Then, with the above configuration, only directly connected neighbor
For the connection from the proper neighbor:
-```
+```bash
$ gobgpd -f gobgpd.toml
{"level":"info","msg":"gobgpd started","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
@@ -56,7 +56,7 @@ $ gobgpd -f gobgpd.toml
...(snip)...
```
-```
+```bash
$ tcpdump -i ethXX tcp -v
tcpdump: listening on ethXX, link-type EN10MB (Ethernet), capture size 262144 bytes
hh:mm:ss IP (tos 0x0, ttl 255, id 51126, offset 0, flags [DF], proto TCP (6), length 60)
@@ -67,32 +67,32 @@ hh:mm:ss IP (tos 0x0, ttl 255, id 51127, offset 0, flags [DF], proto TCP (6), le
10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb260), ack 1, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 51128, offset 0, flags [DF], proto TCP (6), length 103)
10.0.0.2.xxx > 10.0.0.1.bgp: Flags [P.], cksum 0x83ad (incorrect -> 0x8860), seq 1:52, ack 1, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 51: BGP
- Open Message (1), length: 51
- Version 4, my AS 65002, Holdtime 90s, ID 2.2.2.2
- Optional parameters, length: 22
- Option Capabilities Advertisement (2), length: 20
- Route Refresh (2), length: 0
- Multiprotocol Extensions (1), length: 4
- AFI IPv4 (1), SAFI Unicast (1)
- Multiprotocol Extensions (1), length: 4
- AFI IPv6 (2), SAFI Unicast (1)
- 32-Bit AS Number (65), length: 4
- 4 Byte AS 65002
+ Open Message (1), length: 51
+ Version 4, my AS 65002, Holdtime 90s, ID 2.2.2.2
+ Optional parameters, length: 22
+ Option Capabilities Advertisement (2), length: 20
+ Route Refresh (2), length: 0
+ Multiprotocol Extensions (1), length: 4
+ AFI IPv4 (1), SAFI Unicast (1)
+ Multiprotocol Extensions (1), length: 4
+ AFI IPv6 (2), SAFI Unicast (1)
+ 32-Bit AS Number (65), length: 4
+ 4 Byte AS 65002
hh:mm:ss IP (tos 0x0, ttl 255, id 48934, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.1.bgp > 10.0.0.2.xxx: Flags [.], cksum 0x837a (incorrect -> 0xb22e), ack 52, win 57, options [nop,nop,TS val 4431487 ecr 4431487], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 48935, offset 0, flags [DF], proto TCP (6), length 103)
10.0.0.1.bgp > 10.0.0.2.xxx: Flags [P.], cksum 0x83ad (incorrect -> 0x8b31), seq 1:52, ack 52, win 57, options [nop,nop,TS val 4431487 ecr 4431487], length 51: BGP
- Open Message (1), length: 51
- Version 4, my AS 65001, Holdtime 90s, ID 1.1.1.1
- Optional parameters, length: 22
- Option Capabilities Advertisement (2), length: 20
- Route Refresh (2), length: 0
- Multiprotocol Extensions (1), length: 4
- AFI IPv4 (1), SAFI Unicast (1)
- Multiprotocol Extensions (1), length: 4
- AFI IPv6 (2), SAFI Unicast (1)
- 32-Bit AS Number (65), length: 4
- 4 Byte AS 65001
+ Open Message (1), length: 51
+ Version 4, my AS 65001, Holdtime 90s, ID 1.1.1.1
+ Optional parameters, length: 22
+ Option Capabilities Advertisement (2), length: 20
+ Route Refresh (2), length: 0
+ Multiprotocol Extensions (1), length: 4
+ AFI IPv4 (1), SAFI Unicast (1)
+ Multiprotocol Extensions (1), length: 4
+ AFI IPv6 (2), SAFI Unicast (1)
+ 32-Bit AS Number (65), length: 4
+ 4 Byte AS 65001
hh:mm:ss IP (tos 0x0, ttl 255, id 51129, offset 0, flags [DF], proto TCP (6), length 52)
10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb1fa), ack 52, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 0
hh:mm:ss IP (tos 0x0, ttl 255, id 51131, offset 0, flags [DF], proto TCP (6), length 52)
@@ -102,7 +102,7 @@ hh:mm:ss IP (tos 0x0, ttl 255, id 51131, offset 0, flags [DF], proto TCP (6), le
For the connection from the malicious BGP router:
-```
+```bash
$ gobgpd -f gobgpd.toml
{"level":"info","msg":"gobgpd started","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
{"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"YYYY-MM-DDTHH:mm:ss+09:00"}
@@ -111,7 +111,7 @@ $ gobgpd -f gobgpd.toml
...(No connection)...
```
-```
+```bash
$ tcpdump -i ethXX tcp -v
tcpdump: listening on ethXX, link-type EN10MB (Ethernet), capture size 262144 bytes
hh:mm:ss IP (tos 0x0, ttl 253, id 396, offset 0, flags [DF], proto TCP (6), length 60)