diff options
author | IWASE Yusuke <iwase.yusuke0@gmail.com> | 2017-09-11 14:29:36 +0900 |
---|---|---|
committer | IWASE Yusuke <iwase.yusuke0@gmail.com> | 2017-09-12 14:35:26 +0900 |
commit | 41627dafb032687823835f89cbfaa05d84ac51ce (patch) | |
tree | dfd602b9fcc69a0eff2f81323461a8451ddd2dec /docs/sources | |
parent | d36df99060ab8ca73559118929344f2e462b4f90 (diff) |
docs: Configuration guide for TTL Security
Signed-off-by: IWASE Yusuke <iwase.yusuke0@gmail.com>
Diffstat (limited to 'docs/sources')
-rw-r--r-- | docs/sources/ttl-security.md | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/docs/sources/ttl-security.md b/docs/sources/ttl-security.md new file mode 100644 index 00000000..260886ff --- /dev/null +++ b/docs/sources/ttl-security.md @@ -0,0 +1,132 @@ +# TTL Security + +This page explains how to configure TTL Security in accordance with +[RFC3682](https://tools.ietf.org/html/rfc3682): The Generalized TTL Security +Mechanism (GTSM). + +## Prerequisites + +Assume you finished [Getting Started](https://github.com/osrg/gobgp/blob/master/docs/sources/getting-started.md). + +## Contents + +- [Configuration](#section0) +- [Verification](#section1) + +## <a name="section0"> Configuration + +If the BGP neighbor "10.0.0.2" is directly connected and the "malicious" BGP +router is 2 hops away, you can block the connection from the malicious BGP +router with `ttl-min >= 254` in `[neighbors.ttl-security.config]` section. +If specify `ttl-min = 255`, this allows only directly connected neighbor, and +`ttl-min = 254` allows also the neighbor on 1 hop away. + +```toml +[global.config] +router-id = "10.0.0.1" + +[[neighbors]] + [neighbors.config] + neighbor-address = "10.0.0.2" + [neighbors.ttl-security.config] + enabled = true + ttl-min = 255 +``` + +**NOTE:** TTL Security feature is mututally exclusive with +[eBGP Multihop](https://github.com/osrg/gobgp/blob/master/docs/sources/ebgp-multihop.md). +These features cannot be configured for the same neighbor. + +## <a name="section1"> Verification + +With TTL Security configuration, GoBGP will set TTL of all BGP messages to +255 and set the minimal acceptable TTL to the given `ttl-min` value. +Then, with the above configuration, only directly connected neighbor +"10.0.0.2" is acceptable and the malicious BGP router will be blocked. + +For the connection from the proper neighbor: + +``` +$ gobgpd -f gobgpd.toml +{"level":"info","msg":"gobgpd started","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +{"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +{"level":"info","msg":"Peer 10.0.0.2 is added","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +{"Topic":"Peer","level":"info","msg":"Add a peer configuration for:10.0.0.2","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +{"Key":"10.0.0.2","State":"BGP_FSM_OPENCONFIRM","Topic":"Peer","level":"info","msg":"Peer Up","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +...(snip)... +``` + +``` +$ tcpdump -i ethXX tcp -v +tcpdump: listening on ethXX, link-type EN10MB (Ethernet), capture size 262144 bytes +hh:mm:ss IP (tos 0x0, ttl 255, id 51126, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [S], cksum 0x7df2 (correct), seq 889149897, win 29200, options [mss 1460,sackOK,TS val 4431487 ecr 0,nop,wscale 9], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x12ac), seq 2886345048, ack 889149898, win 28960, options [mss 1460,sackOK,TS val 4431487 ecr 4431487,nop,wscale 9], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 51127, offset 0, flags [DF], proto TCP (6), length 52) + 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb260), ack 1, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 51128, offset 0, flags [DF], proto TCP (6), length 103) + 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [P.], cksum 0x83ad (incorrect -> 0x8860), seq 1:52, ack 1, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 51: BGP + Open Message (1), length: 51 + Version 4, my AS 65002, Holdtime 90s, ID 2.2.2.2 + Optional parameters, length: 22 + Option Capabilities Advertisement (2), length: 20 + Route Refresh (2), length: 0 + Multiprotocol Extensions (1), length: 4 + AFI IPv4 (1), SAFI Unicast (1) + Multiprotocol Extensions (1), length: 4 + AFI IPv6 (2), SAFI Unicast (1) + 32-Bit AS Number (65), length: 4 + 4 Byte AS 65002 +hh:mm:ss IP (tos 0x0, ttl 255, id 48934, offset 0, flags [DF], proto TCP (6), length 52) + 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [.], cksum 0x837a (incorrect -> 0xb22e), ack 52, win 57, options [nop,nop,TS val 4431487 ecr 4431487], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 48935, offset 0, flags [DF], proto TCP (6), length 103) + 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [P.], cksum 0x83ad (incorrect -> 0x8b31), seq 1:52, ack 52, win 57, options [nop,nop,TS val 4431487 ecr 4431487], length 51: BGP + Open Message (1), length: 51 + Version 4, my AS 65001, Holdtime 90s, ID 1.1.1.1 + Optional parameters, length: 22 + Option Capabilities Advertisement (2), length: 20 + Route Refresh (2), length: 0 + Multiprotocol Extensions (1), length: 4 + AFI IPv4 (1), SAFI Unicast (1) + Multiprotocol Extensions (1), length: 4 + AFI IPv6 (2), SAFI Unicast (1) + 32-Bit AS Number (65), length: 4 + 4 Byte AS 65001 +hh:mm:ss IP (tos 0x0, ttl 255, id 51129, offset 0, flags [DF], proto TCP (6), length 52) + 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb1fa), ack 52, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 51131, offset 0, flags [DF], proto TCP (6), length 52) + 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb1ca), ack 71, win 58, options [nop,nop,TS val 4431497 ecr 4431487], length 0 +...(snip)... +``` + +For the connection from the malicious BGP router: + +``` +$ gobgpd -f gobgpd.toml +{"level":"info","msg":"gobgpd started","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +{"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +{"level":"info","msg":"Peer 10.0.0.2 is added","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +{"Topic":"Peer","level":"info","msg":"Add a peer configuration for:10.0.0.2","time":"YYYY-MM-DDTHH:mm:ss+09:00"} +...(No connection)... +``` + +``` +$ tcpdump -i ethXX tcp -v +tcpdump: listening on ethXX, link-type EN10MB (Ethernet), capture size 262144 bytes +hh:mm:ss IP (tos 0x0, ttl 253, id 396, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [S], cksum 0xf680 (correct), seq 1704340403, win 29200, options [mss 1460,sackOK,TS val 4270655 ecr 0,nop,wscale 9], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x1e1a), seq 2916417775, ack 1704340404, win 28960, options [mss 1460,sackOK,TS val 4270656 ecr 4270655,nop,wscale 9], length 0 +hh:mm:ss IP (tos 0x0, ttl 253, id 397, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [S], cksum 0x8382 (incorrect -> 0xf586), seq 1704340403, win 29200, options [mss 1460,sackOK,TS val 4270905 ecr 0,nop,wscale 9], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x1d21), seq 2916417775, ack 1704340404, win 28960, options [mss 1460,sackOK,TS val 4270905 ecr 4270655,nop,wscale 9], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x1c27), seq 2916417775, ack 1704340404, win 28960, options [mss 1460,sackOK,TS val 4271155 ecr 4270655,nop,wscale 9], length 0 +hh:mm:ss IP (tos 0x0, ttl 253, id 398, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [S], cksum 0x8382 (incorrect -> 0xf391), seq 1704340403, win 29200, options [mss 1460,sackOK,TS val 4271406 ecr 0,nop,wscale 9], length 0 +hh:mm:ss IP (tos 0x0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60) + 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [S.], cksum 0x8382 (incorrect -> 0x1b2c), seq 2916417775, ack 1704340404, win 28960, options [mss 1460,sackOK,TS val 4271406 ecr 4270655,nop,wscale 9], length 0 +...(snip)... +``` |