Diffstat (limited to 'docs/sources/ttl-security.md')
-rw-r--r--  docs/sources/ttl-security.md  |  64
1 files changed, 32 insertions, 32 deletions
diff --git a/docs/sources/ttl-security.md b/docs/sources/ttl-security.md index 260886ff..b99979eb 100644 --- a/docs/sources/ttl-security.md +++ b/docs/sources/ttl-security.md @@ -6,14 +6,14 @@ Mechanism (GTSM). ## Prerequisites -Assume you finished [Getting Started](https://github.com/osrg/gobgp/blob/master/docs/sources/getting-started.md). +Assume you finished [Getting Started](getting-started.md). ## Contents -- [Configuration](#section0) -- [Verification](#section1) +- [Configuration](#configuration) +- [Verification](#verification) -## <a name="section0"> Configuration +## Configuration If the BGP neighbor "10.0.0.2" is directly connected and the "malicious" BGP router is 2 hops away, you can block the connection from the malicious BGP @@ -34,10 +34,10 @@ router-id = "10.0.0.1" ``` **NOTE:** TTL Security feature is mututally exclusive with -[eBGP Multihop](https://github.com/osrg/gobgp/blob/master/docs/sources/ebgp-multihop.md). +[eBGP Multihop](ebgp-multihop.md). These features cannot be configured for the same neighbor. -## <a name="section1"> Verification +## Verification With TTL Security configuration, GoBGP will set TTL of all BGP messages to 255 and set the minimal acceptable TTL to the given `ttl-min` value. @@ -46,7 +46,7 @@ Then, with the above configuration, only directly connected neighbor For the connection from the proper neighbor: -``` +```bash $ gobgpd -f gobgpd.toml {"level":"info","msg":"gobgpd started","time":"YYYY-MM-DDTHH:mm:ss+09:00"} {"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"YYYY-MM-DDTHH:mm:ss+09:00"} @@ -56,7 +56,7 @@ $ gobgpd -f gobgpd.toml ...(snip)... ``` -``` +```bash $ tcpdump -i ethXX tcp -v tcpdump: listening on ethXX, link-type EN10MB (Ethernet), capture size 262144 bytes hh:mm:ss IP (tos 0x0, ttl 255, id 51126, offset 0, flags [DF], proto TCP (6), length 60) 
@@ -67,32 +67,32 @@ hh:mm:ss IP (tos 0x0, ttl 255, id 51127, offset 0, flags [DF], proto TCP (6), le 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb260), ack 1, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 0 hh:mm:ss IP (tos 0x0, ttl 255, id 51128, offset 0, flags [DF], proto TCP (6), length 103) 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [P.], cksum 0x83ad (incorrect -> 0x8860), seq 1:52, ack 1, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 51: BGP - Open Message (1), length: 51 - Version 4, my AS 65002, Holdtime 90s, ID 2.2.2.2 - Optional parameters, length: 22 - Option Capabilities Advertisement (2), length: 20 - Route Refresh (2), length: 0 - Multiprotocol Extensions (1), length: 4 - AFI IPv4 (1), SAFI Unicast (1) - Multiprotocol Extensions (1), length: 4 - AFI IPv6 (2), SAFI Unicast (1) - 32-Bit AS Number (65), length: 4 - 4 Byte AS 65002 + Open Message (1), length: 51 + Version 4, my AS 65002, Holdtime 90s, ID 2.2.2.2 + Optional parameters, length: 22 + Option Capabilities Advertisement (2), length: 20 + Route Refresh (2), length: 0 + Multiprotocol Extensions (1), length: 4 + AFI IPv4 (1), SAFI Unicast (1) + Multiprotocol Extensions (1), length: 4 + AFI IPv6 (2), SAFI Unicast (1) + 32-Bit AS Number (65), length: 4 + 4 Byte AS 65002 hh:mm:ss IP (tos 0x0, ttl 255, id 48934, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [.], cksum 0x837a (incorrect -> 0xb22e), ack 52, win 57, options [nop,nop,TS val 4431487 ecr 4431487], length 0 hh:mm:ss IP (tos 0x0, ttl 255, id 48935, offset 0, flags [DF], proto TCP (6), length 103) 10.0.0.1.bgp > 10.0.0.2.xxx: Flags [P.], cksum 0x83ad (incorrect -> 0x8b31), seq 1:52, ack 52, win 57, options [nop,nop,TS val 4431487 ecr 4431487], length 51: BGP - Open Message (1), length: 51 - Version 4, my AS 65001, Holdtime 90s, ID 1.1.1.1 - Optional parameters, length: 22 - Option Capabilities Advertisement (2), length: 20 - Route Refresh (2), length: 0 - 
Multiprotocol Extensions (1), length: 4 - AFI IPv4 (1), SAFI Unicast (1) - Multiprotocol Extensions (1), length: 4 - AFI IPv6 (2), SAFI Unicast (1) - 32-Bit AS Number (65), length: 4 - 4 Byte AS 65001 + Open Message (1), length: 51 + Version 4, my AS 65001, Holdtime 90s, ID 1.1.1.1 + Optional parameters, length: 22 + Option Capabilities Advertisement (2), length: 20 + Route Refresh (2), length: 0 + Multiprotocol Extensions (1), length: 4 + AFI IPv4 (1), SAFI Unicast (1) + Multiprotocol Extensions (1), length: 4 + AFI IPv6 (2), SAFI Unicast (1) + 32-Bit AS Number (65), length: 4 + 4 Byte AS 65001 hh:mm:ss IP (tos 0x0, ttl 255, id 51129, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.2.xxx > 10.0.0.1.bgp: Flags [.], cksum 0x837a (incorrect -> 0xb1fa), ack 52, win 58, options [nop,nop,TS val 4431487 ecr 4431487], length 0 hh:mm:ss IP (tos 0x0, ttl 255, id 51131, offset 0, flags [DF], proto TCP (6), length 52) @@ -102,7 +102,7 @@ hh:mm:ss IP (tos 0x0, ttl 255, id 51131, offset 0, flags [DF], proto TCP (6), le For the connection from the malicious BGP router: -``` +```bash $ gobgpd -f gobgpd.toml {"level":"info","msg":"gobgpd started","time":"YYYY-MM-DDTHH:mm:ss+09:00"} {"Topic":"Config","level":"info","msg":"Finished reading the config file","time":"YYYY-MM-DDTHH:mm:ss+09:00"} @@ -111,7 +111,7 @@ $ gobgpd -f gobgpd.toml ...(No connection)... ``` -``` +```bash $ tcpdump -i ethXX tcp -v tcpdump: listening on ethXX, link-type EN10MB (Ethernet), capture size 262144 bytes hh:mm:ss IP (tos 0x0, ttl 253, id 396, offset 0, flags [DF], proto TCP (6), length 60) |
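Review bot: in the `@@ -6,14 +6,14 @@` hunk the hand-written `<a name="section0">` / `<a name="section1">` anchors are dropped in favour of `#configuration` and `#verification`, which only resolve if the renderer auto-generates heading ids with GitHub's slug rules; that holds on GitHub, but not for every Markdown tool, so if these docs are built elsewhere, confirm the generated ids match before removing the explicit anchors. The move from the absolute `https://github.com/osrg/gobgp/blob/master/...` URL to the relative `getting-started.md` is the right call: it keeps the link working on branches, forks and local clones.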
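Review bot: the context line `**NOTE:** TTL Security feature is mututally exclusive with` in the `@@ -34,10 +34,10 @@` hunk still carries the typo `mututally`; since the line directly below it is already being rewritten to the relative `ebgp-multihop.md` link, fix the spelling to `mutually` in the same change instead of leaving it for a follow-up.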
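Review bot: the `@@ -46,7 +46,7 @@`, `@@ -56,7 +56,7 @@`, `@@ -102,7 +102,7 @@` and `@@ -111,7 +111,7 @@` hunks retag the fences as `bash`, but each block is a `$` command followed by its output (JSON log lines from `gobgpd`, packet decodes from `tcpdump -v`), and highlighting that output as bash will mis-colour the braces, quotes and `>` characters in it. `console` (or plain `text`) is the usual tag for a command plus its transcript and keeps the `$` prompt readable.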
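Review bot: the `@@ -67,32 +67,32 @@` hunk changes only the leading whitespace of the `Open Message (1)` decode lines inside the `tcpdump` transcript, so a reader of the diff cannot tell whether the new indentation is what `tcpdump -v` actually prints or a hand edit of a quoted capture. Either re-run the capture and paste it verbatim, or say in the commit message that the indentation was normalised by hand, so the transcript (including the `ttl 255` values the verification step relies on) stays trustworthy as evidence.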