author | Nick Hilliard <nick@inex.ie> | 2011-03-23 15:33:17 +0000 |
committer | Paul Jakma <paul@quagga.net> | 2011-03-23 15:33:17 +0000 |
commit | fa411a212b55bba650d68fd0456686f3e47b7395 (patch) | |
tree | 4d7ef846c2cbc154631a5901747b3384854d497c /bgpd/bgp_network.c | |
parent | db07ad7358cb5e26358326332629ffb658f5747a (diff) |
bgpd: RFC 5082 Generalized TTL Security Mechanism support
* bgpd: Add support for RFC 5082 GTSM, which allows the TTL field to be used
to verify that incoming packets have been sent from neighbours no more
than X IP hops away. In other words, this allows packets that were sent from
further away (i.e. not by the neighbour with known distance, and so possibly
a miscreant) to be filtered out.
* lib/sockunion.{c,h}: (sockopt_minttl) new function, to set a minimum TTL
using the IP_MINTTL socket opt.
* bgpd.h: (BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK) define for command
error for minttl.
(struct peer) add a config variable, to store the configured minttl.
(peer_ttl_security_hops_{set,unset}) configuration handlers
* bgpd.c: (peer_group_get) init gtsm_hops
(peer_ebgp_multihop_{un,}set) check for conflicts with GTSM. Multihop and
GTSM can't both be active for a peer at the same time.
(peer_ttl_security_hops_set) set minttl, taking care to avoid conflicts with
ebgp_multihop.
(bgp_config_write_peer) write out minttl as "neighbor .. ttl-security hops X".
* bgp_vty.c: (bgp_vty_return) message for
BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK
(peer_ebgp_multihop_{un,}set_vty)
* bgp_network.c: (bgp_accept) set minttl on accepted sockets if appropriate.
(bgp_connect) ditto for outbound.
Diffstat (limited to 'bgpd/bgp_network.c')
-rw-r--r-- | bgpd/bgp_network.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index 4c79aa63..502f5679 100644
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -173,8 +173,11 @@ bgp_accept (struct thread *thread)
 }
 /* In case of peer is EBGP, we should set TTL for this connection. */
- if (peer_sort (peer1) == BGP_PEER_EBGP)
+ if (peer_sort (peer1) == BGP_PEER_EBGP) {
 sockopt_ttl (peer1->su.sa.sa_family, bgp_sock, peer1->ttl);
+ if (peer1->gtsm_hops)
+ sockopt_minttl (peer1->su.sa.sa_family, bgp_sock, MAXTTL + 1 - peer1->gtsm_hops);
+ }
 /* Make dummy peer until read Open packet. */
 if (BGP_DEBUG (events, EVENTS))
@@ -314,8 +317,11 @@ bgp_connect (struct peer *peer)
 return -1;
 /* If we can get socket for the peer, adjest TTL and make connection. */
- if (peer_sort (peer) == BGP_PEER_EBGP)
+ if (peer_sort (peer) == BGP_PEER_EBGP) {
 sockopt_ttl (peer->su.sa.sa_family, peer->fd, peer->ttl);
+ if (peer->gtsm_hops)
+ sockopt_minttl (peer->su.sa.sa_family, peer->fd, MAXTTL + 1 - peer->gtsm_hops);
+ }
 sockopt_reuseaddr (peer->fd);
 sockopt_reuseport (peer->fd);
@@ -462,7 +468,10 @@ bgp_socket (unsigned short port, const char *address)
 zlog_err ("socket: %s", safe_strerror (errno));
 continue;
 }
-
+
+ /* if we intend to implement ttl-security, this socket needs ttl=255 */
+ sockopt_ttl (ainfo->ai_family, sock, MAXTTL);
+
 ret = bgp_listener (sock, ainfo->ai_addr, ainfo->ai_addrlen);
 if (ret == 0)
 ++count;
@@ -495,6 +504,9 @@ bgp_socket (unsigned short port, const char *address)
 return sock;
 }
+ /* if we intend to implement ttl-security, this socket needs ttl=255 */
+ sockopt_ttl (AF_INET, sock, MAXTTL);
+
 memset (&sin, 0, sizeof (struct sockaddr_in));
 sin.sin_family = AF_INET;
 sin.sin_port = htons (port); |
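Review bot: In the bgp_accept hunk the return value of sockopt_minttl is discarded, so if IP_MINTTL cannot be set (platform without the option, or setsockopt refusing it) the session proceeds with the operator's ttl-security requirement silently unenforced; the bgp_connect hunk has the same gap, and the sockopt_ttl calls in all four hunks likewise ignore their result. Because the option exists to discard packets that did not originate within gtsm_hops, a failure here should be logged and the socket closed rather than failing open — bgp_accept begins outside the hunk, so the exact cleanup path to reuse is not visible, and the sketch below assumes sockopt_minttl returns a negative value on error in the style of the other sockunion helpers. It is also worth a comment at the sockopt_minttl call that the option is applied only after accept() returns, so the TCP handshake on this socket is not TTL-checked unless the listener itself carries IP_MINTTL, e.g. `/* set post-accept: the handshake is not covered unless the listen socket also has IP_MINTTL */`. The expression `MAXTTL + 1 - peer1->gtsm_hops` presumably relies on gtsm_hops being range-checked in peer_ttl_security_hops_set (bgpd.c, not in this diff), and `sockopt_ttl (..., peer1->ttl)` just above it must yield MAXTTL whenever gtsm_hops is set for the remote side's check to pass; stating both invariants in a comment would keep a later edit from breaking them.
```c
  if (peer_sort (peer1) == BGP_PEER_EBGP) {
    sockopt_ttl (peer1->su.sa.sa_family, bgp_sock, peer1->ttl);
    if (peer1->gtsm_hops
        && sockopt_minttl (peer1->su.sa.sa_family, bgp_sock,
                           MAXTTL + 1 - peer1->gtsm_hops) < 0)
      {
        /* fail closed: a peer configured for ttl-security must not be
         * accepted without the minimum-TTL filter in place */
        zlog_err ("bgp_accept: cannot set IP_MINTTL: %s", safe_strerror (errno));
        close (bgp_sock);
        return -1;
      }
  }
  /* … unchanged: dummy peer creation … */
```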