Stuart Henderson
May 22, 2013, 3:09:58 PM
to tech
This sets the outgoing hop limit correctly on v6 sessions so they should
come up when we've configured ttl-security and the other side is checking
TTLs. I don't have anything handy to test against but things look good
with tcpdump.

We ought to check incoming packets too, but this at least is a step in
the right direction. ok for now?
Index: bgpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/bgpd.conf.5,v
retrieving revision 1.124
diff -u -p -r1.124 bgpd.conf.5
--- bgpd.conf.5 2 Jan 2013 15:06:46 -0000 1.124
+++ bgpd.conf.5 22 May 2013 18:54:05 -0000
@@ -960,6 +960,10 @@ incoming packets are required to have a
ensuring they have not passed through more than the expected number of hops.
The default is
.Ic no .
+.Pp
+There is currently only partial support for ttl-security with IPv6;
+the TTL of outgoing packets is set,
+but no check is made for the TTL of incoming packets.
.El
.Sh FILTER
.Xr bgpd 8
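Review bot: the new .Pp paragraph writes ttl-security as plain text, while this section marks configuration keywords with .Ic (see the `.Ic no .` two lines above the insertion); suggest `.Ic ttl-security` so the keyword renders consistently with the rest of the page. The wording itself matches what the session.c change does (outgoing hop limit set, incoming hop limit not checked), so the caveat is accurate as written.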
Index: session.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
retrieving revision 1.329
diff -u -p -r1.329 session.c
--- session.c 20 Mar 2013 04:01:42 -0000 1.329
+++ session.c 22 May 2013 18:54:05 -0000
@@ -164,6 +164,11 @@ setup_listeners(u_int *la_cnt)
log_warn("setup_listeners setsockopt TTL");
continue;
}
+ if (la->sa.ss_family == AF_INET6 && setsockopt(la->fd,
+ IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl)) == -1) {
+ log_warn("setup_listeners setsockopt hoplimit");
+ continue;
+ }
session_socket_blockmode(la->fd, BM_NONBLOCK);
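Review bot: the new AF_INET6 branch in setup_listeners only achieves its purpose if the hop limit set on the listening socket is inherited by the sockets returned from accept(2) for incoming sessions; worth confirming that on OpenBSD before relying on it, since otherwise the passive side of a ttl-security session would still send with the default hop limit and the remote check would fail. The error handling (log_warn and continue) mirrors the IP_TTL case just above, which is fine.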
@@ -1230,7 +1235,17 @@ session_setup_socket(struct peer *p)
break;
case AID_INET6:
if (p->conf.ebgp) {
- /* set hoplimit to foreign router's distance */
+ /* set hoplimit to foreign router's distance
+ 1=direct n=multihop with ttlsec, we always use 255 */
+ if (p->conf.ttlsec) {
+ /*
+ * XXX Kernel has no ip6 equivalent of IP_MINTTL yet so
+ * we can't check incoming packets, but we can at least
+ * set the outgoing TTL to allow sessions configured
+ * with ttl-security to come up.
+ */
+ ttl = 255;
+ }
if (setsockopt(p->fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
&ttl, sizeof(ttl)) == -1) {
log_peer_warn(&p->conf,
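Review bot: the edited comment at the top of the hunk now spans two lines but keeps the single-line `/* ... */` shape with the continuation starting in column one, which does not match the block style used by the XXX comment added just below it (`/*`, ` * ...`, ` */`); suggest reformatting it the same way, or folding the `1=direct n=multihop, with ttlsec we always use 255` note into the XXX block. The XXX comment correctly states the remaining gap: with ttlsec the socket sends with hop limit 255, but nothing on the receive side rejects packets arriving with a lower hop limit, which is the protection ttl-security exists to provide, so the man page caveat in the first hunk should stay until a kernel-side minimum hop limit check exists.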
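As an added example (not part of Stuart's diff or of bgpd itself), the hop-limit rule that ttl-security relies on, with the sending-side setsockopt calls the patch adds for AF_INET6 next to their IPv4 counterparts; the function names are hypothetical, and `distance` follows the patch's convention of 1 for a directly connected peer and n for multihop.

```c
/* Added example, not bgpd code. GTSM-style hop-limit handling: the
 * sender always transmits with TTL / hop limit 255, and the receiver
 * rejects anything that could not have come from within `distance` hops. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>

#define GTSM_MAX_HOPS 255	/* value the sending side always uses */

/* Lowest TTL / hop limit a peer `distance` hops away can legitimately
 * arrive with: a directly connected peer (distance 1) must show 255.
 * Returns -1 for an invalid distance. */
int
gtsm_min_hoplimit(int distance)
{
	if (distance < 1 || distance > GTSM_MAX_HOPS)
		return -1;
	return GTSM_MAX_HOPS - (distance - 1);
}

/* Receiving-side check the patch cannot yet do for IPv6 in the kernel:
 * 1 = accept the packet, 0 = drop it (too far away, or spoofed). */
int
gtsm_accept(int hoplimit, int distance)
{
	int min = gtsm_min_hoplimit(distance);

	return (min > 0 && hoplimit >= min && hoplimit <= GTSM_MAX_HOPS);
}

/* Sending side: force 255 on the socket, as the patch does for AF_INET6
 * with IPV6_UNICAST_HOPS and as bgpd already does for AF_INET with IP_TTL.
 * Returns 0 on success, -1 with errno set otherwise (hypothetical helper). */
int
gtsm_set_outgoing(int fd, int family)
{
	int ttl = GTSM_MAX_HOPS;

	switch (family) {
	case AF_INET:
		return setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
	case AF_INET6:
		return setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl,
		    sizeof(ttl));
	default:
		errno = EAFNOSUPPORT;
		return -1;
	}
}
```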