The generalized TTL security mechanism (RFC 5082) support.

Thanks to Alexander V. Chernikov for the patch.

1 files changed, 17 insertions, 3 deletions

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 406adc6..2435d1c 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -1120,9 +1120,11 @@ for each neighbor using the following configuration parameters:
 	subnets. Such IP address have to be reachable through system
 	routing table. For multihop BGP it is recommended to
 	explicitly configure <cf/source address/ to have it
-	stable. Optional <cf/number/ argument can be used to limit TTL
-	(the number of hops).
-	Default: switched off.
+	stable. Optional <cf/number/ argument can be used to specify
+	the number of hops (used for TTL). Note that the number of
+	networks (edges) in a path is counted, i.e. if two BGP
+	speakers are separated by one router, the number of hops is
+	2. Default: switched off.
 
 	<tag>source address <m/ip/</tag> Define local address we
 	should use for next hop calculation and as a source address
@@ -1169,6 +1171,18 @@ for each neighbor using the following configuration parameters:
 	as an IGP routing table. Default: the same as the table BGP is
 	connected to.
 	
+	<tag>ttl security <m/switch/</tag> Use GTSM (RFC 5082 - the
+	generalized TTL security mechanism). GTSM protects against
+	spoofed packets by ignoring received packets with a smaller
+	than expected TTL. To work properly, GTSM have to be enabled
+	on both sides of a BGP session. If both <cf/ttl security/ and
+	<cf/multihop/ options are enabled, <cf/multihop/ option should
+	specify proper hop value to compute expected TTL. Kernel
+	support required: Linux: 2.6.34+ (IPv4), 2.6.35+ (IPv6), BSD:
+	since long ago, IPv4 only. Note that full (ICMP protection,
+	for example) RFC 5082 support is provided by Linux
+	only. Default: disabled.
+	
 	<tag>password <m/string/</tag> Use this password for MD5 authentication
 	of BGP sessions. Default: no authentication. Password has to be set by
 	external utility (e.g. setkey(8)) on BSD systems.