mirror of
https://gitlab.nic.cz/labs/bird.git
synced 2024-12-22 09:41:54 +00:00
Documentation for TTL security.
parent
70e212f913
commit
6ac4f87a2d
@ -470,7 +470,7 @@ to zero to disable it. An empty <cf><m/switch/</cf> is equivalent to <cf/on/
works in the direction from the routing table to the protocol.
Default: <cf/none/.
<tag>import keep filtered <m/bool/</tag>
<tag>import keep filtered <m/switch/</tag>
Usually, if an import filter rejects a route, the route is
forgotten. When this option is active, these routes are
kept in the routing table, but they are hidden and not
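Review bot: the `<m/bool/` to `<m/switch/` change in the `import keep filtered` tag is unrelated to the TTL security documentation named in the commit message; either mention it there ("also fix the argument type of import keep filtered") or split it into its own commit so the history stays searchable. The change itself is right: the option is described with on/off switch semantics, and the hunk's own context line documents `<cf><m/switch/</cf>` as the type for such options.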
@ -1966,6 +1966,9 @@ protocol ospf <name> {
ptp netmask <switch>;
check link <switch>;
ecmp weight <num>;
ttl security [<switch>; | tx only]
tx class|dscp <num>;
tx priority <num>;
authentication [none|simple|cryptographic];
password "<text>";
password "<text>" {
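Review bot: the grammar line `ttl security [<switch>; | tx only]` puts the terminating semicolon inside the alternative, so the `tx only` form reads as having no `;` while every other statement in this block (`check link <switch>;`, `tx class|dscp <num>;`, `tx priority <num>;`) ends with one. Suggest `ttl security [<switch> | tx only];`, which also matches the `<tag>ttl security [<m/switch/ | tx only]</tag>` form used in the option descriptions.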
@ -2236,6 +2239,20 @@ protocol ospf <name> {
prefix) is propagated. It is possible that some hardware
drivers or platforms do not implement this feature. Default value is no.
<tag>ttl security [<m/switch/ | tx only]</tag>
TTL security is a feature that protects routing protocols
from remote spoofed packets by using TTL 255 instead of TTL 1
for protocol packets destined to neighbors. Because TTL is
decremented when packets are forwarded, it is non-trivial to
spoof packets with TTL 255 from remote locations. Note that
this option would interfere with OSPF virtual links.
If this option is enabled, the router will send OSPF packets
with TTL 255 and drop received packets with TTL less than
255. If this option si set to <cf/tx only/, TTL 255 is used
for sent packets, but is not checked for received
packets. Default value is no.
<tag>tx class|dscp|priority <m/num/</tag>
These options specify the ToS/DiffServ/Traffic class/Priority
of the outgoing OSPF packets. See <ref id="dsc-prio" name="tx
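Review bot: typo in the `tx only` sentence of the new `ttl security` description: "If this option si set to <cf/tx only/" should read "is set". The virtual links remark would also serve operators better if it stated the consequence instead of only that the option "would interfere": say whether virtual links stop working when `ttl security` is on, and whether `tx only` is the setting to use alongside them, since the paragraph before it already explains that forwarded packets arrive with a decremented TTL.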
@ -2784,6 +2801,26 @@ makes it pretty much obsolete. (It is still usable on very small networks.)
any periodic messages to this interface and <cf/nolisten/
means that RIP will send to this interface butnot listen to it.
<tag>ttl security [<m/switch/ | tx only]</tag>
TTL security is a feature that protects routing protocols
from remote spoofed packets by using TTL 255 instead of TTL 1
for protocol packets destined to neighbors. Because TTL is
decremented when packets are forwarded, it is non-trivial to
spoof packets with TTL 255 from remote locations.
If this option is enabled, the router will send RIP packets
with TTL 255 and drop received packets with TTL less than
255. If this option si set to <cf/tx only/, TTL 255 is used
for sent packets, but is not checked for received
packets. Such setting does not offer protection, but offers
compatibility with neighbors regardless of whether they use
ttl security.
Note that for RIPng, TTL security is a standard behavior
(required by RFC 2080), but BIRD uses <cf/tx only/ by
default, for compatibility with older versions. For IPv4 RIP,
default value is no.
<tag>tx class|dscp|priority <m/num/</tag>
These options specify the ToS/DiffServ/Traffic class/Priority
of the outgoing RIP packets. See <ref id="dsc-prio" name="tx
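Review bot: the same "si set" typo as in the OSPF section ("If this option si set to <cf/tx only/") should read "is set". The RIP text also carries a caveat the OSPF text lacks ("Such setting does not offer protection, but offers compatibility with neighbors regardless of whether they use ttl security"); that applies equally to OSPF's `tx only`, so either add it there too or keep the shared TTL security description in one place and reference it from both protocols. Minor and pre-existing in the context line: "butnot" should be "but not".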