this sets the outgoing hop limit correctly on v6 sessions so they should
come up when we've configured ttl-security and the other side is checking
ttls. I don't have anything handy to test against but things look good
with tcpdump.

we ought to check incoming packets too, but this at least is a step in
the right direction. ok for now?

Index: bgpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/bgpd.conf.5,v
retrieving revision 1.124
diff -u -p -r1.124 bgpd.conf.5
--- bgpd.conf.5 2 Jan 2013 15:06:46 -0000       1.124
+++ bgpd.conf.5 22 May 2013 18:54:05 -0000
@@ -960,6 +960,10 @@ incoming packets are required to have a 
 ensuring they have not passed through more than the expected number of hops.
 The default is
 .Ic no .
+.Pp
+There is currently only partial support for ttl-security with IPv6;
+the TTL of outgoing packets is set,
+but no check is made for the TTL of incoming packets.
 .El
 .Sh FILTER
 .Xr bgpd 8
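Review bot: the new paragraph should tell the operator what the missing incoming check means, not only that it is missing: with IPv6 the session comes up, but packets arriving with any hop limit are still accepted, so the anti-spoofing guarantee ttl-security gives on IPv4 is not in effect. While there, call the IPv6 field the hop limit rather than the TTL, and mark the keyword as `.Ic ttl-security` to match the surrounding mdoc (the option value is already set as `.Ic no`).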
Index: session.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
retrieving revision 1.329
diff -u -p -r1.329 session.c
--- session.c   20 Mar 2013 04:01:42 -0000      1.329
+++ session.c   22 May 2013 18:54:05 -0000
@@ -164,6 +164,11 @@ setup_listeners(u_int *la_cnt)
                        log_warn("setup_listeners setsockopt TTL");
                        continue;
                }
+               if (la->sa.ss_family == AF_INET6 && setsockopt(la->fd,
+                   IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl)) == -1) {
+                       log_warn("setup_listeners setsockopt hoplimit");
+                       continue;
+               }
 
                session_socket_blockmode(la->fd, BM_NONBLOCK);
 
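Review bot: the new AF_INET6 branch reuses `ttl` from the IP_TTL setsockopt whose failure is logged just above ("setup_listeners setsockopt TTL"), so it is only reached if that earlier call is restricted to AF_INET listeners; otherwise an AF_INET6 listener takes the `continue` before the new code. Please confirm that guard exists and that `ttl` is declared as an `int`, since IPV6_UNICAST_HOPS takes an int and sizeof(ttl) is passed. The `continue` on failure leaves the listener's fd open, which mirrors the existing IP_TTL path rather than being new here, but the two branches should at least fail the same way.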
@@ -1230,7 +1235,17 @@ session_setup_socket(struct peer *p)
                break;
        case AID_INET6:
                if (p->conf.ebgp) {
-                       /* set hoplimit to foreign router's distance */
+                       /* set hoplimit to foreign router's distance
+                          1=direct n=multihop with ttlsec, we always use 255 */
+                       if (p->conf.ttlsec) {
+                       /*
+                        * XXX Kernel has no ip6 equivalent of IP_MINTTL yet so
+                        * we can't check incoming packets, but we can at least
+                        * set the outgoing TTL to allow sessions configured
+                        * with ttl-security to come up.
+                        */
+                               ttl = 255;
+                       }
                        if (setsockopt(p->fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
                            &ttl, sizeof(ttl)) == -1) {
                                log_peer_warn(&p->conf,
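Review bot: the XXX comment block at the top of the `if (p->conf.ttlsec)` body is indented at the `if` level while `ttl = 255;` sits one level deeper; indent the comment with the statement it describes (KNF). The merged comment "set hoplimit to foreign router's distance / 1=direct n=multihop with ttlsec, we always use 255" reads as a run-on; suggest `/* hop limit: 1 direct, n multihop; always 255 with ttl-security */`. On the logic, forcing 255 only under `p->conf.ebgp` matches what the option is for, but since no incoming hop-limit check follows (the comment notes IP_MINTTL has no IPv6 counterpart yet), consider a `log_peer_warn` at session setup so an operator sees that ttl-security on this IPv6 peer is outgoing-only.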
