Mailing List Archive: Quagga: Dev

RFC 5082 GTSM for quagga bgpd



nick at inex

Nov 11, 2008, 8:10 AM

Post #1 of 4 (5038 views)
RFC 5082 GTSM for quagga bgpd

Hello,

I've attached a patch set to implement RFC 5082 GTSM for quagga. This
depends on the IP_MINTTL socket option which was implemented by Andre
Oppermann:

http://lists.quagga.net/pipermail/quagga-dev/2005-August/003607.html

Implementation
==============

The code is implemented using the "neighbor XXX ttl-security hops YYY"
command in the BGP router context. The configuration is fully compatible
with the equivalent Cisco IOS commands. Normally, YYY will be set to be
the number of hops between the two bgp neighbors. The process works as
follows:

- all outgoing packets are set up with TTL of "MAXTTL + 1 - gtsm_hops"
- all incoming packets are checked to ensure that the TTL falls within the
hop limit specified in the configuration

Internally, this is implemented by silently using the ebgp-multihop command
when ttl-security hops is configured on a neighbor, and by configuring the
master BGP listening socket to have a TTL of 255.

The code prohibits ebgp-multihop and ttl-security from being configured
together.

I've fixed a very minor bug in peer_ebgp_multihop_set_vty() and
peer_ebgp_multihop_unset_vty(). These commands should not return
CMD_SUCCESS by default.

If "ttl-security hops" is configured on an operating system which does not
support the IP_MINTTL socket option, or if ttl security is enabled on an
IPv6 socket, then a warning will be logged on the system log. However,
bgpd will accept the configuration.

ttl-security hops is fully peer-group aware (including checking for
conflicts with ebgp-multihop).

Usage
=====

Usage is described in the Cisco documentation:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html

Under normal circumstances the ttl-security hops parameter should be set to
the exact number of hops between the two BGP peers. So, for directly
connected peers, this will be "ttl-security hops 1".

Cisco have also implemented GTSM for OSPF. I haven't attempted that with
this patch, and don't have any plans to do so in future.

Caveats
=======

- Right now, this socket option is supported in FreeBSD >= 5.x, OpenBSD
>=4.1 and DragonflyBSD >= 2.0.0. There is a minor bug in all these
implementations which is addressed here:

http://www.freebsd.org/cgi/query-pr.cgi?pr=128790

- as there is no equivalent IP6_MINTTL socket option, this only works for
IPv4 sockets.

Enjoy,

Nick
Attachments: quagga-bgpd-gtsm-0-99-11.diffs (13.6 KB)
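Added example, not code from Nick's patch or from Quagga: the hop arithmetic the post describes (MAXTTL + 1 - gtsm_hops), the equivalent incoming-TTL check, and the IP_MINTTL setsockopt call with the log-a-warning-but-accept fallback for platforms without IP_MINTTL and for IPv6 sockets. All function names are hypothetical.

```c
/* Added example, not part of Nick's patch or of Quagga: GTSM hop arithmetic
 * and the IP_MINTTL socket option. Function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define MAXTTL 255

/* Threshold from the post: MAXTTL + 1 - gtsm_hops. A peer `hops` routers away
 * sending with TTL 255 can never arrive below it; anything lower is spoofed. */
int gtsm_min_ttl(int hops)
{
    if (hops < 1 || hops > MAXTTL)
        return -1;                 /* invalid hop count */
    return MAXTTL + 1 - hops;      /* hops 1 -> 255, hops 2 -> 254 */
}

/* Userspace form of the check the kernel performs once IP_MINTTL is set. */
int gtsm_ttl_ok(int hops, int ttl)
{
    int min = gtsm_min_ttl(hops);
    return min > 0 && ttl >= min && ttl <= MAXTTL;
}

/* Install the check on a socket: 0 = IP_MINTTL set, 1 = platform lacks
 * IP_MINTTL or socket is IPv6 (warn, accept config), -1 = error. */
int gtsm_apply(int sock, int family, int hops)
{
    int min = gtsm_min_ttl(hops);
    if (min < 0)
        return -1;
    if (family != AF_INET) {
        fprintf(stderr, "warning: ttl-security only works on IPv4 sockets\n");
        return 1;
    }
#ifdef IP_MINTTL
    if (setsockopt(sock, IPPROTO_IP, IP_MINTTL, &min, sizeof min) < 0) {
        fprintf(stderr, "setsockopt(IP_MINTTL): %s\n", strerror(errno));
        return -1;
    }
    return 0;
#else
    fprintf(stderr, "warning: IP_MINTTL not supported on this platform\n");
    return 1;
#endif
}
```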


paul at jakma

Jun 2, 2009, 10:07 AM

Post #2 of 4 (4560 views)
Re: RFC 5082 GTSM for quagga bgpd [In reply to]

Neat.

Is this the most recent version of the patch?

--paulj

On Tue, 11 Nov 2008, Nick Hilliard wrote:

> Hello,
>
> I've attached a patch set to implement RFC 5082 GTSM for quagga. This
> depends on the IP_MINTTL socket option which was implemented by Andre
> Oppermann:
>
> http://lists.quagga.net/pipermail/quagga-dev/2005-August/003607.html
>
> Implementation
> ==============
>
> The code is implemented using the "neighbor XXX ttl-security hops YYY"
> command in the BGP router context. The configuration is fully compatible
> with the equivalent Cisco IOS commands. Normally, YYY will be set to be the
> number of hops between the two bgp neighbors. The process works as follows:
>
> - all outgoing packets are set up with TTL of "MAXTTL + 1 - gtsm_hops"
> - all incoming packets are checked to ensure that the TTL falls within the
> hop limit specified in the configuration
>
> Internally, this is implemented by silently using the ebgp-multihop command
> when ttl-security hops is configured on a neighbor, and by configuring the
> master BGP listening socket to have a TTL of 255.
>
> The code prohibits ebgp-multihop and ttl-security from being configured
> together.
>
> I've fixed a very minor bug in peer_ebgp_multihop_set_vty() and
> peer_ebgp_multihop_unset_vty(). These commands should not return CMD_SUCCESS
> by default.
>
> If "ttl-security hops" is configured on an operating system which does not
> support the IP_MINTTL socket option, or if ttl security is enabled on an IPv6
> socket, then a warning will be logged on the system log. However, bgpd will
> accept the configuration.
>
> ttl-security hops is fully peer-group aware (including checking for conflicts
> with ebgp-multihop).
>
> Usage
> =====
>
> Usage is described in the Cisco documentation:
>
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html
>
> Under normal circumstances the ttl-security hops parameter should be set to
> the exact number of hops between the two BGP peers. So, for directly
> connected peers, this will be "ttl-security hops 1".
>
> Cisco have also implemented GTSM for OSPF. I haven't attempted that with
> this patch, and don't have any plans to do so in future.
>
> Caveats
> =======
>
> - Right now, this socket option is supported in FreeBSD >= 5.x, OpenBSD
> >=4.1 and DragonflyBSD >= 2.0.0. There is a minor bug in all these
> implementations which is addressed here:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=128790
>
> - as there is no equivalent IP6_MINTTL socket option, this only works for
> IPv4 sockets.
>
> Enjoy,
>
> Nick
>

--
Paul Jakma paul [at] clubi paul [at] jakma Key ID: 64A2FF6A
Fortune:
Hard reality has a way of cramping your style.
-- Daniel Dennett
_______________________________________________
Quagga-dev mailing list
Quagga-dev [at] lists
http://lists.quagga.net/mailman/listinfo/quagga-dev


nick at inex

Jun 2, 2009, 10:10 AM

Post #3 of 4 (4562 views)
Re: RFC 5082 GTSM for quagga bgpd [In reply to]

On 02/06/2009 18:07, paul [at] jakma wrote:
> Neat.
>
> Is this the most recent version of the patch?

It is - I'm running a patched 0.9.10 internally, but it shouldn't be too
much work to port to the latest git head.

Nick


shemminger at vyatta

Jan 12, 2010, 4:33 PM

Post #4 of 4 (4135 views)
Re: RFC 5082 GTSM for quagga bgpd [In reply to]

On Tue, 02 Jun 2009 18:10:12 +0100
Nick Hilliard <nick [at] inex> wrote:

> On 02/06/2009 18:07, paul [at] jakma wrote:
> > Neat.
> >
> > Is this the most recent version of the patch?
>
> It is - I'm running a patched 0.9.10 internally, but it shouldn't be too
> much work to port to the latest git head.
>

I sent a patch to the Linux kernel networking list to add a compatible IP_MINTTL
option. It should be in the 2.6.34 kernel. It will be still longer till it bubbles out
to distros and glibc, but it is a start.
