authorhenning <henning@openbsd.org>2006-12-05 12:08:13 +0000
committerhenning <henning@openbsd.org>2006-12-05 12:08:13 +0000
commit906a57b37643451ff94de5679862c3c65399db71 (patch)
tree56d23d3198179a2533c457f6e67723315061c951
parentmake the syncache code respect (inherit) the ttl from the listening socket (diff)
implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682. manpage with help from jmc
-rw-r--r--usr.sbin/bgpd/bgpd.conf.519
-rw-r--r--usr.sbin/bgpd/bgpd.h3
-rw-r--r--usr.sbin/bgpd/parse.y8
-rw-r--r--usr.sbin/bgpd/printconf.c5
-rw-r--r--usr.sbin/bgpd/session.c34
5 files changed, 61 insertions, 8 deletions
diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5
index b0bc750ca62..24af16e5858 100644
--- a/usr.sbin/bgpd/bgpd.conf.5
+++ b/usr.sbin/bgpd/bgpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.conf.5,v 1.77 2006/11/28 16:39:34 henning Exp $
+.\" $OpenBSD: bgpd.conf.5,v 1.78 2006/12/05 12:08:13 henning Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -688,6 +688,23 @@ The shared secret can either be given as a password or hexadecimal key.
tcp md5sig password mekmidasdigoat
tcp md5sig key deadbeef
.Ed
+.Pp
+.It Xo
+.Ic ttl-security
+.Pq Ic yes Ns \&| Ns Ic no
+.Xc
+Enable or disable ttl-security.
+When enabled,
+outgoing packets are sent using a TTL of 255
+and a check is made against an incoming packet's TTL.
+For directly connected peers,
+incoming packets are required to have a TTL of 255,
+ensuring they have not been routed.
+For multihop peers,
+incoming packets are required to have a TTL of 256 minus multihop distance,
+ensuring they have not passed through more than the expected number of hops.
+The default is
+.Ic no .
.El
.Sh FILTER
.Xr bgpd 8
diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h
index 2ae63f4c90f..2f962bd7886 100644
--- a/usr.sbin/bgpd/bgpd.h
+++ b/usr.sbin/bgpd/bgpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bgpd.h,v 1.209 2006/11/28 16:39:34 henning Exp $ */
+/* $OpenBSD: bgpd.h,v 1.210 2006/12/05 12:08:13 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -247,6 +247,7 @@ struct peer_config {
u_int8_t reflector_client;
u_int8_t softreconfig_in;
u_int8_t softreconfig_out;
+ u_int8_t ttlsec; /* TTL security hack */
};
struct network_config {
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y
index 240b8d91459..4d5b93f9755 100644
--- a/usr.sbin/bgpd/parse.y
+++ b/usr.sbin/bgpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.197 2006/11/28 16:39:34 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.198 2006/12/05 12:08:13 henning Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -158,7 +158,7 @@ typedef struct {
%token ENFORCE NEIGHBORAS CAPABILITIES REFLECTOR DEPEND DOWN SOFTRECONFIG
%token DUMP IN OUT
%token LOG ROUTECOLL TRANSPARENT
-%token TCP MD5SIG PASSWORD KEY
+%token TCP MD5SIG PASSWORD KEY TTLSECURITY
%token ALLOW DENY MATCH
%token QUICK
%token FROM TO ANY
@@ -882,6 +882,9 @@ peeropts : REMOTEAS asnumber {
}
free($7);
}
+ | TTLSECURITY yesno {
+ curpeer->conf.ttlsec = $2;
+ }
| SET filter_set_opt {
struct filter_rule *r;
@@ -1683,6 +1686,7 @@ lookup(char *s)
{ "to", TO},
{ "transit-as", TRANSITAS},
{ "transparent-as", TRANSPARENT},
+ { "ttl-security", TTLSECURITY},
{ "via", VIA},
{ "weight", WEIGHT}
};
diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c
index 75c167299a3..19d22539b5b 100644
--- a/usr.sbin/bgpd/printconf.c
+++ b/usr.sbin/bgpd/printconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printconf.c,v 1.58 2006/11/28 16:39:34 henning Exp $ */
+/* $OpenBSD: printconf.c,v 1.59 2006/12/05 12:08:13 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -341,6 +341,9 @@ print_peer(struct peer_config *p, struct bgpd_config *conf, const char *c)
else if (p->auth.method == AUTH_IPSEC_IKE_ESP)
printf("%s\tipsec esp ike\n", c);
+ if (p->ttlsec)
+ printf("%s\tttl-security yes\n", c);
+
printf("%s\tannounce IPv4 %s\n", c, print_safi(p->capabilities.mp_v4));
printf("%s\tannounce IPv6 %s\n", c, print_safi(p->capabilities.mp_v6));
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index bab50fa616f..b38aa34380c 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.265 2006/11/28 19:21:15 reyk Exp $ */
+/* $OpenBSD: session.c,v 1.266 2006/12/05 12:08:13 henning Exp $ */
/*
* Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -119,6 +119,7 @@ session_sighdlr(int sig)
int
setup_listeners(u_int *la_cnt)
{
+ int ttl = 255;
int opt;
struct listen_addr *la;
u_int cnt = 0;
@@ -146,6 +147,13 @@ setup_listeners(u_int *la_cnt)
fatal("setsockopt TCP_MD5SIG");
}
+ /* set ttl to 255 so that ttl-security works */
+ if (setsockopt(la->fd, IPPROTO_IP, IP_TTL, &ttl,
+ sizeof(ttl)) == -1) {
+ log_warn("setup_listeners setsockopt TTL");
+ continue;
+ }
+
session_socket_blockmode(la->fd, BM_NONBLOCK);
if (listen(la->fd, MAX_BACKLOG)) {
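Review bot: The new IP_TTL setsockopt() is issued on every listener without checking its address family, and the failure path is `continue`, so a listener for which the IPPROTO_IP level does not apply (an AF_INET6 listen address, presumably) would skip session_socket_blockmode() and listen() and silently never accept a connection. Guard the call on the listener's address family so that only AF_INET listeners get the option, and the `log_warn` then only fires on a genuine error. Note also that the `continue` leaves la->fd open but not listening, which differs from the `fatal()` used on the TCP_MD5SIG failure just above; either close the descriptor and mark it unusable there, or treat the failure the same way. The loop body and setup_listeners() continue outside the hunk.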
@@ -1104,14 +1112,27 @@ session_setup_socket(struct peer *p)
int nodelay = 1;
int bsize;
- if (p->conf.ebgp && p->conf.remote_addr.af == AF_INET)
- /* set TTL to foreign router's distance - 1=direct n=multihop */
+ if (p->conf.ebgp && p->conf.remote_addr.af == AF_INET) {
+ /* set TTL to foreign router's distance - 1=direct n=multihop
+ with ttlsec, we always use 255 */
+ if (p->conf.ttlsec) {
+ ttl = 256 - p->conf.distance;
+ if (setsockopt(p->fd, IPPROTO_IP, IP_MINTTL, &ttl,
+ sizeof(ttl)) == -1) {
+ log_peer_warn(&p->conf,
+ "session_setup_socket setsockopt MINTTL");
+ return (-1);
+ }
+ ttl = 255;
+ }
+
if (setsockopt(p->fd, IPPROTO_IP, IP_TTL, &ttl,
sizeof(ttl)) == -1) {
log_peer_warn(&p->conf,
"session_setup_socket setsockopt TTL");
return (-1);
}
+ }
if (p->conf.ebgp && p->conf.remote_addr.af == AF_INET6)
/* set hoplimit to foreign router's distance */
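Review bot: The ttl-security handling only covers the AF_INET branch; the AF_INET6 branch that starts at the end of the hunk still sets the outgoing hop limit to `p->conf.distance`, so for a v6 peer with ttl-security configured on both ends the remote's minimum-TTL check would (if it mirrors this code) reject our packets, and the manpage text in this commit claiming outgoing packets use TTL 255 is not true for IPv6. Either apply the same "send 255" logic under `p->conf.ttlsec` in the IPv6 branch or document the option as IPv4-only. Minor style point: the two-line comment `/* set TTL ... \n with ttlsec, we always use 255 */` should carry a leading ` * ` on its continuation line per KNF. session_setup_socket() continues outside the hunk.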
@@ -1122,6 +1143,13 @@ session_setup_socket(struct peer *p)
return (-1);
}
+ /* if ttlsec is in use, set minttl */
+ if (p->conf.ttlsec) {
+ ttl = 256 - p->conf.distance;
+ setsockopt(p->fd, IPPROTO_IP, IP_MINTTL, &ttl, sizeof(ttl));
+
+ }
+
/* set TCP_NODELAY */
if (setsockopt(p->fd, IPPROTO_TCP, TCP_NODELAY, &nodelay,
sizeof(nodelay)) == -1) {
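Review bot: The IP_MINTTL setsockopt() in the new block ignores its return value, so if the kernel refuses the option the session is established with no minimum-TTL check at all, which silently fails open for a mechanism whose whole purpose is to drop packets; the AF_INET branch earlier in the same function handles the identical call with `log_peer_warn` and `return (-1)`, and this block should be consistent with it. For AF_INET ebgp peers the option has already been set by that branch, so this call is redundant there, and for AF_INET6 peers the IPPROTO_IP level is presumably not the right one, so consider restricting the block to the cases it is meant to cover. The stray blank line before the closing brace should also go.
```c
	/* if ttlsec is in use, set minttl */
	if (p->conf.ttlsec) {
		ttl = 256 - p->conf.distance;
		if (setsockopt(p->fd, IPPROTO_IP, IP_MINTTL, &ttl,
		    sizeof(ttl)) == -1) {
			log_peer_warn(&p->conf,
			    "session_setup_socket setsockopt MINTTL");
			return (-1);
		}
	}
	/* … unchanged: TCP_NODELAY setup … */
```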