author Henning Brauer <henning@cvs.openbsd.org> 2006-12-05 12:08:14 +0000
committer Henning Brauer <henning@cvs.openbsd.org> 2006-12-05 12:08:14 +0000
commit 77147e570267f6d0e7bd6449d685451887469968
tree 08535b0b06e7ebb7a4edbd45309dd4d131782fda /usr.sbin/bgpd/bgpd.conf.5
parent 3de6f5cc98111b3a72ee14ad2e00afaafd0a8d83
implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682. manpage with help from jmc
Diffstat (limited to 'usr.sbin/bgpd/bgpd.conf.5')
-rw-r--r-- usr.sbin/bgpd/bgpd.conf.5 | 19
1 files changed, 18 insertions, 1 deletions
diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5
index b0bc750ca62..24af16e5858 100644
--- a/usr.sbin/bgpd/bgpd.conf.5
+++ b/usr.sbin/bgpd/bgpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.conf.5,v 1.77 2006/11/28 16:39:34 henning Exp $
+.\" $OpenBSD: bgpd.conf.5,v 1.78 2006/12/05 12:08:13 henning Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -688,6 +688,23 @@ The shared secret can either be given as a password or hexadecimal key.
tcp md5sig password mekmidasdigoat
tcp md5sig key deadbeef
.Ed
+.Pp
+.It Xo
+.Ic ttl-security
+.Pq Ic yes Ns \&| Ns Ic no
+.Xc
+Enable or disable ttl-security.
+When enabled,
+outgoing packets are sent using a TTL of 255
+and a check is made against an incoming packet's TTL.
+For directly connected peers,
+incoming packets are required to have a TTL of 255,
+ensuring they have not been routed.
+For multihop peers,
+incoming packets are required to have a TTL of 256 minus multihop distance,
+ensuring they have not passed through more than the expected number of hops.
+The default is
+.Ic no .
.El
.Sh FILTER
.Xr bgpd 8
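Review bot: The new ttl-security entry (the sentences after `.Xc`) states the receive-side requirement, a TTL of 255 or 256 minus the multihop distance, but never says that the neighbor must also send with a TTL of 255 for that check to pass. Add a sentence that ttl-security has to be enabled on both ends of the session, otherwise an operator who turns it on for one side only has no hint from the manual why the session does not come up. The text also leaves open what happens to a packet that fails the check; say so explicitly. "multihop distance" should name the `multihop` keyword (for example with `.Ic multihop`) so it is clear which configured value goes into the subtraction.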