author | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2021-06-18 21:03:50 +0000 |
---|---|---|
committer | Asbjørn Sloth Tønnesen <asbjorn@labitat.dk> | 2021-06-18 22:00:32 +0000 |
commit | b90e3611976192db56394b57c9527db7a58af62c (patch) | |
tree | 320ae46748077c88f777d6db8f03e31268293e63 | |
parent | 1a0e6180c199225b1790d74614a4c727cfec1f7d (diff) | |
space_server: bird: fiberby: enable TTL security
This protects us, among other things, against 3rd parties
resetting the TCP connection underneath our BGP sessions.
This has been enabled in both ends, and this
_MUST_ remain enabled, otherwise these sessions
will go down.
If this needs to be disabled for some reason
then it must be coordinated with Fiberby.
RFC 5082 - The Generalized TTL Security Mechanism
https://datatracker.ietf.org/doc/html/rfc5082
-rw-r--r-- | roles/space_server/files/bird.conf | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/roles/space_server/files/bird.conf b/roles/space_server/files/bird.conf
index 0c447ae..35698c6 100644
--- a/roles/space_server/files/bird.conf
+++ b/roles/space_server/files/bird.conf
@@ -204,21 +204,25 @@ template bgp bgp_transit_v6 {
 protocol bgp fiberby_tgc_v4 from bgp_transit_v4 {
  local 193.106.167.41 as local_asn;
  neighbor 193.106.167.40 as fiberby_asn;
+ ttl security;
 }
 
 protocol bgp fiberby_inx_v4 from bgp_transit_v4 {
  local 193.106.167.43 as local_asn;
  neighbor 193.106.167.42 as fiberby_asn;
+ ttl security;
 }
 
 protocol bgp fiberby_tgc_v6 from bgp_transit_v6 {
  local 2a03:5440:1:2935:1ab:1::2 as local_asn;
  neighbor 2a03:5440:1:2935:1ab:1::1 as fiberby_asn;
+ ttl security;
 }
 
 protocol bgp fiberby_inx_v6 from bgp_transit_v6 {
  local 2a03:5440:1:2935:1ab:2::2 as local_asn;
  neighbor 2a03:5440:1:2935:1ab:2::1 as fiberby_asn;
+ ttl security;
 }
 
 # BGP customer: asbjorn |
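Review bot: The requirement that `ttl security` stays enabled, and is only changed in coordination with Fiberby, is recorded only in the commit message. None of the four `fiberby_*` protocol blocks carries a comment, so someone editing bird.conf later gets no warning that removing the line takes the sessions down. I would add once above the first block, or next to each option, `# GTSM (RFC 5082), enabled on both ends; do not disable without coordinating with Fiberby`. The templates `bgp_transit_v4` and `bgp_transit_v6` are defined outside the hunk; if either sets `multihop`, its hop count determines the expected TTL and should be checked against this change. GTSM only discards packets that arrive from further away than expected, so it complements rather than replaces any session authentication configured in those templates.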