From b90e3611976192db56394b57c9527db7a58af62c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Asbj=C3=B8rn=20Sloth=20T=C3=B8nnesen?=
Date: Fri, 18 Jun 2021 21:03:50 +0000
Subject: space_server: bird: fiberby: enable TTL security

This protects us amount otherthings against 3rd parties resetting the TCP connection underneat our BGP sessions. This has been enabled in both ends, and this _MUST_ remain enabled, otherwise these sessions will go down. If this needs to be disabled for some reason then it must be coordinated with Fiberby. RFC 5082 - The Generalized TTL Security Mechanism https://datatracker.ietf.org/doc/html/rfc5082
---
 roles/space_server/files/bird.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/space_server/files/bird.conf b/roles/space_server/files/bird.conf
index 0c447ae..35698c6 100644
--- a/roles/space_server/files/bird.conf
+++ b/roles/space_server/files/bird.conf
@@ -204,21 +204,25 @@ template bgp bgp_transit_v6 {
 protocol bgp fiberby_tgc_v4 from bgp_transit_v4 {
 local 193.106.167.41 as local_asn;
 neighbor 193.106.167.40 as fiberby_asn;
+ ttl security;
 }

 protocol bgp fiberby_inx_v4 from bgp_transit_v4 {
 local 193.106.167.43 as local_asn;
 neighbor 193.106.167.42 as fiberby_asn;
+ ttl security;
 }

 protocol bgp fiberby_tgc_v6 from bgp_transit_v6 {
 local 2a03:5440:1:2935:1ab:1::2 as local_asn;
 neighbor 2a03:5440:1:2935:1ab:1::1 as fiberby_asn;
+ ttl security;
 }

 protocol bgp fiberby_inx_v6 from bgp_transit_v6 {
 local 2a03:5440:1:2935:1ab:2::2 as local_asn;
 neighbor 2a03:5440:1:2935:1ab:2::1 as fiberby_asn;
+ ttl security;
 }

 # BGP customer: asbjorn
-- 
cgit v1.2.1
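Review bot: The requirement that `ttl security;` stays enabled in all four fiberby_* protocol blocks is recorded only in the commit message, so someone editing bird.conf later has nothing in the file warning that removing it takes the sessions down. I would add a comment above the first block, e.g. `# GTSM (RFC 5082) is enabled on both ends; do not remove "ttl security" without coordinating with Fiberby`. GTSM only rejects packets whose TTL shows they crossed a router, so it does not authenticate the peer or filter traffic from a host on the same segment; the bgp_transit_v4/v6 templates are outside this hunk, so it is worth confirming that they (or these blocks) also set `password` for TCP MD5 if Fiberby supports it. The option also assumes directly connected sessions unless `multihop` carries the correct hop count, which cannot be checked from the lines shown here.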