Normative reference: https://datatracker.ietf.org/doc/html/rfc5082 This is not an immediate priority for me at the moment, however, it is probably out of scope for delegating to a GSoC student, and needs to be handled for IXP/route-reflector consumers in particular, as FRR/BIRD and others use this. It can be considered part of the minimum viable product (MVP) for a secure route reflector in that regard. Passing it back up the transport layer is another issue which I will raise a separate Bugzilla for to track the change. OpenBSD has this already, cherry-picking the change should be a drop-in: https://sourcegraph.com/r/github.com/openbsd/src/-/commit/e5ff19c718a7f8106479296f9aa531519e06c0f7 rwatson touched the IPv4 path for this, IP_MINTTL, a long long time ago: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=128790 Then IP_MINTTL broke in the 11-STABLE, 12-CURRENT lifetime, fixed by ae@: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239799 NOTE: As of writing, the svnweb links for the relevant commits are down. Here's the LLM prompt and output, good for a week from 2026-02-28: https://search.brave.com/ask?q=Do+FreeBSD+or+Linux+implement+RFC+5082%2C+The+Generalized+TTL+Security+Mechanism+%28GTSM%29+%3F&conversation=08caf132688a19b59df3fa68b90435890ead#TSdEZVG_Da_N9qbmjzDxylNgz3sKI0joIaDZDCBqdBY Parrot: "As noted in a 2011 mailing list discussion, ICMP packets are not passed with their TTL to upper-layer protocols, making it impossible to enforce GTSM on ICMP error messages without kernel modifications."
ache@ (and not ae@, who I got him mixed up with earlier on an ip6_src.c change) said he was sitting on a patch for this in the pre-history, but mentions the lack of full transport layer coupling, which is another issue to be Bugzilla triaged separately: https://freebsd-net.freebsd.narkive.com/xilxNZe4/ip-minttl-and-rfc5082-ttl-security-gtsm-support