[Xorp-users] BGP MD5
Bruce Simpson
bms at incunabulum.net
Mon Sep 21 07:38:47 PDT 2009
James Courtier-Dutton wrote:
> Hi,
>
> How do I configure MD5 authentication on BGP peer connections?
> It is not contained in the manual, but some release notes imply that
> it is supported.
>
It's a tricky one, and further work may be needed to make it useful
out-of-the-box, which is probably why it hasn't been documented in the
user manual.
Some background:
TCP-MD5 is a transport layer security mechanism specified by a
rather concise published RFC. It was originally developed to address
security concerns with TCP at a time when sequence numbers for TCP
sessions were easily guessable. BGP is the main consumer of this feature.
This feature is implemented within the BSDs as the TCP_MD5SIG option
(this is the socket option used to enable it for a new socket, before
connect() or bind() have been invoked).
I'm not up to date with how it's implemented within Linux; however,
I believe they have since taken the TCP_MD5SIG option.
Within XORP, the feature relies on support for TCP-MD5 within the
host's network stack, and there is a set of XRLs for setting it on a BGP
session -- but not the keys themselves.
In the template file, the md5-password field(s) are currently
commented out. I implemented the XORP kernel glue and BGP module changes
first thing when I was hired at ICSI; however, this was only grafting
onto what I'd implemented in the FreeBSD kernel.
The problem is that configuring the *session keys* requires platform
specific support. In FreeBSD, at least, a special SPI entry in the IPSEC
tables is used for BGP-MD5 sessions; the setkey(8) utility speaks PF_KEY
to get this done. I don't know what's required to configure the
kernel-side key in Linux. As far as I know, you still need to do this
outside of XORP configuration.
See here for information about configuring TCP-MD5 host keys in FreeBSD:
http://www.freebsd.org/cgi/man.cgi?query=setkey&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html
If you feel up to making the required changes to implement the feature
fully, please do send a patch against SVN and we can try to incorporate
it. Hope this helps.
thanks,
BMS