[Xorp-users] BGP MD5

Bruce Simpson bms at incunabulum.net
Mon Sep 21 07:38:47 PDT 2009


James Courtier-Dutton wrote:
> Hi,
>
> How do I configure MD5 authentication on BGP peer connections?
> It is not contained in the manual, but some release notes imply that
> it is supported.
>   

It's a tricky one, and further work may be needed to make it useful 
out-of-the-box, which is probably why it hasn't been documented in the 
user manual.

Some background:
    TCP-MD5 is a transport layer security mechanism specified by a 
rather concise published RFC. It was originally developed to address 
security concerns with TCP at a time when sequence numbers for TCP 
sessions were easily guessable. BGP is the main consumer of this feature.
    This feature is implemented within the BSDs as the TCP_MD5SIG option 
(this is the socket option used to enable it for a new socket, before 
connect() or bind() have been invoked).
    I'm not up to date with how it's implemented within Linux; however, 
I believe they have since taken the TCP_MD5SIG option.

    Within XORP, the feature relies on support for TCP-MD5 within the 
host's network stack, and there is a set of XRLs for setting it on a BGP 
session -- but not the keys themselves.

    In the template file, the md5-password field(s) are currently 
commented out. I implemented the XORP kernel glue and BGP module changes 
first thing when I was hired at ICSI, however, this was only grafting on 
to what I'd implemented in the FreeBSD kernel.

    The problem is that configuring the *session keys* requires platform 
specific support. In FreeBSD, at least, a special SPI entry in the IPSEC 
tables is used for BGP-MD5 sessions; the setkey(8) utility speaks PF_KEY 
to get this done. I don't know what's required to configure the 
kernel-side key in Linux. As far as I know, you still need to do this 
outside of XORP configuration.

See here for information about configuring TCP-MD5 host keys in FreeBSD:
 http://www.freebsd.org/cgi/man.cgi?query=setkey&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html

If you feel up to making the required changes to implement the feature 
fully, please do send a patch against SVN and we can try to incorporate 
it. Hope this helps.

thanks,
BMS
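As an added illustration of the socket-side half described in the message above (this is example code, not part of the original post and not XORP's kernel glue), the following C program installs a per-peer TCP-MD5 key on Linux with the TCP_MD5SIG socket option. On Linux, unlike FreeBSD, the key itself travels in the setsockopt() payload (struct tcp_md5sig from <netinet/tcp.h>), so no separate PF_KEY/setkey step is needed; the option must be applied before connect() on the active side, or to the listening socket before accept() on the passive side. The peer address 192.0.2.1, port 179 and the password "example-bgp-key" are placeholders chosen for the example.

```c
/* Added example: per-peer TCP-MD5 (RFC 2385) key on Linux via TCP_MD5SIG.
 * Not XORP code; the peer address and password below are placeholders. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill `sig` for IPv4 peer `peer_ip` with password `key`.
 * Returns 0 on success, -1 on a bad address or an empty/oversize key.
 * Pure: makes no system calls, so it can be checked without a kernel that
 * has CONFIG_TCP_MD5SIG. */
int build_md5sig(struct tcp_md5sig *sig, const char *peer_ip, const char *key)
{
    size_t klen = strlen(key);
    struct sockaddr_in *sin = (struct sockaddr_in *)&sig->tcpm_addr;

    if (klen == 0 || klen > TCP_MD5SIG_MAXKEYLEN)   /* kernel limit is 80 bytes */
        return -1;
    memset(sig, 0, sizeof *sig);
    sin->sin_family = AF_INET;
    sin->sin_port = 0;          /* Linux keys are per peer address; port is ignored */
    if (inet_pton(AF_INET, peer_ip, &sin->sin_addr) != 1)
        return -1;
    sig->tcpm_keylen = (uint16_t)klen;
    memcpy(sig->tcpm_key, key, klen);
    return 0;
}

/* Convenience wrapper for validation: returns the key length that would be
 * installed for (peer_ip, key), or -1 if build_md5sig() rejects the input. */
int md5sig_probe(const char *peer_ip, const char *key)
{
    struct tcp_md5sig sig;
    return build_md5sig(&sig, peer_ip, key) == 0 ? (int)sig.tcpm_keylen : -1;
}

/* Install the key on `fd`. Call before connect() on the active side, or on
 * the listening socket before accept() on the passive side (Linux copies the
 * key to the accepted child). Returns setsockopt()'s result; ENOPROTOOPT
 * means the running kernel was built without TCP-MD5 support. */
int tcp_md5_set_peer_key(int fd, const char *peer_ip, const char *key)
{
    struct tcp_md5sig sig;
    if (build_md5sig(&sig, peer_ip, key) != 0) {
        errno = EINVAL;
        return -1;
    }
    return setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &sig, sizeof sig);
}

int main(int argc, char **argv)
{
    const char *peer = argc > 1 ? argv[1] : "192.0.2.1";        /* placeholder (TEST-NET-1) */
    const char *key  = argc > 2 ? argv[2] : "example-bgp-key";  /* placeholder password */
    struct sockaddr_in dst;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0) { perror("socket"); return 1; }
    if (tcp_md5_set_peer_key(fd, peer, key) != 0) { perror("TCP_MD5SIG"); return 1; }

    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(179);                                   /* BGP */
    inet_pton(AF_INET, peer, &dst.sin_addr);
    /* With a key mismatch the peer silently drops our signed SYNs (and we
     * drop its unsigned ones), so the failure mode is a connect() timeout,
     * not a refusal. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) != 0)
        perror("connect");
    else
        printf("connected to %s:179 with TCP-MD5 signing\n", peer);
    close(fd);
    return 0;
}
```

Both ends must be configured with the same key for the other's address, and the key has to be in place before the SYN is sent or received, because every segment of the session, including the handshake, carries the MD5 option. On FreeBSD the socket option is just an on/off integer and the key lives in the SA database instead; the setkey(8) page linked above documents that form (an `add <src> <dst> tcp <spi> -A tcp-md5 "<key>";` entry), which is the piece that currently has to be done outside XORP's configuration.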


