[Xorp-users] BGP MD5

James Courtier-Dutton james.dutton at gmail.com
Mon Sep 21 12:23:17 PDT 2009


2009/9/21 Bruce Simpson <bms at incunabulum.net>:
> Some background:
>   TCP-MD5 is a transport layer security mechanism specified by a rather
> concise published RFC. It was originally developed to address security
> concerns with TCP at a time when sequence numbers for TCP sessions were
> easily guessable. BGP is the main consumer of this feature.
>   This feature is implemented within the BSDs as the TCP_MD5SIG option (this
> is the socket option used to enable it for a new socket, before connect() or
> bind() have been invoked).
>   I'm not up to date with how it's implemented within Linux, however, I
> believe they have since taken the TCP_MD5SIG option.
>
>   Within XORP, the feature relies on support for TCP-MD5 within the host's
> network stack, and there is a set of XRLs for setting it on a BGP session --
> but not the keys themselves.
>
>   In the template file, the md5-password field(s) are currently commented
> out. I implemented the XORP kernel glue and BGP module changes first thing
> when I was hired at ICSI, however, this was only grafting on to what I'd
> implemented in the FreeBSD kernel.
>
>   The problem is that configuring the *session keys* requires platform
> specific support. In FreeBSD, at least, a special SPI entry in the IPSEC
> tables is used for BGP-MD5 sessions; the setkey(8) utility speaks PF_KEY to
> get this done. I don't know what's required to configure the kernel-side key
> in Linux. As far as I know, you still need to do this outside of XORP
> configuration.
>
> See here for information about configuring TCP-MD5 host keys in FreeBSD:
> http://www.freebsd.org/cgi/man.cgi?query=setkey&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html
>
> If you feel up to making the required changes to implement the feature
> fully, please do send a patch against SVN and we can try to incorporate it.
> Hope this helps.
>

In Linux, I think the password is set in the socket calls.
The API is along these lines (cut and pasted from quagga):

+/*
+ * Set MD5 key for the socket, for the given IPv4 peer address.
+ * If the password is NULL or zero-length, the option will be disabled.
+ */
+int
+bgp_md5_set (int sock, union sockunion *su, const char *password)
+{
+ int ret, en;
+
+ if ( bgpd_privs.change (ZPRIVS_RAISE) )
+ zlog_err ("bgp_md5_set: could not raise privs");
+
+ ret = sockopt_tcp_signature (sock, su, password);
+ en = errno;
+
+ if (bgpd_privs.change (ZPRIVS_LOWER) )
+ zlog_err ("bgp_md5_set: could not lower privs");
+
+ if (ret < 0)
+ zlog (NULL, LOG_WARNING, "can't set TCP_MD5SIG option on socket %d: %s",
+ sock, safe_strerror (en));
+
+ return ret;
+}
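Review bot: when `bgpd_privs.change (ZPRIVS_RAISE)` fails, the function only logs the error and still goes on to call `sockopt_tcp_signature`, which will then fail for lack of privilege and emit a second, misleading "can't set TCP_MD5SIG option" warning; return -1 (with errno preserved) right after the first `zlog_err` instead, so callers see the real cause. A smaller point: the header comment says "for the given IPv4 peer address", but the parameter is a `union sockunion`, which can also carry an IPv6 peer; either the comment or the accepted address family should be made consistent.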


