Support for MD5 authentication in BGP

Ondrej Zajicek santiago at crfreenet.org
Tue Oct 7 14:33:59 CEST 2008


On Tue, Oct 07, 2008 at 10:42:55AM +0200, Martin Mares wrote:
> Hi!
> 
> >  static void
> > -bgp_close(struct bgp_proto *p UNUSED)
> > +bgp_close(struct bgp_proto *p)
> >  {
> >    ASSERT(bgp_counter);
> >    bgp_counter--;
> > +
> > +  if (p->cf->password)
> > +    sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL);
> > +
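Review bot: the return value of sk_set_md5_auth() is discarded in bgp_close(), although the function (as defined further down in the patch) returns an int; if the setsockopt() that deletes the key fails, the stale (remote_ip, password) entry silently stays on the shared listening socket. Suggest checking the result and logging the failure, and adding a one-line comment saying why the key lives on the listening socket at all, since that is exactly the question this hunk raises for a reader.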
> 
> I do not understand this: Why do you change the MD5 auth state on the
> listening socket?

AFAIK we have to set the (address, password) pairs even before a new connection
is established, otherwise signed SYN packets are dropped and the connection
wouldn't establish.
 
> > diff -uprN bird-as4/sysdep/linux/sysio.h bird-as4-md5/sysdep/linux/sysio.h
> > --- bird-as4/sysdep/linux/sysio.h	2000-05-11 18:30:56.000000000 +0200
> > +++ bird-as4-md5/sysdep/linux/sysio.h	2008-10-06 23:24:45.000000000 +0200
> > @@ -139,3 +139,24 @@ static inline char *sysio_mcast_join(soc
> >  #endif
> >  
> >  #endif
> > +
> > +#include <linux/socket.h>
> > +#include <linux/tcp.h>
> > +
> > +/* For the case that we have older kernel headers */
> > +/* Copied from Linux kernel file include/linux/tcp.h */
> > +
> > +#ifndef TCP_MD5SIG
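Review bot: the new block starts after the two `#endif` lines that end the existing file, so if the second `#endif` closes an include guard the `#include <linux/tcp.h>` and the TCP_MD5SIG fallback sit outside it and are re-evaluated on every inclusion; they belong inside the guard. Also, `<linux/tcp.h>` is included unconditionally here, and pulling it into a translation unit that also sees glibc's `<netinet/tcp.h>` is known to produce duplicate definitions of `struct tcphdr`; since the comment says the intent is only to cover old headers, copying just the `TCP_MD5SIG` constant and `struct tcp_md5sig` under the `#ifndef` (without the kernel include) would avoid that.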
> 
> Do we want to support so old kernel headers?

Kernel headers in current Debian don't contain TCP_MD5SIG,
so I need it to compile Bird on my computer.

> > + * FIXME: check portability
> 
> Probably none ;)

I tried to google it and it seems to me that FreeBSD uses the same
setsockopt() optval name, but I don't know the details yet.

> > +int
> > +sk_set_md5_auth(sock *s, ip_addr a, char *passwd)
> > +{
> > +  sockaddr sa;
> > +  fill_in_sockaddr(&sa, a, 0);
> > +  return sk_set_md5_auth_int(s, &sa, passwd);
> > +}
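Review bot: besides the missing documentation comment, the contract that `passwd == NULL` removes the key (which bgp_close() relies on) and the kernel's key-length limit (TCP_MD5SIG_MAXKEYLEN, 80 bytes; longer keys make setsockopt() fail with EINVAL) should be stated here, and the length checked before the option is built so that a misconfigured password produces a clear error rather than an opaque setsockopt() failure. Taking `passwd` as `const char *` would also document that the string is only read.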
> 
> Please add a documentation comment for this function.

OK
 
> > +  if (s->password != NULL)
> 
> `if (s->password)' is enough :)  [and consistent with the rest of the code]

I personally prefer the != NULL variant as more readable, but consistency is
a stronger argument :-).

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."