Fwd: Bird / OpenBSD / BGP MD5 authentication walkthrough

Stuart Henderson stu at spacehopper.org
Wed Feb 22 13:41:57 CET 2017


On 2017/02/21 16:01, Darren Marshall wrote:
> 
> I'm googling like crazy and can't seem to find an example of how to
> configure MD5 authentication between BGP peers using Bird running on
> OpenBSD,  does someone out there have a guide for this? The Bird config
> is straightforward but I'm missing the 'glue' at the OS level! Also
> does anyone know if the stock Generic kernel supports TCP MD5
> signatures out of the box (OpenBSD 6.0) , looking at the kernel config
> file it would appear it has the option compiled in , anyone know how to
> check?.
> 
> Many thanks in advance!
> 
> daz
> 

Some general information about TCP MD5 on OpenBSD:

- The stock kernel _does_ have this compiled in.

- The listening socket needs to use setsockopt TCP_MD5SIG.

- SAs should be setup for peers with whom you want to use MD5. If an
incoming connection matches an SA but does not have valid MD5 it will be
rejected. Connections from other addresses will be allowed. OpenBGPd does
this automatically.

Regarding BIRD:

- The relevant setsockopt TCP_MD5SIG bits are already present in sysio.h
(including for OpenBSD) so in theory it would be possible to configure
TCPMD5 SAs outside of BIRD (using isakmpd+ipsecctl with config in
/etc/ipsec.conf), but it's inconvenient to configure this separately.
Also it appears that it wants a raw key (so the usual "md5 password"
would need to be converted manually for this).

- BIRD has code in sysdep/bsd/setkey.h to configure SAs automatically on
FreeBSD so it wouldn't be a huge stretch to adapt that for OpenBSD
(it might be helpful to xref with OpenBGP's pfkey.c) and there's an
#ifdef in sysdep/bsd/sysio.h that would need changing.

Having just had a quick play with the ipsecctl bits and not getting it
to work that way, adapting setkey.h definitely has to be the saner route.



More information about the Bird-users mailing list