Fwd: Bird / OpenBSD / BGP MD5 authentication walkthrough

Darren Marshall darren at tuff.org.uk
Wed Feb 22 15:10:11 CET 2017


Hi Stuart,

Thanks for the info, not exactly what I was hoping to hear! I wonder why
your tests configuring outside of Bird didn't work? Would you mind sharing
your sample /etc/ipsec.conf file?

You are right, it is inconvenient having to configure the keys outside of
Bird, but right now I'd settle for that if I can get a working neighborship
using MD5 auth!

Thanks, Darren

On 22 February 2017 at 12:41, Stuart Henderson <stu at spacehopper.org> wrote:

> On 2017/02/21 16:01, Darren Marshall wrote:
> >
> > I'm googling like crazy and can't seem to find an example of how to
> > configure MD5 authentication between BGP peers using Bird running on
> > OpenBSD, does someone out there have a guide for this? The Bird config
> > is straightforward but I'm missing the 'glue' at the OS level! Also
> > does anyone know if the stock Generic kernel supports TCP MD5
> > signatures out of the box (OpenBSD 6.0), looking at the kernel config
> > file it would appear it has the option compiled in, anyone know how to
> > check?
> >
> > Many thanks in advance!
> >
> > daz
> >
>
> Some general information about TCP MD5 on OpenBSD:
>
> - The stock kernel _does_ have this compiled in.
>
> - The listening socket needs to use setsockopt TCP_MD5SIG.
>
> - SAs should be set up for peers with whom you want to use MD5. If an
> incoming connection matches an SA but does not have valid MD5 it will be
> rejected. Connections from other addresses will be allowed. OpenBGPd does
> this automatically.
>
> Regarding BIRD:
>
> - The relevant setsockopt TCP_MD5SIG bits are already present in sysio.h
> (including for OpenBSD) so in theory it would be possible to configure
> TCPMD5 SAs outside of BIRD (using isakmpd+ipsecctl with config in
> /etc/ipsec.conf), but it's inconvenient to configure this separately.
> Also it appears that it wants a raw key (so the usual "md5 password"
> would need to be converted manually for this).
>
> - BIRD has code in sysdep/bsd/setkey.h to configure SAs automatically on
> FreeBSD so it wouldn't be a huge stretch to adapt that for OpenBSD
> (it might be helpful to xref with OpenBGP's pfkey.c) and there's an
> #ifdef in sysdep/bsd/sysio.h that would need changing.
>
> Having just had a quick play with the ipsecctl bits and not getting it
> to work that way, adapting setkey.h definitely has to be the saner route.
>
>
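To make the "raw key" point concrete, here is an added example (my own, not code from the thread or from the BIRD project) that converts an ASCII BGP MD5 password into the hex authkey form and emits the pair of tcpmd5 SA rules for /etc/ipsec.conf. It assumes the `tcpmd5 from A to B spi N authkey 0x...` rule syntax as documented in ipsec.conf(5); the addresses, SPIs and password are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the BIRD project.
# Converts an ASCII BGP "md5 password" into the raw hex key that ipsecctl(8)
# wants in /etc/ipsec.conf, and prints one tcpmd5 SA rule per direction.
# Assumption: rule syntax "tcpmd5 from A to B spi N authkey 0x..." as in
# ipsec.conf(5). Addresses and SPIs below are constructed sample values.

# ASCII password -> lowercase hex string without the 0x prefix.
# Uses POSIX od(1) so it behaves the same on OpenBSD and Linux.
bgp_md5_hexkey() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Print both SAs for one peering.
# $1 local address, $2 peer address, $3 shared password, $4 base SPI
# (the two directions need distinct SPIs, so base and base+1 are used).
tcpmd5_rules() {
    local_ip=$1; peer_ip=$2; password=$3; spi_base=${4:-0x1000}
    key=$(bgp_md5_hexkey "$password") || return 1
    # An empty key would silently install an SA that authenticates nothing.
    [ -n "$key" ] || return 1
    spi_out=$(printf '0x%x' $(( $spi_base )))
    spi_in=$(printf '0x%x' $(( $spi_base + 1 )))
    printf 'tcpmd5 from %s to %s spi %s authkey 0x%s\n' \
        "$local_ip" "$peer_ip" "$spi_out" "$key"
    printf 'tcpmd5 from %s to %s spi %s authkey 0x%s\n' \
        "$peer_ip" "$local_ip" "$spi_in" "$key"
}

# Usage (constructed addresses):
#   tcpmd5_rules 192.0.2.1 192.0.2.2 'secret' 0x1000 > /etc/ipsec.conf
#   ipsecctl -f /etc/ipsec.conf    # load the SAs into the kernel on OpenBSD
```

The same password string must be given, in the same hex form, on both ends of the peering; only the SPIs differ per direction.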