diff -uprN bird-as4/lib/socket.h bird-as4-md5/lib/socket.h
--- bird-as4/lib/socket.h	2004-06-04 20:51:29.000000000 +0200
+++ bird-as4-md5/lib/socket.h	2008-10-15 15:15:58.000000000 +0200
@@ -39,6 +39,7 @@ typedef struct birdsock {
   int fd;				/* System-dependent data */
   node n;
   void *rbuf_alloc, *tbuf_alloc;
+  char *password;				/* Password for MD5 authentication */
 } sock;
 
 sock *sk_new(pool *);			/* Allocate new socket */
@@ -47,6 +48,7 @@ int sk_send(sock *, unsigned len);	/* Se
 int sk_send_to(sock *, unsigned len, ip_addr to, unsigned port); /* sk_send to given destination */
 void sk_reallocate(sock *);		/* Free and allocate tbuf & rbuf */
 void sk_dump_all(void);
+int sk_set_md5_auth(sock *s, ip_addr a, char *passwd);	/* Add or remove security associations for given passive socket */
 
 static inline int
 sk_send_buffer_empty(sock *sk)
diff -uprN bird-as4/proto/bgp/bgp.c bird-as4-md5/proto/bgp/bgp.c
--- bird-as4/proto/bgp/bgp.c	2008-10-15 15:14:13.000000000 +0200
+++ bird-as4-md5/proto/bgp/bgp.c	2008-10-15 15:15:58.000000000 +0200
@@ -78,10 +78,14 @@ static void bgp_setup_listen_sk(void);
 
 
 static void
-bgp_close(struct bgp_proto *p UNUSED)
+bgp_close(struct bgp_proto *p)
 {
   ASSERT(bgp_counter);
   bgp_counter--;
+
+  if (p->cf->password)
+    sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL);
+
   if (!bgp_counter)
     {
       rfree(bgp_listen_sk);
@@ -330,6 +334,7 @@ bgp_connect(struct bgp_proto *p)	/* Ente
   bgp_setup_conn(p, conn);
   bgp_setup_sk(p, conn, s);
   s->tx_hook = bgp_connected;
+  s->password = p->cf->password;
   conn->state = BS_CONNECT;
   if (sk_open(s))
     {
@@ -506,6 +511,7 @@ bgp_start(struct proto *P)
 
   bgp_counter++;
   bgp_setup_listen_sk();
+
   if (!bgp_linpool)
     bgp_linpool = lp_new(&root_pool, 4080);
 
@@ -523,6 +529,17 @@ bgp_start(struct proto *P)
   lock->hook = bgp_start_locked;
   lock->data = p;
   olock_acquire(lock);
+
+  /* We should create security association after we get a lock not to 
+   * break existing connections.
+   */
+  if (p->cf->password)
+    {
+      int rv = sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, p->cf->password);
+      if (rv < 0)
+	return PS_STOP;
+    }
+
   return PS_START;
 }
 
diff -uprN bird-as4/proto/bgp/bgp.h bird-as4-md5/proto/bgp/bgp.h
--- bird-as4/proto/bgp/bgp.h	2008-10-15 15:14:13.000000000 +0200
+++ bird-as4-md5/proto/bgp/bgp.h	2008-10-15 15:15:58.000000000 +0200
@@ -33,6 +33,7 @@ struct bgp_config {
   unsigned error_delay_time_min;	/* Time to wait after an error is detected */
   unsigned error_delay_time_max;
   unsigned disable_after_error;		/* Disable the protocol when error is detected */
+  char *password;			/* Password used for MD5 authentication */
 };
 
 struct bgp_conn {
diff -uprN bird-as4/proto/bgp/config.Y bird-as4-md5/proto/bgp/config.Y
--- bird-as4/proto/bgp/config.Y	2008-10-15 15:14:13.000000000 +0200
+++ bird-as4-md5/proto/bgp/config.Y	2008-10-15 15:15:58.000000000 +0200
@@ -20,7 +20,7 @@ CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HO
 	MULTIHOP, STARTUP, VIA, NEXT, HOP, SELF, DEFAULT, PATH, METRIC,
 	ERROR, START, DELAY, FORGET, WAIT, DISABLE, AFTER,
 	BGP_PATH, BGP_LOCAL_PREF, BGP_MED, BGP_ORIGIN, BGP_NEXT_HOP,
-	BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS)
+	BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS, PASSWORD)
 
 CF_GRAMMAR
 
@@ -38,6 +38,7 @@ bgp_proto_start: proto_start BGP {
      BGP_CFG->error_amnesia_time = 300;
      BGP_CFG->error_delay_time_min = 60;
      BGP_CFG->error_delay_time_max = 300;
+     BGP_CFG->password = NULL;
  }
  ;
 
@@ -65,6 +66,7 @@ bgp_proto:
  | bgp_proto ERROR FORGET TIME expr ';' { BGP_CFG->error_amnesia_time = $5; } 
  | bgp_proto ERROR WAIT TIME expr ',' expr ';' { BGP_CFG->error_delay_time_min = $5; BGP_CFG->error_delay_time_max = $7; }
  | bgp_proto DISABLE AFTER ERROR bool ';' { BGP_CFG->disable_after_error = $5; }
+ | bgp_proto PASSWORD TEXT ';' { BGP_CFG->password = $3; }
  ;
 
 CF_ADDTO(dynamic_attr, BGP_PATH
diff -uprN bird-as4/sysdep/linux/sysio.h bird-as4-md5/sysdep/linux/sysio.h
--- bird-as4/sysdep/linux/sysio.h	2000-05-11 18:30:56.000000000 +0200
+++ bird-as4-md5/sysdep/linux/sysio.h	2008-10-15 15:15:58.000000000 +0200
@@ -139,3 +139,24 @@ static inline char *sysio_mcast_join(soc
 #endif
 
 #endif
+
+#include <linux/socket.h>
+#include <linux/tcp.h>
+
+/* For the case that we have older kernel headers */
+/* Copied from Linux kernel file include/linux/tcp.h */
+
+#ifndef TCP_MD5SIG
+
+#define TCP_MD5SIG  14
+#define TCP_MD5SIG_MAXKEYLEN 80
+
+struct tcp_md5sig {
+  struct __kernel_sockaddr_storage tcpm_addr;     /* address associated */
+  __u16   __tcpm_pad1;                            /* zero */
+  __u16   tcpm_keylen;                            /* key length */
+  __u32   __tcpm_pad2;                            /* zero */
+  __u8    tcpm_key[TCP_MD5SIG_MAXKEYLEN];         /* key (binary) */
+};
+
+#endif
diff -uprN bird-as4/sysdep/unix/io.c bird-as4-md5/sysdep/unix/io.c
--- bird-as4/sysdep/unix/io.c	2008-08-25 14:05:36.000000000 +0200
+++ bird-as4-md5/sysdep/unix/io.c	2008-10-15 15:16:59.000000000 +0200
@@ -546,6 +546,7 @@ sk_new(pool *p)
   s->err_hook = NULL;
   s->fd = -1;
   s->rbuf_alloc = s->tbuf_alloc = NULL;
+  s->password = NULL;
   return s;
 }
 
@@ -642,6 +643,71 @@ bad:
   return err;
 }
 
+
+/* FIXME: check portability  */
+
+static int
+sk_set_md5_auth_int(sock *s, sockaddr *sa, char *passwd)
+{
+  struct tcp_md5sig md5;
+
+  memset(&md5, 0, sizeof(md5));
+  memcpy(&md5.tcpm_addr, (struct sockaddr *) sa, sizeof(*sa));
+
+  if (passwd)
+    {
+      int len = strlen(passwd);
+
+      if (len > TCP_MD5SIG_MAXKEYLEN)
+	{
+	  log(L_ERR "MD5 password too long");
+	  return -1;
+	}
+
+      md5.tcpm_keylen = len;
+      memcpy(&md5.tcpm_key, passwd, len);
+    }
+
+  int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof(md5));
+
+  if (rv < 0) 
+    {
+      if (errno == ENOPROTOOPT)
+	log(L_ERR "Kernel does not support TCP MD5 signatures");
+      else
+	log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
+    }
+
+  return rv;
+}
+
+/**
+ * sk_set_md5_auth - add / remove MD5 security association for given socket.
+ * @s: socket
+ * @a: IP address of the other side
+ * @passwd: password used for MD5 authentication
+ *
+ * In TCP MD5 handling code in kernel, there is a set of pairs
+ * (address, password) used to choose password according to
+ * address of the other side. This function is useful for
+ * listening socket, for active sockets it is enough to set
+ * s->password field.
+ *
+ * When called with passwd != NULL, the new pair is added,
+ * When called with passwd == NULL, the existing pair is removed.
+ *
+ * Result: 0 for success, -1 for an error.
+ */
+
+int
+sk_set_md5_auth(sock *s, ip_addr a, char *passwd)
+{
+  sockaddr sa;
+  fill_in_sockaddr(&sa, a, 0);
+  return sk_set_md5_auth_int(s, &sa, passwd);
+}
+
+
 static void
 sk_tcp_connected(sock *s)
 {
@@ -805,6 +871,14 @@ sk_open(sock *s)
 	ERR("bind");
     }
   fill_in_sockaddr(&sa, s->daddr, s->dport);
+
+  if (s->password)
+    {
+      int rv = sk_set_md5_auth_int(s, &sa, s->password);
+      if (rv < 0)
+	goto bad_no_log;
+    }
+
   switch (type)
     {
     case SK_TCP_ACTIVE:
@@ -846,6 +920,7 @@ sk_open(sock *s)
 
 bad:
   log(L_ERR "sk_open: %s: %m", err);
+bad_no_log:
   close(fd);
   s->fd = -1;
   return -1;