<div dir="ltr">Hi Stuart,<div><br></div><div>Thanks for the info, not exactly what I was hoping to hear!. I wonder why your tests configuring outside of Bird didn't work?, would you mind sharing your sample /etc/ipsec.conf file ?. </div><div><br></div><div>You are right , it is inconvenient having to configure the keys outside of Bird, but right now I'd settle for that if I can get a working neighborship using MD5 auth!</div><div><br></div><div>Thanks Darren</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 22 February 2017 at 12:41, Stuart Henderson <span dir="ltr"><<a href="mailto:stu@spacehopper.org" target="_blank">stu@spacehopper.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2017/02/21 16:01, Darren Marshall wrote:<br>
><br>
> I'm googling like crazy and can't seem to find an example of how to<br>
> configure MD5 authentication between BGP peers using Bird running on<br>
> OpenBSD, does someone out there have a guide for this? The Bird config<br>
> is straightforward but I'm missing the 'glue' at the OS level! Also<br>
> does anyone know if the stock Generic kernel supports TCP MD5<br>
> signatures out of the box (OpenBSD 6.0) , looking at the kernel config<br>
> file it would appear it has the option compiled in , anyone know how to<br>
> check?.<br>
><br>
> Many thanks in advance!<br>
><br>
> daz<br>
><br>
<br>
Some general information about TCP MD5 on OpenBSD:<br>
<br>
- The stock kernel _does_ have this compiled in.<br>
<br>
- The listening socket needs to use setsockopt TCP_MD5SIG.<br>
<br>
- SAs should be setup for peers with whom you want to use MD5. If an<br>
incoming connection matches an SA but does not have valid MD5 it will be<br>
rejected. Connections from other addresses will be allowed. OpenBGPd does<br>
this automatically.<br>
<br>
Regarding BIRD:<br>
<br>
- The relevant setsockopt TCP_MD5SIG bits are already present in sysio.h<br>
(including for OpenBSD) so in theory it would be possible to configure<br>
TCPMD5 SAs outside of BIRD (using isakmpd+ipsecctl with config in<br>
/etc/ipsec.conf), but it's inconvenient to configure this separately.<br>
Also it appears that it wants a raw key (so the usual "md5 password"<br>
would need to be converted manually for this).<br>
<br>
- BIRD has code in sysdep/bsd/setkey.h to configure SAs automatically on<br>
FreeBSD so it wouldn't be a huge stretch to adapt that for OpenBSD<br>
(it might be helpful to xref with OpenBGP's pfkey.c) and there's an<br>
#ifdef in sysdep/bsd/sysio.h that would need changing.<br>
<br>
Having just had a quick play with the ipsecctl bits and not getting it<br>
to work that way, adapting setkey.h definitely has to be the saner route.<br>
<br>
</blockquote></div><br></div>