<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">
<div class="moz-cite-prefix">Hi, <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I allow myself to jump on this
discussion.<br>
</div>
<div class="moz-cite-prefix">That CVE report is about attacking a
kubernetes cluster running Calico (see the link in the
`References to Advisories, Solutions, and Tools` section in the
NIST CVE). By default, calico doesn't require password
authentication for BGP connections. However, that can be enabled
using the `nodeMeshPassword` on the `BGPConfiguration`
resource. It can also be enabled on peers outside the cluster
using the `password` field of the `BGPPeer` custom resource.
I'm not sure if it's possible to enable it globally for the
listening socket though. Moreover, Calico uses a self-patched,
old, version of Bird. I believe 1.6.8. <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I "think" that CVE was mislabeled and
shouldn't refer to bird as the source of the problem. <br>
</div>
<div class="moz-cite-prefix">I personally use password authentication with
bird without issues. <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Regards,</div>
<div class="moz-cite-prefix">Radu</div>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 3/9/23 08:15, Ondrej Filip wrote:<br>
</div>
<blockquote type="cite"
cite="mid:66a9f866-840d-1795-111a-8381fc31ec82@network.cz">On 09.
03. 23 5:14, William wrote:
<br>
<blockquote type="cite">On 09/03/2023 13:41, Robert Scheck wrote:
<br>
<blockquote type="cite">Hello,
<br>
</blockquote>
</blockquote>
<br>
Hi!
<br>
<br>
<blockquote type="cite">
<blockquote type="cite">
<br>
with <a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=2176483">https://bugzilla.redhat.com/show_bug.cgi?id=2176483</a>, Red
Hat pointed
<br>
me today to CVE-2021-26928.
<a class="moz-txt-link-freetext" href="https://nvd.nist.gov/vuln/detail/CVE-2021-26928">https://nvd.nist.gov/vuln/detail/CVE-2021-26928</a>
<br>
contains a reference to BIRD 2.0.7, but no link related to
BIRD upstream.
<br>
<br>
Do you see any chance for some comments on it (at least here)?
Not sure if
<br>
MITRE adds it then as references at CVE-2021-26928.
<br>
</blockquote>
<br>
I have a PDF of the Bird help documentation that I saved in 2019
(Fossies) that lists password authentication mechanisms as per
RFC2385 with extra options for BSD systems. I'll defer to the
Dev team on this for the final word, but someone has some
crossed wires here.
<br>
</blockquote>
<br>
Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do
not understand this CVE.
<br>
<br>
Ondrej
<br>
<br>
<blockquote type="cite">
<br>
<blockquote type="cite">
<br>
Thank you.
<br>
<br>
<br>
Regards,
<br>
Robert
<br>
</blockquote>
<br>
Regards,
<br>
William
<br>
</blockquote>
<br>
</blockquote>
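<div class="moz-cite-prefix">Added example, not part of this thread and not Calico's or BIRD's own configuration: the two places Radu names for turning on BGP password authentication in Calico, written out as Kubernetes manifests. The resource kinds and fields (<code>BGPConfiguration.spec.nodeMeshPassword</code>, <code>BGPPeer.spec.password</code>, each referencing a Secret through <code>secretKeyRef</code>) are Calico's; the Secret name and key, the namespace, the peer IP and the AS numbers are constructed placeholders.</div>

```yaml
# Added example, not from the thread. Secret name/key, namespace, peer IP and
# AS numbers are constructed placeholders. Assumption: the Secret must live in
# the namespace where calico-node runs (calico-system here) so the node agents
# can read it when they render their BIRD configuration.
apiVersion: v1
kind: Secret
metadata:
  name: bgp-secrets
  namespace: calico-system
type: Opaque
stringData:
  bgp-password: "CHANGE-ME-placeholder"
---
# Node-to-node mesh: every in-cluster BGP session between calico-node agents
# uses the shared password from the Secret above.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  nodeToNodeMeshEnabled: true
  nodeMeshPassword:
    secretKeyRef:
      name: bgp-secrets
      key: bgp-password
---
# Peer outside the cluster (for example a top-of-rack router): the password is
# set per BGPPeer, so a peer that does not present the same secret cannot
# establish a session with the nodes.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: tor-router-example
spec:
  peerIP: 192.0.2.1
  asNumber: 64512
  password:
    secretKeyRef:
      name: bgp-secrets
      key: bgp-password
```

<div class="moz-cite-prefix">Apply the three documents with <code>kubectl apply -f</code> and confirm with <code>calicoctl node status</code> that sessions still reach Established; a peer configured without the matching password will stay down, which is the expected (and desired) failure. Radu's caveat stands: this protects the configured mesh and peer sessions, and the thread does not settle whether unsolicited connections to the listening socket can be rejected globally.</div>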
<p><br>
</p>
</body>
</html>