On Tue, Oct 01, 2024 at 03:27:19PM +0000, Job Snijders via Bird-users wrote:
Dear BIRD community,
I think many of us use good ole' TCP-MD5 to authenticate IBGP sessions, even if TCP-MD5 is imperfect from a key-rolling perspective. TCP-MD5 is easy to configure, supported on a broad range of platforms, and beats doing nothing.

RPKI-To-Router (RTR) sessions seem to be of similar security sensitivity to IBGP sessions, but at the moment of writing BIRD offers a choice of either "plain TCP" (meh) or "SSH" (secure, albeit a bit more hassle to set up than TCP-MD5). I'd like to add TCP-MD5 as another option. TCP-MD5 for RTR is specified in RFC 6810 section 7.3 and RFC 8210 section 9.3.
Hi,

Thanks for the patch. Adding TCP-MD5 support makes sense.
Minimal bird.conf:

router id 10.0.0.1;

roa4 table r4;
roa6 table r6;

protocol rpki rpki1 {
  roa4 { table r4; };
  roa6 { table r6; };
  remote 165.254.255.17 port 8282;
  transport tcp password "test";  /* password keyword is new here! */
}
Please, use a sub-block here:

  transport tcp { authentication md5; password "test"; };
+ if (old->password != new->password) + { + CACHE_TRACE(D_EVENTS, cache, "MD5 authentication changed"); + return NEED_RESTART; + }
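Review bot: `old->password != new->password` compares the two pointers rather than the password strings, so an unchanged password in a freshly parsed config is still reported as "MD5 authentication changed" and forces NEED_RESTART, while a NULL on either side is not handled explicitly; compare the contents instead, e.g. `if (bstrcmp(old->password, new->password))`, so that only an actual password change triggers the restart.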
I think you need bstrcmp(old->password, new->password) here.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
"To err is human -- to blame it on a computer is even more so."