Support for MD5 authentication in BGP
Hello,

Here is a patch adding MD5 authentication to BGP. It is not tested yet.

--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hi!
static void -bgp_close(struct bgp_proto *p UNUSED) +bgp_close(struct bgp_proto *p) { ASSERT(bgp_counter); bgp_counter--; + + if (p->cf->password) + sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL); +
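Review bot: the int returned by sk_set_md5_auth() (see its definition later in this patch) is discarded in bgp_close(), so a failed key removal would leave a stale (remote_ip, password) entry on bgp_listen_sk with nothing reported; check the return value and report the failure, since the listening socket is shared by every BGP instance.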
I do not understand this: Why do you change the MD5 auth state on the listening socket?
diff -uprN bird-as4/sysdep/linux/sysio.h bird-as4-md5/sysdep/linux/sysio.h --- bird-as4/sysdep/linux/sysio.h 2000-05-11 18:30:56.000000000 +0200 +++ bird-as4-md5/sysdep/linux/sysio.h 2008-10-06 23:24:45.000000000 +0200 @@ -139,3 +139,24 @@ static inline char *sysio_mcast_join(soc #endif
#endif + +#include <linux/socket.h> +#include <linux/tcp.h> + +/* For the case that we have older kernel headers */ +/* Copied from Linux kernel file include/linux/tcp.h */ + +#ifndef TCP_MD5SIG
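Review bot: the `#ifndef TCP_MD5SIG` fallback only fixes compilation against older headers; a running kernel without the option still rejects the setsockopt() at runtime, so callers of sk_set_md5_auth() must treat a non-zero return as a hard error rather than assume support. Because the definitions are "Copied from Linux kernel file include/linux/tcp.h", the copied `struct tcp_md5sig` has to match the kernel's layout exactly, as the kernel copies the option structure in as-is.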
Do we want to support so old kernel headers?
+ * FIXME: check portability
Probably none ;)
+int +sk_set_md5_auth(sock *s, ip_addr a, char *passwd) +{ + sockaddr sa; + fill_in_sockaddr(&sa, a, 0); + return sk_set_md5_auth_int(s, &sa, passwd); +}
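Review bot: the documentation comment Martin asks for should spell out the NULL-passwd-means-remove convention that bgp_close() already relies on, since nothing in this signature shows it; `passwd` could also be `const char *` if sk_set_md5_auth_int() only reads the key, and the deliberate port 0 in fill_in_sockaddr(&sa, a, 0) deserves a word, as the kernel keys the entry on the peer address alone.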
Please add a documentation comment for this function.
+ if (s->password != NULL)
`if (s->password)' is enough :) [and consistent with the rest of the code]

Have a nice fortnight

--
Martin `MJ' Mares <mj@ucw.cz> http://mj.ucw.cz/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
"Anyone can build a fast CPU. The trick is to build a fast system." -- S. Cray
On Tue, Oct 07, 2008 at 10:42:55AM +0200, Martin Mares wrote:
Hi!
static void -bgp_close(struct bgp_proto *p UNUSED) +bgp_close(struct bgp_proto *p) { ASSERT(bgp_counter); bgp_counter--; + + if (p->cf->password) + sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL); +
I do not understand this: Why do you change the MD5 auth state on the listening socket?
AFAIK we have to set the (address, password) pairs even before a new connection is established, otherwise signed SYN packets are dropped and the connection wouldn't establish.
diff -uprN bird-as4/sysdep/linux/sysio.h bird-as4-md5/sysdep/linux/sysio.h --- bird-as4/sysdep/linux/sysio.h 2000-05-11 18:30:56.000000000 +0200 +++ bird-as4-md5/sysdep/linux/sysio.h 2008-10-06 23:24:45.000000000 +0200 @@ -139,3 +139,24 @@ static inline char *sysio_mcast_join(soc #endif
#endif + +#include <linux/socket.h> +#include <linux/tcp.h> + +/* For the case that we have older kernel headers */ +/* Copied from Linux kernel file include/linux/tcp.h */ + +#ifndef TCP_MD5SIG
Do we want to support so old kernel headers?
Kernel headers in current Debian don't contain TCP_MD5SIG, so I need it to compile Bird on my computer.
+ * FIXME: check portability
Probably none ;)
I tried to google it and it seems to me that FreeBSD uses the same setsockopt() optval name, but I don't know the details yet.
+int +sk_set_md5_auth(sock *s, ip_addr a, char *passwd) +{ + sockaddr sa; + fill_in_sockaddr(&sa, a, 0); + return sk_set_md5_auth_int(s, &sa, passwd); +}
Please add a documentation comment for this function.
OK
+ if (s->password != NULL)
`if (s->password)' is enough :) [and consistent with the rest of the code]
I personally prefer the != NULL variant as more readable, but consistency is a stronger argument :-).

--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hi!
AFAIK we have to set the (address, password) pairs even before a new connection is established, otherwise signed SYN packets are dropped and the connection wouldn't establish.
OK. I mistakenly believed that the kernel remembers only a single password per socket, but apparently it keeps a list of (peer address, password) pairs, so it should work even with the single listening socket we have.
Kernel headers in current Debian don't contain TCP_MD5SIG, so I need it to compile Bird on my computer.
OK.
Probably none ;)
I tried to google it and it seems to me that FreeBSD uses the same setsockopt() optval name, but I don't know the details yet.
It is probably not necessary at this moment as we do not have a BSD port yet anyway.

Have a nice fortnight

--
Martin `MJ' Mares <mj@ucw.cz> http://mj.ucw.cz/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
Air conditioned environment -- Do not open Windows.
Martin Mares wrote:
Hi!
Probably none ;)

I tried to google it and it seems to me that FreeBSD uses the same setsockopt() optval name, but I don't know the details yet.
It is probably not necessary at this moment as we do not have a BSD port yet anyway.
??? I wrote the BSD port 2 years ago. I will test it.

Ondrej
Have a nice fortnight
Hi!
It is probably not necessary at this moment as we do not have a BSD port yet anyway.
??? I wrote the BSD port 2 years ago. I will test it.
I completely forgot that :-)

Have a nice fortnight

--
Martin `MJ' Mares <mj@ucw.cz> http://mj.ucw.cz/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
main(){char *s="main(){char *s=%c%s%c;printf(s,34,s,34);}";printf(s,34,s,34);}
participants (3)
- Martin Mares
- Ondrej Filip
- Ondrej Zajicek