Fwd: Bird / OpenBSD / BGP MD5 authentication walkthrough
I'm googling like crazy and can't seem to find an example of how to configure MD5 authentication between BGP peers using Bird running on OpenBSD. Does someone out there have a guide for this? The Bird config is straightforward but I'm missing the 'glue' at the OS level! Also, does anyone know if the stock GENERIC kernel supports TCP MD5 signatures out of the box (OpenBSD 6.0)? Looking at the kernel config file it would appear it has the option compiled in; anyone know how to check?
Many thanks in advance!
daz
On 2017/02/21 16:01, Darren Marshall wrote:
I'm googling like crazy and can't seem to find an example of how to configure MD5 authentication between BGP peers using Bird running on OpenBSD. Does someone out there have a guide for this? The Bird config is straightforward but I'm missing the 'glue' at the OS level! Also, does anyone know if the stock GENERIC kernel supports TCP MD5 signatures out of the box (OpenBSD 6.0)? Looking at the kernel config file it would appear it has the option compiled in; anyone know how to check?
Many thanks in advance!
daz
Some general information about TCP MD5 on OpenBSD:
- The stock kernel _does_ have this compiled in.
- The listening socket needs to use setsockopt TCP_MD5SIG.
- SAs should be set up for peers with whom you want to use MD5. If an incoming connection matches an SA but does not have valid MD5 it will be rejected. Connections from other addresses will be allowed. OpenBGPd does this automatically.
Regarding BIRD:
- The relevant setsockopt TCP_MD5SIG bits are already present in sysio.h (including for OpenBSD), so in theory it would be possible to configure TCPMD5 SAs outside of BIRD (using isakmpd+ipsecctl with config in /etc/ipsec.conf), but it's inconvenient to configure this separately. Also it appears that it wants a raw key (so the usual "md5 password" would need to be converted manually for this).
- BIRD has code in sysdep/bsd/setkey.h to configure SAs automatically on FreeBSD, so it wouldn't be a huge stretch to adapt that for OpenBSD (it might be helpful to xref with OpenBGP's pfkey.c), and there's an #ifdef in sysdep/bsd/sysio.h that would need changing.
Having just had a quick play with the ipsecctl bits and not getting it to work that way, adapting setkey.h definitely has to be the saner route.
Hi Stuart,
Thanks for the info, not exactly what I was hoping to hear! I wonder why your tests configuring outside of Bird didn't work? Would you mind sharing your sample /etc/ipsec.conf file?
You are right, it is inconvenient having to configure the keys outside of Bird, but right now I'd settle for that if I can get a working neighborship using MD5 auth!
Thanks
Darren
On 22 February 2017 at 12:41, Stuart Henderson <stu@spacehopper.org> wrote:
On 2017/02/22 14:10, Darren Marshall wrote:
Hi Stuart,
Thanks for the info, not exactly what I was hoping to hear! I wonder why your tests configuring outside of Bird didn't work? Would you mind sharing your sample /etc/ipsec.conf file?
You are right, it is inconvenient having to configure the keys outside of Bird, but right now I'd settle for that if I can get a working neighborship using MD5 auth!
Aha: I've figured out a bit more, and got it to actually connect. The bit I was missing: bird.conf still needs to have "password" set in the config, though the actual value isn't used.
ipsec.conf format is like this:
tcpmd5 from 192.0.2.1 to 192.0.2.2 spi 0xe1234567:0xf1234567 \
    authkey 6d656b6d697461736469676f6174:6d656b6d697461736469676f6174
The SPI numbers need to be unique on the system; two different ones need to be given, one for each direction. The key also needs to be repeated for both directions. (So, 2x different values for SPI, 2x same for key.)
As I mentioned, ipsecctl only allows setting a hex key. This is just the ASCII characters converted to hex; you can convert like this:
$ echo -n mekmitasdigoat | hexdump -e '/1 "%02x"'; echo
6d6b656d736174696f6769647461
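As an added example (not part of the thread, and not BIRD or OpenBSD project code), the following shell script builds the ipsec.conf tcpmd5 line in the shape Stuart describes: it converts an ASCII BGP password to the hex key ipsecctl wants, repeats that key for both directions, and refuses to emit a line unless the two SPIs are distinct, well-formed hex values. It uses od(1) rather than hexdump because od is POSIX and present on every BSD and Linux; the function and variable names are my own. The expected hex for the classic test password mekmitasdigoat is the value that appears in the authkey line above.

```shell
#!/bin/sh
# Added example: generate an ipsec.conf(5) "tcpmd5" rule for a BGP peer.
# Names (to_hex, is_spi, tcpmd5_rule) are this example's, not BIRD's or OpenBSD's.

# to_hex STRING -> the bytes of STRING as lowercase hex, one contiguous run.
# printf '%s' avoids the trailing newline that a plain echo would add to the key.
to_hex() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}

# is_spi VALUE -> succeeds if VALUE is a 0x-prefixed hex SPI of 1..8 digits.
is_spi() {
    case "$1" in
        0x[0-9a-fA-F]*)
            hex=${1#0x}
            [ "${#hex}" -ge 1 ] && [ "${#hex}" -le 8 ] &&
            [ -z "$(printf '%s' "$hex" | tr -d '0-9a-fA-F')" ]
            ;;
        *) return 1 ;;
    esac
}

# tcpmd5_rule LOCAL REMOTE SPI_IN SPI_OUT PASSWORD
# Prints one tcpmd5 line. The same hex key is used in both directions
# (as the thread notes), while the two SPIs must differ and be unique
# on the system; uniqueness across other SAs is for the operator to check.
tcpmd5_rule() {
    local_ip=$1; remote_ip=$2; spi_in=$3; spi_out=$4; password=$5
    if ! is_spi "$spi_in" || ! is_spi "$spi_out"; then
        echo "error: SPIs must be 0x-prefixed hex values (max 32 bits)" >&2
        return 1
    fi
    if [ "$spi_in" = "$spi_out" ]; then
        echo "error: the two SPIs must differ (one per direction)" >&2
        return 1
    fi
    if [ -z "$password" ]; then
        echo "error: empty password" >&2
        return 1
    fi
    key=$(to_hex "$password")
    printf 'tcpmd5 from %s to %s spi %s:%s \\\n\tauthkey %s:%s\n' \
        "$local_ip" "$remote_ip" "$spi_in" "$spi_out" "$key" "$key"
}

# Demonstration with the constructed values used in the thread.
tcpmd5_rule 192.0.2.1 192.0.2.2 0xe1234567 0xf1234567 mekmitasdigoat
```

The generated line goes into /etc/ipsec.conf, which should stay readable by root only since it now holds the peer secret in clear hex; `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, which is a cheap check before enabling it. The same password (and therefore the same hex key) must be configured on the remote peer, and bird.conf still needs the `password` option set for the session, as noted above.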
Stuart,
Brilliant, many thanks for your support, really appreciate it. As soon as I am able (busy racking kit today), I'll give it a shot and let you know the outcome.
Cheers
daz
On 22 February 2017 at 14:47, Stuart Henderson <stu@spacehopper.org> wrote:
Stuart, I can confirm this is now working, once again thanks for your help.
Cheers
daz
On 22 February 2017 at 15:37, Darren Marshall <darren@tuff.org.uk> wrote: