password for BGP in clear-text in bird.conf file?
Hi, I am not sure if this has been brought up before, but it is very sad that the password for BGP AUTH is in clear-text. Is there anything in progress to rectify or discussion about this? Encoding or encryption of the password would be a very welcome thing. Thanks! Christopher
On Thu, Apr 23, 2015 at 10:05:21AM -0700, Christopher Jay Manders wrote:
Hi,
I am not sure if this has been brought up before, but it is very sad that the password for BGP AUTH is in clear-text.
Is there anything in progress to rectify or discussion about this?
Hi

There is not much to discuss. Because of the way it is used, the password must be in a clear-text-recoverable form. The bird.conf could be protected by unix access rights if necessary.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hi,

I disagree. It is a security issue to have a password stored in clear-text. I think the way to do it is to use birdcl to enter the password but then store it in some type of encrypted form. Perhaps separately from the bird.conf. Even loose encryption like XORing or something would be better than storing a password in clear-text. For real production deployments of bird this needs to be a consideration. That is my feeling.

Thanks!
Christopher

On 4/23/15 10:23, Ondrej Zajicek wrote:
On Thu, Apr 23, 2015 at 10:05:21AM -0700, Christopher Jay Manders wrote:
Hi,
I am not sure if this has been brought up before, but it is very sad that the password for BGP AUTH is in clear-text.
Is there anything in progress to rectify or discussion about this?
Hi
There is not much to discuss. Because of the way it is used, the password must be in a clear-text-recoverable form. The bird.conf could be protected by unix access rights if necessary.
On 25 Apr 2015, at 17:25, Christopher Jay Manders <cjmanders@gmail.com> wrote:
It is a security issue to have a password stored in clear-text.
bird needs to obtain the password in plain text. If bird can decrypt the stored value, so can anything else with file permissions to read the file.

--
Alex Bligh
There is nothing to discuss: as BIRD needs access to the plain-text password, the best way is to store it in plain text. If BIRD encrypted passwords, it would in any case store the key in the local filesystem, or it would be hardcoded in its sources. Cisco, for example, stores those passwords as so-called "type 7" passphrases. Go to Google, type "cisco type 7 password decrypt" and voila - you can easily get the password from Cisco's running-config: just type the encrypted one into the form.

2015-04-25 20:04 GMT+03:00 Alex Bligh <alex@alex.org.uk>:
On 25 Apr 2015, at 17:25, Christopher Jay Manders <cjmanders@gmail.com> wrote:
It is a security issue to have a password stored in clear-text.
bird needs to obtain the password in plain text.
If bird can decrypt the stored value, so can anything else with file permissions to read the file.
-- Alex Bligh
On 2015-04-25 18:25, Christopher Jay Manders wrote:
Even loose encryption like XORing or something would be better than storing a password in clear-text.
It would not be better, as any kind of reversible encryption will give a false sense of security, while security will not be improved at all. If you leave your bird.conf open to anyone untrusted (and in general, allow anyone to read it, or even connect to the system where bird is running), then you are asking for trouble anyway.
For real production deployments of bird this needs to be a consideration.
Real production deployments must never be done on multi-user unsecured systems. Protect the system from snooping, restrict access exactly like you would do in the case of a "traditional" router (cisco, juniper) - and you will be fine. And finally, if the system is compromised - then you have to change *all* your passwords (referenced or used on this system) anyway, regardless of encryption.

Best regards,
Alexander.
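Both Ondrej's and Alexander's replies point at the same control: the clear-text password in bird.conf is protected by unix access rights, not by obfuscation. As an added example (not part of this thread or of BIRD itself), here is a small POSIX shell audit that flags a configuration file that is readable or writable by group or others, or owned by an unexpected account, plus a helper that tightens the mode. The `stat -c` flags are GNU coreutils (BSD/macOS use `stat -f`); the config path and the expected owner are parameters, and the default owner `root` is an assumption about the deployment, not a BIRD default.

```shell
#!/bin/sh
# Added example, not code from the thread or from BIRD: audit the unix access
# rights that protect the clear-text BGP password in a bird.conf-style file.
# Assumes GNU coreutils `stat -c`; path and expected owner are parameters.

# conf_perms_ok PATH
# Succeed only if PATH is a regular file whose group and other permission
# digits are both 0, i.e. only the owner (and root) can read or write it.
conf_perms_ok() {
    path=$1
    [ -f "$path" ] || return 1
    mode=$(stat -c '%a' "$path") || return 1
    # Pad to four octal digits (special, owner, group, other) so digits can be
    # picked by position; string handling avoids octal-vs-decimal arithmetic.
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done
    group=${mode%?}; group=${group#??}   # third digit
    other=${mode#???}                    # fourth digit
    case "$group$other" in
        00) return 0 ;;
        *)  return 1 ;;
    esac
}

# audit_conf PATH [OWNER]
# Print one line per finding and fail if anything is wrong. OWNER defaults to
# root (assumption: the daemon reads its config as root).
audit_conf() {
    path=$1
    want_owner=${2:-root}
    rc=0
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file"
        return 1
    fi
    owner=$(stat -c '%U' "$path")
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owned by $owner, expected $want_owner"
        rc=1
    fi
    if ! conf_perms_ok "$path"; then
        echo "$path: mode $(stat -c '%a' "$path") lets group or others read/write it"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "$path: ok"
    return $rc
}

# harden_conf PATH
# Make the file owner-only (0600). Ownership is left alone: changing it needs
# root and knowledge of the service account, which depends on the deployment.
harden_conf() {
    chmod u=rw,go= "$1"
}

# When run as a script: audit_bird_conf.sh /etc/bird.conf [owner]
if [ $# -gt 0 ]; then
    audit_conf "$1" "${2:-root}"
fi
```

Run it from cron or a configuration-management check against the real path, and treat any finding as a reason to rotate the BGP password, since (as Alexander notes) a readable file means the secret must be considered exposed.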
participants (5)
- Alex Bligh
- Alexander Demenshin
- Christopher Jay Manders
- Ondrej Zajicek
- Stanislav Datskevich