Bird2: BGP password & setkey

Leo Vandewoestijne bird at unicycle.net
Thu Mar 8 23:02:32 CET 2018


Hello,


The setkey option caught my attention when reading the 2.x manual...

I'm using FreeBSD 11.1 and was trying to have Bird manage the IPSEC (MD5 checksum),
which I've successfully done already in OpenBGPd before NIC.CZ picked up the Bird project.
So I have a number of upstream peers that have it enabled.
When the password option arrived in Bird I still used setkey,
but in the later 1.x releases I needed to use only the 'password' option in bird.conf,
and had to drop my IPSEC settings at the OS level.

When I now -using bird 2.0.1- put in a BGP protocol block:

	password "bla";
	setkey enabled;

I get returned:

	bird: /usr/local/etc/bird.conf, line 42: Number expected

So therefore (after `enabled/disabled`) I tried `1/0`, and then `yes/no`, even `true/false`.
But nothing seems to make the behaviour different. What was allowed was:

	password "bla";
	setkey;

But... having `setkey` in bird.conf -or not- doesn't seem to make any difference.
Meaning I still need to define the password both in my regular IPSEC settings AND in Bird.
So yes, I got it working, but -reading the manual- I highly doubt double config was intended.

What is the correct/simple/efficient method to do this?


FYI in /etc/rc.conf I still have:

	ipsec_enable="YES"
	ipsec_program="/sbin/setkey"
	ipsec_file="/etc/setkey.conf"

The double config also makes me wonder if I might be confusing things;
I find that both "IPSEC" and "MD5 TCP checksum" sound like improving the authenticity of a transport,
where "BGP password" -to me- sounds like authentication.
But reading both the Bird manual as well as the setkey manual it looks like that's the same thing.




Anyway, I also discovered you can set a password in a template (which I use in a cascading way),
and further on you can overwrite/reset it for particular sessions using `password "";`.
As the manual doesn't mention it, I'm unsure if that's a bug or a feature, but that's very nice!

Another nice new behaviour I discovered is that now you can have mixed (enabled/disabled) sessions
on the same interface (which -in my case- has multiple IPs). In 1.6 I never got that working.


-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>
<www.dns.company>
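A worked example of what the "BGP password" and the setkey `tcp-md5` key both feed, added here as an illustration and not code from the post, from BIRD or from FreeBSD. The "MD5 checksum" the post refers to is the TCP MD5 Signature option of RFC 2385: the digest in every segment is computed over the pseudo-header, the TCP header, the payload and, last, the shared secret. So the password is not a checksum for transport integrity alone; it is the key of a per-segment MAC, and the BIRD `password` and the kernel SA installed with setkey must carry the same secret because they are the same key. The script below signs and verifies a constructed BGP KEEPALIVE segment with the post's password "bla"; it is IPv4-only, and the addresses (TEST-NET-1), ports, sequence numbers and payload are all constructed for the example.

```python
"""RFC 2385 TCP MD5 Signature: sign and verify one segment.

Added example, not code from the post, BIRD or FreeBSD. IPv4 only;
all addresses, ports and the payload below are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19      # option kind assigned to the RFC 2385 signature
MD5SIG_OPT_LEN = 18     # kind(1) + length(1) + 16-byte digest


def build_tcp_header(sport, dport, seq, ack, doff_words, flags, window):
    """Fixed 20-byte TCP header, checksum and urgent pointer zeroed.

    doff_words is the data offset in 32-bit words: 5 means no options,
    10 means 20 bytes of options (the NOP,NOP,MD5SIG layout used here).
    """
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (doff_words << 12) | flags, window, 0, 0)


def tcp_md5_signature(src_ip, dst_ip, tcp_header, options, payload, key):
    """16-byte RFC 2385 digest over pseudo-header, header (checksum zeroed),
    payload and finally the key. The option bytes are NOT hashed, only their
    length counts (via the TCP length in the pseudo-header), which is what
    lets the option carry the digest without hashing itself."""
    if len(tcp_header) != 20:
        raise ValueError("pass the fixed 20-byte header; options go separately")
    tcp_len = len(tcp_header) + len(options) + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    header_no_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    digest = hashlib.md5()
    for part in (pseudo, header_no_csum, payload, key):
        digest.update(part)
    return digest.digest()


def sign_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Return the 20-byte option block NOP,NOP,MD5SIG(digest) for a segment."""
    prefix = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, MD5SIG_OPT_LEN])
    # Only the option block's length is covered, so a zero-filled
    # placeholder of the final size gives the right TCP length.
    placeholder = prefix + b"\x00" * 16
    return prefix + tcp_md5_signature(src_ip, dst_ip, tcp_header,
                                      placeholder, payload, key)


def parse_tcp_options(options):
    """[(kind, data), ...]; EOL (0) ends the list, NOP (1) has no length."""
    parsed, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def verify_segment(src_ip, dst_ip, tcp_header, options, payload, key):
    """True only if exactly one well-formed MD5SIG option matches the key.
    A keyed connection drops unsigned segments (RFC 2385), hence False."""
    sigs = [d for k, d in parse_tcp_options(options) if k == TCPOPT_MD5SIG]
    if len(sigs) != 1 or len(sigs[0]) != 16:
        return False
    expected = tcp_md5_signature(src_ip, dst_ip, tcp_header, options, payload, key)
    return hmac.compare_digest(sigs[0], expected)


def demo():
    """Constructed BGP KEEPALIVE to port 179, signed with the post's password."""
    src, dst = "192.0.2.1", "192.0.2.2"          # constructed TEST-NET-1 addresses
    key = b"bla"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"    # marker, length 19, type 4
    hdr = build_tcp_header(sport=40000, dport=179, seq=1, ack=1,
                           doff_words=10, flags=0x018, window=65535)
    opts = sign_segment(src, dst, hdr, keepalive, key)
    return (
        verify_segment(src, dst, hdr, opts, keepalive, key),         # genuine
        verify_segment(src, dst, hdr, opts, keepalive, b"wrong"),    # other key
        verify_segment(src, dst, hdr, opts, keepalive + b"x", key),  # payload altered
        verify_segment(src, dst, hdr, b"", keepalive, key),          # option stripped
    )


if __name__ == "__main__":
    print(demo())
```

The four results are True, False, False, False: a peer without the secret cannot produce an acceptable segment, an on-path change to the payload breaks the digest, and stripping the option does not bypass the check. That is authentication of the peer and integrity of each segment at once, which is why the two names in the post describe one mechanism. On FreeBSD the key lives in the kernel's SA database (the `tcp-md5` entries that setkey loads), and as far as I can tell the BIRD 2 manual documents `setkey` as a switch controlling whether BIRD installs those SAs itself, which would explain the "Number expected" complaint when it is given a bare keyword; the exact accepted values are best checked against the 2.0.1 manual rather than guessed.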

