Bird2: BGP password & setkey

Ondrej Zajicek santiago at crfreenet.org
Thu Mar 8 23:57:43 CET 2018


On Thu, Mar 08, 2018 at 10:02:32PM +0000, Leo Vandewoestijne wrote:
> Hello,
> 
> 
> The setkey option caught my attention when reading the 2.x manual...
> 
> I'm using FreeBSD 11.1 and was trying to have Bird manage the IPSEC (MD5 checksum),
> which I've successfully done already in OpenBGPd before NIC.CZ picked up the Bird project.
> So I have a number of upstream peers that have it enabled.
> When the password option arrived in Bird I still used setkey,
> but in the later 1.x releases I needed to use only the 'password' option in bird.conf,
> and had to drop my IPSEC settings at the OS level.
> 
> When I now -using bird 2.0.1- put in a BGP protocol block:
> 
> 	password "bla";
> 	setkey enabled;

Hello

Correct values are yes/no/on/off and nothing (means yes). But 'yes' is
the default value, so you do not need to use the 'setkey' option. It is
supposed to work in the same way as in BIRD 1.6.x and there are almost
no related changes between 1.6.x and 2.0.x.

Aren't there any errors in logs? Could you verify that you have different
behavior in plain 1.6.3 and 2.0.1 without IPSEC settings at the OS level?


> But... having `setkey` in bird.conf -or not- doesn't seem to make any difference.
> Meaning I still need to define the password both my regular IPSEC settings AND those in Bird.
> So yes, I got it working, but -reading the manual- I highly doubt double config was intended.
> 
> What is the correct/simple/efficient method to do this?

Just use 'password'.

> FYI in /etc/rc.conf I still have:
> 
> 	ipsec_enable="YES"
> 	ipsec_program="/sbin/setkey"
> 	ipsec_file="/etc/setkey.conf"
> 
> The double config also makes me wonder if I might be confusing things;
> I find both "IPSEC" or "MD5 TCP checksum" sound like improving authenticity of a transport,
> where "BGP password" -to me- sounds like authentication.
> But reading both the Bird manual as well as the setkey manual it looks like that's the same thing.
> 
> Anyway, I also discovered you can set a password in a template (which I use in a cascading way),
> and further on can overwrite/reset it for particular sessions using `password "";`.
> As the manual doesn't mention it, I'm unsure if that's a bug or a feature, but that's very nice!

Well, I am unsure too ;-). Using `password "";` to disable inherited
password seems to work on BSD, but not on Linux.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
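For readers following the thread, here is an added bird.conf fragment (not from the original mail or from the BIRD project) showing the template-based password inheritance and the per-session `password "";` override Leo describes; the AS numbers, addresses and protocol names are made-up placeholders, and the override is only reported above to work on BSD, not Linux.

```conf
# BIRD 2.x example (constructed for illustration): one TCP-MD5 secret
# shared by a template, inherited by the sessions built from it.
template bgp upstreams {
    local as 64496;            # placeholder local AS
    password "bla";            # TCP-MD5 secret, as in the mail
    # setkey yes;              # default on BSD, so the line is not needed
    ipv4 {
        import all;
        export none;
    };
}

# Inherits the password from the template; BIRD installs the
# TCP-MD5 key itself, so no matching /etc/setkey.conf entry is required.
protocol bgp upstream1 from upstreams {
    neighbor 192.0.2.1 as 64500;    # placeholder peer
}

# Same template, but the inherited password is cleared for this one
# session with an empty string (observed to work on BSD, not on Linux).
protocol bgp upstream2 from upstreams {
    neighbor 198.51.100.1 as 64501; # placeholder peer
    password "";
}
```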