Support for MD5 authentication in BGP
Ondrej Zajicek
santiago at crfreenet.org
Tue Oct 7 14:33:59 CEST 2008
On Tue, Oct 07, 2008 at 10:42:55AM +0200, Martin Mares wrote:
> Hi!
>
> > static void
> > -bgp_close(struct bgp_proto *p UNUSED)
> > +bgp_close(struct bgp_proto *p)
> > {
> > ASSERT(bgp_counter);
> > bgp_counter--;
> > +
> > + if (p->cf->password)
> > + sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL);
> > +
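Review bot: the return value of sk_set_md5_auth() is dropped in bgp_close(), so a failure to change the key for p->cf->remote_ip on bgp_listen_sk goes unnoticed; the function is declared to return int, so check it and log on error. The call also needs a short comment saying what a NULL password means here and why the listening socket is the one being touched, since neither is evident from the code.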
>
> I do not understand this: Why do you change the MD5 auth state on the
> listening socket?
AFAIK we have to set the (address, password) pairs even before a new connection
is established, otherwise signed SYN packets are dropped and the connection
wouldn't establish.
> > diff -uprN bird-as4/sysdep/linux/sysio.h bird-as4-md5/sysdep/linux/sysio.h
> > --- bird-as4/sysdep/linux/sysio.h 2000-05-11 18:30:56.000000000 +0200
> > +++ bird-as4-md5/sysdep/linux/sysio.h 2008-10-06 23:24:45.000000000 +0200
> > @@ -139,3 +139,24 @@ static inline char *sysio_mcast_join(soc
> > #endif
> >
> > #endif
> > +
> > +#include <linux/socket.h>
> > +#include <linux/tcp.h>
> > +
> > +/* For the case that we have older kernel headers */
> > +/* Copied from Linux kernel file include/linux/tcp.h */
> > +
> > +#ifndef TCP_MD5SIG
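Review bot: the two #include lines and the #ifndef TCP_MD5SIG fallback are added after the last #endif of sysio.h, which looks like the closing of the header's include guard; place them above it so the whole header stays under one guard. The "Copied from Linux kernel file include/linux/tcp.h" comment should also record which kernel version the definitions were taken from, so the copy can be checked against the real header later.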
>
> Do we want to support so old kernel headers?
Kernel headers in current Debian don't contain TCP_MD5SIG,
so I need it to compile Bird on my computer.
> > + * FIXME: check portability
>
> Probably none ;)
I tried to google it and it seems to me that FreeBSD uses the same
setsockopt() optval name, but I don't know details yet.
> > +int
> > +sk_set_md5_auth(sock *s, ip_addr a, char *passwd)
> > +{
> > + sockaddr sa;
> > + fill_in_sockaddr(&sa, a, 0);
> > + return sk_set_md5_auth_int(s, &sa, passwd);
> > +}
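Review bot: sk_set_md5_auth() takes passwd as plain char * although it only forwards it to sk_set_md5_auth_int(); declare it const char *. The documentation comment should state that passwd may be NULL (bgp_close() calls it that way), what the int return value means, and what the 0 passed to fill_in_sockaddr() stands for.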
>
> Please add a documentation comment for this function.
OK
> > + if (s->password != NULL)
>
> `if (s->password)' is enough :) [and consistent with the rest of the code]
I personally prefer the != NULL variant as more readable, but consistency is
a stronger argument :-) .
--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."