possible bug: bgp md5 authentication and multiple source ip addresses
Wolfgang Hennerbichler
wh at univie.ac.at
Fri Apr 23 13:17:03 CEST 2010
On Apr 23, 2010, at 11:39 , Ondrej Zajicek wrote:
> On Fri, Apr 23, 2010 at 10:13:32AM +0200, Wolfgang Hennerbichler wrote:
>> Now I've set up BIRD to peer on the different source interfaces and from different ASes to simulate production routers:
>>
>> protocol bgp R1 {
>> debug all;
>> local as 1120;
>> neighbor 193.203.0.3 as 1267;
>> import all;
>> export none;
>> table T1;
>> password "xyz";
>> source address 193.203.0.1;
>> route limit 15000;
>> start delay time 1;
>> }
>>
>> protocol bgp R2 {
>> debug all;
>> local as 1121;
>> neighbor 193.203.0.3 as 1267;
>> import all;
>> export none;
>> table T2;
>> password "xyz";
>> source address 193.203.0.2;
>> route limit 15000;
>> start delay time 1;
>> }
>>
>> ...
>>
>> Nevertheless, only the peering with source 193.203.0.1 (the primary IP) comes up; source 193.203.0.2 stays down, and I see in the tcpdump log that MD5 can't be checked.
>> This works on IPv6, but it seems that IPv4 somehow doesn't honour the source address field when generating the MD5 hashes. Can you confirm this is a bug? Am I overlooking something? I am using Linux 2.6.33.2.
>
> These two protocol sections are a part of one BIRD config?
Yes.
> Regardless of MD5 password, such config would not probably work as
> intended, 'source address' is used for source address of outgoing
> connections and for next-hops, but it is not used for a separation
> of incoming connections. (The neighbor IP is the same in both
> cases, which is a problem.)
Oh, maybe I misunderstood it in this case. Thank you for the clarification.
> One possibility is to run two BIRD instances and use 'listen bgp
> address' global option to bind them to different addresses, but such
> configuration is probably a can of worms.
Well, it's just a quarantine setup; it could break without destroying anything. It could be a can of worms. I will think about it... or maybe I'll do some more virtualization, I don't know.
> For experiments, I would
> suggest virtual networks using Netkit software. Unfortunately, their
> kernel does not contain MD5 support, but it would be possible to build
> another with MD5 support enabled.
Thanks. The route servers are virtualized anyway.
> Another problem is that the kernel interface for MD5 checksum does not
> specify local address, only remote address and remote port. Therefore it
> is not possible to set two such sessions with a different MD5 password.
I thought so :(
Thanks a lot.
Wolfgang
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
--
www.vix.at | www.aco.net
wh at univie.ac.at | WH844-RIPE
Vienna University Computer Center
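As an added illustration of the kernel interface described in the thread (this is not code from the thread or from BIRD), the snippet below packs Linux's struct tcp_md5sig from <linux/tcp.h> and installs it with setsockopt(TCP_MD5SIG). The neighbor address comes from the config above; the passwords are constructed. The structure carries only the peer's address, which is why one socket cannot hold different passwords for the same neighbor reached from different source addresses.

```python
import socket
import struct

# Linux socket option numbers from <linux/tcp.h>; Python's socket module
# does not export them.
TCP_MD5SIG = 14
TCP_MD5SIG_MAXKEYLEN = 80
SOCKADDR_STORAGE_LEN = 128


def tcp_md5sig(peer_ip: str, password: bytes) -> bytes:
    """Pack a struct tcp_md5sig for an IPv4 peer.

    Layout: struct sockaddr_storage tcpm_addr (128 bytes), __u16 tcpm_flags,
    __u8 tcpm_prefixlen, __u8 tcpm_keylen, __u32 tcpm_ifindex, __u8 tcpm_key[80].
    The only address in the structure is the remote peer's; there is no field
    for the local (source) address, so a socket holds at most one key per
    neighbor no matter how many local addresses it serves.
    """
    if not 1 <= len(password) <= TCP_MD5SIG_MAXKEYLEN:
        raise ValueError("TCP-MD5 password must be 1..80 bytes")
    # struct sockaddr_in: sa_family (host order), sin_port, sin_addr, then zero padding
    addr = struct.pack("=H2s4s", socket.AF_INET, b"\0\0", socket.inet_aton(peer_ip))
    addr = addr.ljust(SOCKADDR_STORAGE_LEN, b"\0")
    flags_prefixlen_keylen_ifindex = struct.pack("=HBBI", 0, 0, len(password), 0)
    return addr + flags_prefixlen_keylen_ifindex + password.ljust(TCP_MD5SIG_MAXKEYLEN, b"\0")


def install_tcp_md5(sock: socket.socket, peer_ip: str, password: bytes) -> None:
    """Attach a TCP-MD5 (RFC 2385) key for peer_ip to sock.

    Calling this twice for the same peer replaces the first key: the kernel
    indexes keys by peer address, not by (local address, peer address).
    """
    sock.setsockopt(socket.IPPROTO_TCP, TCP_MD5SIG, tcp_md5sig(peer_ip, password))


if __name__ == "__main__":
    # Constructed demo: one listening socket, one neighbor, two passwords.
    # After the second call only b"xyz-R2" is in effect for 193.203.0.3.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("0.0.0.0", 0))
        try:
            install_tcp_md5(s, "193.203.0.3", b"xyz-R1")
            install_tcp_md5(s, "193.203.0.3", b"xyz-R2")
            print("key for 193.203.0.3 installed; the second password replaced the first")
        except OSError as e:
            print("kernel refused TCP_MD5SIG:", e)
```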