On the possibility of updating BGP passwords without network disruption.
Bernd Naumann
bernd at kr217.de
Mon Aug 8 20:31:32 CEST 2022
On 08.08.22 16:58, Calvin Zachman wrote:
> Hi BIRD users,
>
> Does anyone know whether a BGP shared secret can be rotated without
> incurring any network downtime? I did some testing with the BGP password
> functionality offered and it appears that any update to the BGP password
> configuration incurs a brief network outage with both existing/new
> connections. It seems like something about the way BIRD is restarting is
> leading to it pulling down learned routes immediately as opposed to
> letting them live according to the timeout setting. Does BIRD flush all
> routes it has learned when this configuration changes? Here is a brief
> excerpt to demonstrate the outage. Take note that the network disruption
> precisely matches the timestamp at which BIRD is reconfigured:
>
Hey Calvin,
It is not explicitly mentioned in the user documentation, but for babel,
bfd, ospf, and others, you can do something like:
```
password "<text>";
password "<text>" {
    id <num>;
    generate from "<date>";
    generate to "<date>";
    accept from "<date>";
    accept to "<date>";
    from "<date>";
    to "<date>";
};
```
The OSPF section contains the following example:
```
password "abc" {
    id 1;
    generate to "22-04-2003 11:00:06";
    accept from "17-01-2001 12:01:05";
};
password "def" {
    id 2;
    generate to "22-07-2005 17:03:21";
    accept from "22-02-2001 11:34:06";
};
```
A while ago I tested it with OSPF and BFD, and used `include` statements
for the passwords, and used `birdc configure` for a "soft" reload. As
far as I remember, this just worked(tm).
But no warranties that this is implemented for BGP, too. It's just wild
guessing.
Best and good luck,
Bernd
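
An added example, not part of the message above and not BIRD's own tooling: a Python check that a set of password blocks in the syntax quoted above hands over from one key to the next without a gap. It assumes both neighbours load the same schedule, the date format of the OSPF example, and a constructed sample schedule; the names `parse`, `rollover_problems` and `skew` are hypothetical, and it says nothing about whether BGP honours these options.

```python
import re
from datetime import datetime, timedelta

FMT = "%d-%m-%Y %H:%M:%S"  # date format used in the OSPF example quoted above

# Constructed schedule (not from the thread): key 1 is retired while key 2 takes over.
SAMPLE = '''
password "old-secret" { id 1; generate to "01-09-2022 00:00:00"; accept to "01-09-2022 01:00:00"; };
password "new-secret" { id 2; generate from "01-09-2022 00:00:00"; accept from "31-08-2022 23:00:00"; };
'''

def parse(conf):
    """Map key id -> {"generate": [from, to], "accept": [from, to]}; unset bounds stay open."""
    keys = {}
    for body in re.findall(r'password\s+"[^"]*"\s*\{(.*?)\}', conf, re.S):
        kid = int(re.search(r'\bid\s+(\d+)\s*;', body).group(1))
        win = {"generate": [datetime.min, datetime.max], "accept": [datetime.min, datetime.max]}
        for kind, edge, date in re.findall(r'\b(?:(generate|accept)\s+)?(from|to)\s+"([^"]+)"', body):
            for k in ([kind] if kind else ["generate", "accept"]):  # bare from/to sets both windows
                win[k][1 if edge == "to" else 0] = datetime.strptime(date, FMT)
        keys[kid] = win
    return keys

def rollover_problems(keys, start, end, skew=timedelta(minutes=5)):
    """Check the period [start, end], assuming both neighbours load this same schedule."""
    out, spans = [], []
    for kid, w in sorted(keys.items()):
        gs, ge = max(w["generate"][0], start), min(w["generate"][1], end)
        if gs >= ge:
            continue  # this key is never used for sending inside the period
        spans.append((gs, ge))
        # A neighbour whose clock is off by `skew` must still accept what is generated.
        if w["accept"][0] > gs - skew or w["accept"][1] < ge + skew:
            out.append(f"key {kid}: accept window does not cover generate window +/- {skew}")
    covered = start
    for gs, ge in sorted(spans):
        if gs > covered:
            out.append(f"no key generated between {covered} and {gs}")
        covered = max(covered, ge)
    if covered < end:
        out.append(f"no key generated between {covered} and {end}")
    return out

if __name__ == "__main__":
    period = (datetime(2022, 8, 31, 12), datetime(2022, 9, 1, 12))
    print(rollover_problems(parse(SAMPLE), *period) or "schedule is gap-free")
```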