On the possibility of updating BGP passwords without network disruption.
ch at ntrv.dk
ch at ntrv.dk
Mon Aug 8 22:22:05 CEST 2022
On Mon, 8 Aug 2022, 16:58 Calvin Zachman, <calvin.zachman at ibm.com> wrote:
> Hi BIRD users,
>
>
>
> Does anyone know whether a BGP shared secret can be rotated without
> incurring any network downtime? I did some testing with the BGP password
> functionality offered and it appears that any update to the BGP password
> configuration incurs a brief network outage with both existing/new
> connections. It seems like something about the way BIRD is restarting is
> leading to it pulling down learned routes immediately as opposed to letting
> them live according to the timeout setting. Does BIRD flush all routes it
> has learned when this configuration changes? Here is a brief excerpt to
> demonstrate the outage. Take note that the network disruption precisely
> matches the timestamp at which BIRD is reconfigured
>
Rotating MD5 passwords for bgp sessions has _never_ been hitless. And
_will_ force the session down. For it to be reestablish. Due to changing
the session parameters. Requiring a full session negotiation from scratch.
What you are looking for is TCP-AO support.
https://tcp-ao.net/
https://duckduckgo.com/?q=tcp-ao
https://blog.apnic.net/2021/07/28/its-time-to-replace-md5-with-tcp-ao/
TCP-AO implements logic (in simple terms) similar to what you are used to
with key chains when configuring e.g. RIP, OSPF, BABEL on most routing
platforms. Where a key has a specified lifetime. And one key is used. But
multiple is allowed to permit for key rotation.
Both bird (on the mailing list, see list archives) and FRRouting (see the
projects github issue tracker) have open questions regarding when this
feature is ready. Both projects are thou dependent on a Linux kernel
implementation being mainlined before they can support this feature.
If you have ever used one of the bigger players NOS releases. Juniper,
Cisco, and Nokia (what I know of) has been shipping support for TCP-AO in
their newer releases.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20220808/e9c47016/attachment.htm>
More information about the Bird-users
mailing list