[patch] Add TCP-MD5 authentication option for RPKI protocol
Ondrej Zajicek
santiago at crfreenet.org
Wed Oct 2 03:40:11 CEST 2024
On Tue, Oct 01, 2024 at 03:27:19PM +0000, Job Snijders via Bird-users wrote:
> Dear BIRD community,
>
> I think many of us use good ole' TCP-MD5 to authenticate IBGP sessions,
> even if TCP-MD5 is imperfect from key rolling perspective. TCP-MD5 is
> easy to configure, and supported on a broad range of platforms, and
> beats doing nothing.
>
> RPKI-To-Router (RTR) sessions seem to be of similar security-sensitivity to
> IBGP sessions, but at the moment of writing BIRD offers a choice of
> either "plain TCP" (meh) or "SSH" (secure, albeit a bit more hassle to
> set up than TCP-MD5). I'd like to add TCP-MD5 as another option.
> TCP-MD5 for RTR is specified through RFC 6810 section 7.3 and RFC 8210
> section 9.3.
Hi
Thanks for the patch. Adding TCP-MD5 support makes sense.
> Minimal bird.conf:
>
> router id 10.0.0.1;
> roa4 table r4;
> roa6 table r6;
> protocol rpki rpki1 {
>   roa4 { table r4; };
>   roa6 { table r6; };
>   remote 165.254.255.17 port 8282;
>   transport tcp password "test"; /* password keyword is new here! */
Please, use sub-block here:
transport tcp {
  authentication md5;
  password "test";
};
> + if (old->password != new->password)
> + {
> + CACHE_TRACE(D_EVENTS, cache, "MD5 authentication changed");
> + return NEED_RESTART;
> + }
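Review bot: `old->password != new->password` compares the two pointers rather than the password text, so a reload that carries the same password in a freshly allocated string is reported as "MD5 authentication changed" and returns NEED_RESTART for no reason, while the comparison says nothing about whether the actual key differs. Compare contents instead (the bstrcmp suggested in the reply), and make sure the comparison tolerates a NULL on either side, since the password may be unset in the old or the new configuration.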
I think you need bstrcmp(old->password, new->password) here.
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
"To err is human -- to blame it on a computer is even more so."