[patch] Add TCP-MD5 authentication option for RPKI protocol

Job Snijders job at fastly.com
Thu Oct 3 16:38:11 CEST 2024


On Thu, Oct 03, 2024 at 04:31:46PM +0200, Ondrej Zajicek wrote:
> On Tue, Oct 01, 2024 at 03:27:19PM +0000, Job Snijders via Bird-users wrote:
> > ps. It seems TCP-MD5 for BGP doesn't work out-of-the-box on OpenBSD,
> > downstream porters apply a few minimal patches:
> > https://github.com/openbsd/ports/tree/master/net/bird/2/patches
> > perhaps these can be upstreamed so that we can work towards TCP-MD5 RTR
> > support in BIRD on OpenBSD as well? :-)
> 
> Missed that from your mail. Will look at these OpenBSD patches, but
> sometime later.
> 
> BTW, the RPKI TCP-MD5 will not work on BSD as-is, because the setkey call is
> done as a part of sk_set_md5_auth() on the listening socket and not done
> on the outgoing socket. That is not an issue in BGP, where a protocol
> always has a listening socket. This issue would require some refactoring
> for later.

Yup, I noticed the same, but figured that landing Linux support first
already is a good step forward.

If those OpenBSD patches are merged, I'd be happy to take a look at what's
needed to get RPKI TCP-MD5 in working order on *BSD.

Kind regards,

Job

