Mailing List Archive

Re: TCP MD5 option for BGP
I was wondering if quagga has support for enabling TCP MD5
authentication option for BGP TCP sessions as per RFC 2385 or has plans
for supporting it in the future.

A cursory examination of slightly dated source code seems to indicate
that it does not support TCP MD5 authentication. It also seems like this
is more a question of whether the target OS/Socket API will support the
corresponding TCP options.

Is this an important option for users of BGP? I would think that people
who use BGP a lot might be concerned about securing their TCP sessions.

Thanks for any input.

Vik
Re: TCP MD5 option for BGP
Enclosed a previous email that describes how to configure TCP/MD5 with
BGP on FreeBSD 4.10

--
Hi,
Don't know about Zebra, but with FreeBSD 4.10 and Quagga (in the
ports) it's pretty easy. Just add
options FAST_IPSEC
options TCP_SIGNATURE

to your kernel.

cd /usr/ports/net/quagga/
make install

In the config menu, enable MD5 sigs

Given 2 BGP peers, whose update sources are 192.168.1.1 and 10.0.0.2, and
your IP is 10.0.0.1 with the passwd of HelloFreeBSD and GTSMIsBetter, add
the following to /etc/ipsec.conf

add 10.0.0.1 192.168.1.1 tcp 0x1000 -A tcp-md5 "HelloFreeBSD" ;
add 10.0.0.1 10.0.0.2 tcp 0x1000 -A tcp-md5 "GTSMIsBetter" ;

Then setkey -f /etc/ipsec.conf

---Mike

--

Regards,
Vincent

Anantha, Vik wrote:

>I was wondering if quagga has support for enabling TCP MD5
>authentication option for BGP TCP sessions as per RFC 2385 or has plans
>for supporting it in the future.
>
>A cursory examination of slightly dated source code seems to indicate
>that it does not support TCP MD5 authentication. It also seems like this
>is more a question of whether the target OS/Socket API will support the
>corresponding TCP options.
>
>Is this an important option for users of BGP? I would think that people
>who use BGP a lot might be concerned about securing their TCP sessions.
>
>Thanks for any input.
>
>Vik
Re: TCP MD5 option for BGP
Vincent Jardin wrote:
> Enclosed a previous email that describes how to configure TCP/MD5 with
> BGP on FreeBSD 4.10

Hi Hasso (and the rest of the team).

Any HOWTO for Linux 2.4.26?

I've checked your website, but your 2.4.26 patch is marked obsolete,
referring to Sourceforge with a 2.4.24 patch as the only option. Is this
the same, or preferred, patch for MD5 on Linux 2.4.26?

Regards,

Trygve Selmer
Re: TCP MD5 option for BGP
Trygve Selmer wrote:
> Vincent Jardin wrote:
> > Enclosed a previous email that describes how to configure TCP/MD5
> > with BGP on FreeBSD 4.10
>
> Hi Hasso (and the rest of the team).
>
> Any HOWTO for Linux 2.4.26?
>
> I've checked your website, but your 2.4.26 patch is marked
> obsolete, referring to Sourceforge with a 2.4.24 patch as the only
> option.

2.4.24 patch from sourceforge applies to 2.4.26 without problems.

--
Hasso Tepper
Elion Enterprises Ltd.
WAN administrator
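
Added example, not part of the thread and not Quagga or kernel code: what the per-peer keys in the setkey entries above are used for, namely computing and checking the RFC 2385 digest carried in TCP option kind 19. The function names, the ports and sequence number, and the sample BGP KEEPALIVE segment are constructed for illustration; the addresses and keys are the ones from the FreeBSD message.

```python
import hashlib, hmac, socket, struct

MD5_KIND, MD5_LEN = 19, 18  # RFC 2385 TCP option: kind 19, length 18 (16-byte digest)
# Keys per peer pair, mirroring the two setkey entries in the thread.
KEYS = {("10.0.0.1", "192.168.1.1"): b"HelloFreeBSD",
        ("10.0.0.1", "10.0.0.2"): b"GTSMIsBetter"}
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"  # constructed sample payload

def rfc2385_digest(src, dst, header, payload, key):
    """MD5 over pseudo-header, fixed TCP header with zero checksum, data, then key."""
    seg_len = (header[12] >> 4) * 4 + len(payload)  # header incl. options + data
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(header[:20])                  # options are excluded
    fixed[16:18] = b"\x00\x00"                      # checksum treated as zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def sign_segment(src, dst, sport, dport, seq, payload, key):
    """Build a constructed PSH/ACK segment (TCP checksum left 0) with the MD5 option."""
    # Data offset 10 words: 20-byte header + 2 NOPs + 18-byte option.
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x18, 65535, 0, 0)
    digest = rfc2385_digest(src, dst, header, payload, key)
    return header + b"\x01\x01" + bytes([MD5_KIND, MD5_LEN]) + digest + payload

def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options) and options[i] != 0:     # kind 0 ends the list
        if options[i] == 1:                         # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return None                             # malformed option
        if options[i] == MD5_KIND:
            return options[i + 2:i + MD5_LEN] if options[i + 1] == MD5_LEN else None
        i += options[i + 1]
    return None

def verify_segment(src, dst, segment, key):
    """Receiver side: a missing or mismatched digest means the segment is dropped."""
    hdr_len = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if not 20 <= hdr_len <= len(segment):
        return False
    digest = find_md5_option(segment[20:hdr_len])
    if digest is None:
        return False
    expected = rfc2385_digest(src, dst, segment[:hdr_len], segment[hdr_len:], key)
    return hmac.compare_digest(digest, expected)
```

Because the digest covers the addresses, ports and sequence number as well as the data, a segment signed for one peer pair does not verify under the other pair's key or from a different source address.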