MD5 authentication in quagga
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Wed Apr 15 14:55:07 UTC 2009
On Wed, 15 Apr 2009, wrote:
> Hi. I have a problem with the subject. On the quagga mailing list I was
> told to write to the FreeBSD list.
>
> Quote:
>
> It is well documented that md5 'password' authentication for bgpd works,
> but only for outgoing packets... there is no way for FreeBSD (to my
> knowledge) to actually verify packets inbound.
>
> ...it's better than nothing ;)
>
>
> First one. My configuration in FreeBSD 7.1
>
> /etc/rc.conf
>
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
>
> /etc/ipsec.conf
>
> flush;
> add x.x.x.x y.y.y.y tcp 0x1000 -A tcp-md5 "*********";
>
> where:
>
> x.x.x.x - IP local side
> y.y.y.y - IP remote side
> ******** - password
>
> Next. My kernel was rebuilt with the following options:
>
> options TCP_SIGNATURE
> options IPSEC
> device crypto
> device cryptodev
>
> Now I set the password for the BGP neighbor
>
> quagga-router(config router)# neighbor y.y.y.y password ********
>
> And clear the session
>
> quagga-router(config router)# do clear ip bgp y.y.y.y
>
> On the remote side the PASSWORD IS NOT SET YET, but the BGP session goes
> to state UP, and network prefixes are sent from the local to the remote
> side and vice versa.
>
> But the neighborship must not come up if the passwords do not match...
And what's the peer? If it's another FreeBSD box it won't check incoming
packets either and thus it won't make a difference to when it's not
there.
/bz
--
Bjoern A. Zeeb The greatest risk is not taking one.
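
The thread turns on whether the receiving side checks the TCP-MD5 option at all. As an added example (not code from this thread, FreeBSD or Quagga), the following computes the RFC 2385 digest and applies the receiver-side check a verifying stack performs; the addresses, key, ports and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19  # TCP option kind defined by RFC 2385


def md5sig_digest(src, dst, tcp_header, payload, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options excluded), data, key."""
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, len(tcp_header) + len(payload))
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def find_md5_option(tcp_header):
    """Return the 16-byte digest carried in option 19, or None if the segment is unsigned."""
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]
    i = 0
    while i < len(opts) and opts[i] != 0:        # kind 0 ends the option list
        if opts[i] == 1:                         # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                          # malformed option list
        if opts[i] == TCPOPT_MD5SIG and opts[i + 1] == 18:
            return bytes(opts[i + 2:i + 18])
        i += opts[i + 1]
    return None


def verify_inbound(src, dst, tcp_header, payload, key):
    """With a key configured for the peer, accept only segments with a matching digest."""
    received = find_md5_option(tcp_header)
    if received is None:
        return False
    return hmac.compare_digest(received, md5sig_digest(src, dst, tcp_header, payload, key))


def build_syn(src, dst, key=None, sport=40000, dport=179):
    """Constructed sample SYN for the demo; signed when a key is given."""
    opts = bytes([1, 1, TCPOPT_MD5SIG, 18]) + bytes(16) if key is not None else b""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      ((20 + len(opts)) // 4) << 4, 0x02, 65535, 0, 0) + opts
    if key is not None:
        hdr = hdr[:24] + md5sig_digest(src, dst, hdr, b"", key)
    return hdr
```

A receiver that never calls a check like `verify_inbound` accepts the unsigned SYN from a peer with no password set, which is the behaviour reported in the question.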