On 08.08.22 16:58, Calvin Zachman wrote:
> Hi BIRD users,
> Does anyone know whether a BGP shared secret can be rotated without
> incurring any network downtime? I did some testing with the BGP password
> functionality offered and it appears that any update to the BGP password
> configuration incurs a brief network outage with both existing/new
> connections. It seems like something about the way BIRD is restarting is
> leading to it pulling down learned routes immediately as opposed to
> letting them live according to the timeout setting. Does BIRD flush all
> routes it has learned when this configuration changes? Here is a brief
> excerpt to demonstrate the outage. Take note that the network disruption
> precisely matches the timestamp at which BIRD is reconfigured:

Hey Calvin,
It is not explicitly mentioned in the user documentation but for babel,
bfd, ospf, and others, you can do something like:
```
password "<text>";
password "<text>" {
    id <num>;
    generate from "<date>";
    generate to "<date>";
    accept from "<date>";
    accept to "<date>";
    from "<date>";
    to "<date>";
};
```
The OSPF section contains the following example:
```
password "abc" {
    id 1;
    generate to "22-04-2003 11:00:06";
    accept from "17-01-2001 12:01:05";
};
password "def" {
    id 2;
    generate to "22-07-2005 17:03:21";
    accept from "22-02-2001 11:34:06";
};
```
A while ago I tested it with OSPF and BFD, and used `include` statements
for the passwords, and used `birdc configure` for a "soft" reload. As
far as I remember, this just worked(tm).
But no warranties that this is implemented for BGP, too. It's just wild
guessing.
Best and good luck,
Bernd
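
An added example, not part of the thread and not BIRD's own code: a pre-deployment check for a key list written in the `password { ... }` form quoted above, reporting any period in which no key is generated or a key is sent outside its accept window. It assumes both peers load the same key list and the date format of the OSPF example; `parse_keys`, `rotation_problems` and the sample keys are constructed for illustration, and it says nothing about whether BGP supports this syntax.

```python
import re
from datetime import datetime

FMT = "%d-%m-%Y %H:%M:%S"  # date format as written in the OSPF example above
# Constructed rotation plan (not from the thread): key 2 takes over from key 1.
SAMPLE = '''
password "old" { id 1; generate to "01-09-2022 12:00:00"; accept to "01-09-2022 13:00:00"; };
password "new" { id 2; generate from "01-09-2022 12:00:00"; accept from "01-09-2022 11:00:00"; };
'''

def parse_keys(conf):
    """Parse password blocks into dicts with [from, to] generate/accept windows."""
    keys = []
    for n, body in enumerate(re.findall(r'password\s+"[^"]*"\s*\{(.*?)\}', conf, re.S), 1):
        m = re.search(r'\bid\s+(\d+)', body)
        key = {"id": int(m.group(1)) if m else n,  # positional label if no id given
               "generate": [datetime.min, datetime.max],
               "accept": [datetime.min, datetime.max]}
        for kind, edge, date in re.findall(
                r'(?:\b(generate|accept)\s+)?\b(from|to)\s+"([^"]+)"', body):
            # A bare from/to applies to both windows; index 0 = from, 1 = to.
            for k in ([kind] if kind else ["generate", "accept"]):
                key[k][1 if edge == "to" else 0] = datetime.strptime(date, FMT)
        keys.append(key)
    return keys

def rotation_problems(keys, start, end):
    """Return problems within [start, end), assuming both peers load the same keys."""
    problems = []
    for k in keys:
        g0, g1 = max(k["generate"][0], start), min(k["generate"][1], end)
        if g0 < g1 and (g0 < k["accept"][0] or g1 > k["accept"][1]):
            problems.append(f"key {k['id']}: generated while outside its accept window")
    cursor = start  # earliest instant not yet covered by any generate window
    for g_from, g_to in sorted(k["generate"] for k in keys):
        if cursor >= end:
            break
        if g_from > cursor:
            problems.append(f"no key generated from {cursor} to {min(g_from, end)}")
        cursor = max(cursor, g_to)
    if cursor < end:
        problems.append(f"no key generated from {cursor} to {end}")
    return problems

if __name__ == "__main__":
    window = (datetime(2022, 9, 1), datetime(2022, 9, 2))
    print(rotation_problems(parse_keys(SAMPLE), *window) or "rotation plan has no gaps")
```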