Re: Bird2: BGP password & setkey

2018-03-09 Thread Leo Vandewoestijne
On Fri, 09 Mar 2018, Ondrej Zajicek wrote:

> And if you try BIRD 1.6.3, it works without /etc/setkey.conf?
> 
That's correct;

Early 1.x I used setkey.conf without password,
and in final releases the opposite seemed the only possible way:
so indeed password without setkey.conf

Without changes to the OSes I went to 2.0.1 and now need both.


--

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>



Re: Bird2: BGP password & setkey

2018-03-08 Thread Ondrej Zajicek
On Thu, Mar 08, 2018 at 10:02:32PM +, Leo Vandewoestijne wrote:
> Hello,
> 
> 
> The setkey option caught my attention when reading the 2.x manual...
> 
> I'm using FreeBSD 11.1 and was trying to have Bird manage the IPSEC (MD5 
> checksum),
> which I've successfully done already in OpenBGPd before NIC.CZ picked up the 
> Bird project.
> So I have a number of upstream peers that have it enabled.
> When the password option arrived in Bird I still used setkey,
> but in the later 1.x releases I needed to use only the 'password' option in 
> bird.conf,
> and had to drop my IPSEC settings at the OS level.
> 
> When I now -using bird 2.0.1- put in a BGP protocol block:
> 
>   password "bla";
>   setkey enabled;

Hello

Correct values are yes/no/on/off and nothing (means yes). But 'yes' is
the default value, so you do not need to use 'setkey' option. It is
supposed to work in the same way like in BIRD 1.6.x and there are almost
no related changes between 1.6.x and 2.0.x.

Aren't there any errors in logs? Could you verify that you have different
behavior in plain 1.6.3 and 2.0.1 without IPSEC settings at the OS level?


> But... having `setkey` in bird.conf -or not- doesn't seem to make any 
> difference.
> Meaning I still need to define the password both my regular IPSEC settings 
> AND those in Bird.
> So yes, I got it working, but -reading the manual- I highly doubt double 
> config was intended.
> 
> What is the correct/simple/efficient method to do this?

Just use 'password'.

> FYI in /etc/rc.conf I still have:
> 
>   ipsec_enable="YES"
>   ipsec_program="/sbin/setkey"
>   ipsec_file="/etc/setkey.conf"
> 
> The double config also makes me wonder if I might be confusing things;
> I find both "IPSEC" or "MD5 TCP checksum" sound like improving authenticity 
> of a transport,
> where "BGP password" -to me- sounds like authentication.
> But reading both the Bird manual as well as the setkey manual it looks like 
> that's the same thing.
> 
> 
> 
> 
> Anyway, I also discovered you can set a password in a template (which I use 
> in a cascading way),
> and further on can overwrite/reset it for particular sessions using `password 
> "";`.
> As the manual doesn't mention it, I'm unsure if that's a bug or a feature, 
> but that's very nice!

Well, I am unsure too ;-). Using `password "";` to disable inherited
password seems to work on BSD, but not on Linux.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
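The "double config" Leo describes (the same TCP-MD5 key living in bird.conf and in /etc/setkey.conf) is exactly the situation in which keys drift apart without anyone noticing. The script below is an added example, not part of this thread or of the BIRD project: it parses a small, constructed subset of bird.conf (`template bgp`/`protocol bgp` blocks with `from` inheritance, `local`, `neighbor` and `password`, including the `password "";` override the thread mentions) and the `add ... tcp ... -A tcp-md5 "..."` lines of a FreeBSD setkey.conf, then reports every peer whose key is missing on one side, present where BIRD has no password, or simply different. The sample configs, peer addresses and the hypothetical helper names are my own; the grammar subset handled is an assumption and covers only what the sample uses.

```python
"""Cross-check BGP TCP-MD5 keys between bird.conf and setkey.conf (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample bird.conf: a template carrying the password, one peer that
# inherits it, one that overrides it, one that clears it with password "".
BIRD_CONF = '''
template bgp upstream {
  local 192.0.2.1 as 64496;
  password "bla";
}
protocol bgp peer1 from upstream { neighbor 198.51.100.1 as 64501; }
protocol bgp peer2 from upstream { neighbor 198.51.100.2 as 64502; password "other"; }
protocol bgp peer3 from upstream { neighbor 198.51.100.3 as 64503; password ""; }
'''

# Constructed sample setkey.conf, one SA per direction as setkey(8) expects.
# peer2's inbound SA deliberately still carries the old template key, and
# peer3 still has SAs although BIRD no longer sets a password for it.
SETKEY_CONF = '''
flush;
add 192.0.2.1 198.51.100.1 tcp 0x1000 -A tcp-md5 "bla";
add 198.51.100.1 192.0.2.1 tcp 0x1000 -A tcp-md5 "bla";
add 192.0.2.1 198.51.100.2 tcp 0x1000 -A tcp-md5 "other";
add 198.51.100.2 192.0.2.1 tcp 0x1000 -A tcp-md5 "bla";
add 192.0.2.1 198.51.100.3 tcp 0x1000 -A tcp-md5 "bla";
add 198.51.100.3 192.0.2.1 tcp 0x1000 -A tcp-md5 "bla";
'''

BLOCK_HDR = re.compile(r'^\s*(template|protocol)\s+bgp\s+(\w+)(?:\s+from\s+(\w+))?\s*\{', re.M)
NEIGHBOR = re.compile(r'\bneighbor\s+([0-9a-fA-F.:]+)\s+as\s+\d+\s*;')
LOCAL = re.compile(r'\blocal\s+([0-9a-fA-F.:]+)\s+as\s+\d+\s*;')
PASSWORD = re.compile(r'\bpassword\s+"([^"]*)"\s*;')
SA_LINE = re.compile(r'^\s*add\s+(\S+)\s+(\S+)\s+tcp\s+\S+\s+-A\s+tcp-md5\s+"([^"]*)"\s*;', re.M)


@dataclass
class BgpBlock:  # hypothetical helper type, not a BIRD structure
    kind: str
    name: str
    parent: Optional[str]
    local: Optional[str]
    neighbor: Optional[str]
    password: Optional[str]  # None = not set here; "" = explicitly cleared


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError('unbalanced braces in bird.conf')


def parse_bird(text: str) -> Dict[str, BgpBlock]:
    """Collect template/protocol bgp blocks by name (subset grammar, assumed)."""
    blocks = {}
    for m in BLOCK_HDR.finditer(text):
        body = _block_body(text, m.end() - 1)
        pick = lambda rx: (rx.search(body).group(1) if rx.search(body) else None)
        blocks[m.group(2)] = BgpBlock(m.group(1), m.group(2), m.group(3),
                                      pick(LOCAL), pick(NEIGHBOR), pick(PASSWORD))
    return blocks


def _effective(blocks: Dict[str, BgpBlock], name: str, attr: str) -> Optional[str]:
    """Nearest explicit value along the `from` chain wins; cycles are tolerated."""
    seen, cur = set(), blocks.get(name)
    while cur is not None and cur.name not in seen:
        seen.add(cur.name)
        if getattr(cur, attr) is not None:
            return getattr(cur, attr)
        cur = blocks.get(cur.parent) if cur.parent else None
    return None


def setkey_keys(text: str) -> Dict[Tuple[str, str], str]:
    """Map (src, dst) -> key for every TCP-MD5 SA line in setkey.conf."""
    return {(m.group(1), m.group(2)): m.group(3) for m in SA_LINE.finditer(text)}


def compare(bird_text: str, setkey_text: str) -> List[Tuple[str, str]]:
    """Sorted (neighbor, problem) list; empty means both files agree. Keys are never echoed."""
    blocks, sas, problems = parse_bird(bird_text), setkey_keys(setkey_text), []
    for b in blocks.values():
        if b.kind != 'protocol' or b.neighbor is None:
            continue
        local = _effective(blocks, b.name, 'local')
        want = _effective(blocks, b.name, 'password') or None  # "" clears an inherited key
        for direction, pair in (('out', (local, b.neighbor)), ('in', (b.neighbor, local))):
            have = sas.get(pair)
            if want is None and have is not None:
                problems.append((b.neighbor, f'{direction}: SA present but bird has no password'))
            elif want is not None and have is None:
                problems.append((b.neighbor, f'{direction}: no SA for bird password'))
            elif want is not None and have != want:
                problems.append((b.neighbor, f'{direction}: key mismatch'))
    return sorted(problems)


if __name__ == '__main__':
    for neighbor, problem in compare(BIRD_CONF, SETKEY_CONF) or [('-', 'consistent')]:
        print(neighbor, problem)
```

The check treats `password "";` as "no TCP-MD5 for this peer", which is the behaviour the thread reports on BSD but not on Linux, so on a Linux router the override line should be read as a warning rather than a cleared key. It compares keys but never prints them; a mismatch report is enough to go and fix the file. Feed it the real files with `open(...).read()` in place of the constructed samples.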