Date: Wed, 15 Apr 2009 14:50:56 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: alexey.blinkov@gmail.com
Cc: freebsd-net@freebsd.org
Subject: Re: MD5 authentication in quagga
Message-ID: <20090415144956.T15361@maildrop.int.zabbadoz.net>
In-Reply-To: <2d934d80904150642r585049b4wadfdfc82a3d8c7fc@mail.gmail.com>
References: <2d934d80904150642r585049b4wadfdfc82a3d8c7fc@mail.gmail.com>

On Wed, 15 Apr 2009, wrote:

> Hi. I have a problem with Subj. In mailing list quagga me say for
> mailing to FreeBSD list.
>
> Quote:
>
> It is well documented that md5 'password' authentication for bgpd works,
> but only for outgoing packets... there is no way for FreeBSD (to my
> knowledge) to actually verify packets inbound.
>
> ...it's better than nothing ;)
>
>
> First one. My configuration in FreeBSD 7.1
>
> /etc/rc.conf
>
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
>
> /etc/ipsec.conf
>
> flush;
> add x.x.x.x y.y.y.y tcp 0x1000 -A tcp-md5 "*********";
>
> where:
>
> x.x.x.x - IP local side
> y.y.y.y - IP remote side
> ******** - password
>
> Next. My kernel was rebuilt with next options:
>
> options TCP_SIGNATURE
> options IPSEC
> device crypto
> device cryptodev
> device cryptodev
>
> Now I set password to bgp neighbor
>
> quagga-router(config router)# neighbor y.y.y.y password ********
>
> And clear session
>
> quagga-router(config router)# do clear ip bgp y.y.y.y
>
> In remote side PASSWORD NOT SET YET, but bgp session passes to state
> UP, and network prefixes sending from local to remote side and vice
> versa.
>
> But neighborship must no upping if password not coincide...

And what's the peer? If it's another FreeBSD box it won't check
incoming packets either and thus it won't make a difference to when
it's not there.

/bz

-- 
Bjoern A. Zeeb      The greatest risk is not taking one.
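
Added example, not part of the original message and not FreeBSD or Quagga code: the receiver-side check the thread says is missing, written in Python following the TCP MD5 Signature option of RFC 2385. The addresses, ports, key and segment are constructed sample values, and build_segment is a hypothetical helper that only produces test input.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5 = 19  # TCP MD5 Signature option kind (RFC 2385); option length is 18

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header, segment data, key."""
    seg_len = len(tcp_header) + len(payload)  # header incl. options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(tcp_header[:20])  # TCP options are excluded from the hash
    fixed[16:18] = b"\x00\x00"          # checksum field is hashed as zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def find_md5_option(tcp_header):
    """Return the 16-byte signature carried in the TCP options, or None."""
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                # malformed option, stop parsing
        length = opts[i + 1]
        if kind == TCPOPT_MD5 and length == 18 and i + 18 <= len(opts):
            return opts[i + 2:i + 18]
        i += length
    return None

def verify_inbound(src_ip, dst_ip, tcp_header, payload, key):
    """Receiver-side check: a missing or wrong signature means the segment is dropped."""
    sig = find_md5_option(tcp_header)
    want = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return sig is not None and hmac.compare_digest(sig, want)

def build_segment(src_ip, dst_ip, payload, key, signed=True):
    """Constructed sample TCP header (dst port 179, arbitrary seq/ack), not a capture."""
    off = 10 if signed else 5    # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000, off << 4, 0x18, 16384, 0, 0)
    if signed:
        sig = tcp_md5_digest(src_ip, dst_ip, hdr + bytes(20), payload, key)
        hdr += bytes([1, 1, TCPOPT_MD5, 18]) + sig
    return hdr
```

A stack that signs outbound segments but never runs a check like verify_inbound accepts the unsigned segment in the same way as the signed one, which matches the session coming up with no password set on the peer.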