Quagga + TCP MD5 for BGP (RFC 2385) in Linux

Some time ago (15.04.2004) many big providers started to require MD5 passwords for peerings. Linux users were left without a working solution. I picked up an old (for kernel 2.4.16) patch written by Rick Payne and updated it to apply to a recent (2.4.26) kernel. I also wrote an initial patch for Quagga, stealing most of the code from the patch written by Bruce M. Simpson for FreeBSD. Later the Quagga patch was updated to the code from the GNU Zebra CVS repository. Credits go to Kunihiro; I just ported this patch to the Quagga codebase. Rick Payne later updated the kernel patch to use MD5 from the kernel CryptoAPI (the initial patch had its own MD5 implementation) and released a patch for the 2.6 kernel as well.

The Quagga patch will not be in the main distribution for now. Kernel developers plan to take a different path and write their own TCP MD5 implementation with a different API. So, at the moment you have to patch both the kernel and Quagga. Official Debian Quagga packages already have the patch applied. Maybe there are others, but I have no information about that.

Please don’t mail me “please provide a patch for the new 2.6.x kernel”. I have no intention of using 2.6 kernels in production yet and don’t have any time to work on stuff I don’t use myself. You can send me the patches you made for new kernels and I will put them here.

Instructions

Download the kernel patch from either here or from here:

Patch for Debian 3.1 (Sarge) kernel:

Apply it, configure the kernel with CONFIG_TCP_RFC2385=y (you also have to enable CONFIG_CRYPTO=y and CONFIG_CRYPTO_MD5=y) and compile.

The patch may cause crashes with several kernel versions. It might be a good idea to apply the patch you can get from here as well. It has not been tested by me, but the author of the patch said it fixes the problem for him.

Download the patch for Quagga, run ./update-autotools or autoreconf -i --force, configure with --enable-tcp-md5, compile and install:

If you are using Quagga on a machine with IPv6 support, this patch will not work with kernels older than 2.4.21. You also have to have newer kernel headers installed while compiling. Systems with glibc-2.2.x (Debian Woody for example) will not work. The reason is that RFC 2385 is IPv4 only and requires an AF_INET socket, so the IPV6_V6ONLY socket option is required to make this work.

The configuration is straightforward:

router bgp 111
 neighbor 10.0.0.2 remote-as 222
 neighbor 10.0.0.2 password foobar
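What that `password` line makes the patched kernel do is sign every TCP segment of the session with the RFC 2385 MD5 option and drop any incoming segment whose option is missing or does not verify. The following Python is an added example, not code from this page, the kernel patch or Quagga: it computes the digest exactly as RFC 2385 specifies (MD5 over the IPv4 pseudo-header, the option-less TCP header with a zero checksum, the payload and the key), carries it as TCP option kind 19, and checks it on the receiving side. The addresses, ports, sequence numbers and the BGP KEEPALIVE payload are constructed sample values; the key is the `foobar` from the configuration above.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19        # TCP option kind defined by RFC 2385
TCPOPT_MD5SIG_LEN = 18    # kind (1) + length (1) + MD5 digest (16)

# Constructed sample payload: a BGP KEEPALIVE (16-byte all-ones marker,
# length 19, type 4).
KEEPALIVE = b"\xff" * 16 + b"\x00\x13" + b"\x04"


def rfc2385_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """MD5 over: pseudo-header, fixed TCP header (checksum = 0, options
    excluded), TCP data, key. The segment length in the pseudo-header does
    include the options, so the caller passes the whole segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    pseudo = struct.pack("!4s4sBBH",
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed,
                         0, TCP_PROTO, len(segment))
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"        # checksum field is zeroed for the hash
    data = segment[header_len:]
    return hashlib.md5(pseudo + bytes(fixed) + data + key).digest()


def build_segment(src_port, dst_port, seq, ack, flags, window, payload, md5_digest=None):
    """Build a TCP segment (checksum left at 0); if a digest is given, carry it
    as option 19, NOP-padded to a 32-bit boundary."""
    options = b""
    if md5_digest is not None:
        options = bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + md5_digest
        options += b"\x01" * (-len(options) % 4)   # kind 1 = NOP padding
    header_len = 20 + len(options)
    off_flags = ((header_len // 4) << 12) | (flags & 0x1FF)
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        off_flags, window, 0, 0)
    return fixed + options + payload


def sign_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window, payload, key):
    """Sender side. Options are excluded from the hash but counted in the
    segment length, so build once with a zero digest to fix the layout,
    compute the digest over that, then build again with the real digest."""
    placeholder = bytes(16)
    layout = build_segment(src_port, dst_port, seq, ack, flags, window, payload, placeholder)
    digest = rfc2385_digest(src_ip, dst_ip, layout, key)
    return build_segment(src_port, dst_port, seq, ack, flags, window, payload, digest)


def extract_md5_option(segment: bytes):
    """Walk the TCP option list and return the 16-byte digest of option 19, or None."""
    header_len = (segment[12] >> 4) * 4
    opts = segment[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # EOL
            break
        if kind == 1:                 # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return opts[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key) -> bool:
    """Receiver side: a segment with no option or a wrong digest is rejected,
    which is what the kernel does for a session that has a password set."""
    received = extract_md5_option(segment)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    seg = sign_segment("10.0.0.1", "10.0.0.2", 179, 45000, 1000, 2000,
                       0x018, 65535, KEEPALIVE, b"foobar")
    print("correct key:", verify_segment("10.0.0.1", "10.0.0.2", seg, b"foobar"))
    print("wrong key:  ", verify_segment("10.0.0.1", "10.0.0.2", seg, b"wrong"))
```

Because the source and destination addresses are part of the hashed pseudo-header, a segment that is replayed or injected from a different address fails verification even if the payload is untouched; that, rather than secrecy, is the protection the option provides, since the payload itself still travels in clear text and MD5 is used here only as a keyed hash on each segment.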

Enjoy!

One more implementation

If you can’t or don’t want to recompile the kernel or Quagga, you can use a userspace implementation written in Perl; see this letter for details.

Thanks

Many thanks to Rick Payne and David Schwartz. Also many thanks to Bruce M. Simpson, who wrote RFC 2385 support for FreeBSD (see this mail); I used his Quagga patch as a template. Pavel Rause and Miroslav Marek updated the kernel patches to the newer 2.6.9 and 2.6.10 kernels. Jens Ott provided a patch for the 2.6.12.5 kernel. Adam Hill ported the patch to the 2.6.17 kernel and fixed some bugs. Florian Füessl ported the patch to the 2.6.8 kernel used in Debian 3.1 (Sarge). And of course many thanks to Kunihiro for GNU Zebra. Quagga wouldn’t exist without Zebra.

 
english/network/rfc2385.txt · Last modified: 2006/11/30 12:17 by hasso