Implement MD5 authentication option for BGP peering

Bug #1383393 reported by Nischal Sheth
Affects: Juniper Openstack (status tracked in Trunk)
Status: Fix Committed
Importance: Wishlist
Assigned to: Tapan Karwa

Bug Description

Implement MD5 authentication for BGP peering based on RFC 2385.

The following requirements need to be supported:

- The implementation must interoperate with other RFC 2385-based BGP implementations
- The implementation should be extensible to support RFC 5925 in future
- The shared secret must be configurable per bgp-peering in the schema
- The shared secret should also be configurable per bgp-router in the schema
- The UI must make the shared secret configurable per bgp-peering object
- The UI should also make the shared secret configurable per bgp-router
- Key rollover should be supported using the notion of a key-chain

The proposal is to do the following:

- Use setsockopt with the TCP_MD5 option to enable TCP MD5 in the kernel
- The schema supports a key-chain per bgp-peering and per bgp-router
- Each element of the key-chain contains a key-id, a shared secret and a start time
- The start time determines which key-chain element is used at a given time
- The control node (CN) implements rollover by choosing the active element based on start time
- Rollover must not cause a flap of the underlying TCP session
- The active element is the one with the highest start time that is smaller than the current time
- It is assumed that the clocks on all BGP speakers are synchronized

References:

https://tools.ietf.org/html/rfc2385
https://tools.ietf.org/html/rfc5925
http://www.juniper.net/techpubs/en_US/junos14.1/topics/task/configuration/security-authentication-key-updates-bgp-ldp-configuring.html

Nischal Sheth (nsheth)
Changed in juniperopenstack:
assignee: nobody → Tapan Karwa (tkarwa)
importance: Undecided → High
Nischal Sheth (nsheth)
no longer affects: opencontrail
Nischal Sheth (nsheth) wrote:

UI change is tracked by bug 1420416.

OpenContrail Admin (ci-admin-f) wrote: A change has been merged

Reviewed: https://review.opencontrail.org/7362
Committed: http://github.org/Juniper/contrail-controller/commit/44246fbf855815c53ca9bc0d8e40605cf41bddec
Submitter: Zuul
Branch: master

commit 44246fbf855815c53ca9bc0d8e40605cf41bddec
Author: Tapan Karwa <email address hidden>
Date: Wed Feb 11 16:26:19 2015 -0800

First set of changes for bgp authentication via tcp-md5.

Changes to process the auth-key config. Changes to set up the keys in the
kernel for the peer's sockets. APIs to add/delete keys into kernel. A few
tests. New code in auth_keychain.cc/h manages the keys in a vector.

Change-Id: I2488b135d44c0454d367cc9b34a570c77ffd4992
Partial-Bug: 1383393

OpenContrail Admin (ci-admin-f) wrote:

Reviewed: https://review.opencontrail.org/7434
Committed: http://github.org/Juniper/contrail-controller/commit/de9f1bba1c6824d7a120ca6b15acdabdbaecdb1f
Submitter: Zuul
Branch: master

commit de9f1bba1c6824d7a120ca6b15acdabdbaecdb1f
Author: Tapan Karwa <email address hidden>
Date: Fri Feb 13 14:17:52 2015 -0800

Second set of changes for bgp authentication via tcp-md5.

Take care of review comments regarding const and static. Some modularization.
Code to clear the listen socket when the peer is going away or peer address is
changing. Check for non-zero IP before setsockopt. Check if acceptor is present
before using it. Break up the code doing the setsockopt into one for the
session and one for the listen socket.

Change-Id: I72aa07e052c8905b5d6696040c4810bb8d8d5a4d
Partial-Bug: 1383393

OpenContrail Admin (ci-admin-f) wrote: master

Review in progress for https://review.opencontrail.org/8111
Submitter: Tapan Karwa (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote: A change has been merged

Reviewed: https://review.opencontrail.org/8111
Committed: http://github.org/Juniper/contrail-controller/commit/4757675817b150b42faf17fd3167d178c5cba371
Submitter: Zuul
Branch: master

commit 4757675817b150b42faf17fd3167d178c5cba371
Author: Tapan Karwa <email address hidden>
Date: Thu Mar 5 13:47:52 2015 -0800

Add testcases for bgp md5.

Change-Id: Id4eb4cf5c4f4725d5c2c409ed2c390f80c53eba7
Partial-Bug: 1383393

OpenContrail Admin (ci-admin-f) wrote: master

Review in progress for https://review.opencontrail.org/8225
Submitter: Tapan Karwa (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote: A change has been merged

Reviewed: https://review.opencontrail.org/8225
Committed: http://github.org/Juniper/contrail-controller/commit/115d8c8f3c639185f576a596f470a4ebb481ca9e
Submitter: Zuul
Branch: master

commit 115d8c8f3c639185f576a596f470a4ebb481ca9e
Author: Tapan Karwa <email address hidden>
Date: Tue Mar 10 14:56:45 2015 -0700

Add more test cases for bgp md5

Add tests that configure md5 entries via BgpRouter configurations.
Partial-Bug: 1383393

Change-Id: I3f8acc6759475c4c81ca988aaa2545875e47e47a

OpenContrail Admin (ci-admin-f) wrote: master

Review in progress for https://review.opencontrail.org/8329
Submitter: Tapan Karwa (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote: A change has been merged

Reviewed: https://review.opencontrail.org/8329
Committed: http://github.org/Juniper/contrail-controller/commit/5194e5c17ea6e16b8b3f28756649081f50377ff1
Submitter: Zuul
Branch: master

commit 5194e5c17ea6e16b8b3f28756649081f50377ff1
Author: Tapan Karwa <email address hidden>
Date: Fri Mar 13 08:43:12 2015 -0700

Don't clear the bgp session if we go from no-key to key and vice versa.

Fix test cases to reflect this change. The sessions should not flap on any key
change.
Partial-Bug: 1383393

Change-Id: Ie906aa5e5e5625db7a38b7cd76258e974ba26462

OpenContrail Admin (ci-admin-f) wrote: master

Review in progress for https://review.opencontrail.org/8413
Submitter: Tapan Karwa (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote: A change has been merged

Reviewed: https://review.opencontrail.org/8413
Committed: http://github.org/Juniper/contrail-controller/commit/ab4014db03f74cf34229443e701056e638c1869f
Submitter: Zuul
Branch: master

commit ab4014db03f74cf34229443e701056e638c1869f
Author: Tapan Karwa <email address hidden>
Date: Tue Mar 17 14:51:52 2015 -0700

Change schema for md5 keys and all code/tests dependent on the data-structures

1. Remove files auth_keychain.[cc/h] and move all their functionality to
bgp_config.[cc/h] since there is no benefit in having another data-structure in
the middle. This is done via class AuthenticationData.
2. Use AuthenticationData in each bgp peer.
3. Config input will come in via autogen::AuthenticationData and get converted
to class AuthenticationData defined in bgp_config.h
4. Change all tests to reflect the above and use the new auto-generated
data-structures.

Partial-Bug: 1383393

Change-Id: Ice596d2028891e4322912e25fbc1b63d760ad1b3

Nischal Sheth (nsheth)
information type: Private → Public