Implement MD5 authentication option for BGP peering
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
Trunk | Fix Committed | Wishlist | Tapan Karwa |
Bug Description
Implement MD5 authentication for BGP peering based on RFC 2385.
The following requirements need to be supported:
- The implementation must interoperate with other RFC 2385-based BGP speakers
- The implementation should be extensible to support RFC 5925 in the future
- The shared secret must be configurable per bgp-peering in the schema
- The shared secret should also be configurable per bgp-router in the schema
- The UI must make the shared secret configurable per bgp-peering object
- The UI should also make the shared secret configurable per bgp-router
- Key rollover should be supported using the notion of a key-chain
The proposal is to do the following:
- Use setsockopt with the TCP_MD5 option to enable TCP MD5 in the kernel
- The schema supports a key-chain per bgp-peering and bgp-router
- Each element of the key-chain contains a key-id, a shared secret and a start time
- The start time determines which key-chain element is used at a given time
- The CN implements rollover by choosing the active element based on start time
- Rollover must not cause a flap of the underlying TCP session
- The active element is the one with the highest start time that is smaller than the current time
- The assumption is that clocks on all BGP speakers are synchronized
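The key-chain selection rule above, written out as an added example (not Contrail's own code): it picks the active element by start time, reports when the next rollover is due so the speaker can re-issue setsockopt on the live socket instead of reopening it, and treats "no element active yet" as an explicit result. The `KeyChainEntry` fields and the constructed chain are assumptions; the TCP_MD5SIG setsockopt itself is left to the caller.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class KeyChainEntry:
    key_id: int
    secret: bytes     # shared secret the caller hands to the kernel (TCP_MD5SIG on Linux)
    start_time: int   # epoch seconds; assumed synchronized across all BGP speakers

def active_key(chain: Sequence[KeyChainEntry], now: int) -> Optional[KeyChainEntry]:
    """Return the entry with the highest start_time strictly smaller than now.

    Entries whose start_time lies in the future are ignored, so a new key can be
    provisioned on both peers ahead of time.  Returns None when no entry is active
    yet; the caller decides whether to run the session unsigned or refuse it.
    Equal start times are a configuration error; the first one configured wins.
    """
    candidates = [e for e in chain if e.start_time < now]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e.start_time)

def next_rollover(chain: Sequence[KeyChainEntry], now: int) -> Optional[int]:
    """Earliest start_time at or after now, i.e. when the active key may change.

    A speaker arms a timer for this instant and then re-runs active_key() and
    setsockopt on the existing socket, so the TCP session never flaps.
    """
    future = [e.start_time for e in chain if e.start_time >= now]
    return min(future) if future else None

def rollover_schedule(chain: Sequence[KeyChainEntry], times: Sequence[int]):
    """Key-id in use at each sampled time, for reviewing a rollover plan."""
    out = []
    for t in times:
        k = active_key(chain, t)
        out.append((t, k.key_id if k else None))
    return out

# Constructed sample chain, deliberately not sorted by start time.
EXAMPLE_CHAIN = [
    KeyChainEntry(2, b"second-secret", 2000),
    KeyChainEntry(1, b"first-secret", 1000),
    KeyChainEntry(3, b"third-secret", 3000),
]

if __name__ == "__main__":
    print(rollover_schedule(EXAMPLE_CHAIN, [500, 1000, 1001, 2500, 5000]))
```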
References:
https:/
https:/
http://
Changed in juniperopenstack:
- assignee: nobody → Tapan Karwa (tkarwa)
- importance: Undecided → High
- no longer affects: opencontrail
- information type: Private → Public
UI change is tracked by bug 1420416.