From: Job Snijders
Subject: Re: bgpd: add tcp md5sum and ipsec support for rtr sessions
To: tech@openbsd.org
Date: Sun, 13 Oct 2024 16:18:19 +0000

On Wed, Oct 09, 2024 at 10:34:20AM +0200, Claudio Jeker wrote:
> This adds the parse.y and printconf.c bits to configure tcp md5sum and
> ipsec for rtr sessions.
>
> I tested that this does not break tcp md5 for BGP sessions but I have
> no rtr cache that supports tcp md5 at hand so that part is untested.

I have a publicly available stayrtr instance, patch for TCP-MD5 support
over IPv4; seems to work for both OpenBGPD and BIRD:

    # cat /etc/bgpd.conf
    AS 15562

    rtr 165.254.255.17 {
            port 8282
            tcp md5sig password "test"
    }

    # rcctl -f start bgpd
    bgpd(ok)

    # bgpctl show rtr
    RTR neighbor is 165.254.255.17, port 8282
     State: established
     Description: 165.254.255.17
     Version: 1 min 0 Session ID: 33413 Serial #: 1586
     Refresh: 3600, Retry: 600, Expire: 7200
     RTR RefreshTimer due in 00:59:51
     RTR ExpireTimer due in 01:59:51

    # bgpctl show sets
    Type   Name        #IPv4   #IPv6  #ASnum  Last Change
    ROA    RPKI ROA   445112  110818       -  00:00:07
    ASPA   RPKI ASPA       -       -       0  Never

Anyway, TCP-MD5 also OK job@

> Also ipsec is untested.

not 100% sure how to go about testing that one

Kind regards,

Job