diff options
author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2016-04-13 14:30:28 +0200 |
---|---|---|
committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2016-04-13 14:37:09 +0200 |
commit | a7baa09862e6b4856cd66197c6bd74c7df336b8f (patch) | |
tree | 323e453c150273bb6d15bb19881affc8b43b6edf /doc/bird.sgml | |
parent | 43fc6bb0fb720762f12124076e2241855741ceb5 (diff) |
BSD: Add the IPsec SA/SP database entries control
Add code for manipulation with TCP-MD5 keys in the IPsec SA/SP database
at FreeBSD systems. Now, BGP MD5 authentication (RFC 2385) keys are
handled automatically on both Linux and FreeBSD.
Based on patches from Pavel Tvrdik.
Diffstat (limited to 'doc/bird.sgml')
-rw-r--r-- | doc/bird.sgml | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml index 653e0bb5..1a5fbaff 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -1764,9 +1764,20 @@ using the following configuration parameters: only. Default: disabled. <tag>password <m/string/</tag> - Use this password for MD5 authentication of BGP sessions. Default: no - authentication. Password has to be set by external utility - (e.g. setkey(8)) on BSD systems. + Use this password for MD5 authentication of BGP sessions (RFC 2385). + When used on BSD systems, see also <cf/setkey/ option below. Default: + no authentication. + + <tag>setkey <m/switch/</tag> + On BSD systems, keys for TCP MD5 authentication are stored in the global + SA/SP database, which can be accessed by external utilities (e.g. + setkey(8)). BIRD configures security associations in the SA/SP database + automatically based on <cf/password/ options (see above), this option + allows to disable automatic updates by BIRD when manual configuration by + external utilities is preferred. Note that automatic SA/SP database + updates are currently implemented only for FreeBSD. Passwords have to be + set manually by an external utility on NetBSD and OpenBSD. Default: + enabled (ignored on non-FreeBSD). <tag>passive <m/switch/</tag> Standard BGP behavior is both initiating outgoing connections and |