summaryrefslogtreecommitdiff
path: root/doc/bird.sgml
diff options
context:
space:
mode:
authorOndrej Zajicek (work) <santiago@crfreenet.org>2016-04-13 14:30:28 +0200
committerOndrej Zajicek (work) <santiago@crfreenet.org>2016-04-13 14:37:09 +0200
commita7baa09862e6b4856cd66197c6bd74c7df336b8f (patch)
tree323e453c150273bb6d15bb19881affc8b43b6edf /doc/bird.sgml
parent43fc6bb0fb720762f12124076e2241855741ceb5 (diff)
BSD: Add the IPsec SA/SP database entries control
Add code for manipulation with TCP-MD5 keys in the IPsec SA/SP database at FreeBSD systems. Now, BGP MD5 authentication (RFC 2385) keys are handled automatically on both Linux and FreeBSD. Based on patches from Pavel Tvrdik.
Diffstat (limited to 'doc/bird.sgml')
-rw-r--r--doc/bird.sgml17
1 files changed, 14 insertions, 3 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 653e0bb5..1a5fbaff 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -1764,9 +1764,20 @@ using the following configuration parameters:
only. Default: disabled.
<tag>password <m/string/</tag>
- Use this password for MD5 authentication of BGP sessions. Default: no
- authentication. Password has to be set by external utility
- (e.g. setkey(8)) on BSD systems.
+ Use this password for MD5 authentication of BGP sessions (RFC 2385).
+ When used on BSD systems, see also <cf/setkey/ option below. Default:
+ no authentication.
+
+ <tag>setkey <m/switch/</tag>
+ On BSD systems, keys for TCP MD5 authentication are stored in the global
+ SA/SP database, which can be accessed by external utilities (e.g.
+ setkey(8)). BIRD configures security associations in the SA/SP database
+ automatically based on <cf/password/ options (see above), this option
+ allows to disable automatic updates by BIRD when manual configuration by
+ external utilities is preferred. Note that automatic SA/SP database
+ updates are currently implemented only for FreeBSD. Passwords have to be
+ set manually by an external utility on NetBSD and OpenBSD. Default:
+ enabled (ignored on non-FreeBSD).
<tag>passive <m/switch/</tag>
Standard BGP behavior is both initiating outgoing connections and