| author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2016-10-30 23:51:23 +0100 |
|---|---|---|
| committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2016-11-02 17:53:22 +0100 |
| commit | e03dc6a984555e3c943735d50376cada2220bac8 (patch) | |
| tree | 7f0c54682b71200d8db1390caeb09b2056ba2853 /doc | |
| parent | 29239ba2bbee3e9ec7d17793b25936a1bfc795ca (diff) | |
BFD: Authentication
Implement BFD authentication (part of RFC 5880). Supports plaintext
passwords and cryptographic MD5 / SHA-1 authentication.
Based on a former commit from Pavel Tvrdik.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/bird.sgml | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml index 7c34c208..6af0e0f6 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -672,7 +672,7 @@ agreement"). authentication is enabled, authentication can be enabled by separate, protocol-dependent <cf/authentication/ option. - This option is allowed in OSPF and RIP protocols. BGP has also + This option is allowed in BFD, OSPF and RIP protocols. BGP has also <cf/password/ option, but it is slightly different and described separately. Default: none. @@ -1637,6 +1637,19 @@ protocol bfd [<name>] { idle tx interval <time>; multiplier <num>; passive <switch>; + authentication none; + authentication simple; + authentication [meticulous] keyed md5|sha1; + password "<text>"; + password "<text>" { + id <num>; + generate from "<date>"; + generate to "<date>"; + accept from "<date>"; + accept to "<date>"; + from "<date>"; + to "<date>"; + }; }; multihop { interval <time>; 
@@ -1720,6 +1733,32 @@ protocol bfd [<name>] { sending control packets to the other side. This option allows to enable passive mode, which means that the router does not send BFD packets until it has received one from the other side. Default: disabled. + + <tag>authentication none</tag> + No passwords are sent in BFD packets. This is the default value. + + <tag>authentication simple</tag> + Every packet carries 16 bytes of password. Received packets lacking this + password are ignored. This authentication mechanism is very weak. + + <tag>authentication [meticulous] keyed md5|sha1</tag> + An authentication code is appended to each packet. The cryptographic + algorithm is keyed MD5 or keyed SHA-1. Note that the algorithm is common + for all keys (on one interface), in contrast to OSPF or RIP, where it + is a per-key option. Passwords (keys) are not sent open via network. + + The <cf/meticulous/ variant means that cryptographic sequence numbers + are increased for each sent packet, while in the basic variant they are + increased about once per second. Generally, the <cf/meticulous/ variant + offers better resistance to replay attacks but may require more + computation. + + <tag>password "<M>text</M>"</tag> + Specifies a password used for authentication. See <ref id="dsc-pass" + name="password"> common option for detailed description. Note that + password option <cf/algorithm/ is not available in BFD protocol. The + algorithm is selected by <cf/authentication/ option for all passwords. + </descrip> <sect1>Example |
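Review bot: the sentence changed in the `@@ -672` hunk now lists BFD alongside OSPF and RIP as if the `authentication` option behaved the same in all three, but the BFD description added later in this patch says the per-password `algorithm` option is not available in BFD and that the algorithm is chosen by `authentication` for all passwords. Since this paragraph already singles out BGP's `password` as "slightly different and described separately", give BFD the same treatment, e.g. "This option is allowed in BFD, OSPF and RIP protocols; note that in BFD the algorithm is selected per protocol, not per key."

Review bot: the syntax block in the `@@ -1637` hunk lists `password "<text>"` with no length constraint, while the description later in the patch says `authentication simple` puts "16 bytes of password" into every packet. State here, or in the `password` description, what happens to a simple-mode password shorter or longer than 16 bytes (padded, truncated, or rejected at configuration time), so an operator is not left with a silently mismatched key. Also, writing `authentication none;`, `authentication simple;` and `authentication [meticulous] keyed md5|sha1;` as three separate statements suggests they can be combined; a single `authentication none|simple|[meticulous] keyed md5|sha1;` line would match how alternatives are written elsewhere in the same block (`md5|sha1`).

Review bot: the `authentication simple` paragraph in the `@@ -1720` hunk says received packets lacking the password are ignored, but the `keyed md5|sha1` paragraph never says what happens to a packet whose authentication code does not verify or whose key `id` is unknown; add the equivalent sentence there, since that drop behaviour is what an operator relies on. Two wording points in the same hunk: "Passwords (keys) are not sent open via network" reads better as "Passwords (keys) are not sent in clear text over the network", and "increased about once per second" as "increased approximately once per second". Finally, "Every packet carries 16 bytes of password" implies a fixed length; if shorter passwords are accepted, say so and give the maximum.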