author Ondrej Zajicek (work) <santiago@crfreenet.org> 2016-04-13 14:30:28 +0200
committer Ondrej Zajicek (work) <santiago@crfreenet.org> 2016-04-13 14:37:09 +0200
commit a7baa09862e6b4856cd66197c6bd74c7df336b8f
tree 323e453c150273bb6d15bb19881affc8b43b6edf /doc
parent 43fc6bb0fb720762f12124076e2241855741ceb5
BSD: Add the IPsec SA/SP database entries control
Add code for manipulation with TCP-MD5 keys in the IPsec SA/SP database at FreeBSD systems. Now, BGP MD5 authentication (RFC 2385) keys are handled automatically on both Linux and FreeBSD. Based on patches from Pavel Tvrdik.
Diffstat (limited to 'doc')
-rw-r--r-- doc/bird.sgml 17
1 files changed, 14 insertions, 3 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 653e0bb5..1a5fbaff 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -1764,9 +1764,20 @@ using the following configuration parameters:
only. Default: disabled.
<tag>password <m/string/</tag>
- Use this password for MD5 authentication of BGP sessions. Default: no
- authentication. Password has to be set by external utility
- (e.g. setkey(8)) on BSD systems.
+ Use this password for MD5 authentication of BGP sessions (RFC 2385).
+ When used on BSD systems, see also <cf/setkey/ option below. Default:
+ no authentication.
+
+ <tag>setkey <m/switch/</tag>
+ On BSD systems, keys for TCP MD5 authentication are stored in the global
+ SA/SP database, which can be accessed by external utilities (e.g.
+ setkey(8)). BIRD configures security associations in the SA/SP database
+ automatically based on <cf/password/ options (see above), this option
+ allows to disable automatic updates by BIRD when manual configuration by
+ external utilities is preferred. Note that automatic SA/SP database
+ updates are currently implemented only for FreeBSD. Passwords have to be
+ set manually by an external utility on NetBSD and OpenBSD. Default:
+ enabled (ignored on non-FreeBSD).
<tag>passive <m/switch/</tag>
Standard BGP behavior is both initiating outgoing connections and
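Review bot: The new setkey entry leaves the operator guessing about the failure modes, and its central sentence needs a rewrite. "BIRD configures security associations in the SA/SP database automatically based on password options (see above), this option allows to disable automatic updates" is a comma splice and "allows to disable" is ungrammatical; split it, for example "... based on password options (see above). This option disables the automatic updates when manual configuration by external utilities is preferred." Beyond wording, the entry should say what happens to an SA/SP entry that BIRD installed when the password is later removed or setkey is switched off on reconfigure, and what the operator should expect on NetBSD and OpenBSD when password is set but no key has been installed manually. As written, "Default: enabled (ignored on non-FreeBSD)" can be read as meaning the session is authenticated there without further action. Since the text itself notes that the database is global and reachable by external utilities, a short remark that entries can be changed outside BIRD's control would also fit here.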