mirror of
https://gitlab.nic.cz/labs/bird.git
synced 2024-12-22 09:41:54 +00:00
DOC: Password algorithm option
This commit is contained in:
parent
56cb3bedc2
commit
64385aee0c
@ -664,13 +664,13 @@ agreement").
|
|||||||
protocol packets are processed in the local TX queues. This option is
|
protocol packets are processed in the local TX queues. This option is
|
||||||
Linux specific. Default value is 7 (highest priority, privileged traffic).
|
Linux specific. Default value is 7 (highest priority, privileged traffic).
|
||||||
|
|
||||||
<tag><label id="proto-pass">password "<m/password/" [ { id <m/num/; generate from <m/time/; generate to <m/time/; accept from <m/time/; accept to <m/time/; } ]</tag>
|
<tag><label id="proto-pass">password "<m/password/" [ { <m>password options</m> } ]</tag>
|
||||||
Specifies a password that can be used by the protocol. Password option
|
Specifies a password that can be used by the protocol as a shared secret
|
||||||
can be used more times to specify more passwords. If more passwords are
|
key. Password option can be used more times to specify more passwords.
|
||||||
specified, it is a protocol-dependent decision which one is really
|
If more passwords are specified, it is a protocol-dependent decision
|
||||||
used. Specifying passwords does not mean that authentication is enabled,
|
which one is really used. Specifying passwords does not mean that
|
||||||
authentication can be enabled by separate, protocol-dependent
|
authentication is enabled, authentication can be enabled by separate,
|
||||||
<cf/authentication/ option.
|
protocol-dependent <cf/authentication/ option.
|
||||||
|
|
||||||
This option is allowed in OSPF and RIP protocols. BGP has also
|
This option is allowed in OSPF and RIP protocols. BGP has also
|
||||||
<cf/password/ option, but it is slightly different and described
|
<cf/password/ option, but it is slightly different and described
|
||||||
@ -700,6 +700,19 @@ agreement").
|
|||||||
|
|
||||||
<tag><label id="proto-pass-accept-to">accept to "<m/time/"</tag>
|
<tag><label id="proto-pass-accept-to">accept to "<m/time/"</tag>
|
||||||
The last time of the usage of the password for packet verification.
|
The last time of the usage of the password for packet verification.
|
||||||
|
|
||||||
|
<tag><label id="proto-pass-from">from "<m/time/"</tag>
|
||||||
|
Shorthand for setting both <cf/generate from/ and <cf/accept from/.
|
||||||
|
|
||||||
|
<tag><label id="proto-pass-to">to "<m/time/"</tag>
|
||||||
|
Shorthand for setting both <cf/generate to/ and <cf/accept to/.
|
||||||
|
|
||||||
|
<tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 )</tag>
|
||||||
|
The message authentication algorithm for the password when cryptographic
|
||||||
|
authentication is enabled. The default value depends on the protocol.
|
||||||
|
For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3
|
||||||
|
protocol it is HMAC-SHA-256.
|
||||||
|
|
||||||
</descrip>
|
</descrip>
|
||||||
|
|
||||||
<chapt>Remote control
|
<chapt>Remote control
|
||||||
@ -2659,7 +2672,7 @@ protocol ospf <name> {
|
|||||||
ttl security [<switch>; | tx only]
|
ttl security [<switch>; | tx only]
|
||||||
tx class|dscp <num>;
|
tx class|dscp <num>;
|
||||||
tx priority <num>;
|
tx priority <num>;
|
||||||
authentication [none|simple|cryptographic];
|
authentication none|simple|cryptographic;
|
||||||
password "<text>";
|
password "<text>";
|
||||||
password "<text>" {
|
password "<text>" {
|
||||||
id <num>;
|
id <num>;
|
||||||
@ -2667,6 +2680,9 @@ protocol ospf <name> {
|
|||||||
generate to "<date>";
|
generate to "<date>";
|
||||||
accept from "<date>";
|
accept from "<date>";
|
||||||
accept to "<date>";
|
accept to "<date>";
|
||||||
|
from "<date>";
|
||||||
|
to "<date>";
|
||||||
|
algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
|
||||||
};
|
};
|
||||||
neighbors {
|
neighbors {
|
||||||
<ip>;
|
<ip>;
|
||||||
@ -2679,8 +2695,18 @@ protocol ospf <name> {
|
|||||||
wait <num>;
|
wait <num>;
|
||||||
dead count <num>;
|
dead count <num>;
|
||||||
dead <num>;
|
dead <num>;
|
||||||
authentication [none|simple|cryptographic];
|
authentication none|simple|cryptographic;
|
||||||
password "<text>";
|
password "<text>";
|
||||||
|
password "<text>" {
|
||||||
|
id <num>;
|
||||||
|
generate from "<date>";
|
||||||
|
generate to "<date>";
|
||||||
|
accept from "<date>";
|
||||||
|
accept to "<date>";
|
||||||
|
from "<date>";
|
||||||
|
to "<date>";
|
||||||
|
algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@ -2999,15 +3025,18 @@ protocol ospf <name> {
|
|||||||
<tag><label id="ospf-auth-simple">authentication simple</tag>
|
<tag><label id="ospf-auth-simple">authentication simple</tag>
|
||||||
Every packet carries 8 bytes of password. Received packets lacking this
|
Every packet carries 8 bytes of password. Received packets lacking this
|
||||||
password are ignored. This authentication mechanism is very weak.
|
password are ignored. This authentication mechanism is very weak.
|
||||||
|
This option is not available in OSPFv3.
|
||||||
|
|
||||||
<tag><label id="ospf-auth-cryptographic">authentication cryptographic</tag>
|
<tag><label id="ospf-auth-cryptographic">authentication cryptographic</tag>
|
||||||
16-byte long MD5 digest is appended to every packet. For the digest
|
An authentication code is appended to every packet. The specific
|
||||||
generation 16-byte long passwords are used. Those passwords are not sent
|
cryptographic algorithm is selected by option <cf/algorithm/ for each
|
||||||
via network, so this mechanism is quite secure. Packets can still be
|
key. The default cryptographic algorithm for OSPFv2 keys is Keyed-MD5
|
||||||
read by an attacker.
|
and for OSPFv3 keys is HMAC-SHA-256. Passwords are not sent open via
|
||||||
|
network, so this mechanism is quite secure. Packets can still be read by
|
||||||
|
an attacker.
|
||||||
|
|
||||||
<tag><label id="ospf-pass">password "<M>text</M>"</tag>
|
<tag><label id="ospf-pass">password "<M>text</M>"</tag>
|
||||||
An 8-byte or 16-byte password used for authentication. See
|
Specifies a password used for authentication. See
|
||||||
<ref id="proto-pass" name="password"> common option for detailed
|
<ref id="proto-pass" name="password"> common option for detailed
|
||||||
description.
|
description.
|
||||||
|
|
||||||
@ -3069,11 +3098,13 @@ protocol ospf MyOSPF {
|
|||||||
id 1;
|
id 1;
|
||||||
generate to "22-04-2003 11:00:06";
|
generate to "22-04-2003 11:00:06";
|
||||||
accept from "17-01-2001 12:01:05";
|
accept from "17-01-2001 12:01:05";
|
||||||
|
algorithm hmac sha384;
|
||||||
};
|
};
|
||||||
password "def" {
|
password "def" {
|
||||||
id 2;
|
id 2;
|
||||||
generate to "22-07-2005 17:03:21";
|
generate to "22-07-2005 17:03:21";
|
||||||
accept from "22-02-2001 11:34:06";
|
accept from "22-02-2001 11:34:06";
|
||||||
|
algorithm hmac sha512;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
interface "arc0" {
|
interface "arc0" {
|
||||||
@ -3500,8 +3531,7 @@ you can't use RIP on networks where maximal distance is higher than 15
|
|||||||
hosts.
|
hosts.
|
||||||
|
|
||||||
<p>BIRD supports RIPv1 (<rfc id="1058">), RIPv2 (<rfc id="2453">), RIPng (<rfc
|
<p>BIRD supports RIPv1 (<rfc id="1058">), RIPv2 (<rfc id="2453">), RIPng (<rfc
|
||||||
id="2080">), and RIP cryptographic authentication (SHA-1 not implemented)
|
id="2080">), and RIP cryptographic authentication (<rfc id="4822">).
|
||||||
(<rfc id="4822">).
|
|
||||||
|
|
||||||
<p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow
|
<p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow
|
||||||
convergence, big network load and inability to handle larger networks makes it
|
convergence, big network load and inability to handle larger networks makes it
|
||||||
@ -3545,6 +3575,9 @@ protocol rip [<name>] {
|
|||||||
generate to "<date>";
|
generate to "<date>";
|
||||||
accept from "<date>";
|
accept from "<date>";
|
||||||
accept to "<date>";
|
accept to "<date>";
|
||||||
|
from "<date>";
|
||||||
|
to "<date>";
|
||||||
|
algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@ -3658,7 +3691,9 @@ protocol rip [<name>] {
|
|||||||
Selects authentication method to be used. <cf/none/ means that packets
|
Selects authentication method to be used. <cf/none/ means that packets
|
||||||
are not authenticated at all, <cf/plaintext/ means that a plaintext
|
are not authenticated at all, <cf/plaintext/ means that a plaintext
|
||||||
password is embedded into each packet, and <cf/cryptographic/ means that
|
password is embedded into each packet, and <cf/cryptographic/ means that
|
||||||
packets are authenticated using a MD5 cryptographic hash. If you set
|
packets are authenticated using some cryptographic hash function
|
||||||
|
selected by option <cf/algorithm/ for each key. The default
|
||||||
|
cryptographic algorithm for RIP keys is Keyed-MD5. If you set
|
||||||
authentication to not-none, it is a good idea to add <cf>password</cf>
|
authentication to not-none, it is a good idea to add <cf>password</cf>
|
||||||
section. Default: none.
|
section. Default: none.
|
||||||
|
|
||||||
@ -3704,8 +3739,8 @@ protocol rip [<name>] {
|
|||||||
consideration. When the link disappears (e.g. an ethernet cable is
|
consideration. When the link disappears (e.g. an ethernet cable is
|
||||||
unplugged), neighbors are immediately considered unreachable and all
|
unplugged), neighbors are immediately considered unreachable and all
|
||||||
routes received from them are withdrawn. It is possible that some
|
routes received from them are withdrawn. It is possible that some
|
||||||
hardware drivers or platforms do not implement this feature. Default:
|
hardware drivers or platforms do not implement this feature.
|
||||||
no.
|
Default: no.
|
||||||
</descrip>
|
</descrip>
|
||||||
|
|
||||||
<sect1>Attributes
|
<sect1>Attributes
|
||||||
@ -3738,7 +3773,8 @@ protocol rip {
|
|||||||
garbage time 60;
|
garbage time 60;
|
||||||
interface "eth0" { metric 3; mode multicast; };
|
interface "eth0" { metric 3; mode multicast; };
|
||||||
interface "eth*" { metric 2; mode broadcast; };
|
interface "eth*" { metric 2; mode broadcast; };
|
||||||
authentication none;
|
authentication cryptographic;
|
||||||
|
password "secret-shared-key" { algorithm hmac sha256; };
|
||||||
import filter { print "importing"; accept; };
|
import filter { print "importing"; accept; };
|
||||||
export filter { print "exporting"; accept; };
|
export filter { print "exporting"; accept; };
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user