0
0
mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-12-22 09:41:54 +00:00

DOC: Password algorithm option

This commit is contained in:
Pavel Tvrdík 2016-01-28 17:05:15 +01:00 committed by Ondrej Zajicek (work)
parent 56cb3bedc2
commit 64385aee0c

View File

@ -664,13 +664,13 @@ agreement").
protocol packets are processed in the local TX queues. This option is protocol packets are processed in the local TX queues. This option is
Linux specific. Default value is 7 (highest priority, privileged traffic). Linux specific. Default value is 7 (highest priority, privileged traffic).
<tag><label id="proto-pass">password "<m/password/" [ { id <m/num/; generate from <m/time/; generate to <m/time/; accept from <m/time/; accept to <m/time/; } ]</tag> <tag><label id="proto-pass">password "<m/password/" [ { <m>password options</m> } ]</tag>
Specifies a password that can be used by the protocol. Password option Specifies a password that can be used by the protocol as a shared secret
can be used more times to specify more passwords. If more passwords are key. Password option can be used more times to specify more passwords.
specified, it is a protocol-dependent decision which one is really If more passwords are specified, it is a protocol-dependent decision
used. Specifying passwords does not mean that authentication is enabled, which one is really used. Specifying passwords does not mean that
authentication can be enabled by separate, protocol-dependent authentication is enabled, authentication can be enabled by separate,
<cf/authentication/ option. protocol-dependent <cf/authentication/ option.
This option is allowed in OSPF and RIP protocols. BGP has also This option is allowed in OSPF and RIP protocols. BGP has also
<cf/password/ option, but it is slightly different and described <cf/password/ option, but it is slightly different and described
@ -700,6 +700,19 @@ agreement").
<tag><label id="proto-pass-accept-to">accept to "<m/time/"</tag> <tag><label id="proto-pass-accept-to">accept to "<m/time/"</tag>
The last time of the usage of the password for packet verification. The last time of the usage of the password for packet verification.
<tag><label id="proto-pass-from">from "<m/time/"</tag>
Shorthand for setting both <cf/generate from/ and <cf/accept from/.
<tag><label id="proto-pass-to">to "<m/time/"</tag>
Shorthand for setting both <cf/generate to/ and <cf/accept to/.
<tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 )</tag>
The message authentication algorithm for the password when cryptographic
authentication is enabled. The default value depends on the protocol.
For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3
protocol it is HMAC-SHA-256.
</descrip> </descrip>
<chapt>Remote control <chapt>Remote control
@ -2659,7 +2672,7 @@ protocol ospf &lt;name&gt; {
ttl security [&lt;switch&gt;; | tx only] ttl security [&lt;switch&gt;; | tx only]
tx class|dscp &lt;num&gt;; tx class|dscp &lt;num&gt;;
tx priority &lt;num&gt;; tx priority &lt;num&gt;;
authentication [none|simple|cryptographic]; authentication none|simple|cryptographic;
password "&lt;text&gt;"; password "&lt;text&gt;";
password "&lt;text&gt;" { password "&lt;text&gt;" {
id &lt;num&gt;; id &lt;num&gt;;
@ -2667,6 +2680,9 @@ protocol ospf &lt;name&gt; {
generate to "&lt;date&gt;"; generate to "&lt;date&gt;";
accept from "&lt;date&gt;"; accept from "&lt;date&gt;";
accept to "&lt;date&gt;"; accept to "&lt;date&gt;";
from "&lt;date&gt;";
to "&lt;date&gt;";
algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
}; };
neighbors { neighbors {
&lt;ip&gt;; &lt;ip&gt;;
@ -2679,8 +2695,18 @@ protocol ospf &lt;name&gt; {
wait &lt;num&gt;; wait &lt;num&gt;;
dead count &lt;num&gt;; dead count &lt;num&gt;;
dead &lt;num&gt;; dead &lt;num&gt;;
authentication [none|simple|cryptographic]; authentication none|simple|cryptographic;
password "&lt;text&gt;"; password "&lt;text&gt;";
password "&lt;text&gt;" {
id &lt;num&gt;;
generate from "&lt;date&gt;";
generate to "&lt;date&gt;";
accept from "&lt;date&gt;";
accept to "&lt;date&gt;";
from "&lt;date&gt;";
to "&lt;date&gt;";
algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
};
}; };
}; };
} }
@ -2999,15 +3025,18 @@ protocol ospf &lt;name&gt; {
<tag><label id="ospf-auth-simple">authentication simple</tag> <tag><label id="ospf-auth-simple">authentication simple</tag>
Every packet carries 8 bytes of password. Received packets lacking this Every packet carries 8 bytes of password. Received packets lacking this
password are ignored. This authentication mechanism is very weak. password are ignored. This authentication mechanism is very weak.
This option is not available in OSPFv3.
<tag><label id="ospf-auth-cryptographic">authentication cryptographic</tag> <tag><label id="ospf-auth-cryptographic">authentication cryptographic</tag>
16-byte long MD5 digest is appended to every packet. For the digest An authentication code is appended to every packet. The specific
generation 16-byte long passwords are used. Those passwords are not sent cryptographic algorithm is selected by option <cf/algorithm/ for each
via network, so this mechanism is quite secure. Packets can still be key. The default cryptographic algorithm for OSPFv2 keys is Keyed-MD5
read by an attacker. and for OSPFv3 keys is HMAC-SHA-256. Passwords are not sent open via
network, so this mechanism is quite secure. Packets can still be read by
an attacker.
<tag><label id="ospf-pass">password "<M>text</M>"</tag> <tag><label id="ospf-pass">password "<M>text</M>"</tag>
An 8-byte or 16-byte password used for authentication. See Specifies a password used for authentication. See
<ref id="proto-pass" name="password"> common option for detailed <ref id="proto-pass" name="password"> common option for detailed
description. description.
@ -3069,11 +3098,13 @@ protocol ospf MyOSPF {
id 1; id 1;
generate to "22-04-2003 11:00:06"; generate to "22-04-2003 11:00:06";
accept from "17-01-2001 12:01:05"; accept from "17-01-2001 12:01:05";
algorithm hmac sha384;
}; };
password "def" { password "def" {
id 2; id 2;
generate to "22-07-2005 17:03:21"; generate to "22-07-2005 17:03:21";
accept from "22-02-2001 11:34:06"; accept from "22-02-2001 11:34:06";
algorithm hmac sha512;
}; };
}; };
interface "arc0" { interface "arc0" {
@ -3500,8 +3531,7 @@ you can't use RIP on networks where maximal distance is higher than 15
hosts. hosts.
<p>BIRD supports RIPv1 (<rfc id="1058">), RIPv2 (<rfc id="2453">), RIPng (<rfc <p>BIRD supports RIPv1 (<rfc id="1058">), RIPv2 (<rfc id="2453">), RIPng (<rfc
id="2080">), and RIP cryptographic authentication (SHA-1 not implemented) id="2080">), and RIP cryptographic authentication (<rfc id="4822">).
(<rfc id="4822">).
<p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow <p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow
convergence, big network load and inability to handle larger networks makes it convergence, big network load and inability to handle larger networks makes it
@ -3545,6 +3575,9 @@ protocol rip [&lt;name&gt;] {
generate to "&lt;date&gt;"; generate to "&lt;date&gt;";
accept from "&lt;date&gt;"; accept from "&lt;date&gt;";
accept to "&lt;date&gt;"; accept to "&lt;date&gt;";
from "&lt;date&gt;";
to "&lt;date&gt;";
algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
}; };
}; };
} }
@ -3658,7 +3691,9 @@ protocol rip [&lt;name&gt;] {
Selects authentication method to be used. <cf/none/ means that packets Selects authentication method to be used. <cf/none/ means that packets
are not authenticated at all, <cf/plaintext/ means that a plaintext are not authenticated at all, <cf/plaintext/ means that a plaintext
password is embedded into each packet, and <cf/cryptographic/ means that password is embedded into each packet, and <cf/cryptographic/ means that
packets are authenticated using a MD5 cryptographic hash. If you set packets are authenticated using some cryptographic hash function
selected by option <cf/algorithm/ for each key. The default
cryptographic algorithm for RIP keys is Keyed-MD5. If you set
authentication to not-none, it is a good idea to add <cf>password</cf> authentication to not-none, it is a good idea to add <cf>password</cf>
section. Default: none. section. Default: none.
@ -3704,8 +3739,8 @@ protocol rip [&lt;name&gt;] {
consideration. When the link disappears (e.g. an ethernet cable is consideration. When the link disappears (e.g. an ethernet cable is
unplugged), neighbors are immediately considered unreachable and all unplugged), neighbors are immediately considered unreachable and all
routes received from them are withdrawn. It is possible that some routes received from them are withdrawn. It is possible that some
hardware drivers or platforms do not implement this feature. Default: hardware drivers or platforms do not implement this feature.
no. Default: no.
</descrip> </descrip>
<sect1>Attributes <sect1>Attributes
@ -3738,7 +3773,8 @@ protocol rip {
garbage time 60; garbage time 60;
interface "eth0" { metric 3; mode multicast; }; interface "eth0" { metric 3; mode multicast; };
interface "eth*" { metric 2; mode broadcast; }; interface "eth*" { metric 2; mode broadcast; };
authentication none; authentication cryptographic;
password "secret-shared-key" { algorithm hmac sha256; };
import filter { print "importing"; accept; }; import filter { print "importing"; accept; };
export filter { print "exporting"; accept; }; export filter { print "exporting"; accept; };
} }