0
0
mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-12-22 09:41:54 +00:00

RPKI: Add TCP-MD5 authentication option

RPKI-To-Router (RTR) sessions seem to be similar security-sensitivity as
IBGP sessions. BIRD already offered a choice of either "plain TCP" (meh)
or "SSH" (secure, albeit a bit more hassle to set up than TCP-MD5).
The patch adds TCP-MD5 as another option. TCP-MD5 for RTR is specified
through RFC 6810 section 7.3 and RFC 8210 section 9.3.

Minor changes by committer.
This commit is contained in:
Job Snijders 2024-10-03 15:43:12 +02:00 committed by Ondrej Zajicek
parent 5daec239c4
commit 8dc2a36ae5
5 changed files with 83 additions and 9 deletions

View File

@ -5735,7 +5735,10 @@ protocol rpki [<name>] {
refresh [keep] <num>; refresh [keep] <num>;
retry [keep] <num>; retry [keep] <num>;
expire [keep] <num>; expire [keep] <num>;
transport tcp; transport tcp {
authentication none|md5;
password "<text>";
};
transport ssh { transport ssh {
bird private key "</path/to/id_rsa>"; bird private key "</path/to/id_rsa>";
remote public key "</path/to/known_host>"; remote public key "</path/to/known_host>";
@ -5791,15 +5794,27 @@ specify both channels.
instead. This may be useful for implementing loose RPKI check for instead. This may be useful for implementing loose RPKI check for
blackholes. Default: disabled. blackholes. Default: disabled.
<tag>transport tcp</tag> Unprotected transport over TCP. It's a default <tag>transport tcp { <m/TCP transport options.../ }</tag> Transport over
transport. Should be used only on secure private networks. TCP, it's the default transport. Cannot be combined with a SSH transport.
Default: tcp Default: TCP, no authentication.
<tag>transport ssh { <m/SSH transport options.../ }</tag> It enables a <tag>transport ssh { <m/SSH transport options.../ }</tag> It enables a
SSHv2 transport encryption. Cannot be combined with a TCP transport. SSHv2 transport encryption. Cannot be combined with a TCP transport.
Default: off Default: off
</descrip> </descrip>
<sect3>TCP transport options
<p>
<descrip>
<tag>authentication none|md5</tag>
Select authentication method to be used. <cf/none/ means no
authentication, <cf/md5/ is TCP-MD5 authentication (<rfc id="2385">).
Default: no authentication.
<tag>password "<m>text</m>"</tag>
Use this password for TCP-MD5 authentication of the RPKI-To-Router session.
</descrip>
<sect3>SSH transport options <sect3>SSH transport options
<p> <p>
<descrip> <descrip>

View File

@ -13,6 +13,7 @@ CF_HDR
CF_DEFINES CF_DEFINES
#define RPKI_CFG ((struct rpki_config *) this_proto) #define RPKI_CFG ((struct rpki_config *) this_proto)
#define RPKI_TR_TCP_CFG ((struct rpki_tr_tcp_config *) RPKI_CFG->tr_config.spec)
#define RPKI_TR_SSH_CFG ((struct rpki_tr_ssh_config *) RPKI_CFG->tr_config.spec) #define RPKI_TR_SSH_CFG ((struct rpki_tr_ssh_config *) RPKI_CFG->tr_config.spec)
static void static void
@ -32,7 +33,8 @@ rpki_check_unused_transport(void)
CF_DECLS CF_DECLS
CF_KEYWORDS(RPKI, REMOTE, BIRD, PRIVATE, PUBLIC, KEY, TCP, SSH, TRANSPORT, USER, CF_KEYWORDS(RPKI, REMOTE, BIRD, PRIVATE, PUBLIC, KEY, TCP, SSH, TRANSPORT, USER,
RETRY, REFRESH, EXPIRE, KEEP, IGNORE, MAX, LENGTH, LOCAL, ADDRESS) RETRY, REFRESH, EXPIRE, KEEP, IGNORE, MAX, LENGTH, LOCAL, ADDRESS,
AUTHENTICATION, NONE, MD5, PASSWORD)
%type <i> rpki_keep_interval %type <i> rpki_keep_interval
@ -108,7 +110,7 @@ rpki_cache_addr: text_or_ipa
}; };
rpki_transport: rpki_transport:
TCP rpki_transport_tcp_init TCP rpki_transport_tcp_init rpki_transport_tcp_opts_list rpki_transport_tcp_check
| SSH rpki_transport_ssh_init '{' rpki_transport_ssh_opts '}' rpki_transport_ssh_check | SSH rpki_transport_ssh_init '{' rpki_transport_ssh_opts '}' rpki_transport_ssh_check
; ;
@ -119,6 +121,28 @@ rpki_transport_tcp_init:
RPKI_CFG->tr_config.type = RPKI_TR_TCP; RPKI_CFG->tr_config.type = RPKI_TR_TCP;
}; };
rpki_transport_tcp_opts_list:
/* empty */
| '{' rpki_transport_tcp_opts '}'
;
rpki_transport_tcp_opts:
/* empty */
| rpki_transport_tcp_opts rpki_transport_tcp_item ';'
;
rpki_transport_tcp_item:
AUTHENTICATION NONE { RPKI_TR_TCP_CFG->auth_type = RPKI_TCP_AUTH_NONE; }
| AUTHENTICATION MD5 { RPKI_TR_TCP_CFG->auth_type = RPKI_TCP_AUTH_MD5; }
| PASSWORD text { RPKI_TR_TCP_CFG->password = $2; }
;
rpki_transport_tcp_check:
{
if (!RPKI_TR_TCP_CFG->auth_type != !RPKI_TR_TCP_CFG->password)
cf_error("Authentication and password options should be used together");
};
rpki_transport_ssh_init: rpki_transport_ssh_init:
{ {
#if HAVE_LIBSSH #if HAVE_LIBSSH

View File

@ -685,6 +685,24 @@ rpki_reconfigure_cache(struct rpki_proto *p UNUSED, struct rpki_cache *cache, st
try_reset = 1; try_reset = 1;
} }
if (new->tr_config.type == RPKI_TR_TCP)
{
struct rpki_tr_tcp_config *tcp_old = (void *) old->tr_config.spec;
struct rpki_tr_tcp_config *tcp_new = (void *) new->tr_config.spec;
if (tcp_old->auth_type != tcp_new->auth_type)
{
CACHE_TRACE(D_EVENTS, cache, "Authentication type changed");
return NEED_RESTART;
}
if (bstrcmp(tcp_old->password, tcp_new->password))
{
CACHE_TRACE(D_EVENTS, cache, "MD5 password changed");
return NEED_RESTART;
}
}
#if HAVE_LIBSSH #if HAVE_LIBSSH
else if (new->tr_config.type == RPKI_TR_SSH) else if (new->tr_config.type == RPKI_TR_SSH)
{ {
@ -842,7 +860,11 @@ rpki_show_proto_info(struct proto *P)
default_port = RPKI_SSH_PORT; default_port = RPKI_SSH_PORT;
break; break;
#endif #endif
case RPKI_TR_TCP: case RPKI_TR_TCP:;
struct rpki_tr_tcp_config *tcp_cf = (void *) cf->tr_config.spec;
if (tcp_cf->auth_type == RPKI_TCP_AUTH_MD5)
transport_name = "TCP-MD5";
else
transport_name = "Unprotected over TCP"; transport_name = "Unprotected over TCP";
default_port = RPKI_TCP_PORT; default_port = RPKI_TCP_PORT;
break; break;

View File

@ -24,10 +24,16 @@
static int static int
rpki_tr_tcp_open(struct rpki_tr_sock *tr) rpki_tr_tcp_open(struct rpki_tr_sock *tr)
{ {
struct rpki_cache *cache = tr->cache;
struct rpki_config *cf = (void *) cache->p->p.cf;
struct rpki_tr_tcp_config *tcp_cf = (void *) cf->tr_config.spec;
sock *sk = tr->sk; sock *sk = tr->sk;
sk->type = SK_TCP_ACTIVE; sk->type = SK_TCP_ACTIVE;
if (tcp_cf->auth_type == RPKI_TCP_AUTH_MD5)
sk->password = tcp_cf->password;
if (sk_open(sk) != 0) if (sk_open(sk) != 0)
return RPKI_TR_ERROR; return RPKI_TR_ERROR;

View File

@ -56,6 +56,12 @@ enum rpki_tr_type {
#endif #endif
}; };
/* TCP authentication types */
enum rpki_tcp_auth {
RPKI_TCP_AUTH_NONE,
RPKI_TCP_AUTH_MD5
};
/* Common configure structure for transports */ /* Common configure structure for transports */
struct rpki_tr_config { struct rpki_tr_config {
enum rpki_tr_type type; /* RPKI_TR_TCP or RPKI_TR_SSH */ enum rpki_tr_type type; /* RPKI_TR_TCP or RPKI_TR_SSH */
@ -63,7 +69,8 @@ struct rpki_tr_config {
}; };
struct rpki_tr_tcp_config { struct rpki_tr_tcp_config {
/* No internal configuration data */ enum rpki_tcp_auth auth_type; /* Authentication type */
const char *password; /* Password used for authentication */
}; };
struct rpki_tr_ssh_config { struct rpki_tr_ssh_config {