Support TCP-MD5 authentication for BGP

[ghorofamike]

Is this a bug report or a feature request?:
Feature Request

What happened:
We would like to be able to set a password field in the BGP configuration, needed when working with some peers: Like Vultr's BGP, which accept a password field to authenticate a user, see the protocol bgp vultr section in documentation link above, there is a password line. Looking through the code, seems like it would go to some place like this though of course im not a go programmer yet.

What you expected to happen:
We cant set the password, so we will obviously not be able to use their BGP

How to reproduce it (as minimally and precisely as possible):
Always

Anything else we need to know?:
Not sure if there is a downside, but we only see the upsides.

Environment:

• MetalLB version: 0.5.0
• Kubernetes version: 1.9X
• BGP router type/version: OSS Bird
• OS (e.g. from /etc/os-release): Fedora
• Kernel (e.g. uname -a): 4.15.12

[danderson]

This looks like a great feature to have.

General overview of implementation:

• Add the field to the Peer struct in internal/config, and add some config parsing tests (are there any constraints on the format of the BGP password? I don't know)
• Add the password to the Session struct in internal/bgp, and set the TCP_MD5 socket option in Session.connect() if the password is non-empty. For this, you probably need to be familiar with low-level networking and syscall interfaces in Go, because Go doesn't have an easy API to set the TCP-MD5 key.
• Connect things up in speaker/bgp_controller.go: take the password out of the config objects and pass them into the BGP session creations.
• Add documentation: update manifests/example-config.yaml, check if the website needs an update (probably minor edits, but no need for a full doc section about BGP passwords).
• Add to release notes for 0.6.

Are you interested in contributing a PR for this? I'm happy to implement it myself, but if you want to do it, I would be happy to do code reviews and give you advice!

[ghorofamike]

So i have made some attempt, not yet ready for a PR since its not functional, but see here
code
i need some pointers for solving this error:

E0410 12:19:51.481824       1 bgp.go:52] Connecting to "169.254.169.254:179": setting TCP_MD5 sockopt to "169.254.169.254:179": invalid argument

this line is clearly the issue: Line
its clearly not doing what i intended, but otherwise i think i got the bulk of the checklist done

• Add the field to the Peer struct in internal/config ...
• Add the password to the Session struct in internal/bgp ...
• Connect things up in speaker/bgp_controller.go ...
• Add documentation: update (Partial, edited manifests/example-config.yaml)
• Add to release notes :( not done.

I have had a look at gobgp, which seems to do this by not using net.Conn, but using some fancy legwork with os file descriptors link, which i wish we could avoid if the net.Conn api's allow.

[ghorofamike]

closing, PR #236 merged.

[205g0]

Just trying to get metalllb with vultr's BGP to work as well. I still wonder if I use metallb with or without BIRD. And where do I put the reserved IP I got from vultr if used without BIRD (with BIRD,I'd link it to a dummy interface)?

With this setup my services get private EXTERNAL-IPs and I don't know/understand how to make them available over the public, reserved IP. My config:

kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    peers:
    - peer-address: 169.254.169.254
      peer-asn: 64515
      my-asn: 4288000244
      password: "[redacted]"
    address-pools:
    - name: default
      protocol: bgp
      addresses:
      - 10.1.96.0/20

cc @ghorofamike @danderson

[ghorofamike]

Hi,
With vultr, you do not need bird/quagga et cetra. just your metallb config and the vultr credentials plus a floating ip since you can not use one that comes with the VPS's ethernet. Here is a sample config:

apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    peers:
    - peer-address: 169.254.169.254    
      peer-asn: 64515
      my-asn: CHANGEME
      password: "CHANGE-ME-FROM-DASHBOARD"
    address-pools:
    - name: ams-floating
      auto-assign: false
      protocol: bgp
      addresses:
      - CHANGEME-TO-FLOATING/32
      bgp-advertisements:
      - aggregation-length: 32