Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support TCP-MD5 authentication for BGP #215

Closed
ghorofamike opened this issue Apr 4, 2018 · 5 comments
Closed

Support TCP-MD5 authentication for BGP #215

ghorofamike opened this issue Apr 4, 2018 · 5 comments
Labels
enhancement interoperability
Projects
BGP mode
Milestone
v0.6.0

Comments

@ghorofamike
Copy link
Contributor

ghorofamike commented Apr 4, 2018
edited

Is this a bug report or a feature request?:
Feature Request

What happened:
We would like to be able to set a password field in the BGP configuration, needed when working with some peers: Like Vultr's BGP, which accept a password field to authenticate a user, see the protocol bgp vultr section in documentation link above, there is a password line. Looking through the code, seems like it would go to some place like this though of course im not a go programmer yet.

What you expected to happen:
We cant set the password, so we will obviously not be able to use their BGP

How to reproduce it (as minimally and precisely as possible):
Always

Anything else we need to know?:
Not sure if there is a downside, but we only see the upsides.

Environment:

  • MetalLB version: 0.5.0
  • Kubernetes version: 1.9X
  • BGP router type/version: OSS Bird
  • OS (e.g. from /etc/os-release): Fedora
  • Kernel (e.g. uname -a): 4.15.12
@danderson danderson added this to To Do in BGP mode via automation Apr 7, 2018
@danderson danderson added this to the v0.6.0 milestone Apr 7, 2018
@danderson
Copy link
Contributor

This looks like a great feature to have.

General overview of implementation:

  • Add the field to the Peer struct in internal/config, and add some config parsing tests (are there any constraints on the format of the BGP password? I don't know)
  • Add the password to the Session struct in internal/bgp, and set the TCP_MD5 socket option in Session.connect() if the password is non-empty. For this, you probably need to be familiar with low-level networking and syscall interfaces in Go, because Go doesn't have an easy API to set the TCP-MD5 key.
  • Connect things up in speaker/bgp_controller.go: take the password out of the config objects and pass them into the BGP session creations.
  • Add documentation: update manifests/example-config.yaml, check if the website needs an update (probably minor edits, but no need for a full doc section about BGP passwords).
  • Add to release notes for 0.6.

Are you interested in contributing a PR for this? I'm happy to implement it myself, but if you want to do it, I would be happy to do code reviews and give you advice!

@danderson danderson changed the title Custom field in BGP protocol config Support TCP-MD5 authentication for BGP Apr 8, 2018
@ghorofamike
Copy link
Contributor Author

ghorofamike commented Apr 10, 2018
edited

So i have made some attempt, not yet ready for a PR since its not functional, but see here
code
i need some pointers for solving this error:

E0410 12:19:51.481824       1 bgp.go:52] Connecting to "169.254.169.254:179": setting TCP_MD5 sockopt to "169.254.169.254:179": invalid argument

this line is clearly the issue: Line
its clearly not doing what i intended, but otherwise i think i got the bulk of the checklist done

  • Add the field to the Peer struct in internal/config ...
  • Add the password to the Session struct in internal/bgp ...
  • Connect things up in speaker/bgp_controller.go ...
  • Add documentation: update (Partial, edited manifests/example-config.yaml)
  • Add to release notes :( not done.

I have had a look at gobgp, which seems to do this by not using net.Conn, but using some fancy legwork with os file descriptors link, which i wish we could avoid if the net.Conn api's allow.

@mdlayher mdlayher mentioned this issue Apr 12, 2018
Closed
@ghorofamike ghorofamike mentioned this issue Apr 15, 2018
Merged
@ghorofamike
Copy link
Contributor Author

closing, PR #236 merged.

BGP mode automation moved this from To Do to Done Apr 18, 2018
@205g0
Copy link

205g0 commented Jun 3, 2021
edited

Just trying to get metalllb with vultr's BGP to work as well. I still wonder if I use metallb with or without BIRD. And where do I put the reserved IP I got from vultr if used without BIRD (with BIRD,I'd link it to a dummy interface)?

With this setup my services get private EXTERNAL-IPs and I don't know/understand how to make them available over the public, reserved IP. My config:

kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    peers:
    - peer-address: 169.254.169.254
      peer-asn: 64515
      my-asn: 4288000244
      password: "[redacted]"
    address-pools:
    - name: default
      protocol: bgp
      addresses:
      - 10.1.96.0/20

image

cc @ghorofamike @danderson

@ghorofamike
Copy link
Contributor Author

ghorofamike commented Aug 5, 2021
edited

Hi,
With vultr, you do not need bird/quagga et cetra. just your metallb config and the vultr credentials plus a floating ip since you can not use one that comes with the VPS's ethernet. Here is a sample config:


apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    peers:
    - peer-address: 169.254.169.254    
      peer-asn: 64515
      my-asn: CHANGEME
      password: "CHANGE-ME-FROM-DASHBOARD"
    address-pools:
    - name: ams-floating
      auto-assign: false
      protocol: bgp
      addresses:
      - CHANGEME-TO-FLOATING/32
      bgp-advertisements:
      - aggregation-length: 32

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement interoperability
Projects
BGP mode
  
Done
Milestone
v0.6.0
Development

No branches or pull requests
3 participants
@danderson @ghorofamike @205g0