== TCPMD5 User Guide
This user guide describes the configuration for Border Gateway Protocol (BGP) and Path Computation Element Protocol (PCEP)
using MD5 authentication. It is intended for users who build applications using the MD5 library.
=== Overview
The TCPMD5 library provides access to the link:http://tools.ietf.org/html/rfc2385[RFC-2385] MD5 Signature Option on operating systems which support it in their TCP stack.
This option has been historically used to protect BGP sessions, but is equally useful for protecting PCEP sessions.
IMPORTANT: *Before you continue with steps in this user guide, make sure BGP and/or PCEP is configured properly.*
TCPMD5 authentication is *disabled* by default. To enable it (for both protocols), uncomment the contents of _20-tcpmd5.xml_.
You can find this configuration file in your OpenDaylight directory _etc/opendaylight/karaf_.
CAUTION: [big]#*If the connection cannot be established, no warnings or errors are reported,
so be sure to double-check your configuration and passwords.*#
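
Because a signature mismatch produces no warning, one way to confirm a password offline is to recompute the RFC 2385 digest over a captured segment and compare it with the one carried in TCP option 19. The following Python sketch is an added example, not part of the TCPMD5 library or OpenDaylight; it assumes IPv4, and the function names, the local address `10.25.2.1` and the sample SYN are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND = 19  # TCP option kind of the RFC 2385 MD5 signature

def find_md5_option(segment):
    """Return the 16-byte digest carried in option 19, or None if absent."""
    header_len = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i + 1 < header_len:
        kind = segment[i]
        if kind == 0:        # end of option list
            break
        if kind == 1:        # NOP, single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            break            # malformed option list
        if kind == MD5SIG_KIND and length == 18:
            return segment[i + 2:i + 18]
        i += length
    return None

def md5sig_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest for an IPv4 segment: pseudo-header, fixed header, data, key."""
    header_len = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]  # checksum zeroed, no options
    return hashlib.md5(pseudo + fixed + segment[header_len:] + key).digest()

def check_segment(src_ip, dst_ip, segment, key):
    """True/False when option 19 is present; None when the segment is unsigned."""
    carried = find_md5_option(segment)
    if carried is None:
        return None
    return hmac.compare_digest(carried, md5sig_digest(src_ip, dst_ip, segment, key))

def build_syn(src_ip, dst_ip, key=None):
    """Constructed sample SYN to port 179, signed when a key is given."""
    opts = b"\x01\x01" + bytes([MD5SIG_KIND, 18]) + bytes(16) if key is not None else b""
    hdr = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 0,
                      (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0)
    if key is None:
        return hdr
    return hdr + opts[:4] + md5sig_digest(src_ip, dst_ip, hdr + opts, key)
```

A result of `None` means the peer is not sending the option at all, while `False` means the option is present but was computed with a different password.
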
=== Configuring TCPMD5 manually
==== BGP
IMPORTANT: *Make sure your _20-tcpmd5.xml_ has its content uncommented.*
To enable TCPMD5 for the BGP protocol, perform the following steps:
. In _31-bgp.xml_ uncomment the TCP MD5 section:
+
[source,xml]
----
prefix:md5-channel-factory
md5-client-channel-factory
prefix:md5-server-channel-factory
md5-server-channel-factory
----
. In _41-bgp-example.xml_ add tag to module example-bgp-peer.
+
[source,xml]
----
prefix:bgp-peer
example-bgp-peer
10.25.2.27
180
prefix:rib
example-bgp-rib
prefix:bgp-table-type
ipv4-unicast
prefix:bgp-table-type
ipv6-unicast
prefix:bgp-table-type
linkstate
changeme
----
NOTE: Setting a password on other BGP devices is out of scope for this document.
==== PCEP
IMPORTANT: *Make sure your _20-tcpmd5.xml_ has its content uncommented.*
To enable TCPMD5 for the PCE protocol, perform the following steps:
. In _32-pcep.xml_ uncomment the TCPMD5 section:
+
[source,xml]
----
prefix:md5-channel-factory
md5-client-channel-factory
prefix:md5-server-channel-factory
md5-server-channel-factory
----
. In _39-pcep-provider.xml_ uncomment the following section:
+
[source,xml]
----
192.0.2.2
changeme
----
IMPORTANT: *Change the value to the address of the PCC (the one that is advertised to the PCE), and provide a password matching the one set on the PCC.*
NOTE: Setting a password on PCC is out of scope for this document.
=== Configuring TCPMD5 through RESTCONF
IMPORTANT: Before you start, make sure you have installed the features for BGP and/or PCEP. Install another feature that provides access to the _restconf/config/_ URLs.
[source]
----
feature:install odl-netconf-connector-all
----
This log message indicates a successful start of netconf-connector: _Netconf connector initialized successfully_
- To check which modules you currently have configured, open the following link: http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/
- To check which services you currently have configured, open the following link: http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:services/
These URLs are also used to POST new configuration. If you want to change any other configuration that is listed here,
make sure you include the correct namespaces. The correct namespace for is always _urn:opendaylight:params:xml:ns:yang:controller:config_.
The namespace for any other field can be found by looking up the given module in the configuration YANG files.
NOTE: RESTCONF will tell you if some namespace is wrong.
To enable TCPMD5 for either one of the protocols, enable TCPMD5 modules and services:
CAUTION: You have to make a *separate* POST request for each module/service!
[big]#*URL:*# http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/
[big]#*POST:*#
[source,xml]
----
x:native-key-access-factory
global-key-access-factory
----
[source,xml]
----
x:md5-client-channel-factory
md5-client-channel-factory
x:key-access-factory
global-key-access-factory
----
[source,xml]
----
prefix:md5-server-channel-factory-impl
md5-server-channel-factory
x:key-access-factory
global-key-access-factory
----
[big]#*URL:*# http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:services/
[big]#*POST:*#
[source,xml]
----
x:key-access-factory
global-key-access-factory
/modules/module[type='native-key-access-factory'][name='global-key-access-factory']
----
[source,xml]
----
x:md5-channel-factory
md5-client-channel-factory
/modules/module[type='md5-client-channel-factory'][name='md5-client-channel-factory']
----
[source,xml]
----
prefix:md5-server-channel-factory
md5-server-channel-factory
/modules/module[type='md5-server-channel-factory-impl'][name='md5-server-channel-factory']
----
==== BGP
CAUTION: You have to introduce the modules and services mentioned in the previous section. Your BGP client needs to be *ALREADY* configured. See the User Guide for BGP.
. Enabling TCPMD5 in BGP configuration:
+
[big]#*URL:*# http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/
[big]#*POST:*#
[source,xml]
----
x:bgp-dispatcher-impl
global-bgp-dispatcher
x:md5-channel-factory
md5-client-channel-factory
x:md5-server-channel-factory
md5-server-channel-factory
----
. Set password:
+
[big]#*URL:*# http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/
[big]#*POST:*#
[source,xml]
----
x:bgp-peer
example-bgp-peer
changeme
----
==== PCEP
CAUTION: You have to introduce modules and services mentioned in the previous section.
. Enable TCPMD5 in PCEP configuration:
+
[big]#*URL:*# http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/
[big]#*POST:*#
[source,xml]
----
x:pcep-dispatcher-impl
global-pcep-dispatcher
x:md5-channel-factory
md5-client-channel-factory
x:md5-server-channel-factory
md5-server-channel-factory
----
. Set password:
+
[big]#*URL:*# http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/controller-config/yang-ext:mount/config:modules/
[big]#*POST:*#
[source,xml]
----
x:pcep-topology-provider
pcep-topology
192.0.2.2
changeme
----