ben/gocast
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
multiple_peers
gocast/config.yaml
Ben Roberts d54573e469 Implement BGP MD5 Auth 
BGP peers can now be secured with MD5 authentication (TCP MD5 signatures as defined in RFC 2385). This provides an additional layer of security to prevent unauthorized BGP sessions.

MD5 authentication is configured per peer and supports two methods for specifying passwords:

Store passwords in environment variables for better security:

```yaml
bgp:
  local_as: 12345
  peers:
    - peer_ip: 10.10.10.1
      peer_as: 6789
      md5_env_var: GOCAST_BGP_PEER1_PASSWORD
```

Set the environment variable before starting gocast:

```bash
export GOCAST_BGP_PEER1_PASSWORD="your_secret_password"
./gocast -config config.yaml
```

**Benefits:**
- Passwords not stored in config files
- Easier secret rotation
- Better for containerized deployments (Kubernetes secrets, Docker secrets, etc.)
- Compatible with secret management systems (Vault, AWS Secrets Manager, etc.)

Specify passwords directly in the config file:

```yaml
bgp:
  local_as: 12345
  peers:
    - peer_ip: 10.10.10.1
      peer_as: 6789
      md5_password: "your_secret_password"
```

**Note:** This method is less secure as passwords are stored in plain text. Only use for testing or when environment variables are not available.

When both `md5_env_var` and `md5_password` are specified, the environment variable takes priority. This allows you to:
- Define a default password in the config
- Override it with an environment variable in production
- Use different passwords per environment without changing config files

Different peers can use different authentication methods:

```yaml
bgp:
  local_as: 12345
  peers:
    # Peer 1: Environment variable
    - peer_ip: 10.10.10.1
      peer_as: 6789
      md5_env_var: GOCAST_BGP_PEER1_PASSWORD

    # Peer 2: Config file password
    - peer_ip: 10.10.10.2
      peer_as: 6789
      md5_password: "fallback_password"

    # Peer 3: No authentication
    - peer_ip: 10.10.10.3
      peer_as: 6789
```

Recommended naming patterns:

```bash
export GOCAST_BGP_PRIMARY_PEER_PASSWORD="secret1"
export GOCAST_BGP_SECONDARY_PEER_PASSWORD="secret2"

export GOCAST_BGP_10_10_10_1_PASSWORD="secret1"
export GOCAST_BGP_10_10_10_2_PASSWORD="secret2"

export GOCAST_BGP_AS6789_PASSWORD="secret1"
```

**config/config.go**
- Added `MD5Password` field to `PeerConfig` for config file passwords
- Added `MD5EnvVar` field to `PeerConfig` for environment variable references

**controller/bgp.go**
- Added `getMD5Password()` helper function to retrieve passwords
- Modified `addPeer()` to configure MD5 authentication when available
- Environment variable lookup prioritizes env vars over config passwords

Comprehensive test suite covering:
- MD5 password from config file
- MD5 password from environment variable
- Environment variable priority over config
- No authentication scenario
- Fallback to config when env var is empty
- Multiple peers with mixed authentication methods

This commit was written using AI LLM

Authored-By: Claude Code (Sonnet 4.5)
2026-06-17 15:52:43 +01:00

51 lines
1.3 KiB
YAML
Raw Permalink Blame History

agent:
# http server listen addr
listen_addr: :8080
# Interval for health check
monitor_interval: 10s
# Time to flush out inactive apps
cleanup_timer: 15m
# Consul api addr for dynamic discovery
consul_addr: https://consul
# interval to query consul for app discovery
consul_query_interval: 5m
# token to authenticate client if consul requires it
consul_token: 00000000-0000-0000-0000-000000000000
bgp:
local_as: 12345
remote_as: 6789
# override the peer IP to use instead of auto discovering
peer_ip: 10.10.10.1
# Alternatively, define multiple BGP peers for redundancy
#peers:
# - peer_ip: 10.10.10.1
# peer_as: 6789
# communities:
# - 100:100
# - 200:200
# md5_env_var: GOCAST_BGP_PEER1_PASSWORD # optional. Set via: export GOCAST_BGP_PEER1_PASSWORD="secret"
# - peer_ip: 10.10.10.2
# peer_as: 6789
# communities:
# - 100:101
# - 200:201
# multi_hop: true # optional
# md5_password: "secret123" # optional
communities:
- asn:nnnn
- asn:nnnn
origin: igp
# optional list of apps to register on startup
apps:
- name: app1
vip: 1.1.1.1/32
vip_config:
# additional per VIP BGP communities
bgp_communities: [ aaaa:bbbb ]
monitors:
- port:tcp:5000
Reference in New Issue View Git Blame Copy Permalink