<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 2023-06-12 03:28, André Grüneberg
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACm825t+rFaWA+unGnpLFqKJK4JJ3wJGiAavrM2mTAgY9utkWw@mail.gmail.com">
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>But I would make the per-customer default on. For upgrades,
this is still safe, since it will be off globally anyway.<br>
</p>
</div>
</blockquote>
<div>I agree that this may be ok.<br>
</div>
<div>I could imagine a combined selection field per VLAN interface
"Off, No auth, Keyed SHA1, Meticulous Keyed SHA1" to save on UI
elements. In that case "Off" is the better default.
Alternatively, one could also configure the global UI default in
.env -- this would allow us to default to "Meticulous Keyed
SHA1".</div>
</blockquote>
<p>In reading the BIRD docs, unfortunately authentication is going
to be a problem. It says, "Note that the algorithm is common for
all keys (on one interface)". So it doesn't seem like we could
configure this per-customer. And changing it would be a flag day
operation. That's really not great.</p>
<p>In reading further, it doesn't seem to do different
authentication per-neighbor at all.</p>
<p>So as far as BIRD goes right now, I think it's effectively
unauthenticated only.<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:CACm825t+rFaWA+unGnpLFqKJK4JJ3wJGiAavrM2mTAgY9utkWw@mail.gmail.com">
<div>One might also ask whether to always configure "passive" BFD
or to enforce it per VLAN interface?</div>
</blockquote>
<p>What would "enforce" mean here? Non-passive (i.e. "active") or
something else? I don't think that active actually <i>requires</i>
BFD, does it? I think it just means bird would try to set it up.
But maybe I'm wrong; I haven't tested.<br>
</p>
<pre class="moz-signature" cols="72">--
Richard</pre>
</body>
</html>