From: Nikolay Denev
Date: Wed, 4 Jan 2012 07:23:58 +0200
To: Doug Barton
Cc: freebsd-net@FreeBSD.org
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-Id: <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com>
In-Reply-To: <4F036A7F.9030906@FreeBSD.org>
References: <20120103152909.GA83706@sandvine.com> <6FE9FF15-487F-4A31-AEE0-A0AD92F5DC72@sarenet.es> <20DC0C8A-DD9E-408E-9ACA-82532DB31871@lists.zabbadoz.net> <20120104.040611.1847309275485655567.hrs@allbsd.org> <4F036A7F.9030906@FreeBSD.org>

On Jan 3, 2012, at 10:52 PM, Doug Barton wrote:

> On 01/03/2012 11:06, Hiroki Sato wrote:
>> Doug Barton wrote
>> in <4F027BC0.1080101@FreeBSD.org>:
>>
>> do> We have a pair of physical FreeBSD systems configured as routers
>> do> designed to operate in an active/standby CARP configuration. Everything
>> do> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
>> do> the two routers don't speak BGP to each other anymore. They both
>> do> function fine individually, and failover works. It is only the openbgpd
>> do> communication between them that's not flowing.
>>
>> Doug, does your kernel have the TCP_SIGNATURE option?
>
> Yes.
>
>> The patch[*] for
>> net/openbgpd can be used as a workaround if it was due to the TCP_MD5SIG
>> option on the listening sockets.
>>
>> [*] http://people.allbsd.org/~hrs/FreeBSD/openbgpd.20120104-1.diff
>>
>> While this is an ugly hack and I will investigate a more reasonable
>> solution for that, I want to narrow down the cause first. Can anyone
>> who is using an 8-STABLE kernel with TCP_SIGNATURE let me know if
>> this works or not?
>
> This patch works even if net.inet.tcp.signature_verify_input=1. If I
> turn that sysctl off on both sides they can talk to each other even
> without the patch. So that would definitely seem to indicate that the
> tcp_signature stuff is the source of the problem.
>
> What unfortunately did not work is configuring signatures on both sides.
> With the sysctl enabled, IPSEC set up on both hosts, and the tcp md5sig
> option in both bgpd.conf files, we got the same result as before, no
> communication between them. When -HUP'ing and/or restarting openbgpd
> with the tcp md5sig option enabled we get "pfkey setup failed."
>
> So, "working iBGP + no signatures" is a good next step. "iBGP +
> signatures" would be an even better one. :) We're happy to test more
> patches, etc.; and thanks again to everyone who has responded so far.
>
>
> Doug
>
> --
>
> You can observe a lot just by watching. -- Yogi Berra
>
> Breadth of IT experience, and depth of knowledge in the DNS.
> Yours for the right price. :) http://SupersetSolutions.com/
>

You are setting the keys with setkey for both directions of a single session, right? i.e.:

    add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
    add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";

Before, it was only necessary to set the "outgoing" direction key, which should not work anymore unless net.inet.tcp.signature_verify_input is zero.
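The following is an added example, not code from this thread, from the openbgpd port or from the FreeBSD setkey(8) tool itself. It turns Nikolay's question into a check: given a setkey-style configuration, list every "add SRC DST tcp ... -A tcp-md5" SA that has no matching reverse-direction SA, which is exactly the one-way setup that used to be enough and no longer works with net.inet.tcp.signature_verify_input=1. The addresses 10.0.0.1/10.0.0.2 and the secret are constructed sample values; the SPI 0x1000 follows the syntax quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the thread). Inspects a setkey(8)-style config
# for TCP-MD5 SAs that are defined in only one direction. The check is
# purely textual: it never talks to the kernel or loads any SA.

# Read a setkey config on stdin; print "SRC DST" for each tcp-md5 SA whose
# reverse direction "DST SRC" is missing. Prints nothing if all are paired.
unpaired_tcp_md5() {
    awk '
        # Match "add SRC DST tcp <spi> ... -A tcp-md5 ..." lines only.
        $1 == "add" && $4 == "tcp" {
            for (i = 5; i < NF; i++) {
                if ($i == "-A" && $(i + 1) == "tcp-md5") {
                    key = $2 " " $3
                    if (!(key in seen)) { seen[key] = 1; order[++n] = key }
                    break
                }
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], p, " ")
                rev = p[2] " " p[1]
                if (!(rev in seen)) print order[i]
            }
        }
    '
}

# Emit the two SAs one BGP session needs: local->peer and peer->local.
# Assumption: the same secret is used in both directions (as in the mail);
# SPI 0x1000 is the value quoted in the thread.
tcp_md5_pair() {
    local_addr=$1
    peer_addr=$2
    secret=$3
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$local_addr" "$peer_addr" "$secret"
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$peer_addr" "$local_addr" "$secret"
}

# Constructed sample: the pre-upgrade habit of keying only the outgoing
# direction. With signature_verify_input=1 the inbound segments from the
# peer have no SA to verify against, so the session never comes up.
ONE_WAY_CONF='add 10.0.0.1 10.0.0.2 tcp 0x1000 -A tcp-md5 "SomePass";'

echo "One-way config, missing reverse SAs:"
printf '%s\n' "$ONE_WAY_CONF" | unpaired_tcp_md5

echo "Paired config, missing reverse SAs (expect none):"
tcp_md5_pair 10.0.0.1 10.0.0.2 SomePass | unpaired_tcp_md5
```

To use it on a real router, pipe the file you feed to setkey -f through unpaired_tcp_md5 on both ends, and compare with what setkey -D reports as actually installed; an SA present in the file but absent from the dump points at a load failure rather than a missing direction.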