From: "Paul S."
Date: Sun, 21 Sep 2014 19:08:22 +0900
To: freebsd-net@freebsd.org
Subject: IP fast forwarding and setkey
Message-ID: <541EA396.7050201@winterei.se>

Hi folks,

I plan to make an edge router out of a freebsd system with OpenBGPD + FreeBSD 10, or such.

I've been reading up, and noticed that the net.inet.ip.fastforwarding flag provides rather nice performance benefits.

My issue is, my upstream networks insist on using TCP MD5 authentication on their BGP sessions. This is fine, except on FreeBSD -- I'm going to have to use the setkey utility to set those since native PF_KEY support for OpenBGPD does not seem available.

Now, since setkey is part of IPSec, and there are countless warnings about using IPSec and fastforwarding together in the manpage, am I correct in assuming that this will not work if I have fastforwarding enabled?

Is there any way to make it work?

Quagga, from what I've read, seems to also be in the same boat (Usage of setkey required for TCP MD5).

I tried searching the manpages, but couldn't locate anything concrete on this.

Any assistance/replies are welcome.

Thank you!