Date:      Tue, 3 Jan 2012 19:16:14 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        attilio@FreeBSD.org, freebsd-net@freebsd.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <245C4A7C-3E63-4587-AAF3-840F67212D47@lists.zabbadoz.net>
In-Reply-To: <4F035067.30609@FreeBSD.org>
References:  <99A5FFD9-8815-4CCC-9868-FB2E3D799566@gridfury.com> <4F027BC0.1080101@FreeBSD.org> <8F87C898-3290-41B9-ACDF-3558D7C28D74@gmail.com> <20120103152909.GA83706@sandvine.com> <6FE9FF15-487F-4A31-AEE0-A0AD92F5DC72@sarenet.es> <20DC0C8A-DD9E-408E-9ACA-82532DB31871@lists.zabbadoz.net> <4F035067.30609@FreeBSD.org>


On 3. Jan 2012, at 19:00 , Doug Barton wrote:

> On 01/03/2012 10:03, Bjoern A. Zeeb wrote:
>>
>> On 3. Jan 2012, at 17:47 , Borja Marcos wrote:
>>
>>>
>>> On Jan 3, 2012, at 4:29 PM, Ed Maste wrote:
>>>
>>>> Thanks for the link Nikolay.
>>>>
>>>> Borja, I assume it's the PR submission form that gave you trouble -
>>>> sorry for that.  Based on your report it sounds to me like the bug is
>>>> in OpenBGPd itself.  If it works on OpenBSD with the TCP_MD5SIG option
>>>> though I'd assume it's due to a difference in our (FreeBSD's)
>>>> implementation of the option.  Did you look at the OpenBSD/FreeBSD
>>>> differences in your investigation?
>>>
>>> Both bird and quagga work as expected on FreeBSD. You can leave TCP_MD5 enabled in the kernel. If you specify "password" options for a BGP peer, it will enable TCP_MD5. Of course in FreeBSD it's a bit clumsy and you have to use setkey(8) to set the keys. But it works.
>>
>> The reason for setkey is just because the software (quagga, bird,...) didn't grow a proper key management integration on pfkey2.   Would be easy.   Might be needed soon anyway;-)
>>
>> Not having looked at the particular openbgpd patches in our ports tree I would almost expect there can only be a minor issue that it would stop working for non-protected peers once MD5 support is present in the kernel and that should be easy to spot.
>>
>> Unfortunately Doug didn't say from where he updated to this December 8-STABLE to see if it could be the MFCs of the MD5 changes by Attilio could make OpenBGPd as in ports cranky?
>
> I mentioned December 29, sorry if that wasn't explicit enough, I didn't
> have the svn revision close to hand.
>
> Is r226260 the MFC that you're referring to? The log says, "Skip
> TCP_SIGNATURE calculation for INP_TIMEWAIT case." If so, that happened
> in October so we're well past that in our version of -stable.
>
> I'll be working on the various suggestions (thanks everyone for them,
> most helpful!) and report back on what works.

I was wondering from *where* you were updating, not to which revision.

I.e. was it an 8.2-RELEASE you were coming from or something earlier?

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!
