From: Ermal Luçi
Sender: ermal.luci@gmail.com
Date: Sun, 21 Sep 2014 12:35:57 +0200
Subject: Re: IP fast forwarding and setkey
In-Reply-To: <541EA8FE.5080905@winterei.se>
References: <541EA396.7050201@winterei.se> <541EA8FE.5080905@winterei.se>
To: "Paul S."
Cc: freebsd-net
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Sep 21, 2014 at 12:31 PM, Paul S. wrote:

> Ermal,
>
> I'd prefer a raw BSD installation (Call it a comfort thing, if you will).
>
> Has the pfSense project actually managed to patch OpenBGPD to remove its
> dependency on OpenBSD specific bindings for TCP_MD5?
>
> It might be worth it to just try to build their fork, if that's the case.
>
> Thank you for responding!
>

Yeah, the OpenBGPd port of pfSense has support for installing SPDs without
setkey.

> On 9/21/2014 07:26 PM, Ermal Luçi wrote:
>
> If it is an option for you, pfSense has all the hard work done for you and
> you can use it for such installations.
>
> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. wrote:
>
>> Hi folks,
>>
>> I plan to make an edge router out of a FreeBSD system with OpenBGPD +
>> FreeBSD 10, or such.
>>
>> I've been reading up, and noticed that the net.inet.ip.fastforwarding
>> flag provides rather nice performance benefits.
>>
>> My issue is, my upstream networks insist on using TCP MD5 authentication
>> on their BGP sessions.
>>
>> This is fine, except on FreeBSD -- I'm going to have to use the setkey
>> utility to set those since native PF_KEY support for OpenBGPD does not
>> seem available.
>>
>> Now, since setkey is part of IPSec, and there are countless warnings
>> about using IPSec and fastforwarding together in the manpage, am I
>> correct in assuming that this will not work if I have fastforwarding
>> enabled?
>>
>> Is there any way to make it work? Quagga, from what I've read, seems to
>> also be in the same boat (Usage of setkey required for TCP MD5).
>>
>> I tried searching the manpages, but couldn't locate anything concrete on
>> this.
>>
>> Any assistance/replies are welcome.
>>
>> Thank you!
>
> --
> Ermal

--
Ermal