From: Doug Barton <dougb@FreeBSD.org>
Organization: http://SupersetSolutions.com/
Date: Tue, 03 Jan 2012 12:52:15 -0800
To: Hiroki Sato
Cc: ndenev@gmail.com, emaste@FreeBSD.org, borjam@sarenet.es, freebsd-net@FreeBSD.org
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID: <4F036A7F.9030906@FreeBSD.org>
In-Reply-To: <20120104.040611.1847309275485655567.hrs@allbsd.org>
References: <20120103152909.GA83706@sandvine.com> <6FE9FF15-487F-4A31-AEE0-A0AD92F5DC72@sarenet.es> <20DC0C8A-DD9E-408E-9ACA-82532DB31871@lists.zabbadoz.net> <20120104.040611.1847309275485655567.hrs@allbsd.org>

On 01/03/2012 11:06, Hiroki Sato wrote:
> Doug Barton wrote
>  in <4F027BC0.1080101@FreeBSD.org>:
>
> do> We have a pair of physical FreeBSD systems configured as routers
> do> designed to operate in an active/standby CARP configuration. Everything
> do> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
> do> the two routers don't speak BGP to each other anymore. They both
> do> function fine individually, and failover works. It is only the openbgpd
> do> communication between them that's not flowing.
>
> Doug, does your kernel have TCP_SIGNATURE option?

Yes.

> The patch[*] for
> net/openbgpd can be used as a workaround if it was due to TCP_MD5SIG
> option on the listening sockets.
>
> [*] http://people.allbsd.org/~hrs/FreeBSD/openbgpd.20120104-1.diff
>
> While this is an ugly hack and I will investigate a more reasonable
> solution for that, I want to narrow down the cause first. Can anyone
> who is using an 8-STABLE kernel with TCP_SIGNATURE let me know if
> this works or not?

This patch works even if net.inet.tcp.signature_verify_input=1. If I
turn that sysctl off on both sides they can talk to each other even
without the patch. So that would definitely seem to indicate that the
tcp_signature stuff is the source of the problem.

What unfortunately did not work is configuring signatures on both sides.
With the sysctl enabled, IPSEC set up on both hosts, and the tcp md5sig
option in both bgpd.conf files, we got the same result as before, no
communication between them. When -HUP'ing and/or restarting openbgpd
with the tcp md5sig option enabled we get "pfkey setup failed."

So, "working iBGP + no signatures" is a good next step. "iBGP +
signatures" would be an even better one. :)

We're happy to test more patches, etc.; and thanks again to everyone who
has responded so far.

Doug

-- 

	You can observe a lot just by watching. -- Yogi Berra

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/