From: Hiroki Sato
To: dougb@FreeBSD.org
Date: Wed, 04 Jan 2012 06:03:27 +0900 (JST)
Cc: ndenev@gmail.com, emaste@FreeBSD.org, borjam@sarenet.es, freebsd-net@FreeBSD.org
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade

Doug Barton wrote in <4F036A7F.9030906@FreeBSD.org>:

do> This patch works even if net.inet.tcp.signature_verify_input=1. If I
do> turn that sysctl off on both sides they can talk to each other even
do> without the patch. So that would definitely seem to indicate that the
do> tcp_signature stuff is the source of the problem.
do>
do> What unfortunately did not work is configuring signatures on both sides.
do> With the sysctl enabled, IPSEC set up on both hosts, and the tcp md5sig
do> option in both bgpd.conf files, we got the same result as before, no
do> communication between them. When -HUP'ing and/or restarting openbgpd
do> with the tcp md5sig option enabled we get "pfkey setup failed."
do>
do> So, "working iBGP + no signatures" is a good next step. "iBGP +
do> signatures" would be an even better one. :) We're happy to test more
do> patches, etc.; and thanks again to everyone who has responded so far.

Okay, thank you for your report. I will take some time to fix
TCP_MD5SIG support in openbgpd and inform you when another patch is
ready.

-- Hiroki