From: "Bjoern A. Zeeb"
To: alexey.blinkov@gmail.com
Cc: freebsd-net@freebsd.org
Date: Wed, 15 Apr 2009 14:50:56 +0000 (UTC)
Subject: Re: MD5 authentication in quagga
Message-ID: <20090415144956.T15361@maildrop.int.zabbadoz.net>
In-Reply-To: <2d934d80904150642r585049b4wadfdfc82a3d8c7fc@mail.gmail.com>

On Wed, 15 Apr 2009, wrote:

> Hi. I have a problem with Subj. On the quagga mailing list I was told
> to write to the FreeBSD list.
>
> Quote:
>
> It is well documented that md5 'password' authentication for bgpd works,
> but only for outgoing packets... there is no way for FreeBSD (to my
> knowledge) to actually verify packets inbound.
>
> ...it's better than nothing ;)
>
>
> First one. My configuration in FreeBSD 7.1
>
> /etc/rc.conf
>
> ipsec_enable="YES"
> ipsec_file="/etc/ipsec.conf"
>
> /etc/ipsec.conf
>
> flush;
> add x.x.x.x y.y.y.y tcp 0x1000 -A tcp-md5 "*********";
>
> where:
>
> x.x.x.x - IP local side
> y.y.y.y - IP remote side
> ******** - password
>
> Next. My kernel was rebuilt with the following options:
>
> options TCP_SIGNATURE
> options IPSEC
> device crypto
> device cryptodev
> device cryptodev
>
> Now I set the password for the bgp neighbor
>
> quagga-router(config router)# neighbor y.y.y.y password ********
>
> And clear the session
>
> quagga-router(config router)# do clear ip bgp y.y.y.y
>
> On the remote side the PASSWORD IS NOT SET YET, but the bgp session
> goes to state UP, and network prefixes are sent from the local to the
> remote side and vice versa.
>
> But the neighborship must not come up if the passwords do not match...

And what's the peer?
If it's another FreeBSD box it won't check incoming packets either
and thus it won't make a difference to when it's not there.

/bz

-- 
Bjoern A. Zeeb      The greatest risk is not taking one.
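The receive-side check discussed in this thread, as an added example that is not part of the original messages or of FreeBSD/quagga code: it computes the RFC 2385 TCP-MD5 digest and shows that a receiver which never verifies inbound segments accepts an unsigned segment just like a signed one. All function names, the key and the sample segments are constructed for illustration.

```python
import hashlib, hmac, socket, struct

def rfc2385_digest(src, dst, segment, key):
    # MD5 over: pseudo-header, fixed 20-byte TCP header with checksum zeroed
    # (options excluded), segment data, then the shared key.
    hdr_len = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()

def md5_option(segment):
    # Walk the TCP options; return the digest from option kind 19, else None.
    opts, i = segment[20:(segment[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:          # 0 = end of option list
        if opts[i] == 1:                           # 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                            # malformed option list
        if opts[i] == 19 and opts[i + 1] == 18:    # RFC 2385 signature option
            return opts[i + 2:i + 18]
        i += opts[i + 1]
    return None

def check_inbound(src, dst, segment, key):
    carried = md5_option(segment)
    if carried is None:
        return "unsigned"
    expected = rfc2385_digest(src, dst, segment, key)
    return "valid" if hmac.compare_digest(carried, expected) else "invalid"

def accepts(src, dst, segment, key, verify_inbound):
    # verify_inbound=False models a stack that signs but never checks.
    return not verify_inbound or check_inbound(src, dst, segment, key) == "valid"

def build_syn(src, dst, key=None):
    # Constructed sample segment to port 179, signed only if a key is given.
    off = (20 if key is None else 40) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 0, off << 4, 0x02, 65535, 0, 0)
    if key is None:
        return hdr
    opt = bytes([1, 1, 19, 18])                    # NOP, NOP, kind 19, length 18
    digest = rfc2385_digest(src, dst, hdr + opt + bytes(16), key)
    return hdr + opt + digest

if __name__ == "__main__":
    a, b = "192.0.2.1", "192.0.2.2"                # documentation addresses
    for seg in (build_syn(a, b, b"s3cret"), build_syn(a, b)):
        print(check_inbound(a, b, seg, b"s3cret"),
              accepts(a, b, seg, b"s3cret", False), accepts(a, b, seg, b"s3cret", True))
```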