Date:      Mon, 9 Jan 2012 11:01:44 +0100
From:      Borja Marcos <borjam@sarenet.es>
To:        Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <FBEBE2F1-AE82-4347-A3AA-448665220756@sarenet.es>
In-Reply-To: <20120104092824.GA24657@diehard.n-r-g.com>
References:  <99A5FFD9-8815-4CCC-9868-FB2E3D799566@gridfury.com> <4F027BC0.1080101@FreeBSD.org> <8F87C898-3290-41B9-ACDF-3558D7C28D74@gmail.com> <20120103152909.GA83706@sandvine.com> <680405C8-3323-49BC-AE59-494FC394B6F6@sarenet.es> <20120104092824.GA24657@diehard.n-r-g.com>


On Jan 4, 2012, at 10:28 AM, Claudio Jeker wrote:

> On Wed, Jan 04, 2012 at 09:27:28AM +0100, Borja Marcos wrote:
>>
>> Behavior on FreeBSD: The setsockopt(TCP_MD5SIG) *enables* TCP_MD5.
>> According to my packet captures, in case there's no properly set key
>> with setkey(8) it will use whatever key. Look at the captures mentioned
>> here:
>>
>> http://groups.google.com/group/mailing.freebsd.bugs/browse_thread/thread/ea347a919dbc165d/eeaa2965fc4f64c9?show_docid=eeaa2965fc4f64c9&pli=1
>>
>>
>> Behavior on OpenBSD: Maybe the TCP_MD5 isn't *really* working unless
>> there's a valid key associated to the socket, either using setkey(8) (I
>> don't know if they use it) or via the API for setting keys.

> How does FreeBSD avoid the chicken and egg problem of accepting
> connections with MD5SIG?

I understand, but what if you haven't configured any peer for MD5SIG? Openbgpd is *still* enabling it.

Maybe there's a simple solution in FreeBSD: ignoring the MD5SIG flags (and not adding the option to the outgoing packets) _UNLESS_ there's a matching SPD for the flow. I think that's the problem. It's pointless to check MD5SIG or originate packets with MD5SIG when there's no matching SPD. What does it use in that case, a random key?

So I'm beginning to think that FreeBSD is the problem, not Openbgpd. Although of course neither Quagga nor bird set the MD5 option when you haven't explicitly enabled it in your BGP configuration.

Borja.
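The disagreement in this thread comes down to an observable fact: does a captured BGP segment carry the TCP MD5 signature option (RFC 2385, option kind 19, 18 bytes) for a peer that has no key configured? The following Python checker is an added example, not code from this thread, from OpenBGPD or from FreeBSD. It parses the option list of a raw TCP segment and then, per peer, compares "segment is signed" against "a key is configured for this peer", which is exactly the mismatch the captures above are said to show. The peer names, the two sample segments and the key table are constructed sample data; the `build_segment` helper exists only to fabricate those segments offline.

```python
import struct

# TCP option kinds (RFC 793 / RFC 2385)
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MSS = 2
TCPOPT_MD5SIG = 19      # RFC 2385 MD5 signature option
TCPOLEN_MD5SIG = 18     # kind(1) + len(1) + 16-byte digest


def parse_tcp_options(segment: bytes) -> dict:
    """Return {kind: payload} for the options of a raw TCP segment.

    `segment` starts at the TCP header (no IP header in front).
    """
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    opts = segment[20:data_offset]
    parsed = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:                    # end of option list (padding)
            break
        if kind == TCPOPT_NOP:                    # single-byte no-op
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def has_md5_signature(segment: bytes) -> bool:
    """True if the segment carries a well-formed RFC 2385 signature option."""
    digest = parse_tcp_options(segment).get(TCPOPT_MD5SIG)
    return digest is not None and len(digest) == TCPOLEN_MD5SIG - 2


def build_segment(sport: int, dport: int, options: bytes = b"") -> bytes:
    """Fabricate a SYN segment with the given raw option bytes (test helper)."""
    options += b"\x00" * ((-len(options)) % 4)    # pad to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,            # ports
                         0, 0,                    # seq, ack
                         data_offset << 4,        # data offset + reserved
                         0x02,                    # flags: SYN
                         65535, 0, 0)             # window, checksum, urgent
    return header + options


def audit_signing(captures: dict, configured_keys: dict) -> dict:
    """Compare observed signing with the key table, one verdict per peer.

    "signed-without-key" is the case the thread describes: the MD5 option is
    on the wire although no key was configured for that peer.
    """
    findings = {}
    for peer, segment in captures.items():
        signed = has_md5_signature(segment)
        keyed = peer in configured_keys
        if signed and not keyed:
            findings[peer] = "signed-without-key"
        elif keyed and not signed:
            findings[peer] = "key-but-unsigned"
        else:
            findings[peer] = "consistent"
    return findings


def demo() -> dict:
    """Run the audit over two constructed captures; returns the findings."""
    mss = b"\x02\x04\x05\xb4"                          # MSS 1460
    md5 = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + bytes(16)  # dummy digest
    captures = {
        "peer-a": build_segment(179, 40000, mss + md5),  # signed on the wire
        "peer-b": build_segment(179, 40001, mss),        # no signature option
    }
    configured_keys = {"peer-b": "constructed-secret"}   # only peer-b has a key
    return audit_signing(captures, configured_keys)


if __name__ == "__main__":
    for peer, verdict in demo().items():
        print(f"{peer}: {verdict}")
```

The checker only reports presence of the option; it does not verify the digest, because that would need the key and the pseudo-header, and the point at issue is whether the option is emitted at all when no key exists.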