From: Borja Marcos <borjam@sarenet.es>
To: Claudio Jeker
Cc: freebsd-net@freebsd.org
Date: Mon, 9 Jan 2012 11:01:44 +0100
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade
In-Reply-To: <20120104092824.GA24657@diehard.n-r-g.com>
References: <99A5FFD9-8815-4CCC-9868-FB2E3D799566@gridfury.com> <4F027BC0.1080101@FreeBSD.org> <8F87C898-3290-41B9-ACDF-3558D7C28D74@gmail.com> <20120103152909.GA83706@sandvine.com> <680405C8-3323-49BC-AE59-494FC394B6F6@sarenet.es> <20120104092824.GA24657@diehard.n-r-g.com>

On Jan 4, 2012, at 10:28 AM, Claudio Jeker wrote:

> On Wed, Jan 04, 2012 at 09:27:28AM +0100, Borja Marcos wrote:
>>
>> Behavior on FreeBSD: The setsockopt(TCP_MD5SIG) *enables* TCP_MD5.
>> According to my packet captures, in case there's no properly set key
>> with setkey(8) it will use whatever key. Look at the captures mentioned
>> here:
>>
>> http://groups.google.com/group/mailing.freebsd.bugs/browse_thread/thread/ea347a919dbc165d/eeaa2965fc4f64c9?show_docid=eeaa2965fc4f64c9&pli=1
>>
>>
>> Behavior on OpenBSD: Maybe the TCP_MD5 isn't *really* working unless
>> there's a valid key associated to the socket, either using setkey(8) (I
>> don't know if they use it) or via the API for setting keys.
>
> How does FreeBSD avoid the chicken and egg problem of accepting
> connections with MD5SIG?

I understand, but what if you haven't configured any peer for MD5SIG? Openbgpd is *still* enabling it.

Maybe there's a simple solution in FreeBSD: ignoring the MD5SIG flags (and not adding the option to the outgoing packets) _UNLESS_ there's a matching SPD for the flow. I think that's the problem. It's pointless to check MD5SIG or originate packets with MD5SIG when there's no matching SPD. What does it use in that case, a random key?

So I'm beginning to think that FreeBSD is the problem, not Openbgpd. Although of course neither Quagga nor bird set the MD5 option when you haven't explicitly enabled it in your BGP configuration.

Borja.
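The behaviour Borja attributes to Quagga and bird, requesting TCP-MD5 on a peer socket only when a key has actually been configured for that peer, can be shown in a small C routine. This is an added example, not code from the thread, from OpenBGPD or from any of the daemons named; `struct bgp_peer`, `peer_wants_md5()`, `peer_enable_md5()` and the peer table are hypothetical, and the peer addresses and keys are constructed. On FreeBSD the option is a boolean and the key is expected to already be in the kernel SADB (installed with setkey(8)); on Linux the key is passed inline with the option, so both paths are shown and the policy check in front of them is the part that matters.

```c
/* Added example (not from the thread or from OpenBGPD): request TCP-MD5 on a
 * BGP peer socket only when the operator configured a key for that peer.
 * struct bgp_peer, peer_wants_md5() and peer_enable_md5() are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes struct tcp_md5sig on glibc/musl */
#endif
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct bgp_peer {
    const char *name;
    struct sockaddr_in addr;   /* IPv4 only, to keep the example short */
    const char *md5_key;       /* NULL or "" means no TCP-MD5 configured */
};

/* Policy check: TCP-MD5 is requested only for peers with an explicit key. */
int peer_wants_md5(const struct bgp_peer *p)
{
    return p->md5_key != NULL && p->md5_key[0] != '\0';
}

/* Returns 1 if TCP_MD5SIG was set on fd, 0 if skipped because the peer has
 * no key (the socket is not touched at all), -1 with errno set on failure. */
int peer_enable_md5(int fd, const struct bgp_peer *p)
{
    if (!peer_wants_md5(p))
        return 0;
#if defined(__FreeBSD__)
    /* FreeBSD: the option is a boolean. The key itself lives in the kernel
     * SADB and must have been installed beforehand with setkey(8), roughly:
     *   add <local-ip> <peer-ip> tcp 0x1000 -A tcp-md5 "secret";
     * (illustrative syntax). With no such entry the daemon never gets here. */
    int on = 1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &on, sizeof on) < 0)
        return -1;
#elif defined(__linux__) && defined(TCP_MD5SIG_MAXKEYLEN)
    /* Linux: the key is passed inline, bound to the peer address. */
    struct tcp_md5sig sig;
    size_t len = strlen(p->md5_key);
    if (len > TCP_MD5SIG_MAXKEYLEN) {
        errno = EINVAL;
        return -1;
    }
    memset(&sig, 0, sizeof sig);
    memcpy(&sig.tcpm_addr, &p->addr, sizeof p->addr);
    sig.tcpm_keylen = (uint16_t)len;
    memcpy(sig.tcpm_key, p->md5_key, len);
    if (setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &sig, sizeof sig) < 0)
        return -1;
#else
    errno = ENOPROTOOPT;   /* platform without a known TCP-MD5 socket API */
    return -1;
#endif
    return 1;
}

/* Builds a constructed peer entry (addresses from 192.0.2.0/24, RFC 5737). */
static struct bgp_peer make_peer(const char *name, uint32_t ip_host, const char *key)
{
    struct bgp_peer p;
    memset(&p, 0, sizeof p);
    p.name = name;
    p.addr.sin_family = AF_INET;
    p.addr.sin_port = htons(179);
    p.addr.sin_addr.s_addr = htonl(ip_host);
    p.md5_key = key;
    return p;
}

/* Runs the policy over a constructed peer table without touching any socket;
 * returns how many peers would get TCP-MD5 requested. */
int demo_count_md5_peers(void)
{
    struct bgp_peer peers[3] = {
        make_peer("ebgp-upstream", 0xC0000201, "s3cret"), /* 192.0.2.1, key set   */
        make_peer("ibgp-rr",       0xC0000202, NULL),     /* 192.0.2.2, no key    */
        make_peer("ixp-rs",        0xC0000203, ""),       /* 192.0.2.3, empty key */
    };
    int n = 0;
    for (size_t i = 0; i < 3; i++)
        n += peer_wants_md5(&peers[i]);
    return n;
}

/* A peer without a key must leave even an invalid fd untouched and return 0. */
int demo_skip_without_key(void)
{
    struct bgp_peer p = make_peer("ibgp-rr", 0xC0000202, NULL);
    return peer_enable_md5(-1, &p);
}

int main(void)
{
    struct bgp_peer p = make_peer("ebgp-upstream", 0xC0000201, "s3cret");
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int rc = peer_enable_md5(fd, &p);
    if (rc < 0) perror("TCP_MD5SIG");
    else printf("%s: TCP-MD5 %s\n", p.name, rc ? "requested" : "skipped (no key)");
    printf("peers wanting TCP-MD5: %d\n", demo_count_md5_peers());
    close(fd);
    return 0;
}
```

The defensive point is the early return in `peer_enable_md5()`: a socket for a peer with no configured key is never marked for MD5 signatures, so the kernel is never asked to sign or verify with a key it does not have, which is exactly the situation the message describes on FreeBSD when setsockopt(TCP_MD5SIG) is called without a matching setkey(8) entry.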