Date:      Wed, 4 Jan 2012 07:23:58 +0200
From:      Nikolay Denev <ndenev@gmail.com>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com>
In-Reply-To: <4F036A7F.9030906@FreeBSD.org>
References:  <20120103152909.GA83706@sandvine.com> <6FE9FF15-487F-4A31-AEE0-A0AD92F5DC72@sarenet.es> <20DC0C8A-DD9E-408E-9ACA-82532DB31871@lists.zabbadoz.net> <20120104.040611.1847309275485655567.hrs@allbsd.org> <4F036A7F.9030906@FreeBSD.org>

On Jan 3, 2012, at 10:52 PM, Doug Barton wrote:

> On 01/03/2012 11:06, Hiroki Sato wrote:
>> Doug Barton <dougb@freebsd.org> wrote
>>  in <4F027BC0.1080101@FreeBSD.org>:
>> 
>> do> We have a pair of physical FreeBSD systems configured as routers
>> do> designed to operate in an active/standby CARP configuration. Everything
>> do> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
>> do> the two routers don't speak BGP to each other anymore. They both
>> do> function fine individually, and failover works. It is only the openbgpd
>> do> communication between them that's not flowing.
>> 
>> Doug, does your kernel have TCP_SIGNATURE option? 
> 
> Yes.
> 
>> The patch[*] for
>> net/openbgpd can be used as a workaround if it was due to TCP_MD5SIG
>> option on the listening sockets.
>> 
>> [*] http://people.allbsd.org/~hrs/FreeBSD/openbgpd.20120104-1.diff
>> 
>> While this is an ugly hack and I will investigate a more reasonable
>> solution for that, I want to narrow down the cause first.  Can anyone
>> who is using an 8-STABLE kernel with TCP_SIGNATURE let me know if
>> this works or not?
> 
> This patch works even if net.inet.tcp.signature_verify_input=1. If I
> turn that sysctl off on both sides they can talk to each other even
> without the patch. So that would definitely seem to indicate that the
> tcp_signature stuff is the source of the problem.
> 
> What unfortunately did not work is configuring signatures on both sides.
> With the sysctl enabled, IPSEC set up on both hosts, and the tcp md5sig
> option in both bgpd.conf files, we got the same result as before, no
> communication between them. When -HUP'ing and/or restarting openbgpd
> with the tcp md5sig option enabled we get "pfkey setup failed."
> 
> So, "working iBGP + no signatures" is a good next step. "iBGP +
> signatures" would be an even better one. :)  We're happy to test more
> patches, etc.; and thanks again to everyone who has responded so far.
> 
> 
> Doug
> 
> -- 
> 
> 	You can observe a lot just by watching.	-- Yogi Berra
> 
> 	Breadth of IT experience, and depth of knowledge in the DNS.
> 	Yours for the right price.  :)  http://SupersetSolutions.com/
> 

You are setting the keys with setkey for both directions of a single session, right?
i.e.:
  add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
  add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";

Before, it was only necessary to set the "outgoing" direction key, which should no longer work unless net.inet.tcp.signature_verify_input is zero.
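To make the two-direction requirement concrete, here is an added example (not code from this thread, OpenBGPD or FreeBSD) that computes the RFC 2385 TCP-MD5 digest over a constructed SYN and models the per-direction SAs that the setkey lines above install in a small Python class. The addresses, ports and password are constructed, and the SA database is a toy stand-in for the kernel's SADB, not its real code.

```python
import hashlib
import hmac
import ipaddress
import struct

def tcp_md5_digest(src_ip, dst_ip, tcp_hdr20, payload, key, options_len=20):
    """RFC 2385 digest: pseudo-header, fixed 20-byte TCP header with the checksum
    zeroed, payload, then the shared key.  TCP options (the 18-byte MD5 option plus
    padding) are left out of the hash but count towards the pseudo-header length."""
    seg_len = len(tcp_hdr20) + options_len + len(payload)
    pseudo = (ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))      # zero, proto 6 (TCP), length
    hdr = tcp_hdr20[:16] + b"\x00\x00" + tcp_hdr20[18:]  # checksum field assumed zero
    return hashlib.md5(pseudo + hdr + payload + key).digest()

class MD5SignatureDb:
    """Toy model of the SAs that 'setkey add SRC DST tcp SPI -A tcp-md5 ...'
    installs: one key per (src, dst) direction, looked up by the segment's own
    source and destination.  Constructed stand-in, not the kernel's SADB code."""

    def __init__(self, keys):
        self.keys = dict(keys)

    def sign(self, src, dst, hdr, payload):
        return tcp_md5_digest(src, dst, hdr, payload, self.keys[(src, dst)])

    def verify_input(self, src, dst, hdr, payload, received):
        # net.inet.tcp.signature_verify_input=1: no SA for the inbound (src, dst)
        # pair, or a digest mismatch, and the segment is dropped.
        key = self.keys.get((src, dst))
        if key is None:
            return False
        return hmac.compare_digest(tcp_md5_digest(src, dst, hdr, payload, key), received)

def demo():
    """Router A signs a SYN towards B; B with only its outgoing SA (b->a) cannot
    verify it, B with both directions installed can.  Returns (False, True)."""
    a, b = "192.0.2.1", "192.0.2.2"   # constructed documentation addresses
    pw = b"SomePass"
    # Constructed 20-byte TCP header: sport 49152, dport 179 (BGP), SYN, data offset 10.
    hdr = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 0, 0xA0, 0x02, 65535, 0, 0)
    router_a = MD5SignatureDb({(a, b): pw})
    sig = router_a.sign(a, b, hdr, b"")
    b_outgoing_only = MD5SignatureDb({(b, a): pw})
    b_both = MD5SignatureDb({(b, a): pw, (a, b): pw})
    return (b_outgoing_only.verify_input(a, b, hdr, b"", sig),
            b_both.verify_input(a, b, hdr, b"", sig))
```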
