From: "Paul S."
Date: Sun, 21 Sep 2014 23:01:22 +0900
Message-ID: <541EDA32.3080007@winterei.se>
To: Ermal Luçi
Cc: freebsd-net
Subject: [Solved] Re: IP fast forwarding and setkey
References: <541EA396.7050201@winterei.se> <541EA8FE.5080905@winterei.se>
List-Id: Networking and TCP/IP with FreeBSD

So, just to notify -- I got a copy of the pfSense port of OpenBGPD (available from the pfsense-tools repository -- see https://forum.pfsense.org/index.php?topic=76132.0) and TCP-MD5 indeed does work in the build.

Configuring local-address per peer is mandatory, however. I think it uses that to configure the SPDs.

Cheers!

On 9/21/2014 07:35 PM, Ermal Luçi wrote:
>
> On Sun, Sep 21, 2014 at 12:31 PM, Paul S. wrote:
>
> Ermal,
>
> I'd prefer a raw BSD installation (call it a comfort thing, if you will).
>
> Has the pfSense project actually managed to patch OpenBGPD to remove its dependency on OpenBSD-specific bindings for TCP_MD5?
>
> It might be worth it to just try to build their fork, if that's the case.
>
> Thank you for responding!
>
> Yeah, the OpenBGPd port of pfSense has support for installing SPDs without setkey.
>
> On 9/21/2014 07:26 PM, Ermal Luçi wrote:
>> If it is an option for you, pfSense has all the hard work done for you and you can use it for such installations.
>>
>> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. wrote:
>>
>> Hi folks,
>>
>> I plan to make an edge router out of a FreeBSD system with OpenBGPD + FreeBSD 10, or such.
>>
>> I've been reading up, and noticed that the net.inet.ip.fastforwarding flag provides rather nice performance benefits.
>>
>> My issue is, my upstream networks insist on using TCP MD5 authentication on their BGP sessions.
>>
>> This is fine, except on FreeBSD -- I'm going to have to use the setkey utility to set those, since native PF_KEY support for OpenBGPD does not seem available.
>>
>> Now, since setkey is part of IPsec, and there are countless warnings about using IPsec and fastforwarding together in the manpage, am I correct in assuming that this will not work if I have fastforwarding enabled?
>>
>> Is there any way to make it work? Quagga, from what I've read, seems to also be in the same boat (usage of setkey required for TCP MD5).
>>
>> I tried searching the manpages, but couldn't locate anything concrete on this.
>>
>> Any assistance/replies are welcome.
>>
>> Thank you!
>>
>> --
>> Ermal
>
> --
> Ermal
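For readers who stay on a stock FreeBSD 10 box instead of the pfSense build, this is the setkey(8) plus bgpd.conf pairing the thread keeps referring to, written here as an added example (it is not from the thread, from the FreeBSD project or from OpenBGPD). Addresses, AS numbers and the shared secret are placeholders; the `tcp`/`tcp-md5` keywords and SPI 0x1000 follow FreeBSD's setkey(8) and tcp(4), and the kernel needs `options TCP_SIGNATURE` and `options IPSEC`.

```conf
# --- /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf ---
# TCP-MD5 (RFC 2385) security associations for one BGP session.
# FreeBSD's setkey(8) uses protocol "tcp", algorithm "tcp-md5" and,
# per tcp(4), the fixed SPI 0x1000. One SA per direction, same secret
# in both. 192.0.2.2 = this router, 192.0.2.1 = upstream (placeholders).
# No "flush;" here: that would also drop any real IPsec SAs on the box.
add 192.0.2.2 192.0.2.1 tcp 0x1000 -A tcp-md5 "SHARED-SECRET-PLACEHOLDER";
add 192.0.2.1 192.0.2.2 tcp 0x1000 -A tcp-md5 "SHARED-SECRET-PLACEHOLDER";

# --- /usr/local/etc/bgpd.conf (OpenBGPD) ---
AS 65000
router-id 192.0.2.2

neighbor 192.0.2.1 {
    descr        "upstream (placeholder)"
    remote-as    65001
    # The thread reports that the pfSense build requires local-address per
    # peer and derives its SPDs from it. It also pins the session's source
    # address to the one named in the SAs above, so the SA lookup matches.
    local-address 192.0.2.2
    # Assumption: on the stock FreeBSD port this line makes bgpd request
    # TCP_MD5SIG on the session socket while the key itself comes from
    # the setkey SAs, since bgpd has no PF_KEY support there.
    tcp md5sig password "SHARED-SECRET-PLACEHOLDER"
}
```

`setkey -D` should list both SAs, and once the session is established `tcpdump -vv -ni <if> tcp port 179` shows an `md5` option on every segment; a peer that has the wrong secret never gets past SYN because the kernel silently drops unsigned or mis-signed segments.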