From owner-freebsd-net@FreeBSD.ORG Mon Nov 21 13:29:50 2011 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E9D11106566B for ; Mon, 21 Nov 2011 13:29:50 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from proxypop04.sare.net (proxypop04.sare.net [194.30.0.65]) by mx1.freebsd.org (Postfix) with ESMTP id A90348FC0C for ; Mon, 21 Nov 2011 13:29:50 +0000 (UTC) Received: from [172.16.2.2] (izaro.sarenet.es [192.148.167.11]) by proxypop04.sare.net (Postfix) with ESMTPSA id 05D5C9DC41E for ; Mon, 21 Nov 2011 14:29:49 +0100 (CET) From: Borja Marcos Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Mon, 21 Nov 2011 14:29:47 +0100 Message-Id: To: freebsd-net@freebsd.org Mime-Version: 1.0 (Apple Message framework v1084) X-Mailer: Apple Mail (2.1084) Subject: Openbgpd incorrectly sets TCP_MD5 on the listen socket, regardless of configuration X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2011 13:29:51 -0000 (Sent to freebsd-bugs as well, copied here for discussion, if needed) =09 Sorry for the brief report and the scarce details. The f****ing form = insists on rejecting the captcha after one hour writing a report.=20 So, in short: If TCP_MD5 is available on the system, options IPSEC options TCP_SIGNATURE #include support for RFC 2385 device crypto Turns out openbgpd can't receive BGP connections.=20 The error is in the session.c file, line 148, function = setup_listeners(u_int *la_cnt). Code snippet: opt =3D 1; if (setsockopt(la->fd, IPPROTO_TCP, TCP_MD5SIG, &opt, sizeof(opt)) =3D=3D -1) { if (errno =3D=3D ENOPROTOOPT) { /* system w/o = md5sig */ log_warnx("md5sig not available, = disabling"); sysdep.no_md5sig =3D 1; } else fatal("setsockopt TCP_MD5SIG"); } This is wrong. Regardless of the configuration, this code activates = TCP_MD5 for the socket and leaves it enabled. This is what happens: 14:04:33.009212 IP 10.0.0.2.36610 > 10.0.0.1.179: Flags [S], seq = 1941690122, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val = 115224 ecr 0], length 0 14:04:33.009267 IP 10.0.0.1.179 > 10.0.0.2.36610: Flags [S.], seq = 2935503211, ack 1941690123, win 65535, options [mss 1460,nop,wscale = 6,sackOK,TS val 4192648161 ecr 115224,nop,nop,md5shared secret not = supplied with -M, can't check - a360f2c9a9f96a582ccbabe79418105c], = length 0 The daemon receiving the connection is replying with TCP_MD5, even = though there's no TCP_MD5 option set in the bgpd.conf file. Removing this code (or placing it outside of the loop, creating a = temporary socket just to enable TCP_MD5 on it and using it to detect the = availability of TCP_MD5) works: 14:04:35.395447 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [S], seq = 366635408, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val = 220116 ecr 0], length 0 14:04:35.395490 IP 10.0.0.2.179 > 10.0.0.1.45119: Flags [S.], seq = 1226417253, ack 366635409, win 65535, options [mss 1460,nop,wscale = 6,sackOK,TS val 511187362 ecr 220116], length 0 14:04:35.395584 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [.], ack 1, win = 1040, options [nop,nop,TS val 220116 ecr 511187362], length 0 14:04:35.396072 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [P.], seq 1:46, = ack 1, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length = 45: BGP, length: 45 14:04:35.397031 IP 10.0.0.2.179 > 10.0.0.1.45119: Flags [P.], seq 1:50, = ack 46, win 1040, options [nop,nop,TS val 511187362 ecr 220116], length = 49: BGP, length: 49 14:04:35.397381 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [P.], seq 46:65, = ack 50, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length = 19: BGP, length: 19 Sorry for the terse report. It was very detailed, but lost. Borja.