Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 5 Jan 2012 16:41:29 -0500
From:      J David <j.david.lists@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <CABXB=RQFuAdkFiRgNH%2B9QWHMn8zMR31wmcSWumwWv54UwVyvvw@mail.gmail.com>
In-Reply-To: <20120104.144214.74742226.sthaug@nethelp.no>
References:  <20120104.040611.1847309275485655567.hrs@allbsd.org> <4F036A7F.9030906@FreeBSD.org> <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com> <20120104.144214.74742226.sthaug@nethelp.no>

next in thread | previous in thread | raw e-mail | index | archive | help
I am experiencing the same problem with bgpd and FreeBSD 8.2-STABLE as
described in this thread. =A0If I have correctly interpreted this
thread, it is currently not possible to have an OpenBGPd that speaks
TCP-MD5 to some peers, but not to others on FreeBSD. =A0Is that correct?

(It seems possible to bend this rule by tricking it to listen for the
non-MD5 connections and initiate the MD5 ones by using the hack/patch
posted here that turns off MD5 on the listening socket, but only
allowing connections to be initiated in one direction is out of spec
and a recipe for flaky connections.)

While I think I am following the discussion so far, and it has been
very informative, I am not sure where to go from here to actually
resolve this problem correctly.

I feel like if I had/understood the answer to Claudio's question:

> How does FreeBSD avoid the chicken and egg problem of accepting
> connections with MD5SIG?

I might feel more like I knew what to do next.  Although I think, for
me, the question generalizes to "How should one listen for client
connections on FreeBSD if some clients will use TCP_MD5SIG and some
will not?"  Sorry if that's a silly question; I have not been able to
dig up a lot of how-to programming information for IPSec on FreeBSD.
But the tcp(4) man page suggests that if you don't set a key on the
connection, "it will have an invalid digest option prepended."

I also found this on the tcp(4) man page:

"In the current release, only outgoing traffic is digested; digests on
incoming traffic are not verified."

Is this still true after the recent changes?  It doesn't *feel* true
based on these problems, but I haven't tested for it specifically.

Thanks!



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CABXB=RQFuAdkFiRgNH%2B9QWHMn8zMR31wmcSWumwWv54UwVyvvw>