From: J David
Sender: jdavidlists@gmail.com
To: freebsd-net@freebsd.org
Date: Thu, 5 Jan 2012 16:41:29 -0500
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade
In-Reply-To: <20120104.144214.74742226.sthaug@nethelp.no>
References: <20120104.040611.1847309275485655567.hrs@allbsd.org> <4F036A7F.9030906@FreeBSD.org> <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com> <20120104.144214.74742226.sthaug@nethelp.no>
List-Id: Networking and TCP/IP with FreeBSD
I am experiencing the same problem with bgpd and FreeBSD 8.2-STABLE as described in this thread. If I have correctly interpreted this thread, it is currently not possible to have an OpenBGPD that speaks TCP-MD5 to some peers, but not to others, on FreeBSD. Is that correct?

(It seems possible to bend this rule by tricking it to listen for the non-MD5 connections and initiate the MD5 ones by using the hack/patch posted here that turns off MD5 on the listening socket, but only allowing connections to be initiated in one direction is out of spec and a recipe for flaky connections.)

While I think I am following the discussion so far, and it has been very informative, I am not sure where to go from here to actually resolve this problem correctly. I feel like if I had/understood the answer to Claudio's question:

> How does FreeBSD avoid the chicken and egg problem of accepting
> connections with MD5SIG?

I might feel more like I knew what to do next. Although I think, for me, the question generalizes to "How should one listen for client connections on FreeBSD if some clients will use TCP_MD5SIG and some will not?"

Sorry if that's a silly question; I have not been able to dig up a lot of how-to programming information for IPsec on FreeBSD. But the tcp(4) man page suggests that if you don't set a key on the connection, "it will have an invalid digest option prepended."

I also found this on the tcp(4) man page: "In the current release, only outgoing traffic is digested; digests on incoming traffic are not verified." Is this still true after the recent changes? It doesn't *feel* true based on these problems, but I haven't tested for it specifically.

Thanks!
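The socket-level mechanics behind the question above, as an added example that is not code from the thread, from OpenBGPD or from FreeBSD: on FreeBSD, TCP_MD5SIG is a per-socket on/off flag set with setsockopt(2), and the shared secret is installed separately in the kernel SADB with setkey(8) (one SA per direction, SPI 0x1000, algorithm tcp-md5), as tcp(4) describes. The flag set on a listening socket applies to every connection accept()ed from it, which is the chicken-and-egg problem Claudio asks about. The function names, the loopback addresses, the 192.0.2.x addresses in the setkey comment and the secret are all assumptions of this example; Linux uses a different TCP_MD5SIG API (a per-peer key struct), so the FreeBSD-specific calls are compiled only on FreeBSD and report ENOTSUP elsewhere.

```c
/*
 * Added example (not from the thread, OpenBGPD or FreeBSD). FreeBSD side of
 * TCP-MD5: the TCP_MD5SIG option is a per-socket int; the key is NOT passed
 * through setsockopt() but installed in the SADB with setkey(8), e.g.
 * (constructed addresses and secret, one SA per direction, SPI 0x1000):
 *
 *   add 192.0.2.1 192.0.2.2 tcp 0x1000 -A tcp-md5 "example-secret";
 *   add 192.0.2.2 192.0.2.1 tcp 0x1000 -A tcp-md5 "example-secret";
 *
 * Linux's TCP_MD5SIG takes a struct tcp_md5sig with a per-peer key instead,
 * so the FreeBSD calls are compiled only there and fail with ENOTSUP elsewhere.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>

/* Turn TCP-MD5 signing on for sock. Must happen before listen()/connect():
 * on FreeBSD the listener's setting is applied to every accept()ed socket,
 * so the listener has to decide signed-or-not before it knows the peer.
 * Returns 0 on success, -1 with errno set otherwise. */
int tcp_md5_enable(int sock)
{
#if defined(__FreeBSD__) && defined(TCP_MD5SIG)
    int on = 1;
    return setsockopt(sock, IPPROTO_TCP, TCP_MD5SIG, &on, sizeof(on));
#else
    (void)sock;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Read the flag back: 1 = signing on, 0 = off, -1 = error or unsupported. */
int tcp_md5_status(int sock)
{
#if defined(__FreeBSD__) && defined(TCP_MD5SIG)
    int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(sock, IPPROTO_TCP, TCP_MD5SIG, &val, &len) != 0)
        return -1;
    return val ? 1 : 0;
#else
    (void)sock;
    errno = ENOTSUP;
    return -1;
#endif
}

/* TCP socket with the MD5 flag applied (if requested) and a 127.0.0.1:port
 * address filled in for bind()/connect(). Returns fd or -1. */
static int loopback_socket(unsigned short port, int want_md5, struct sockaddr_in *sin)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (want_md5 && tcp_md5_enable(fd) != 0) {
        close(fd);
        return -1;
    }
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return fd;
}

/* Listener on 127.0.0.1:port (0 = kernel picks). With want_md5 every accepted
 * connection is signed, without it none is: there is no per-peer choice. */
int tcp_listener(unsigned short port, int want_md5)
{
    struct sockaddr_in sin;
    int fd = loopback_socket(port, want_md5, &sin);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0 || listen(fd, 8) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Outbound side: the flag is per socket here too, so a process can sign the
 * sessions it initiates while its listener stays unsigned (the one-direction
 * workaround the message above describes). Returns fd or -1. */
int tcp_connect(unsigned short port, int want_md5)
{
    struct sockaddr_in sin;
    int fd = loopback_socket(port, want_md5, &sin);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the kernel assigned to a bound socket, 0 on error. */
unsigned short bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0)
        return 0;
    return ntohs(sin.sin_port);
}

/* Listener + connect + accept over loopback with the same MD5 setting on
 * both ends. Returns 1 if the session was established, 0 otherwise. */
int loopback_roundtrip(int want_md5)
{
    int lfd = tcp_listener(0, want_md5);
    if (lfd < 0)
        return 0;
    int cfd = tcp_connect(bound_port(lfd), want_md5);
    int afd = cfd < 0 ? -1 : accept(lfd, NULL, NULL);
    if (afd >= 0)
        close(afd);
    if (cfd >= 0)
        close(cfd);
    close(lfd);
    return afd >= 0 ? 1 : 0;
}
```

With want_md5 set, loopback_roundtrip(1) only succeeds on a FreeBSD kernel built with the TCP_SIGNATURE and IPSEC options and with SAs for 127.0.0.1 in both directions loaded via setkey(8); without the SA, tcp(4) says the segments go out with an invalid digest option, which is the behaviour the message quotes. Calling tcp_md5_status() on the accept()ed socket is the quick way to confirm that the listener's flag was inherited.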