Date: Sat, 30 Nov 2013 13:47:04 -0800
From: Dennis Glatting <freebsd@pki2.com>
To: freebsd-questions@freebsd.org
Subject: FreeBSD 9.2 setkey/quagga BGP MD5
Message-ID: <1385848024.67585.14.camel@btw.pki2.com>
I am trying to use Quagga BGP with TCP MD5 checksums to a Cisco 3945 router from a FreeBSD 9.2 server. Although there is a bunch of information on how to set this up on the FreeBSD side, there is a piece missing: how to specify the destination port. Specifically, and assuming I understand the setkey syntax correctly, you /cannot/ specify the destination port, resulting in all TCP connections between the source and destination attempting to use MD5 checksums. Yes?

In my case, I only want TCP connections to dest port 172 to use MD5, such as the following syntax that does not work:

    add 192.168.3.33 192.168.3.2/32[179] tcp 0x1000 -A tcp-md5 "xyzzy" ;

Looking at the YACC syntax I find:

    add_command
        : ADD ipaddropts ipaddr ipaddr protocol_spec \
          spi extension_spec algorithm_spec EOT

Chasing "ipaddr" I find:

    $$ = parse_addr($1.buf, NULL);

where NULL is the port spec.

I don't really want all connections to use MD5, such as RANCID and other TCP utilities. Rather, I only want MD5 to be used where I want it used. I am assuming from the YACC syntax that isn't possible.

I really prefer to have some form of security, if only weak, across my infrastructure, because my infrastructure is used for penetration testing and my users occasionally forget a route, or two, or three, resulting in penetration tests against the infrastructure and not the targets.

Any suggestions?
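As an added illustration (not part of the message above, and not Quagga's or FreeBSD's own code), the following script shows the two pieces a TCP-MD5 BGP session needs on the FreeBSD side and a check that both are loaded: the setkey(8) SAD entries, which are keyed by address pair and protocol only (there is no port field, and one entry per direction is required because the kernel looks the SA up by destination address, with SPI 0x1000 as tcp(4) documents for tcp-md5), and the Quagga bgpd `neighbor ... password` line, which is what makes bgpd set TCP_MD5SIG on that peer's socket so that only the BGP session, and not every TCP connection to the peer, signs and verifies segments. The addresses, the key, and the `setkey -D` sample are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): what a TCP-MD5 setup for one
# BGP session looks like on FreeBSD, and a check that both SA directions
# are loaded. Addresses and the key are made up for illustration.

LOCAL=192.168.3.33   # the FreeBSD/Quagga side
PEER=192.168.3.2     # the Cisco side
KEY=xyzzy

# Emit the two setkey(8) SAD entries for one peer. A tcp-md5 SA is keyed
# by (src, dst, proto) only; the address spec has no port field, and the
# kernel looks the SA up by destination address, so both directions are
# needed. tcp(4) documents SPI 0x1000 for tcp-md5.
tcpmd5_sad() {
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$1" "$2" "$3"
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$2" "$1" "$3"
}

# Emit the Quagga bgpd.conf line that makes bgpd set TCP_MD5SIG on the
# socket for this peer. Only sockets that opt in this way sign outgoing
# segments and require signatures on incoming ones, so the SA above is
# used by the BGP session and not by other TCP connections to the peer.
bgpd_neighbor_password() {
    printf 'neighbor %s password %s\n' "$1" "$2"
}

# Read `setkey -D` output on stdin and return 0 only when tcp-md5 SAs
# exist for both directions of the pair $1,$2 (IPv4 only). setkey -D
# prints an "SRC DST" header line followed by indented detail lines, one
# of which is "A: tcp-md5 <hex key>".
check_tcpmd5_pair() {
    awk -v a="$1" -v b="$2" '
        NF == 2 && $1 ~ /^[0-9.]+$/ && $2 ~ /^[0-9.]+$/ { pair = $1 " " $2; next }
        /A: tcp-md5/ { seen[pair] = 1 }
        END { exit !(seen[a " " b] && seen[b " " a]) }'
}

# Constructed stand-in for `setkey -D` output after loading both entries
# (trimmed to the lines the check needs). 78797a7a79 is "xyzzy" in hex.
SAMPLE_DUMP='192.168.3.33 192.168.3.2
    tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
    A: tcp-md5  78797a7a 79
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
192.168.3.2 192.168.3.33
    tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
    A: tcp-md5  78797a7a 79
    seq=0x00000000 replay=0 flags=0x00000040 state=mature'

echo "# /etc/ipsec.conf (load with: setkey -f /etc/ipsec.conf):"
tcpmd5_sad "$LOCAL" "$PEER" "$KEY"
echo "# bgpd.conf, under 'router bgp <asn>':"
bgpd_neighbor_password "$PEER" "$KEY"

# On a live box replace the sample with: setkey -D | check_tcpmd5_pair ...
if printf '%s\n' "$SAMPLE_DUMP" | check_tcpmd5_pair "$LOCAL" "$PEER"; then
    echo "both tcp-md5 SA directions present for $LOCAL <-> $PEER"
else
    echo "missing a tcp-md5 SA direction for $LOCAL <-> $PEER" >&2
fi
```

The kernel must be built with `options IPSEC` and `options TCP_SIGNATURE` for any of this to take effect; the Cisco side carries the matching `neighbor 192.168.3.33 password xyzzy` under its BGP process. If only one SAD direction is loaded, the session will fail to establish even though `setkey -D` shows a tcp-md5 entry, which is what the two-direction check above is for.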