Subject: FreeBSD 9.2 setkey/quagga BGP MD5
From: Dennis Glatting
To: freebsd-questions@freebsd.org
Date: Sat, 30 Nov 2013 13:47:04 -0800
Message-ID: <1385848024.67585.14.camel@btw.pki2.com>

I am trying to use Quagga BGP with TCP MD5 checksums to a Cisco 3945 router from a FreeBSD 9.2 server. Although there is a bunch of information on how to set this up on the FreeBSD side, there is a piece missing: how to specify the destination port.

Specifically, and assuming I understand the setkey syntax correctly, you /cannot/ specify the destination port, resulting in all TCP connections between the source and destination attempting to use MD5 checksums. Yes? In my case, I only want TCP connections to dest port 172 to use MD5, such as the following syntax, which does not work:

    add 192.168.3.33 192.168.3.2/32[179] tcp 0x1000 -A tcp-md5 "xyzzy" ;

Looking at the YACC syntax I find:

    add_command : ADD ipaddropts ipaddr ipaddr protocol_spec \
        spi extension_spec algorithm_spec EOT

Chasing "ipaddr" I find:

    $$ = parse_addr($1.buf, NULL);

where NULL is the port spec.

I don't really want all connections to use MD5, such as RANCID and other TCP utilities. Rather, I only want MD5 to be used where I want it used. I am assuming from the YACC syntax that isn't possible.

I really prefer to have some form of security, if only weak, across my infrastructure because my infrastructure is used for penetration testing and my users occasionally forget a route, or two, or three, resulting in penetration tests against the infrastructure and not the targets.

Any suggestions?
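The `-A tcp-md5 "xyzzy"` security association in the post keys the per-segment signature defined in RFC 2385: an MD5 over the TCP pseudo-header (source and destination address, protocol, segment length), the fixed TCP header with its checksum zeroed, the segment data, and the shared key. TCP options, including the signature option itself, are excluded from the hash. The following is an added worked example written for this page; it is not code from the mailing-list post, from setkey, or from Quagga. It computes and verifies that signature for a constructed BGP SYN (the addresses, port 179 and key are the sample values from the post's own setkey line; the segment is built inline, not captured from a real session). Verification compares digests in constant time, and a segment without the option is rejected rather than accepted unsigned.

```python
"""Added example (not from the post or from setkey/Quagga): RFC 2385 TCP MD5
signature generation and verification over a constructed BGP SYN segment."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_MD5 = 0, 1, 2, 19
TCPOLEN_MD5 = 18          # kind(1) + length(1) + 16-byte digest


def build_tcp_header(sport, dport, seq, ack, flags, window, options_len):
    """Fixed 20-byte TCP header; checksum and urgent pointer left at zero."""
    assert (20 + options_len) % 4 == 0, "options must be padded to 4 bytes"
    data_offset = (20 + options_len) // 4          # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_signature(src_ip, dst_ip, fixed_hdr, options_len, payload, key):
    """MD5 over pseudo-header, fixed header (checksum=0), data and key (RFC 2385 s.2).
    Options are not hashed; only their length enters via the segment length."""
    seg_len = len(fixed_hdr) + options_len + len(payload)
    pseudo = (ipaddress.ip_address(src_ip).packed
              + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))
    hdr_zero_csum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    h = hashlib.md5()
    for part in (pseudo, hdr_zero_csum, payload, key):
        h.update(part)
    return h.digest()


def build_options(digest, mss=1460):
    """MSS option followed by the MD5 signature option, NOP-padded to 4 bytes."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    opts += bytes([TCPOPT_MD5, TCPOLEN_MD5]) + digest
    while len(opts) % 4:
        opts += bytes([TCPOPT_NOP])
    return opts


def extract_md5_digest(options):
    """Walk the TCP options block; return the 16-byte digest or None if absent/malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                            # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                            # bad length field
        if kind == TCPOPT_MD5 and length == TCPOLEN_MD5:
            return bytes(options[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, fixed_hdr, options, payload, key):
    """True only if the segment carries an MD5 option that matches our key."""
    received = extract_md5_digest(options)
    if received is None:
        return False                               # unsigned segments are rejected
    expected = tcp_md5_signature(src_ip, dst_ip, fixed_hdr, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def make_signed_bgp_syn(src_ip, dst_ip, sport, key, seq=0x1000):
    """Constructed sample: a SYN from src_ip to dst_ip:179 carrying the signature."""
    options_len = 24                               # MSS(4) + MD5(18) + 2 NOP pad
    hdr = build_tcp_header(sport, 179, seq, 0, 0x02, 65535, options_len)
    digest = tcp_md5_signature(src_ip, dst_ip, hdr, options_len, b"", key)
    return hdr, build_options(digest)


if __name__ == "__main__":
    hdr, opts = make_signed_bgp_syn("192.168.3.33", "192.168.3.2", 43000, b"xyzzy")
    print("valid with right key:", verify_segment("192.168.3.33", "192.168.3.2", hdr, opts, b"", b"xyzzy"))
    print("valid with wrong key:", verify_segment("192.168.3.33", "192.168.3.2", hdr, opts, b"", b"wrong"))
```

Because the hashed input is the address pair, protocol, segment contents and key, a kernel security association for TCP-MD5 only needs (and in the setkey grammar shown above only takes) the two addresses; the port of the connection lives inside the signed TCP header rather than in the SA lookup key.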