Date: Fri, 6 Jan 2012 10:35:01 -0500
From: Ed Maste <emaste@freebsd.org>
To: J David <j.david.lists@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID: <20120106153500.GA78077@sandvine.com>
In-Reply-To: <CABXB=RR7hwaQtQcOJks3ipt3iKM=_ViErxG8THSr2rsCoLgOTA@mail.gmail.com>
References: <20120104.040611.1847309275485655567.hrs@allbsd.org> <4F036A7F.9030906@FreeBSD.org> <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com> <20120104.144214.74742226.sthaug@nethelp.no> <CABXB=RQFuAdkFiRgNH%2B9QWHMn8zMR31wmcSWumwWv54UwVyvvw@mail.gmail.com> <CABXB=RR7hwaQtQcOJks3ipt3iKM=_ViErxG8THSr2rsCoLgOTA@mail.gmail.com>
On Thu, Jan 05, 2012 at 08:18:39PM -0500, J David wrote:

> To help understand what's going on and test some of this stuff, I
> hacked up a TCP-MD5-aware echo server and tried various things.

Hi J David,

Thank you very much for this extensive testing and analysis. Would you
care to post your basic echo server somewhere for others to use in
debugging this, just to save time for anyone who can debug further?

I've reformatted your results into a table for reference:

Case  Verify          Socket Opt      Result
      Server  Client  Server  Client
 1    0       0       N       N       P
 2    0       0       N       Y       P
 3    0       0       Y       N       P
 4    0       0       Y       Y       P
 5    0       1       N       N       P
 6    0       1       N       Y       FAIL - LAST_ACK
 7    0       1       Y       N       FAIL - times out
 8    0       1       Y       Y       FAIL - LAST_ACK
 9    1       0       N       N       P
10    1       0       N       Y       P
11    1       0       Y       N       FAIL
12    1       0       Y       Y       P
13    1       1       N       N       P
14    1       1       N       Y       FAIL - LAST_ACK
15    1       1       Y       N       FAIL - times out
16    1       1       Y       Y       FAIL - LAST_ACK

> although the tcp(4) man page refers only to outgoing
> traffic. (Though again that may be a documentation error.)

Yes, tcp(4) was not updated when inbound TCP-MD5 checking went in. I'll
commit a change similar to the one below (after I find the appropriate
markup for the sysctl ID).

Index: tcp.4 =================================================================== --- tcp.4 (revision 229319) +++ tcp.4 (working copy) 
@@ -196,8 +196,8 @@ .It Dv TCP_MD5SIG This option enables the use of MD5 digests (also known as TCP-MD5) on writes to the specified socket. -In the current release, only outgoing traffic is digested; -digests on incoming traffic are not verified. +Outgoing traffic is digested; digests on incoming traffic are verfied +if the net.inet.tcp.signature_verify_input sysctl is nonzero. The current default behavior for the system is to respond to a system advertising this option with TCP-MD5; this may change. .Pp

> So there may be some bugs here on the FreeBSD side that may make it
> hard to get openbgpd working properly.

Yes, your testing clearly demonstrates some kernel issues here. I'll see
if I can find someone to investigate (or can help guide further
debugging). Thanks again for the effort here so far.

-Ed
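
Review bot: in the added lines, "verfied" should read "verified", and the sysctl name net.inet.tcp.signature_verify_input is still plain text; mdoc's .Va macro is the usual markup for a sysctl variable. The unchanged sentence above the change still says the option applies "on writes to the specified socket", which no longer fits a paragraph that now covers inbound verification, and the new text does not state the sysctl's default, so a reader cannot tell whether incoming digests are checked out of the box.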
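
The check that the sysctl in the message above switches on, as an added example: an RFC 2385 digest computation and a receive-side model of it. This is not FreeBSD kernel code and not J David's echo server; the function names, addresses, ports and key are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18  # TCP option kind and total length (RFC 2385)

def tcp_md5_digest(src, dst, header, payload, key):
    """MD5 over pseudo-header, option-less header (checksum zeroed), data, key."""
    seg_len = (header[12] >> 4) * 4 + len(payload)  # TCP length incl. options
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = header[:16] + b"\x00\x00" + header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def find_md5_option(header):
    """Return the digest carried in option kind 19, or None if absent."""
    opts, i = header[20:(header[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the list
        if opts[i] == 1:                           # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:  # malformed length
            return None
        if opts[i] == MD5SIG_KIND and opts[i + 1] == MD5SIG_LEN:
            return opts[i + 2:i + MD5SIG_LEN]
        i += opts[i + 1]
    return None

def accept_segment(src, dst, header, payload, key, verify_input):
    """Receive-side model: nothing is checked unless verify_input is nonzero."""
    if not verify_input:
        return True
    carried = find_md5_option(header)
    if carried is None:
        return False                               # expected signature missing
    expected = tcp_md5_digest(src, dst, header, payload, key)
    return hmac.compare_digest(carried, expected)

def make_syn(src, dst, sport, dport, seq, key=None):
    """Constructed sample: a bare SYN, signed when a key is given."""
    opts = bytes([1, 1, MD5SIG_KIND, MD5SIG_LEN]) + bytes(16) if key else b""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         (20 + len(opts)) // 4 << 4, 0x02, 65535, 0, 0) + opts
    if key:
        header = header[:24] + tcp_md5_digest(src, dst, header, b"", key)
    return header
```

With verification on, a peer that signs while the other side expects no key, or the reverse, never completes the handshake under this model, which is the kind of mismatch the socket-option columns in the table exercise.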