openbgpds not talking each other since 8.2-STABLE upgrade

Claudio Jeker cjeker at diehard.n-r-g.com
Mon Jan 9 23:01:32 UTC 2012


On Mon, Jan 09, 2012 at 11:01:44AM +0100, Borja Marcos wrote:
> 
> On Jan 4, 2012, at 10:28 AM, Claudio Jeker wrote:
> 
> > On Wed, Jan 04, 2012 at 09:27:28AM +0100, Borja Marcos wrote:
> >> 
> >> Behavior on FreeBSD: The setsockopt(TCP_MD5SIG) *enables* TCP_MD5.
> >> According to my packet captures, in case there's no properly set key
> >> with setkey(8) it will use whatever key. Look at the captures mentioned
> >> here:
> >> 
> >> http://groups.google.com/group/mailing.freebsd.bugs/browse_thread/thread/ea347a919dbc165d/eeaa2965fc4f64c9?show_docid=eeaa2965fc4f64c9&pli=1
> >> 
> >> 
> >> Behavior on OpenBSD: Maybe the TCP_MD5 isn't *really* working unless
> >> there's a valid key associated to the socket, either using setkey(8) (I
> >> don't know if they use it) or via the API for setting keys.
> 
> > How does FreeBSD avoid the chicken and egg problem of accepting
> > connections with MD5SIG?
> 
> I understand, but what if you haven't configured any peer for MD5SIG?
> Openbgpd is *still* enabling it.
> 
> Maybe there's a simple solution in FreeBSD: ignoring the MD5SIG flags
> (and not adding the option to the outgoing packets) _UNLESS_ there's a
> matching SPD for the flow. I think that's the problem. It's pointless to
> check MD5SIG or originate packets with MD5SIG when there's no matching
> SPD. What does it use in that case, a random key?
> 
> So I'm beginning to think that FreeBSD is the problem, not Openbgpd.
> Although of course neither Quagga nor bird set the MD5 option when you
> haven't explicitly enabled it in your BGP configuration.
 
Since it is possible to add MD5 for neighbors on config reload and the
listening sockets are normally not closed and reopened on config reload, it
was easiest to set the MD5 option on all listening sockets no matter
what (especially since at that time OpenBSD was the only BSD doing TCP MD5
and the always-enable was there from the beginning; actually the MD5SUM
support was done for/with OpenBGPD).

-- 
:wq Claudio

