IP fast forwarding and setkey
Paul S.
contact at winterei.se
Sun Sep 21 10:31:35 UTC 2014
Ermal,
I'd prefer a raw BSD installation (call it a comfort thing, if you will).
Has the pfSense project actually managed to patch OpenBGPD to remove its
dependency on OpenBSD-specific bindings for TCP_MD5?
It might be worth it to just try to build their fork, if that's the case.
Thank you for responding!
On 9/21/2014 07:26 PM, Ermal Luçi wrote:
> If it is an option for you, pfSense has all the hard work done for you and
> you can use it for such installations.
>
> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <contact at winterei.se> wrote:
>
> Hi folks,
>
> I plan to make an edge router out of a FreeBSD system with
> OpenBGPD + FreeBSD 10, or such.
>
> I've been reading up, and noticed that the
> net.inet.ip.fastforwarding flag provides rather nice performance
> benefits.
>
> My issue is, my upstream networks insist on using TCP MD5
> authentication on their BGP sessions.
>
> This is fine, except on FreeBSD -- I'm going to have to use the
> setkey utility to set those since native PF_KEY support for
> OpenBGPD does not seem available.
>
> Now, since setkey is part of IPSec, and there are countless
> warnings about using IPSec and fastforwarding together in the
> manpage, am I correct in assuming that this will not work if I
> have fastforwarding enabled?
>
> Is there any way to make it work? Quagga, from what I've read,
> seems to also be in the same boat (Usage of setkey required for
> TCP MD5).
>
> I tried searching the manpages, but couldn't locate anything
> concrete on this.
>
> Any assistance/replies are welcome.
>
> Thank you!
> _______________________________________________
> freebsd-net at freebsd.org <mailto:freebsd-net at freebsd.org> mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to
> "freebsd-net-unsubscribe at freebsd.org
> <mailto:freebsd-net-unsubscribe at freebsd.org>"
>
>
>
>
> --
> Ermal