FreeBSD 9.2 setkey/quagga BGP MD5
Dennis Glatting
freebsd at pki2.com
Sat Nov 30 21:47:15 UTC 2013
I am trying to use Quagga BGP with TCP MD5 checksums to a Cisco 3945
router from a FreeBSD 9.2 server. Although there is a bunch of
information on how to set this up on the FreeBSD side there is a piece
missing: how to specify the destination port.
Specifically, and assuming I understand the setkey syntax correctly,
you /cannot/ specify the destination port, resulting in all TCP
connections between the source and destination attempting to use MD5
checksums. Yes?
In my case, I only want TCP connections to dest port 172 to use MD5,
such as the following syntax that does not work:
add 192.168.3.33 192.168.3.2/32[179] tcp 0x1000 -A tcp-md5 "xyzzy" ;
Looking at the YACC syntax I find:
add_command
: ADD ipaddropts ipaddr ipaddr protocol_spec \
spi extension_spec algorithm_spec EOT
Chasing "ipaddr" I find:
$$ = parse_addr($1.buf, NULL);
Where NULL is the port spec.
I don't really want all connections to use MD5, such as RANCID and other
TCP utilities. Rather, I only want MD5 to be used where I want it used.
I am assuming from the YACC syntax that isn't possible.
I really prefer to have some form of security, if only weak, across my
infrastructure because my infrastructure is used for penetration testing
and my users occasionally forget a route, or two, or three, resulting in
penetration tests against the infrastructure and not the targets.
Any suggestions?
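To make the grammar argument in the post concrete, here is an added example (not setkey(8) source and not the poster's code) that models the quoted subset of the `add` production, with `ipaddr` handled the way `parse_addr(buf, NULL)` implies: an address with no port field. The accepted option set (`-4`/`-6` only), the optional `/prefix` on an SA address, the single `-A <alg> <key>` form of `algorithm_spec`, the protocol names, and the sample flow list are all assumptions made for this demonstration.

```python
import ipaddress
import re
import shlex

# Added example, not setkey(8) source: a parser for the subset of the setkey
# "add" grammar quoted in the post,
#   add_command : ADD ipaddropts ipaddr ipaddr protocol_spec spi
#                 extension_spec algorithm_spec EOT
# with ipaddr treated as parse_addr(buf, NULL) treats it: no port field.
# Option set, protocol names, /prefix handling and the flow model are assumptions.

ADDR_RE = re.compile(r"^([0-9A-Fa-f:.]+)(?:/(\d+))?$")
PROTOCOLS = {"esp", "ah", "ipcomp", "tcp"}   # assumption: the commonly used names


class SetkeyError(ValueError):
    """Raised where the real setkey parser would report a syntax error."""


def parse_addr(token):
    """ipaddr: address with optional /prefix (assumed). A [port] suffix is
    rejected, because the grammar calls parse_addr(buf, NULL) with no port."""
    if "[" in token:
        raise SetkeyError(f"port specification is not part of ipaddr: {token!r}")
    m = ADDR_RE.match(token)
    if not m:
        raise SetkeyError(f"bad address: {token!r}")
    addr, prefix = m.groups()
    ip = ipaddress.ip_address(addr)
    return str(ip), int(prefix) if prefix is not None else ip.max_prefixlen


def parse_add(line):
    """Parse one 'add ... ;' line into a dict describing the SA."""
    line = line.strip()
    if not line.endswith(";"):
        raise SetkeyError("missing EOT ';'")
    toks = shlex.split(line[:-1])            # shlex drops the quotes around the key
    if not toks or toks[0] != "add":
        raise SetkeyError("expected 'add'")
    i = 1
    while i < len(toks) and toks[i] in ("-4", "-6"):   # ipaddropts (assumed subset)
        i += 1
    try:
        src, dst, proto, spi = toks[i], toks[i + 1], toks[i + 2], toks[i + 3]
        rest = toks[i + 4:]
    except IndexError:
        raise SetkeyError("truncated add command") from None
    if proto not in PROTOCOLS:
        raise SetkeyError(f"unknown protocol_spec: {proto!r}")
    # algorithm_spec: only the "-A <alg> <key>" form is modelled (assumption)
    if len(rest) != 3 or rest[0] != "-A":
        raise SetkeyError("expected algorithm_spec '-A <alg> <key>'")
    return {
        "src": parse_addr(src),
        "dst": parse_addr(dst),
        "proto": proto,
        "spi": int(spi, 0),
        "auth_alg": rest[1],
        "key": rest[2],
    }


def is_rejected(line):
    """True if the parser refuses the line, as it does for a [port] suffix."""
    try:
        parse_add(line)
    except SetkeyError:
        return True
    return False


def matching_flows(sa, flows):
    """Flows a tcp-md5 SA applies to: with no port in the SA, every TCP flow
    between the two endpoints matches, whatever its destination port."""
    src, _ = sa["src"]
    dst, _ = sa["dst"]
    return [f for f in flows
            if f["proto"] == "tcp" and f["src"] == src and f["dst"] == dst]


# Constructed sample flows between the two hosts named in the post.
SAMPLE_FLOWS = [
    {"proto": "tcp", "src": "192.168.3.33", "dst": "192.168.3.2", "dport": 179},
    {"proto": "tcp", "src": "192.168.3.33", "dst": "192.168.3.2", "dport": 22},
    {"proto": "tcp", "src": "192.168.3.33", "dst": "192.168.3.2", "dport": 23},
    {"proto": "udp", "src": "192.168.3.33", "dst": "192.168.3.2", "dport": 161},
    {"proto": "tcp", "src": "192.168.3.33", "dst": "192.168.3.9", "dport": 179},
]

if __name__ == "__main__":
    # The line from the post is refused: [179] is not part of ipaddr.
    bad = 'add 192.168.3.33 192.168.3.2/32[179] tcp 0x1000 -A tcp-md5 "xyzzy" ;'
    print("rejected:", is_rejected(bad))
    # Without the port it parses, and the SA then covers every TCP flow to the peer.
    sa = parse_add('add 192.168.3.33 192.168.3.2/32 tcp 0x1000 -A tcp-md5 "xyzzy" ;')
    for f in matching_flows(sa, SAMPLE_FLOWS):
        print("MD5 applies to tcp dport", f["dport"])
```

Running it shows the two halves of the post's observation: the line with `[179]` is refused at the `ipaddr` token, and once the port is dropped the resulting SA selects on addresses only, so the port 22 and 23 flows (the RANCID-style sessions the post worries about) fall under the same MD5 requirement as port 179.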