FreeBSD 9.2 setkey/quagga BGP MD5

Dennis Glatting freebsd at
Sat Nov 30 21:47:15 UTC 2013

I am trying to use Quagga BGP with TCP MD5 checksums to a Cisco 3945
router from a FreeBSD 9.2 server. Although there is a bunch of
information on how to set this up on the FreeBSD side there is a piece
missing: how to specify the destination port.

Specifically, and assuming I understand the setkey syntax correctly,
you /cannot/ specify the destination port resulting in all TCP
connections between the source and destination attempting to use MD5
checksums. Yes?

In my case, I only want TCP connections to dest port 172 to use MD5,
such as the following syntax that does not work:

  add[179] tcp 0x1000 -A tcp-md5 "xyzzy" ;

Looking at the YACC syntax I find:

        :       ADD ipaddropts ipaddr ipaddr protocol_spec \
                 spi extension_spec algorithm_spec EOT

Chasing "ipaddr" I find:

  $$ = parse_addr($1.buf, NULL);

Where NULL is the port spec. 

I don't really want all connections to use MD5, such as RANCID and other
TCP utilities. Rather, I only want MD5 to be used where I want it used.
I am assuming from the YACC syntax that isn't possible.

I really prefer to have some form of security, if only weak, across my
infrastructure because my infrastructure is used for penetration testing
and my users occasionally forget a route, or two, or three, resulting in
penetration tests against the infrastructure and not the targets.

Any suggestions?

More information about the freebsd-questions mailing list