Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 30 Nov 2013 13:47:04 -0800
From:      Dennis Glatting <freebsd@pki2.com>
To:        freebsd-questions@freebsd.org
Subject:   FreeBSD 9.2 setkey/quagga BGP MD5
Message-ID:  <1385848024.67585.14.camel@btw.pki2.com>

next in thread | raw e-mail | index | archive | help
I am trying to use Quagga BGP with TCP MD5 checksums to a Cisco 3945
router from a FreeBSD 9.2 server. Although there is a bunch of
information on how to set this up on the FreeBSD side there is a piece
missing: how to specify the destination port.

Specifically, and assuming I understand the setkey syntax correctly,
you /cannot/ specify the destination port resulting in all TCP
connections between the source and destination attempting to use MD5
checksums. Yes?

In my case, I only want TCP connections to dest port 172 to use MD5,
such as the following syntax that does not work:

  add 192.168.3.33 192.168.3.2/32[179] tcp 0x1000 -A tcp-md5 "xyzzy" ;

Looking at the YACC syntax I find:

  add_command
        :       ADD ipaddropts ipaddr ipaddr protocol_spec \
                 spi extension_spec algorithm_spec EOT


Chasing "ipaddr" I find:

  $$ = parse_addr($1.buf, NULL);

Where NULL is the port spec. 

I don't really want all connections to use MD5, such as RANCID and other
TCP utilities. Rather, I only want MD5 to be used where I want it used.
I am assuming from the YACC syntax that isn't possible.

I really prefer to have some form of security, if only weak, across my
infrastructure because my infrastructure is used for penetration testing
and my users occasionally forget a route, or two, or three, resulting in
penetration tests against the infrastructure and not the targets.

Any suggestions?








Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1385848024.67585.14.camel>