From: Ermal Luçi
To: Antoine Beaupré
Cc: freebsd-net
Date: Thu, 28 Nov 2013 16:05:55 +0100
Subject: Re: OpenBGPd + TCP-MD5 sig fails after a few weeks
In-Reply-To: <874n6xu31q.fsf@marcos.anarc.at>
References: <87zjoqu3wr.fsf@marcos.anarc.at> <874n6xu31q.fsf@marcos.anarc.at>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Nov 27, 2013 at 7:12 PM, Antoine Beaupré wrote:
> On 2013-11-27 05:58:12, Ermal Luçi wrote:
> > You can use the port here
> > https://github.com/pfsense/pfsense-tools/tree/master/pfPorts/openbgpd
> > It has integration with pfkey sockets of FreeBSD in the daemon itself and
> > you have to specify only the SPD policy through setkey.
> >
> > It works for pfSense.
>
> While it seems to bootstrap properly, it still fails to install a
> security association, in my bgpd.conf:
>
> tcp md5sig password "[...]"

Probably because you are putting " (quotes) on the password and that is wrong.
That means the password on the connection is wrong since it has " in it.
I think it's an issue of the bgpd parser on this.

> Startup log:
>
> root@rtr0:/usr/home/anarcat # bgpd -d
> startup
> rereading config
> route decision engine ready
> session engine ready
> RDE reconfigured
> listening on 0.0.0.0
> listening on ::
> SE reconfigured
> neighbor 199.58.81.1 (rtr1): state change None -> Idle, reason: None
> neighbor 38.104.152.101 (Cogent): state change None -> Idle, reason: None
> neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
> pfkey: Invalid argument
> neighbor 38.104.152.101 (Cogent): pfkey setup failed
> neighbor 199.58.81.1 (rtr1): state change Connect -> Active, reason: Connection open failed
> ^Cneighbor 199.58.81.1 (rtr1): state change Active -> Idle, reason: Stop
> kernel routing table 0 (Loc-RIB) decoupled
> pfkey: Invalid argument
> route decision engine exiting
> session engine exiting
> Terminating
>
> What do I need to set with setkey?
>
> It seems to send the wrong password to the other side:
>
> 13:06:33.455309 IP (tos 0x0, ttl 255, id 18405, offset 0, flags [DF], proto TCP (6), length 68, bad cksum 0 (->b632)!)
>     38.104.152.102.179 > 38.104.152.101.44659: Flags [S.], cksum 0xe57b (correct), seq 2310073167, ack 669413589, win 65535, options [mss 1436,nop,wscale 6,nop,nop,md5invalid], length 0
>
> After removing the tcpsig from my config, things work again because the
> other side is initiating the connection... But connections initiated from
> our side are not properly signed.
>
> Also, I have another bgpd that I want to set up an iBGP session with, and
> this one loops to death:
>
> neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
> neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
> neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
> neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
> neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping routes
> neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason: Connection closed
> neighbor 199.58.81.1 (rtr1): state change Idle -> Connect, reason: Start
> neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
> neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
> neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
> neighbor 199.58.81.1 (rtr1): graceful restart of IPv4 unicast, keeping routes
> neighbor 199.58.81.1 (rtr1): state change Established -> Idle, reason: Connection closed
>
> ... etc. After restarting the other daemon, it seems to work properly,
> but that was really scary...
>
> neighbor 199.58.81.1 (rtr1): state change Connect -> OpenSent, reason: Connection opened
> neighbor 199.58.81.1 (rtr1): state change OpenSent -> OpenConfirm, reason: OPEN message received
> neighbor 199.58.81.1 (rtr1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
>
> a.
>
> --
> Freedom is being able to make decisions that affect mainly you. Power
> is being able to make decisions that affect others more than you. If
> we confuse power with freedom, we will fail to uphold real freedom.
> - Richard Stallman
>

-- 
Ermal
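The setkey side of what the thread is circling around, as an added example that is not part of the thread, of the pfSense port, or of either poster's configuration. On FreeBSD the TCP-MD5 option is computed with a key the kernel looks up in the security association database, so a tcp-md5 SA has to exist for each direction of the session (one with the local address as source, one with the peer as source) or signed segments cannot be generated or verified. The addresses below are the local side (38.104.152.102) and the Cogent peer (38.104.152.101) from the tcpdump line above; the secret string and the SPI 0x1000 are placeholders; and the kernel is assumed to be built with options IPSEC and TCP_SIGNATURE, which is what tcp(4) documents as the prerequisite for TCP_MD5SIG.

```conf
# Constructed example for setkey(8), e.g. `setkey -f /etc/tcpmd5.conf`.
# Not taken from the thread: the secret and the SPI are placeholders.
# One SA per direction; both ends of the session must use the same secret.

# local -> Cogent peer
add 38.104.152.102 38.104.152.101 tcp 0x1000 -A tcp-md5 "replace-with-shared-secret";
# Cogent peer -> local
add 38.104.152.101 38.104.152.102 tcp 0x1000 -A tcp-md5 "replace-with-shared-secret";

# The iBGP peer from the log (199.58.81.1) would need its own pair of
# entries with the local address of that session; key lookup is per
# address pair, so an SA for one neighbor does nothing for another.
```

Two checks worth running after loading this: `setkey -D` lists the installed SAs, so a missing direction or a typo in an address shows up immediately; and `tcpdump -M <secret>` makes tcpdump verify the MD5 option against the shared secret instead of only reporting that it could not check it, which separates "the packet carries a bad signature" from "tcpdump does not know the key".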