Date:      Tue, 03 Jan 2012 12:52:15 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        Hiroki Sato <hrs@FreeBSD.org>
Cc:        ndenev@gmail.com, emaste@FreeBSD.org, borjam@sarenet.es, freebsd-net@FreeBSD.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <4F036A7F.9030906@FreeBSD.org>
In-Reply-To: <20120104.040611.1847309275485655567.hrs@allbsd.org>
References:  <20120103152909.GA83706@sandvine.com> <6FE9FF15-487F-4A31-AEE0-A0AD92F5DC72@sarenet.es> <20DC0C8A-DD9E-408E-9ACA-82532DB31871@lists.zabbadoz.net> <20120104.040611.1847309275485655567.hrs@allbsd.org>

On 01/03/2012 11:06, Hiroki Sato wrote:
> Doug Barton <dougb@freebsd.org> wrote
>   in <4F027BC0.1080101@FreeBSD.org>:
> 
> do> We have a pair of physical FreeBSD systems configured as routers
> do> designed to operate in an active/standby CARP configuration. Everything
> do> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
> do> the two routers don't speak BGP to each other anymore. They both
> do> function fine individually, and failover works. It is only the openbgpd
> do> communication between them that's not flowing.
> 
>  Doug, does your kernel have the TCP_SIGNATURE option?

Yes.

>  The patch[*] for
>  net/openbgpd can be used as a workaround if it was due to the TCP_MD5SIG
>  option on the listening sockets.
> 
>  [*] http://people.allbsd.org/~hrs/FreeBSD/openbgpd.20120104-1.diff
> 
>  While this is an ugly hack and I will investigate a more reasonable
>  solution for that, I want to narrow down the cause first.  Can anyone
>  who is using an 8-STABLE kernel with TCP_SIGNATURE let me know if
>  this works or not?

This patch works even if net.inet.tcp.signature_verify_input=1. If I
turn that sysctl off on both sides they can talk to each other even
without the patch. So that would definitely seem to indicate that the
tcp_signature stuff is the source of the problem.

What unfortunately did not work is configuring signatures on both sides.
With the sysctl enabled, IPSEC set up on both hosts, and the tcp md5sig
option in both bgpd.conf files, we got the same result as before, no
communication between them. When -HUP'ing and/or restarting openbgpd
with the tcp md5sig option enabled we get "pfkey setup failed."

So, "working iBGP + no signatures" is a good next step. "iBGP +
signatures" would be an even better one. :)  We're happy to test more
patches, etc.; and thanks again to everyone who has responded so far.


Doug

-- 

	You can observe a lot just by watching.	-- Yogi Berra

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
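The failure described in this thread (one router signing its BGP session with the TCP MD5 option while the peer either does not expect or cannot verify it) can be confirmed from a packet capture rather than by toggling sysctls. The following is an added example, not code from this thread or from openbgpd: it parses the options of a raw TCP segment, checks for the RFC 2385 MD5 signature option (kind 19) and verifies the digest against a shared key. The sample SYN, the addresses and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND = 19  # TCP option kind for the RFC 2385 MD5 signature (16-byte digest)

def parse_tcp_options(seg):
    """Return {kind: value_bytes} for the options carried in a raw TCP segment."""
    opts, result, i = seg[20:(seg[12] >> 4) * 4], {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        result[kind] = opts[i + 2:i + length]
        i += length
    return result

def rfc2385_digest(src_ip, dst_ip, seg, key):
    """MD5 over pseudo-header, option-less header with checksum zeroed, payload and key."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(seg))
    header = seg[:16] + b"\x00\x00" + seg[18:20]       # 20-byte header, checksum field zeroed
    return hashlib.md5(pseudo + header + seg[(seg[12] >> 4) * 4:] + key).digest()

def check_signature(src_ip, dst_ip, seg, key):
    """'absent' if the segment carries no MD5 option, else 'ok' or 'bad' for this key."""
    opts = parse_tcp_options(seg)
    if MD5SIG_KIND not in opts:
        return "absent"
    ok = hmac.compare_digest(opts[MD5SIG_KIND], rfc2385_digest(src_ip, dst_ip, seg, key))
    return "ok" if ok else "bad"

def build_segment(src_ip, dst_ip, key=None, payload=b""):
    """Constructed sample SYN to TCP/179 (BGP); signed with key if one is given."""
    opts = (bytes([MD5SIG_KIND, 18]) + b"\x00" * 16 + b"\x01\x01") if key is not None else b""
    header = struct.pack("!HHIIBBHHH", 40000, 179, 1, 0, (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0)
    seg = header + opts + payload
    if key is not None:                                  # digest excludes options, so fill it in afterwards
        seg = seg[:22] + rfc2385_digest(src_ip, dst_ip, seg, key) + seg[38:]
    return seg
```

A peer that answers "absent" to a signed SYN, or "bad" because the keys or addresses disagree, silently drops the segment, which is exactly the one-directional silence seen between the two routers.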