Date:      Wed, 4 Jan 2012 07:23:58 +0200
From:      Nikolay Denev <ndenev@gmail.com>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: openbgpds not talking each other since 8.2-STABLE upgrade
Message-ID:  <52D4B9DF-4BC3-4AF7-BCE0-A88E18F25650@gmail.com>
In-Reply-To: <4F036A7F.9030906@FreeBSD.org>
References:  <20120103152909.GA83706@sandvine.com> <6FE9FF15-487F-4A31-AEE0-A0AD92F5DC72@sarenet.es> <20DC0C8A-DD9E-408E-9ACA-82532DB31871@lists.zabbadoz.net> <20120104.040611.1847309275485655567.hrs@allbsd.org> <4F036A7F.9030906@FreeBSD.org>


On Jan 3, 2012, at 10:52 PM, Doug Barton wrote:

> On 01/03/2012 11:06, Hiroki Sato wrote:
>> Doug Barton <dougb@freebsd.org> wrote
>>  in <4F027BC0.1080101@FreeBSD.org>:
>>
>> do> We have a pair of physical FreeBSD systems configured as routers
>> do> designed to operate in an active/standby CARP configuration. Everything
>> do> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
>> do> the two routers don't speak BGP to each other anymore. They both
>> do> function fine individually, and failover works. It is only the openbgpd
>> do> communication between them that's not flowing.
>>
>> Doug, does your kernel have TCP_SIGNATURE option?
>
> Yes.
>
>> The patch[*] for
>> net/openbgpd can be used as a workaround if it was due to TCP_MD5SIG
>> option on the listening sockets.
>>
>> [*] http://people.allbsd.org/~hrs/FreeBSD/openbgpd.20120104-1.diff
>>
>> While this is an ugly hack and I will investigate more reasonable
>> solution for that, I want to narrow down the cause first.  Can anyone
>> who is using an 8-STABLE kernel with TCP_SIGNATURE let me know if
>> this works or not?
>
> This patch works even if net.inet.tcp.signature_verify_input=1. If I
> turn that sysctl off on both sides they can talk to each other even
> without the patch. So that would definitely seem to indicate that the
> tcp_signature stuff is the source of the problem.
>
> What unfortunately did not work is configuring signatures on both sides.
> With the sysctl enabled, IPSEC set up on both hosts, and the tcp md5sig
> option in both bgpd.conf files, we got the same result as before, no
> communication between them. When -HUP'ing and/or restarting openbgpd
> with the tcp md5sig option enabled we get "pfkey setup failed."
>
> So, "working iBGP + no signatures" is a good next step. "iBGP +
> signatures" would be an even better one. :)  We're happy to test more
> patches, etc.; and thanks again to everyone who has responded so far.
>
>
> Doug
>
> --
>
> 	You can observe a lot just by watching.	-- Yogi Berra
>
> 	Breadth of IT experience, and depth of knowledge in the DNS.
> 	Yours for the right price.  :)  http://SupersetSolutions.com/
>

You are setting the keys with setkey for both directions of a single
session, right?
i.e.:

  add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
  add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";

As before, it was only needed to set the "outgoing" direction key, which
should not work anymore unless
net.inet.tcp.signature_verify_input is zero.
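As an added illustration (not part of this thread and not FreeBSD's kernel or openbgpd code) of why the inbound-direction SA matters once signature_verify_input is on: a small Python model of RFC 2385 TCP-MD5 signing and verification, with a per-host SA table keyed by (src, dst) the way the two setkey lines above populate it. The addresses, the "SomePass" key, the port numbers and the segment contents are constructed.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_TCP = 6
TCPOPT_MD5 = 19  # TCP option kind for the RFC 2385 signature

def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, opt_len, payload, key):
    """RFC 2385 digest: pseudo-header (src, dst, zero, proto, TCP length),
    fixed TCP header with checksum zeroed (options excluded), data, key."""
    seg_len = len(fixed_hdr) + opt_len + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + \
        struct.pack("!BBH", 0, IPPROTO_TCP, seg_len)
    hdr = bytearray(fixed_hdr)
    hdr[16:18] = b"\x00\x00"  # checksum field is hashed as zero
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()

class Host:
    def __init__(self, ip, verify_input=True):
        self.ip, self.verify_input, self.sad = ip, verify_input, {}

    def setkey_add(self, src, dst, key):
        self.sad[(src, dst)] = key  # one SA per direction, like setkey add

    def send(self, dst, payload):
        key = self.sad.get((self.ip, dst))  # "outgoing" SA
        fixed = struct.pack("!HHIIBBHHH", 179, 179, 1, 1, 10 << 4, 0x18, 65535, 0, 0)
        opts = b""
        if key is not None:
            d = tcp_md5_digest(self.ip, dst, fixed, 20, payload, key)
            opts = bytes([TCPOPT_MD5, 18]) + d + b"\x01\x01"  # option + NOP pad
        return fixed + opts, payload

    def receive(self, src, hdr, payload):
        """True if the segment is accepted; models signature_verify_input."""
        if not self.verify_input:
            return True
        fixed, opts = hdr[:20], hdr[20:]
        if opts[:2] != bytes([TCPOPT_MD5, 18]):
            return False  # signature expected but absent
        key = self.sad.get((src, self.ip))  # inbound-direction SA
        if key is None:
            return False  # no SA for peer -> us: cannot verify, drop
        want = tcp_md5_digest(src, self.ip, fixed, len(opts), payload, key)
        return hmac.compare_digest(opts[2:18], want)

def demo(both_directions, verify_input=True):
    a, b = Host("192.0.2.1", verify_input), Host("192.0.2.2", verify_input)
    key = b"SomePass"
    a.setkey_add(a.ip, b.ip, key)  # only the "outgoing" SA on each side
    b.setkey_add(b.ip, a.ip, key)
    if both_directions:
        a.setkey_add(b.ip, a.ip, key)
        b.setkey_add(a.ip, b.ip, key)
    hdr, data = a.send(b.ip, b"OPEN")
    return b.receive(a.ip, hdr, data)
```

demo(False) models the old setkey layout and is rejected with verification on; demo(True) adds the return-direction SAs and passes, and demo(False, verify_input=False) shows the sysctl-off case.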
