Date: Sun, 21 Sep 2014 17:41:51 +0200
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: "Paul S." <contact@winterei.se>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: IP fast forwarding and setkey
Message-ID: <CA%2Bq%2BTcpygKBrDjnS1_-JeXxeQeH=YqAjY9qjJpEPXKTGOXBt%2BQ@mail.gmail.com>
In-Reply-To: <541EA396.7050201@winterei.se>
References: <541EA396.7050201@winterei.se>

On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <contact@winterei.se> wrote:

> Hi folks,
>
> I plan to make an edge router out of a freebsd system with OpenBGPD +
> FreeBSD 10, or such.
>
> I've been reading up, and noticed that the net.inet.ip.fastforwarding flag
> provides rather nice performance benefits.
>
> My issue is, my upstream networks insist on using TCP MD5 authentication
> on their BGP sessions.
>
> This is fine, except on FreeBSD -- I'm going to have to use the setkey
> utility to set those since native PF_KEY support for OpenBGPD does not seem
> available.
>
> Now, since setkey is part of IPSec, and there are countless warnings about
> using IPSec and fastforwarding together in the manpage, am I correct in
> assuming that this will not work if I have fastforwarding enabled?
>
> Is there any way to make it work? Quagga, from what I've read, seems to
> also be in the same boat (Usage of setkey required for TCP MD5).
>

fastforwarding is not compatible with IPSec only but can be used with TCP_MD5 without problem (tested on FreeBSD 10-stable).

Regards,

Olivier
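
The setkey step discussed in this thread, as an added example that is not part of either e-mail: a small script that renders the per-peer TCP-MD5 security associations for setkey(8). The addresses, secrets and function names are constructed for illustration; SPI 0x1000 and one entry per direction follow what FreeBSD's tcp(4) documents for TCP_MD5SIG.

```shell
#!/bin/sh
# Added example: render setkey(8) input for TCP-MD5 protected BGP sessions.
# All addresses and secrets below are constructed samples.

# tcpmd5_entries LOCAL PEER SECRET   (hypothetical helper)
# Emits one SA per direction, each with SPI 0x1000.
tcpmd5_entries() {
    local_ip=$1 peer_ip=$2 secret=$3
    # An empty secret or an embedded double quote would corrupt the
    # quoted key string, so refuse it instead of writing a broken file.
    case $secret in
        ""|*\"*) echo "unusable secret for $peer_ip" >&2; return 1 ;;
    esac
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$local_ip" "$peer_ip" "$secret"
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$peer_ip" "$local_ip" "$secret"
}

# render_setkey_conf   (hypothetical helper)
# One tcpmd5_entries call per upstream BGP session.
render_setkey_conf() {
    tcpmd5_entries 192.0.2.1 192.0.2.254 'constructed-secret-1' || return 1
    tcpmd5_entries 198.51.100.1 198.51.100.254 'constructed-secret-2' || return 1
}

# On the router, as root (the output holds the shared secrets, so keep
# the file unreadable to other users):
#   umask 077; render_setkey_conf > tcpmd5.conf
#   setkey -f tcpmd5.conf                # load the SAs
#   setkey -D                            # confirm four tcp-md5 entries exist
#   sysctl net.inet.ip.fastforwarding=1  # the flag asked about in the thread
render_setkey_conf
```

The BGP daemon must be configured with the same secret for each neighbor; the setkey entries only supply the key to the kernel.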