Date: Mon, 21 Nov 2011 14:28:42 +0100 From: Borja Marcos <borjam@sarenet.es> To: freebsd-bugs@FreeBSD.org Subject: Openbgpd incorrectly sets TCP_MD5 on the listen socket, regardless of configuration Message-ID: <129489FD-E98D-4954-8D43-632D88E745CE@sarenet.es>
next in thread | raw e-mail | index | archive | help
Sorry for the brief report and the scarce details. The f****ing form =
insists on rejecting the captcha after one hour writing a report.=20
So, in short:
If TCP_MD5 is available on the system,
options IPSEC
options TCP_SIGNATURE #include support for RFC 2385
device crypto
Turns out openbgpd can't receive BGP connections.=20
The error is in the session.c file, line 148, function =
setup_listeners(u_int *la_cnt).
Code snippet:
opt =3D 1;
if (setsockopt(la->fd, IPPROTO_TCP, TCP_MD5SIG,
&opt, sizeof(opt)) =3D=3D -1) {
if (errno =3D=3D ENOPROTOOPT) { /* system =
w/o md5sig */
log_warnx("md5sig not available, =
disabling");
sysdep.no_md5sig =3D 1;
} else
fatal("setsockopt TCP_MD5SIG");
}
This is wrong. Regardless of the configuration, this code activates =
TCP_MD5 for the socket and leaves it enabled. This is what happens:
14:04:33.009212 IP 10.0.0.2.36610 > 10.0.0.1.179: Flags [S], seq =
1941690122, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val =
115224 ecr 0], length 0
14:04:33.009267 IP 10.0.0.1.179 > 10.0.0.2.36610: Flags [S.], seq =
2935503211, ack 1941690123, win 65535, options [mss 1460,nop,wscale =
6,sackOK,TS val 4192648161 ecr 115224,nop,nop,md5shared secret not =
supplied with -M, can't check - a360f2c9a9f96a582ccbabe79418105c], =
length 0
The daemon receiving the connection is replying with TCP_MD5, even =
though there's no TCP_MD5 option set in the bgpd.conf file.
Removing this code (or placing it outside of the loop, creating a =
temporary socket just to enable TCP_MD5 on it and using it to detect the =
availability of TCP_MD5) works:
14:04:35.395447 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [S], seq =
366635408, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val =
220116 ecr 0], length 0
14:04:35.395490 IP 10.0.0.2.179 > 10.0.0.1.45119: Flags [S.], seq =
1226417253, ack 366635409, win 65535, options [mss 1460,nop,wscale =
6,sackOK,TS val 511187362 ecr 220116], length 0
14:04:35.395584 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [.], ack 1, win =
1040, options [nop,nop,TS val 220116 ecr 511187362], length 0
14:04:35.396072 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [P.], seq 1:46, =
ack 1, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length =
45: BGP, length: 45
14:04:35.397031 IP 10.0.0.2.179 > 10.0.0.1.45119: Flags [P.], seq 1:50, =
ack 46, win 1040, options [nop,nop,TS val 511187362 ecr 220116], length =
49: BGP, length: 49
14:04:35.397381 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [P.], seq 46:65, =
ack 50, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length =
19: BGP, length: 19
Sorry for the terse report. It was very detailed, but lost.
Borja.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?129489FD-E98D-4954-8D43-632D88E745CE>