Esben Norby wrote:

On Friday 28 October 2005 09:15, Egbert Krook wrote:

Hi,
Does anyone know if MD5 authentication in ospfd is known to be broken? In
our test environment things work fine without authentication or simple
authentication turned on, but as soon as we turn on MD5 authentication
things break.
We're using the snapshot of October 13th and a Cisco 3640 router (IOS
12.1(5)). If this is an unknown problem I will submit a bug report.

I cannot reproduce this with ospfd from current and a Cisco 72xx router, using
your configuration...
Could you provide a tcpdump trace?
/Esben

Not sure if that's the same problem I provided an example of and got a
patch for, but in the MD5 setup, there is a problem with BGPd if you
also have the "ip tcp selective-ack" active on your Cisco box?
I don't know if this would affect you as well using OSPFd as it obviously
did me on BGPd, but I would suspect that it would. Not sure why it
wouldn't really. The problem is/was in tcp-input.c and that's on the TCP
stack used for both the BGPd and OSPFd obviously.
Just try this and see the results for now:
sysctl net.inet.tcp.sack=0
This is worth a try. It doesn't fix the bug, but the part of the code
that needs to be worked around is disabled with it.
So, redo your test with "ip tcp selective-ack" and without on your
remote Cisco router, and/or with the sysctl above on your OpenBSD router.
Also on your setup for now, I would strongly recommend not to use "ip
tcp selective-ack" if you have the choice, but the problem is the remote
router running this will affect your local OpenBSD router.
Just my thought.
Hope this helps you anyway; it sure put me on the spot for a few weeks
until it was worked around.
Daniel