Esben Norby wrote:
On Friday 28 October 2005 09:15, Egbert Krook wrote:

Hi,

Does anyone know if MD5 authentication in ospfd is known to be broken? In
our test environment things work fine without authentication or simple
authentication turned on, but as soon as we turn on MD5 authentication
things break.

We're using the snapshot of October 13th and a Cisco 3640 router (IOS
12.1(5)). If this is an unknown problem I will submit a bug report.



I cannot reproduce this with ospfd from current and a cisco 72xx router, using your configuration...

Could you provide a tcpdump trace?

/Esben


Not sure if that's the same problem I provided an example of and got a patch for, but in the MD5 setup, there is a problem with BGPd if you also have the "ip tcp selective-ack" active on your Cisco box?

I don't know if this would affect you as well using OSPFd as it obviously did me on BGPd, but I would suspect that it would. Not sure why it wouldn't really. The problem is/was in tcp-input.c and that's on the TCP stack used for both the BGPd and OSPFd obviously.

Just try this and see the results for now:

sysctl net.inet.tcp.sack=0

This is worth a try. It doesn't fix the bug, but the part of the code that needs to be worked around is disabled with it.

So, redo your test with "ip tcp selective-ack" and without on your remote Cisco router, and/or with the sysctl above on your OpenBSD router.

Also on your setup for now, I would strongly recommend not to use "ip tcp selective-ack" if you have the choice, but the problem is the remote router running this will affect your local OpenBSD router.

Just my thought.

Hope this helps you anyway; it sure put me on the spot for a few weeks until it was worked around.

Daniel
