Hi all
[20051019 snap i386]
I've made a setup with two identical bgp routers. On each router there are
3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting
these routers and finally pipes backwards to the internal nets. Part of
bgpd.conf further down.
I'm replacing a single router (no ospf) fbsd/zebra setup.
Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a
'no synchronization' option for this connection. Do I need it at all?
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but
it's needed in zebra and Cisco IOS hence the question.
A: ?
Q: adding md5sig password, how can I activate these stepwise without
having to take bgpd down/up and affecting all connections - ospfctl does
not seem to have it as an option. Would like to add md5sig one carrier at a
time on a "live" system.
A: ?
Q: running ospf with all peers + carp interfaces in area 0.0.0.0 and
internal interfaces in area 0.0.0.1 (and from ospfd.conf)
[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF
"play along" in the same way a 'redistribute ospf' in Zebra/Cisco IOS?
A: ?
Q: default gateway is added to the routing table after all interfaces
are configured. BGP is adding information into the routing table and so
does OSPF (updates). That's 3 times "redistributing" of routes between
different protocols and with 3 different administrative distances but
still in/from the same table. Since directly connected (0) or static (1)
connections are superior to e.g. eBGP (20) and OSPF (110) then should or
shouldn't /etc/mygate be removed from a BGP router before putting it
into production? Will it/can it mock the routing decision despite
'weight' in bgpd.conf due to the lower distance?
A: ?
Part of bgpd.conf:
[...]
neighbor $peer0 {
	remote-as ABCD
	descr "ebgp sucks"
	set nexthop aaa.aaa.aaa.aab
	multihop 10
	local-address aaa.aaa.aaa.aaa
	announce self
	announce IPv6 none
	enforce neighbor-as yes
	set weight 100
	#tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
	remote-as <our_own_AS>
	descr "internal"
	local-address 172.16.0.1
	depend on em5
	announce all
	announce IPv6 none
	enforce neighbor-as no
	set weight 200
	#tcp md5sig password NoPotatoes
}
I have a:
deny from any prefix 172.16.0.0/12 prefixlen >= 12
but the carp interface uses a /8 i.e. should be safe :)
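
Added example (not part of the original post, and not bgpd's own code): a simplified Python model of how a combined `prefix ... prefixlen ...` filter rule selects announced prefixes, following the bgpd.conf(5) description that `prefix` picks the netblock and `prefixlen` the mask length. The announcements are constructed, the helper names are hypothetical, and treating 172.16.0.1/8 as the carp interface address is an assumption based on the local-address in the config above.

```python
import ipaddress
import operator

# The filter line quoted in the post.
RULE = "deny from any prefix 172.16.0.0/12 prefixlen >= 12"

# Operators this sketch accepts after "prefixlen" (hypothetical helper table).
_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def parse_rule(rule):
    """Parse '<allow|deny> from any prefix <net> prefixlen <op> <n>' only."""
    tok = rule.split()
    if (len(tok) != 8 or tok[0] not in ("allow", "deny")
            or tok[1:4] != ["from", "any", "prefix"]
            or tok[5] != "prefixlen" or tok[6] not in _OPS):
        raise ValueError("unsupported rule form: %r" % rule)
    return tok[0], ipaddress.ip_network(tok[4]), _OPS[tok[6]], int(tok[7])


def rule_matches(rule, announced):
    """True if an announced prefix is selected by the rule (simplified model)."""
    _, block, op, length = parse_rule(rule)
    pfx = ipaddress.ip_network(announced)
    if pfx.version != block.version:
        return False
    # Netblock test: the leading bits covered by the rule's mask must agree.
    same_block = (int(pfx.network_address) & int(block.netmask)
                  ) == int(block.network_address)
    # Length test: the announced mask length must satisfy the prefixlen clause.
    return same_block and op(pfx.prefixlen, length)


def connected_network(interface_cidr):
    """Network that an interface address/mask places in the routing table."""
    return str(ipaddress.ip_interface(interface_cidr).network)


if __name__ == "__main__":
    # Constructed announcements; the last is the network of the assumed /8 carp address.
    samples = ["172.16.0.0/12", "172.20.5.0/24", "172.31.255.1/32",
               "172.32.0.0/16", "10.0.0.0/8", connected_network("172.16.0.1/8")]
    for s in samples:
        print("%-18s %s" % (s, "denied" if rule_matches(RULE, s) else "not matched"))
```

The rule is evaluated against prefixes carried in UPDATE messages, so what it sees is the announced network and mask length, not the address a session is bound to.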