Daniel Ouellet wrote:
Falk Brockerhoff wrote:
Hello,
I'm just playing around with OpenBGP on OpenBSD 3.8. My BGP session
comes up, MD5 works fine. OpenBGP is an intuitive tool and works fine. :)
Just a word of BIG caution on this MD5 usage. There was a bug corrected
in 3.9 for MD5 when the remote reset the session. Make sure to upgrade
to 3.9 and NOT to run the 3.8 when MD5 is in use. You will sleep much
better, believe me.
Just for the record, as some may have questions on that one. You will
only see the bug if the remote party uses MD5 and has the "ip tcp
selective-ack" enabled in their configuration. The problem is that you
don't know if they do or not. If you can't upgrade right away, one very
easy workaround is to simply have:
sysctl net.inet.tcp.sack=0
in your OpenBSD configuration until you have time to upgrade to 3.9.
Hope this helps and clarifies the issue a bit more. Not obvious and took me
a long time to figure it out. Having a dead peer, or worse, main access is
no fun. (:>
Sorry for the somewhat short answer the first time around.
Daniel
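
A local check for the condition described in this thread, as an added example that is not part of the original posts: it flags a pre-3.9 host that has `tcp md5sig` configured in bgpd.conf while SACK is still enabled. The function names and the sample config are constructed, and because the remote side's SACK setting cannot be seen locally, any MD5 peer on such a host is treated as exposed.

```shell
#!/bin/sh
# Added example; function names and the sample config are constructed.

# Succeeds if the bgpd.conf-style file has an uncommented "tcp md5sig" line.
uses_md5() {
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*tcp[[:space:]]+md5sig[[:space:]]'
}

# Succeeds if the release string (uname -r form, e.g. "3.8") is older than 3.9.
release_before_39() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 9 ]; }
}

# assess RELEASE SACK_VALUE CONF_FILE
# Prints a verdict; returns 1 only when the host still needs the workaround.
assess() {
    rel=$1; sack=$2; conf=$3
    if ! uses_md5 "$conf"; then
        echo "ok: no tcp md5sig in $conf"
    elif ! release_before_39 "$rel"; then
        echo "ok: release $rel is 3.9 or later"
    elif [ "$sack" = "0" ]; then
        echo "mitigated: net.inet.tcp.sack=0 on $rel, upgrade still pending"
    else
        echo "exposed: MD5 on $rel with SACK enabled; set net.inet.tcp.sack=0"
        return 1
    fi
}

# On a real host: assess "$(uname -r)" "$(sysctl -n net.inet.tcp.sack)" /etc/bgpd.conf
# Demo on a constructed config so the script runs anywhere.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
neighbor 192.0.2.1 {
	remote-as 65002
	tcp md5sig password constructed-secret
}
EOF
assess 3.8 1 "$demo_conf" || true
assess 3.8 0 "$demo_conf"
assess 3.9 1 "$demo_conf"
rm -f "$demo_conf"
```

To keep the workaround across reboots, the same `net.inet.tcp.sack=0` line goes in /etc/sysctl.conf.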