Doug Barton wrote
in <4f0ce268.1000...@freebsd.org>:
do> On 01/03/2012 13:03, Hiroki Sato wrote:
do> > Okay, thank you for your report. I will take some time to fix
do> > TCP_MD5SIG support in openbgpd and inform you when another patch is
do> > ready.
do>
do> Any news on this? Not trying to
On 01/03/2012 13:03, Hiroki Sato wrote:
> Okay, thank you for your report. I will take some time to fix
> TCP_MD5SIG support in openbgpd and inform you when another patch is
> ready.
Any news on this? Not trying to be pushy, just wondering if I need to
plan a test/change window.
Thanks,
Dou
On Tue, Jan 10, 2012 at 09:01:35AM +0100, Borja Marcos wrote:
>
> On Jan 10, 2012, at 12:01 AM, Claudio Jeker wrote:
>
> > Since it is possible to add MD5 for neighbors on config reload and the
> > listening sockets are normally not closed and reopened on config reload it
> > was the easiest to se
On Jan 10, 2012, at 12:01 AM, Claudio Jeker wrote:
> Since it is possible to add MD5 for neighbors on config reload and the
> listening sockets are normally not closed and reopened on config reload it
> was the easiest to set the MD5 option on all listening sockets no matter
> what (especially sin
On Mon, Jan 09, 2012 at 11:01:44AM +0100, Borja Marcos wrote:
>
> On Jan 4, 2012, at 10:28 AM, Claudio Jeker wrote:
>
> > On Wed, Jan 04, 2012 at 09:27:28AM +0100, Borja Marcos wrote:
> >>
> >> Behavior on FreeBSD: The setsockopt(TCP_MD5SIG) *enables* TCP_MD5.
> >> According to my packet capture
On 6. Jan 2012, at 22:18 , Claudio Jeker wrote:
> On Fri, Jan 06, 2012 at 10:35:01AM -0500, Ed Maste wrote:
>> On Thu, Jan 05, 2012 at 08:18:39PM -0500, J David wrote:
>>
>>> To help understand what's going on and test some of this stuff, I
>>> hacked up a TCP-MD5-aware echo server and tried vari
On Jan 4, 2012, at 10:28 AM, Claudio Jeker wrote:
> On Wed, Jan 04, 2012 at 09:27:28AM +0100, Borja Marcos wrote:
>>
>> Behavior on FreeBSD: The setsockopt(TCP_MD5SIG) *enables* TCP_MD5.
>> According to my packet captures, in case there's no properly set key
>> with setkey(8) it will use whateve
On Fri, Jan 06, 2012 at 10:35:01AM -0500, Ed Maste wrote:
> On Thu, Jan 05, 2012 at 08:18:39PM -0500, J David wrote:
>
> > To help understand what's going on and test some of this stuff, I
> > hacked up a TCP-MD5-aware echo server and tried various things.
>
> Hi J David,
>
> Thank you very much
On Fri, Jan 6, 2012 at 10:35 AM, Ed Maste wrote:
> Thank you very much for this extensive testing and analysis. Would you
> care to post your basic echo server somewhere for others to use in
> debugging this, just to save time for anyone who can debug further?
With a bit of clean-up to stop peop
On 6. Jan 2012, at 15:35 , Ed Maste wrote:
> Yes, your testing clearly demonstrates some kernel issues here. I'll
> see if I can find someone to investigate (or can help guide further
> debugging).
>
> Thanks again for the effort here so far.
I am still having trouble with the table (as I had w
On Thu, Jan 05, 2012 at 08:18:39PM -0500, J David wrote:
> To help understand what's going on and test some of this stuff, I
> hacked up a TCP-MD5-aware echo server and tried various things.
Hi J David,
Thank you very much for this extensive testing and analysis. Would you
care to post your bas
> > Are you sure? I have net.inet.tcp.signature_verify_input = 1 and only
> > one line in /etc/ipsec.conf for each BGP session using MD5 keys, on
> > 8.2-STABLE.
>
> Hmm, you are right, it seems that my second SAD entries are not used at all.
> However I'm now running with net.inet.tcp.signature_ve
On Jan 4, 2012, at 3:42 PM, sth...@nethelp.no wrote:
>> You are setting the keys with setkey for both directions of a single
>> session, right?
>> i.e.:
>>
>> add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
>> add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";
>>
>> As before it was
To help understand what's going on and test some of this stuff, I
hacked up a TCP-MD5-aware echo server and tried various things.
The first thing I found was that setting
net.inet.tcp.signature_verify_input to 0 does not stop the listener
socket from setting TCP_MD5SIG. So, setting this is not a
I am experiencing the same problem with bgpd and FreeBSD 8.2-STABLE as
described in this thread. If I have correctly interpreted this
thread, it is currently not possible to have an OpenBGPd that speaks
TCP-MD5 to some peers, but not to others on FreeBSD. Is that correct?
(It seems possible to b
> You are setting the keys with setkey for both directions of a single session,
> right?
> i.e.:
>
> add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
> add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";
>
> As before it was only needed to set the "outgoing" direction key, which
> s
On Wed, Jan 04, 2012 at 09:27:28AM +0100, Borja Marcos wrote:
>
> On Jan 3, 2012, at 4:29 PM, Ed Maste wrote:
>
> > Thanks for the link Nikolay.
> >
> > Borja, I assume it's the PR submission form that gave you trouble -
> > sorry for that. Based on your report it sounds to me like the bug is
>
On Jan 3, 2012, at 4:29 PM, Ed Maste wrote:
> Thanks for the link Nikolay.
>
> Borja, I assume it's the PR submission form that gave you trouble -
> sorry for that. Based on your report it sounds to me like the bug is
> in OpenBGPd itself. If it works on OpenBSD with the TCP_MD5SIG option
> th
On Jan 3, 2012, at 9:36 PM, sth...@nethelp.no wrote:
>> Doug, does your kernel have TCP_SIGNATURE option? The patch[*] for
>> net/openbgpd can be used as a workaround if it was due to TCP_MD5SIG
>> option on the listening sockets.
>>
>> [*] http://people.allbsd.org/~hrs/FreeBSD/openbgpd.2012010
On 01/03/2012 21:23, Nikolay Denev wrote:
> You are setting the keys with setkey for both directions of a single session,
> right?
Yes. But thanks for asking. :)
Doug
--
You can observe a lot just by watching. -- Yogi Berra
Breadth of IT experience, and depth of knowledge in
On Jan 3, 2012, at 10:52 PM, Doug Barton wrote:
> On 01/03/2012 11:06, Hiroki Sato wrote:
>> Doug Barton wrote
>> in <4f027bc0.1080...@freebsd.org>:
>>
>> do> We have a pair of physical FreeBSD systems configured as routers
>> do> designed to operate in an active/standby CARP configuration. Ev
Doug Barton wrote
in <4f036a7f.9030...@freebsd.org>:
do> This patch works even if net.inet.tcp.signature_verify_input=1. If I
do> turn that sysctl off on both sides they can talk to each other even
do> without the patch. So that would definitely seem to indicate that the
do> tcp_signature stuff
On 01/03/2012 11:06, Hiroki Sato wrote:
> Doug Barton wrote
> in <4f027bc0.1080...@freebsd.org>:
>
> do> We have a pair of physical FreeBSD systems configured as routers
> do> designed to operate in an active/standby CARP configuration. Everything
> do> used to work fine, but since an upgrade t
> Doug, does your kernel have TCP_SIGNATURE option? The patch[*] for
> net/openbgpd can be used as a workaround if it was due to TCP_MD5SIG
> option on the listening sockets.
>
> [*] http://people.allbsd.org/~hrs/FreeBSD/openbgpd.20120104-1.diff
>
> While this is an ugly hack and I will inv
On 01/03/2012 11:16, Bjoern A. Zeeb wrote:
> I was wondering from *where* you were updating, not to which revision.
D'oh! Sorry ... the previous kernel was from stable/8 about 6 months
ago. Well before Attilio's merge.
Doug
--
You can observe a lot just by watching. -- Yogi Berra
On 3. Jan 2012, at 19:00 , Doug Barton wrote:
> On 01/03/2012 10:03, Bjoern A. Zeeb wrote:
>>
>> On 3. Jan 2012, at 17:47 , Borja Marcos wrote:
>>
>>>
>>> On Jan 3, 2012, at 4:29 PM, Ed Maste wrote:
>>>
Thanks for the link Nikolay.
Borja, I assume it's the PR submission form t
Doug Barton wrote
in <4f027bc0.1080...@freebsd.org>:
do> We have a pair of physical FreeBSD systems configured as routers
do> designed to operate in an active/standby CARP configuration. Everything
do> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
do> the two routers do
On 01/03/2012 10:03, Bjoern A. Zeeb wrote:
>
> On 3. Jan 2012, at 17:47 , Borja Marcos wrote:
>
>>
>> On Jan 3, 2012, at 4:29 PM, Ed Maste wrote:
>>
>>> Thanks for the link Nikolay.
>>>
>>> Borja, I assume it's the PR submission form that gave you trouble -
>>> sorry for that. Based on your repo
On 3. Jan 2012, at 17:47 , Borja Marcos wrote:
>
> On Jan 3, 2012, at 4:29 PM, Ed Maste wrote:
>
>> Thanks for the link Nikolay.
>>
>> Borja, I assume it's the PR submission form that gave you trouble -
>> sorry for that. Based on your report it sounds to me like the bug is
>> in OpenBGPd its
On Jan 3, 2012, at 4:29 PM, Ed Maste wrote:
> Thanks for the link Nikolay.
>
> Borja, I assume it's the PR submission form that gave you trouble -
> sorry for that. Based on your report it sounds to me like the bug is
> in OpenBGPd itself. If it works on OpenBSD with the TCP_MD5SIG option
> th
On Jan 3, 2012, at 4:29 PM, Ed Maste wrote:
> On Tue, Jan 03, 2012 at 09:07:56AM +0200, Nikolay Denev wrote:
>
>> Since I've had similar problem with Quagga after updating to 8.2-STABLE I'd
>> suggest you to try setting "net.inet.tcp.signature_verify_input=0" and see
>> if that would help.
On Tue, Jan 03, 2012 at 09:07:56AM +0200, Nikolay Denev wrote:
> Since I've had similar problem with Quagga after updating to 8.2-STABLE I'd
> suggest you to try setting "net.inet.tcp.signature_verify_input=0" and see
> if that would help.
>
> Here is another thread about the similar (if not
On Jan 3, 2012, at 8:07 AM, Nikolay Denev wrote:
>
> On Jan 3, 2012, at 5:53 AM, Doug Barton wrote:
>
>> We have a pair of physical FreeBSD systems configured as routers
>> designed to operate in an active/standby CARP configuration. Everything
>> used to work fine, but since an upgrade to 8.2-
On Jan 3, 2012, at 5:53 AM, Doug Barton wrote:
> We have a pair of physical FreeBSD systems configured as routers
> designed to operate in an active/standby CARP configuration. Everything
> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
> the two routers don't speak BGP to
We have a pair of physical FreeBSD systems configured as routers
designed to operate in an active/standby CARP configuration. Everything
used to work fine, but since an upgrade to 8.2-STABLE on December 29th
the two routers don't speak BGP to each other anymore. They both
function fine individually
35 matches