openbgpds not talking each other since 8.2-STABLE upgrade

Nikolay Denev ndenev at gmail.com
Wed Jan 4 05:24:06 UTC 2012


On Jan 3, 2012, at 10:52 PM, Doug Barton wrote:

> On 01/03/2012 11:06, Hiroki Sato wrote:
>> Doug Barton <dougb at freebsd.org> wrote
>>  in <4F027BC0.1080101 at FreeBSD.org>:
>> 
>> do> We have a pair of physical FreeBSD systems configured as routers
>> do> designed to operate in an active/standby CARP configuration. Everything
>> do> used to work fine, but since an upgrade to 8.2-STABLE on December 29th
>> do> the two routers don't speak BGP to each other anymore. They both
>> do> function fine individually, and failover works. It is only the openbgpd
>> do> communication between them that's not flowing.
>> 
>> Doug, does your kernel have TCP_SIGNATURE option? 
> 
> Yes.
> 
>> The patch[*] for
>> net/openbgpd can be used as a workaround if it was due to TCP_MD5SIG
>> option on the listening sockets.
>> 
>> [*] http://people.allbsd.org/~hrs/FreeBSD/openbgpd.20120104-1.diff
>> 
>> While this is an ugly hack and I will investigate a more reasonable
>> solution for that, I want to narrow down the cause first.  Can anyone
>> who is using an 8-STABLE kernel with TCP_SIGNATURE let me know if
>> this works or not?
> 
> This patch works even if net.inet.tcp.signature_verify_input=1. If I
> turn that sysctl off on both sides they can talk to each other even
> without the patch. So that would definitely seem to indicate that the
> tcp_signature stuff is the source of the problem.
> 
> What unfortunately did not work is configuring signatures on both sides.
> With the sysctl enabled, IPSEC set up on both hosts, and the tcp md5sig
> option in both bgpd.conf files, we got the same result as before, no
> communication between them. When -HUP'ing and/or restarting openbgpd
> with the tcp md5sig option enabled we get "pfkey setup failed."
> 
> So, "working iBGP + no signatures" is a good next step. "iBGP +
> signatures" would be an even better one. :)  We're happy to test more
> patches, etc.; and thanks again to everyone who has responded so far.
> 
> 
> Doug
> 
> -- 
> 
> 	You can observe a lot just by watching.	-- Yogi Berra
> 
> 	Breadth of IT experience, and depth of knowledge in the DNS.
> 	Yours for the right price.  :)  http://SupersetSolutions.com/
> 

You are setting the keys with setkey for both directions of a single session, right?
i.e.:

  add X.X.X.X Y.Y.Y.Y tcp 0x1000 -A tcp-md5 "SomePass";
  add Y.Y.Y.Y X.X.X.X tcp 0x1000 -A tcp-md5 "SomePass";

Before, it was only necessary to set the "outgoing" direction key, which should not work anymore unless
net.inet.tcp.signature_verify_input is zero.
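A small checker for the one-direction mistake discussed above, added here as an example and not part of the thread or of openbgpd: it parses setkey-style `add SRC DST tcp SPI -A tcp-md5 "KEY";` lines and reports peer pairs whose reverse direction is missing or keyed differently. The addresses and keys in the sample are constructed.

```python
"""Find TCP-MD5 SAs that exist in only one direction (or with mismatched keys).

With net.inet.tcp.signature_verify_input=1 the kernel also checks the MD5
option on incoming segments, so a session needs an SA for each direction
between the two peers, with the same key on both sides.
"""
import re

# Matches e.g.:  add 192.0.2.1 192.0.2.2 tcp 0x1000 -A tcp-md5 "SomePass";
_SETKEY_ADD = re.compile(
    r'^\s*add\s+(\S+)\s+(\S+)\s+tcp\s+(\S+)\s+-A\s+tcp-md5\s+"([^"]*)"\s*;'
)

# Constructed sample configuration (not from the thread).
SAMPLE_CONFIG = """
add 192.0.2.1 192.0.2.2 tcp 0x1000 -A tcp-md5 "SomePass";
add 192.0.2.2 192.0.2.1 tcp 0x1000 -A tcp-md5 "SomePass";
add 192.0.2.1 198.51.100.9 tcp 0x1000 -A tcp-md5 "OutboundOnly";
add 192.0.2.1 203.0.113.5 tcp 0x1000 -A tcp-md5 "KeyA";
add 203.0.113.5 192.0.2.1 tcp 0x1000 -A tcp-md5 "KeyB";
"""


def parse_tcp_md5_entries(config_text):
    """Return {(src, dst): key} for every tcp-md5 'add' line in the text."""
    entries = {}
    for line in config_text.splitlines():
        m = _SETKEY_ADD.match(line)
        if m:
            src, dst, _spi, key = m.groups()
            entries[(src, dst)] = key
    return entries


def find_asymmetric_sessions(entries):
    """Return (src, dst, problem) tuples for pairs that cannot work once
    inbound signature verification is on: no reverse SA, or a different key."""
    problems = []
    for (src, dst), key in sorted(entries.items()):
        reverse = entries.get((dst, src))
        if reverse is None:
            problems.append((src, dst, "missing reverse-direction SA"))
        elif reverse != key:
            problems.append((src, dst, "key differs from reverse direction"))
    return problems


if __name__ == "__main__":
    for src, dst, why in find_asymmetric_sessions(parse_tcp_md5_entries(SAMPLE_CONFIG)):
        print(f"{src} -> {dst}: {why}")
```

Feed it the contents of your setkey configuration file (or the output of `setkey -D` reformatted into `add` lines) to see which peer pairs are only keyed in the outgoing direction.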