Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Openbgpd incorrectly sets TCP_MD5 on the listen socket, regardless of configuration

31 views
Skip to first unread message

Borja Marcos

unread,
Nov 21, 2011, 8:28:42 AM11/21/11
to

Sorry for the brief report and the scarce details. The f****ing form insists on rejecting the captcha after one hour writing a report.

So, in short:

If TCP_MD5 is available on the system,
options IPSEC
options TCP_SIGNATURE #include support for RFC 2385
device crypto

Turns out openbgpd can't receive BGP connections.

The error is in the session.c file, line 148, function setup_listeners(u_int *la_cnt).

Code snippet:

opt = 1;
if (setsockopt(la->fd, IPPROTO_TCP, TCP_MD5SIG,
&opt, sizeof(opt)) == -1) {
if (errno == ENOPROTOOPT) { /* system w/o md5sig */
log_warnx("md5sig not available, disabling");
sysdep.no_md5sig = 1;
} else
fatal("setsockopt TCP_MD5SIG");
}


This is wrong. Regardless of the configuration, this code activates TCP_MD5 for the socket and leaves it enabled. This is what happens:

14:04:33.009212 IP 10.0.0.2.36610 > 10.0.0.1.179: Flags [S], seq 1941690122, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 115224 ecr 0], length 0
14:04:33.009267 IP 10.0.0.1.179 > 10.0.0.2.36610: Flags [S.], seq 2935503211, ack 1941690123, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4192648161 ecr 115224,nop,nop,md5shared secret not supplied with -M, can't check - a360f2c9a9f96a582ccbabe79418105c], length 0

The daemon receiving the connection is replying with TCP_MD5, even though there's no TCP_MD5 option set in the bgpd.conf file.

Removing this code (or placing it outside of the loop, creating a temporary socket just to enable TCP_MD5 on it and using it to detect the availability of TCP_MD5) works:

14:04:35.395447 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [S], seq 366635408, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 220116 ecr 0], length 0
14:04:35.395490 IP 10.0.0.2.179 > 10.0.0.1.45119: Flags [S.], seq 1226417253, ack 366635409, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 511187362 ecr 220116], length 0
14:04:35.395584 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [.], ack 1, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length 0
14:04:35.396072 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [P.], seq 1:46, ack 1, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length 45: BGP, length: 45
14:04:35.397031 IP 10.0.0.2.179 > 10.0.0.1.45119: Flags [P.], seq 1:50, ack 46, win 1040, options [nop,nop,TS val 511187362 ecr 220116], length 49: BGP, length: 49
14:04:35.397381 IP 10.0.0.1.45119 > 10.0.0.2.179: Flags [P.], seq 46:65, ack 50, win 1040, options [nop,nop,TS val 220116 ecr 511187362], length 19: BGP, length: 19




Sorry for the terse report. It was very detailed, but lost.






Borja.


_______________________________________________
freebs...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs...@freebsd.org"

0 new messages