Re: 6.3 router crash

2018-09-10 Thread Jay Hart
>
> On Sep 8, 2018 11:27 AM, Jay Hart  wrote:
>>
>> Hello,
>>
>> My new router crashed this morning.  About 4-5 days ago I ran 'syspatch'
>> and think that 14, 15, and 16 patches were installed. At the conclusion
>> of the install, the kernel "relinked". No issues reported.  I did not
>> reboot the box.
>>
>> Today, while trying to combat that duplicate IP address issue, I rebooted
>> the box. Upon startup it dropped into the debugger. Did another reboot
>> just to see if that was a one-off, but it dropped into the debugger again.
>>
>> Standard 6.3 release machine. Not following current or snapshots...
>>
>> I've attached a pic below of the screen.  It's all I've got right now.  I
>> have to disable inteldrm to get the box to boot [normally]. I have an old
>> thread about that.
>>
>> www.kevla.org/6.3crash.jpg
>>
>> Any suggestions or processes to try? I've never been in this boat, no idea
>> what to do...
>>
>> Thanks,
>>
>> Jay
>>
>
> Maybe you can boot single user and try syspatch -R.
>
> boot> boot -s
>
> # syspatch -R
> # reboot
>
> If that fixes it you could then possibly apply one patch at a time via source
> until you find what hosed it and report that to tech@.
>
>

I tried that.  Same thing, gets to the line shown in my original email pic, and
drops down into the debugger.

Jay



IKED not sending packets ?

2018-09-10 Thread Tim Jones
Hi,

Thinking it might be something with my earlier config, I created a simple
one-liner:

ikev2 esp from 172.16.1.2 to 172.16.1.3

However, iked does not appear to be sending out any packets? Which I thought
would be the case in its default active mode? It seems to just load the
config and then sit there doing nothing?

$ doas iked -dvvv
ikev2 "policy1" passive esp inet from 172.16.1.2 to 172.16.1.3 local 172.16.1.2 
peer 172.16.1.3 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type ECDSA length 171
ca_pubkey_serialize: type ECDSA length 124
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: no mobike
ca_privkey_to_method: type ECDSA method ECDSA_384
ca_getkey: received private key type ECDSA length 171
ca_getkey: received public key type ECDSA length 124
ca_dispatch_parent: config reset
ca_reload: local cert type ECDSA
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0



Re: IKED "not a valid authentication mode"

2018-09-10 Thread Tim Jones
> Note that this isn't commenting a line, this is commenting all lines
> that come after it. The parser joins the line first and removes
> comments afterwards, so the config above becomes
>
> ... group curve22519 #childsa enc aes-128 auth hmac-sha2-256 srcid ...
>
> and then everything after the # is ignored. As someone pointed out the
> error is at ikeauth. The error goes away because that line is
> commented out, as are the three that precede it.
>
> You have no idea how many hours I wasted trying to make sense of why
> some configuration changes seemed to have no effect whatsoever, before I
> learned about this. Incidentally, pf.conf uses the same parser, so it
> behaves the same.
>
> Cheers
> Zé


Zé, wow.  That's one handy piece of advice. As you say, it could save hours and
days of wasted time. Thank you.
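A small model of the parsing behaviour Zé describes, added here as an example (it is not code from OpenBSD's parse.y): backslash continuations are folded before '#' comments are stripped, as the iked.conf and pf.conf lexers do, so a commented-out continued line silently discards the rest of the rule. The sample config is a constructed copy of the fragment from this thread, and the lint function is an assumed helper that flags the case.

```python
# Added example, not OpenBSD code: emulate how the iked.conf/pf.conf lexer
# joins backslash-continued lines BEFORE discarding '#' comments, and lint
# for a '#' that swallows the remainder of a continued rule.

# Constructed sample, mirroring the iked.conf fragment from this thread.
SAMPLE_CONF = """\
# MAIN CONFIG
ikev2 esp from $local_subnet to $remote_subnet \\
    local $local_ip peer $remote_ip \\
    ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \\
    #childsa enc aes-128 auth hmac-sha2-256\\
    srcid $local_ip dstid $remote_ip \\
    ikelifetime 4h lifetime 3h bytes 512M \\
    ikeauth ecdsa384
"""


def join_continuations(text):
    """Fold backslash-continued lines; return (first_lineno, joined, line_count)."""
    logical, buf, start = [], [], None
    lines = text.splitlines()
    for lineno, line in enumerate(lines, start=1):
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])   # drop the backslash and keep reading
            continue
        buf.append(line)
        logical.append((start, "".join(buf), lineno - start + 1))
        buf, start = [], None
    if buf:  # file ended while still inside a continuation
        logical.append((start, "".join(buf), len(lines) - start + 1))
    return logical


def strip_comment(line):
    """Comments are removed only after joining, so '#' runs to the real newline."""
    idx = line.find("#")
    return line if idx < 0 else line[:idx]


def effective_rules(text):
    """Return the rule text the parser actually sees, whitespace-normalised."""
    rules = []
    for _, joined, _ in join_continuations(text):
        rule = " ".join(strip_comment(joined).split())
        if rule:
            rules.append(rule)
    return rules


def lint_swallowed_continuations(text):
    """Flag a '#' that follows real content inside a multi-line logical line:
    everything after it, continued lines included, is silently ignored."""
    findings = []
    for start, joined, span in join_continuations(text):
        idx = joined.find("#")
        if span > 1 and idx > 0 and joined[:idx].strip():
            tail = " ".join(joined[idx:].split())[:40].rstrip()
            findings.append("line %d: '#' inside a %d-line rule discards: %s"
                            % (start, span, tail))
    return findings
```

Calling effective_rules(SAMPLE_CONF) returns a single rule that ends at "group curve25519", with the srcid, lifetime and ikeauth lines gone, and lint_swallowed_continuations(SAMPLE_CONF) reports the '#' on the continued line that swallowed them.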



Re: Running your own mail server

2018-09-10 Thread Luke A. Call
On 09-10 13:30, Craig Skinner wrote:
> Being a postmaster (email server administrator) and hostmaster (DNS
> server administrator) is fun, hectic, and takes about 5 years to learn.
> [] 
> Save yourself the trouble and let them use their gMail
> accounts/addresses directly. They'll soon be getting Android or Apple
> phones, so let them use their Google/Apple accounts themselves.
> 

Some good points.

One could also use a different provider just for mail (pop or webmail) 
instead of google, if one wants to keep from centralizing more power there.  

(One example among many is pair.com, for webmail, DNS, domain, some hosting 
but not OpenBSD that I know of, unless you get a virtual private server).



Re: APU2 and Spectre

2018-09-10 Thread Zbyszek Żółkiewski


> Message written by Consus on 25.08.2018, at 17:08:
> 
> Seems like APU2 board is vulnerable to Spectre:

It seems there is a microcode update with mitigations, but it looks like no one
wants to claim where that microcode comes from:

https://github.com/pcengines/apu2-documentation/issues/75

Did someone try to load it from obsd? Is it possible?

_
Zbyszek Żółkiewski



Re: Equipment for OBSD based firewall

2018-09-10 Thread Jordan Geoghegan

On 09/10/18 08:22, Sonic wrote:

> How does the Edgerouter compare in performance to an Atom 2358/2558
> based system?
> Especially interested in firewall performance using site-to-site VPN's.



There are trade-offs for everything. The x86 platform is fundamentally
flawed and contains innumerable backdoors and vulnerabilities. The
C2000 chip series has issues with hardware/circuit degradation. On
MIPS64 the MMU lacks support for W^X and the pmap module only supports
32-bit mappings, resulting in weaker ASLR; there's also no RTC on octeon.


In terms of performance, I've found the Edgerouter Pro to be able to
handle half a gigabit of traffic no problem. I've never owned an APU /
soekris device to compare the performance to. Obviously a 2 or 3 GHz x86
machine is going to push more packets through sheer brute force, but for
the average home or office connection, there will be no difference
unless you're among the lucky few with a synchronous gigabit connection.
For my clients or family/friends with their measly 30/5 or 80/8
connections, an ERL running fq_codel QoS runs great, and pulls less than
10 watts of power. Something like a soekris device would be unnecessary
overkill. Even in situations where I was working with 100/100 or
250/250 connections, the ERPro handled it like a champ. A buddy of mine
has been running a PowerMac G4 as an OpenBSD router/firewall for his
150/150 fibre connection for many years just because he doesn't like
x86. I've seen benchmarks of the early beta octeon IPsec hw acceleration
being able to push around 50Mbit/s on an Edgerouter Lite. There should
be better performance on the ERPro, but I have yet to see any benchmarks.




Re: IKED "not a valid authentication mode"

2018-09-10 Thread Stuart Henderson
On 2018-09-10, Tim Jones wrote:
> Unless I misunderstand the 6.3 docs, the following should be valid :
> childsa auth enc chacha20-poly1305 group curve25519

For the AEAD types like chacha20-poly1305 and aes-256-gcm, just specify
them in "enc" and leave out "auth".

> But I get an error "not a valid authentication mode".  If I comment out that
> line, my configuration validates OK.
>
> The same happens if I copy/paste one of the examples from the docs (e.g.
> childsa enc aes-128 auth hmac-sha2-256 )
>
> This is what my /etc/iked.conf looks like (excluding the macro lines, which
> have been withheld to protect the innocent) :
>
> # MAIN CONFIG
> ikev2 esp from $local_subnet to $remote_subnet \
>     local $local_ip peer $remote_ip \
>     ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
>     #childsa enc aes-128 auth hmac-sha2-256\
>     srcid $local_ip dstid $remote_ip \
>     ikelifetime 4h lifetime 3h bytes 512M \
>     ikeauth ecdsa384

"ikeauth" isn't a keyword to be used in the file, it's something that is
replaced with either "eap ", "ecdsa###", "psk ", etc.




Domain name including openbsd

2018-09-10 Thread John Naggets
Hi,

I was wondering if the OpenBSD community permits the usage of the
"openbsd" word inside a domain name with the purpose of offering
commercial OpenBSD-based services? For example let's say I want to
sell OpenBSD-based cloud services, would I be allowed to purchase the
domain name openbsd.cloud and use it to sell my OpenBSD-based cloud
services?

Best regards,
John



Re: Equipment for OBSD based firewall

2018-09-10 Thread Sonic
How does the Edgerouter compare in performance to an Atom 2358/2558
based system?
Especially interested in firewall performance using site-to-site VPN's.

On Mon, Sep 3, 2018 at 8:01 PM Jordan Geoghegan  wrote:
>
> On 09/03/18 16:17, Bogdan Kulbida wrote:
> > Ladies and gentlemen,
> >
> > I need to build a pf OBSD firewall for a small office. What minimally
> > feasible equipment would you recommend in order to achieve this goal?
> >
> > Thank you!
> I've run multiple office networks on octeon devices. I've found the
> Edgerouter and Edgerouter Pro to be quite performant. The Edgerouter Pro
> can easily handle a 100/100 connection or even a 250/250 connection. I
> like them because they're free of any spectre / fpu bugs as they use an
> in-order CPU. OpenBSD also supports hw accelerated IPsec on them. I've
> used them to run DHCP and DNS servers, used them heavily as jump
> hosts/proxies and also ran my unbound-adblock and pf-badhost scripts;
> with over 100,000 domains and IP/CIDR blocks being filtered while
> pushing dozens of terabytes in network traffic through them each month,
> they've proven to be rock solid. If you have modest needs, then an
> Edgerouter lite should suffice.
>
> Keep in mind, these are just my personal opinions, and I am biased. I
> can't stand the thought of having an x86 machine exposed on the open
> internet, much less trusting it to secure and segment my network. With
> spooky management engine shenanigans and hardware bugs abound, I'm just
> not interested in putting my faith in x86 again. Too much emotion, too
> much garbage.
>
> Cheers,
> Jordan
>



IKED "not a valid authentication mode"

2018-09-10 Thread Tim Jones
Unless I misunderstand the 6.3 docs, the following should be valid :
childsa auth enc chacha20-poly1305 group curve25519

But I get an error "not a valid authentication mode".  If I comment out that
line, my configuration validates OK.

The same happens if I copy/paste one of the examples from the docs (e.g.
childsa enc aes-128 auth hmac-sha2-256 )

This is what my /etc/iked.conf looks like (excluding the macro lines, which
have been withheld to protect the innocent) :

# MAIN CONFIG
ikev2 esp from $local_subnet to $remote_subnet \
    local $local_ip peer $remote_ip \
    ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
    #childsa enc aes-128 auth hmac-sha2-256\
    srcid $local_ip dstid $remote_ip \
    ikelifetime 4h lifetime 3h bytes 512M \
    ikeauth ecdsa384



Re: Vultr hosting of OpenBSD

2018-09-10 Thread Merv Hammer


> On 8. Sep 2018, at 19:55, Ken M  wrote:


...

> 1. Is it still current information that it would be better to use my own
> image/install/iso for openbsd on Vultr?
> 

I’ve run general purpose OpenBSD boxes on Vultr for several years, mostly for 
development while travelling and without access to my basement stacks, each on 
-current (initially installed from OpenBSD FTP servers) and then upgraded every 
week or two using ramdisks from snapshots. I’ve never tried Vultr’s own baked 
images so I can’t comment on them. However, I’ve never had any problems 
maintaining my methodology in which both new installs as well as upgrades can 
be completed in a few minutes.

> 2. Is vultr a good place to host an openbsd box? If not interested in hearing
> alternatives.

Uptime can sometimes be unreliable (I run hosts from Vultr’s European locations 
only, mostly Amsterdam and Frankfurt), network “maintenance” being quite 
frequent. However, given that I am not using Vultr for critical services, I’m 
prepared to accept this minor irritation when weighed against cost. For 
important hosts that I rely upon for mail, OpenVPN, DNS, etc., I use Exoscale 
and find the slightly higher costs well worth it.

Kindly,

-Merv



Re: iked[12345]: pfkey_reply: no reply from PF_KEY (-current)

2018-09-10 Thread Mark Patruck
Yes, a short test shows no errors anymore.

On Mon, Sep 10, 2018 at 10:39:56AM -0300, Martin Pieuchot wrote:
> On 10/09/18(Mon) 12:15, Mark Patruck wrote:
> > I've tested with a current snapshot and two freshly installed systems
> > and get the same error, but...
> > 
> > reverting mpi@s 'Add per-TDB counters and a new SADB extension (1)'
> > changes make the issues disappear.
> > 
> > (1) https://marc.info/?l=openbsd-cvs&m=153546931106420&w=2
> 
> Does the smaller revert below also fix the issue?
> 
> Index: net/pfkeyv2.c
> ===
> RCS file: /cvs/src/sys/net/pfkeyv2.c,v
> retrieving revision 1.191
> diff -u -p -r1.191 pfkeyv2.c
> --- net/pfkeyv2.c 31 Aug 2018 12:55:46 -  1.191
> +++ net/pfkeyv2.c 10 Sep 2018 13:39:01 -
> @@ -793,8 +793,7 @@ pfkeyv2_get(struct tdb *tdb, void **head
>   void *p;
>  
>   /* Find how much space we need */
> - i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime) +
> - sizeof(struct sadb_x_counter);
> + i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime);
>  
>   if (tdb->tdb_soft_allocations || tdb->tdb_soft_bytes ||
>   tdb->tdb_soft_timeout || tdb->tdb_soft_first_use)
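Review bot: the sizeof(struct sadb_x_counter) term dropped from the running total `i` at the top of pfkeyv2_get() only stays correct because the second hunk also removes the matching export_counter() call; the test result reported at the top of this reply ("a short test shows no errors anymore") was obtained with both hunks applied, so it does not say which half matters. A comment beside the sizeof() sum stating that it must mirror the export_*() calls further down would help the next person touching this function, since the tdb_soft_* block right below already adds to `i` conditionally.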
> @@ -955,9 +954,6 @@ pfkeyv2_get(struct tdb *tdb, void **head
>   export_tap(&p, tdb);
>   }
>  #endif
> -
> - headers[SADB_X_EXT_COUNTER] = p;
> - export_counter(&p, tdb);
>  
>   rval = 0;
>  
> 
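Review bot: with `headers[SADB_X_EXT_COUNTER] = p;` and `export_counter(&p, tdb);` no longer appended after the `#endif`, the SADB_GET reply returns to the pre-change layout, so the success reported above narrows the regression to the SADB_X_EXT_COUNTER payload itself (how it is sized and emitted here, and how the userland pfkey reader in iked takes it) rather than to the per-TDB counters kept in the kernel; the follow-up should fix that emission path instead of leaving the extension out, since ipsecctl -m and iked both read this message.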

-- 
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286 5E51

http://www.wrapped.cx



Re: iked[12345]: pfkey_reply: no reply from PF_KEY (-current)

2018-09-10 Thread Martin Pieuchot
On 10/09/18(Mon) 12:15, Mark Patruck wrote:
> I've tested with a current snapshot and two freshly installed systems
> and get the same error, but...
> 
> reverting mpi@s 'Add per-TDB counters and a new SADB extension (1)'
> changes make the issues disappear.
> 
> (1) https://marc.info/?l=openbsd-cvs&m=153546931106420&w=2

Does the smaller revert below also fix the issue?

Index: net/pfkeyv2.c
===
RCS file: /cvs/src/sys/net/pfkeyv2.c,v
retrieving revision 1.191
diff -u -p -r1.191 pfkeyv2.c
--- net/pfkeyv2.c   31 Aug 2018 12:55:46 -  1.191
+++ net/pfkeyv2.c   10 Sep 2018 13:39:01 -
@@ -793,8 +793,7 @@ pfkeyv2_get(struct tdb *tdb, void **head
void *p;
 
/* Find how much space we need */
-   i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime) +
-   sizeof(struct sadb_x_counter);
+   i = sizeof(struct sadb_sa) + sizeof(struct sadb_lifetime);
 
if (tdb->tdb_soft_allocations || tdb->tdb_soft_bytes ||
tdb->tdb_soft_timeout || tdb->tdb_soft_first_use)
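Review bot: shortening the length computation for `i` here is only safe together with the second hunk that drops export_counter(); applied alone, the buffer is sized for one layout and filled with another. Keep the two hunks together whether this is committed or used as a test revert, and consider a comment next to the sizeof() sum stating that every export_*() call below must have a matching term here, as the tdb_soft_* block that follows already adds to `i` conditionally.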
@@ -955,9 +954,6 @@ pfkeyv2_get(struct tdb *tdb, void **head
export_tap(&p, tdb);
}
 #endif
-
-   headers[SADB_X_EXT_COUNTER] = p;
-   export_counter(&p, tdb);
 
rval = 0;
 
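Review bot: removing `headers[SADB_X_EXT_COUNTER] = p;` and `export_counter(&p, tdb);` means the SADB_GET reply no longer carries the counter extension, which is exactly the difference a consumer such as iked's pfkey code or ipsecctl -m sees; if this minimal revert clears the "no reply from PF_KEY" and "writev failed: Invalid argument" errors from the thread, the fault is in how that extension is emitted or consumed rather than in the per-TDB counters, and the fix should target that path instead of keeping the extension out. Since the export sits right after an `#endif`, also confirm that `p` and the computed `i` still agree in a build where that conditional block is compiled out.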



Re: Duplicate IP Address -> Spoof/Verizon???

2018-09-10 Thread Mikkel C. Simonsen

On 08-09-2018 at 14:47, Pierre Emeriaud wrote:

On Sat. 8 Sept. 2018 at 13:40, Jay Hart wrote:

-ifconfig -A from the router--
re1: flags=8843 mtu 1500
 lladdr 00:22:4d:d1:48:d5
 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255



Some CPEs have 192.168.1.1 hardcoded as management ip address, even
though they are currently used as modem/bridges. Renumber your
internal subnet to some other private address space and see if the
logs go away.
I have seen a cheap managed switch from Zyxel that decided to live on 
192.168.1.1 after a power cut...


192.168.1.1 is the default address on a lot of stuff.



Re: Running your own mail server

2018-09-10 Thread Craig Skinner
Hi Ken,

On Sat, 8 Sep 2018 11:23:35 -0400 Ken M wrote:
> Just curious how many of you use openbsd to run your own personal
> email server? Do you find it a hassle to manage in any way?

Being a postmaster (email server administrator) and hostmaster (DNS
server administrator) is fun, hectic, and takes about 5 years to learn.

OpenBSD is the best OS for both tasks (I've worked for an ISP doing both
roles, on other operating systems).

 
> Back story my family all has email addresses through the domain I
> have. Which basically will forward to a gmail account.

Save yourself the trouble and let them use their gMail
accounts/addresses directly. They'll soon be getting Android or Apple
phones, so let them use their Google/Apple accounts themselves.


> The kids  are getting old enough to use their own accounts for
> things and not just through the school which sets them up with google
> accounts to use through their chromebook.

Let them use their Google account themselves.


> So my wife really doesn't like the idea of setting them loose on
> their own email accounts, and I don't necessarily disagree with her,
> but I disagree on the way to do it. In a gmail point of view all I
> can think of is shared passwords for for the kids. I don't like that
> because first of all they could change it, second of all monitoring
> their email means literally reading their email.

What about their Google 'Hangout' instant messages?

Or their Messenger/Facebook messages?

Or their Twitter/Tumblr/Reddit/etc/etc/etc messages?

Why not let them grow up? They will soon mature and leave home anyway.
Are you going to be a permanent policeman/ISP in their adult lives??


If you want to become a hostmaster and postmaster for _yourself_, then
do it. By the time you're skilled, your children could have left home.

Forget the wife & kids - don't be a slave to them man!

Do what you want, for your own personal technical skills.

Are you more interested in being a sysadmin, webmaster, netadmin,
hostmaster or postmaster? What do *YOU* want to do with your time?


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: iked[12345]: pfkey_reply: no reply from PF_KEY (-current)

2018-09-10 Thread Mark Patruck
I've tested with a current snapshot and two freshly installed systems
and get the same error, but...

reverting mpi@s 'Add per-TDB counters and a new SADB extension (1)'
changes make the issues disappear.

(1) https://marc.info/?l=openbsd-cvs&m=153546931106420&w=2


On Mon, Sep 10, 2018 at 10:13:12AM +0200, Mark Patruck wrote:
> Unfortunately the last kernel I could test with is from 12 Aug 2018 -
> no issues here. I've also built a new kernel about 12h ago (just to
> make sure) but the error stays.
> 
> Every few hours (lifetime?) the following error pops up
> 
> pfkey_write: writev failed: Invalid argument
> 
> I'll create an easier test setup and report back.
> 
> 
> On Sat, Sep 08, 2018 at 12:28:22PM +0200, Mark Patruck wrote:
> > Hi,
> > 
> > is anyone else seeing the following message with -current?
> > (I've updated my 25 days old -current yesterday)
> > 
> > iked[12345]: pfkey_reply: no reply from PF_KEY
> > 
> > Also, "ipsecctl -m" looks pretty empty now:
> > 
> > 
> > sadb_get: satype esp vers 2 len 10 seq 2898 pid 12345
> > sa: spi 0xbe0128cf auth none enc none
> > state mature replay 64 flags 0<>
> > address_src: 1.2.3.4
> > address_dst: 5.6.7.8
> > sadb_get: satype esp vers 2 len 10 seq 2899 pid 12345
> > sa: spi 0x24649f1c auth none enc none
> > state mature replay 64 flags 0<>
> > address_src: 5.6.7.8
> > address_dst: 1.2.3.4
> > 
> > 
> > Thanks,
> > 
> > -Mark

-- 
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286 5E51

http://www.wrapped.cx



Re: iked[12345]: pfkey_reply: no reply from PF_KEY (-current)

2018-09-10 Thread Mark Patruck
Unfortunately the last kernel I could test with is from 12 Aug 2018 -
no issues here. I've also built a new kernel about 12h ago (just to
make sure) but the error stays.

Every few hours (lifetime?) the following error pops up

pfkey_write: writev failed: Invalid argument

I'll create an easier test setup and report back.


On Sat, Sep 08, 2018 at 12:28:22PM +0200, Mark Patruck wrote:
> Hi,
> 
> is anyone else seeing the following message with -current?
> (I've updated my 25 days old -current yesterday)
> 
> iked[12345]: pfkey_reply: no reply from PF_KEY
> 
> Also, "ipsecctl -m" looks pretty empty now:
> 
> 
> sadb_get: satype esp vers 2 len 10 seq 2898 pid 12345
> sa: spi 0xbe0128cf auth none enc none
> state mature replay 64 flags 0<>
> address_src: 1.2.3.4
> address_dst: 5.6.7.8
> sadb_get: satype esp vers 2 len 10 seq 2899 pid 12345
> sa: spi 0x24649f1c auth none enc none
> state mature replay 64 flags 0<>
> address_src: 5.6.7.8
> address_dst: 1.2.3.4
> 
> 
> Thanks,
> 
>   -Mark

-- 
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286 5E51

http://www.wrapped.cx



Re: "Transit" BGPD not announcing learnt routes to neighbors

2018-09-10 Thread Tim Jones


> I think you are mixing up 6.3 code with docs for -current, this was
> changed mid-June:
> https://marc.info/?l=openbsd-cvs&m=152888243922828&w=2
>
> There have been big changes in bgpd since 6.3, there are now methods
> to give a simpler/clearer configuration, and some big improvements in
> performance especially when using some of the newer config. These are
> ongoing, especially this week as a network-focussed hackathon is
> currently taking place.
>
> If you aren't quite happy with how things work in 6.3 (especially for
> performance when filtering is used), I'd strongly recommend re-evaluating
> with -current in a week or so.


Thanks Stuart. Will bear that in mind.