carp backup and disconnecting ssh session

2021-05-23 Thread MJ J
Hi,

I have a carp master and backup on a pair of one-armed Raspberry Pi 4B
devices (router1 and router2) and when I ssh to the backup using the
carp IP as my gateway, it repeatedly throws me out after a few seconds
with the message:

My laptop's network config:
---
IP: 192.168.4.109
Subnet mask: 255.255.255.0
Gateway: 192.168.4.1

Both RPI4s are connected to switchports with packets tagged for VLANs
2,3,4,6 and the network devices don't have IP configuration -
everything is configured on VLAN interfaces with the single parent
interface bse0. CARP failover actually works as expected, but as
mentioned I am unable to maintain an ssh session with the backup
"router2" while using the carp IPs as my network gateway.

Network switch is a Zyxel GS1200-8 with firmware V2.00(ABME.0)C0. Loop
prevention is enabled and I have also tested with it disabled to no
avail.

What happens:
---
$ ssh 10.0.1.101
Last login: Sun May 23 17:44:21 2021 from 10.0.1.100
OpenBSD 6.9 (GENERIC.MP) #1134: Sun Apr 18 01:53:35 MDT 2021
router2#
router2# client_loop: send disconnect: Broken pipe


Router 1 network config:
---
router1# cat hostname.bse0
up

router1# cat hostname.vlan2
172.16.1.6/24 172.16.1.255 parent bse0 vnetid 2 group PFSYNC
description "private segment with router2"

router1# cat hostname.vlan3
10.0.1.100/24 10.0.1.255 parent bse0 vnetid 3 group INTERNAL
description "router1 internal interface"

router1# cat hostname.vlan4
192.168.1.252/24 192.168.1.255 parent bse0 vnetid 4 group OLDSHIT
description "unmigrated shit"

router1# cat hostname.vlan6
192.168.4.2/24 192.168.4.255 parent bse0 vnetid 6 group TCWIFI
description "Time-Capsule Wifi"

router1# cat hostname.carp4
192.168.1.1/24 carpdev vlan4 pass fukdissh1t vhid 41 advskew 1
description "TC-WIFI gateway"

router1# cat hostname.carp6
192.168.4.1/24 carpdev vlan6 pass fukdissh1t vhid 61 advskew 1
description "TC-WIFI gateway"


Router2 network config:
---
router2# cat hostname.bse0
up

router2# cat hostname.vlan2
172.16.1.7/24 172.16.1.255 parent bse0 vnetid 2 group PFSYNC
description "private segment with router1"

router2# cat hostname.vlan3
10.0.1.101/24 10.0.1.255 parent bse0 vnetid 3 group INTERNAL
description "router2 internal interface"

router2# cat hostname.vlan4
192.168.1.253/24 192.168.1.255 parent bse0 vnetid 4 group OLDSHIT
description "unmigrated shit"

router2# cat hostname.vlan6
192.168.4.3/24 192.168.4.255 parent bse0 vnetid 6 group TCWIFI
description "Time-Capsule Wifi"

router2# cat hostname.carp4
192.168.1.1/24 carpdev vlan4 pass fukdissh1t vhid 41 advskew 128
description "TC-WIFI gateway"

router2# cat hostname.carp6
192.168.4.1/24 carpdev vlan6 pass fukdissh1t vhid 61 advskew 128
description "TC-WIFI gateway"


Any tips much appreciated.

-mike
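As an added example (not part of the original post, nor OpenBSD's own code), a small checker for a carp pair like the one quoted above: it parses the one-line hostname.carpN syntax and reports the mismatches that break failover. It assumes ifconfig's default of advskew 0 when that keyword is absent; the sample lines and the password in it are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed hostname.carpN line. */
struct carp_cfg {
	char addr[48];		/* virtual address with prefix, e.g. "192.168.4.1/24" */
	char carpdev[16];	/* parent interface the carp runs on, e.g. "vlan6" */
	char pass[64];		/* shared advertisement password */
	int  vhid;		/* virtual host id, 1..255; -1 until seen */
	int  advskew;		/* 0..254; ifconfig's default of 0 when absent */
};

/* Parse a line of the form shown in the post:
 *   <addr>/<prefix> carpdev <ifname> pass <password> vhid <n> [advskew <n>]
 * Returns 0 on success, -1 on a malformed line, an unknown keyword, a
 * keyword without a value, or a vhid/advskew outside its valid range. */
int parse_carp_line(const char *line, struct carp_cfg *c)
{
	char buf[256], *tok, *val, *save;

	memset(c, 0, sizeof *c);
	c->vhid = -1;
	if (strlen(line) >= sizeof buf)
		return -1;
	strcpy(buf, line);

	tok = strtok_r(buf, " \t\n", &save);
	if (tok == NULL || strchr(tok, '/') == NULL)
		return -1;			/* first token must be addr/prefix */
	snprintf(c->addr, sizeof c->addr, "%s", tok);

	while ((tok = strtok_r(NULL, " \t\n", &save)) != NULL) {
		val = strtok_r(NULL, " \t\n", &save);
		if (val == NULL)
			return -1;		/* keyword with no value */
		if (strcmp(tok, "carpdev") == 0)
			snprintf(c->carpdev, sizeof c->carpdev, "%s", val);
		else if (strcmp(tok, "pass") == 0)
			snprintf(c->pass, sizeof c->pass, "%s", val);
		else if (strcmp(tok, "vhid") == 0)
			c->vhid = atoi(val);
		else if (strcmp(tok, "advskew") == 0)
			c->advskew = atoi(val);
		else
			return -1;		/* keyword this checker does not know */
	}
	if (c->vhid < 1 || c->vhid > 255 || c->advskew < 0 || c->advskew > 254)
		return -1;
	return c->carpdev[0] != '\0' ? 0 : -1;
}

/* Problem flags returned by check_carp_pair(); 0 means the pair is consistent. */
enum {
	CARP_ADDR_MISMATCH = 1,	/* the two hosts do not share one virtual address */
	CARP_VHID_MISMATCH = 2,	/* different vhid: they never see each other's advertisements */
	CARP_PASS_MISMATCH = 4,	/* different password: advertisements fail the HMAC check */
	CARP_DEV_MISMATCH  = 8,	/* carp attached to differently named parent interfaces */
	CARP_SAME_ADVSKEW  = 16	/* equal advskew: the winner depends on timing, not config */
};

int check_carp_pair(const struct carp_cfg *a, const struct carp_cfg *b)
{
	int problems = 0;

	if (strcmp(a->addr, b->addr) != 0)
		problems |= CARP_ADDR_MISMATCH;
	if (a->vhid != b->vhid)
		problems |= CARP_VHID_MISMATCH;
	if (strcmp(a->pass, b->pass) != 0)
		problems |= CARP_PASS_MISMATCH;
	if (strcmp(a->carpdev, b->carpdev) != 0)
		problems |= CARP_DEV_MISMATCH;
	if (a->advskew == b->advskew)
		problems |= CARP_SAME_ADVSKEW;
	return problems;
}

int main(void)
{
	/* Constructed sample lines in the format of the hostname.carp6 files
	 * quoted above; the password is a placeholder, not the one from the post. */
	const char *router1 = "192.168.4.1/24 carpdev vlan6 pass examplepass vhid 61 advskew 1";
	const char *router2 = "192.168.4.1/24 carpdev vlan6 pass examplepass vhid 61 advskew 128";
	struct carp_cfg a, b;
	int p;

	if (parse_carp_line(router1, &a) != 0 || parse_carp_line(router2, &b) != 0) {
		fprintf(stderr, "malformed carp line\n");
		return 2;
	}
	p = check_carp_pair(&a, &b);
	printf("vhid %d on %s: %s (problems=0x%x)\n", a.vhid, a.carpdev,
	    p == 0 ? "consistent" : "INCONSISTENT", p);
	return p != 0;
}
```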



Re: Request for Funding our Electricity

2014-01-18 Thread MJ
On 18 Jan 2014, at 04.33, Theo de Raadt dera...@cvs.openbsd.org wrote:
 
 Why is there this effort to convince us to do less?
 

I do not propagate such a train of thought; only said that if you want 
corporate funding then be prepared to detail your costs and justify each and 
every one of them as well as satisfying said corporation’s business interest. 
Not trying to be condescending here at all, but that’s just Logic 101.

The sad and really embarrassing fact is that I am not in a position to make any 
sort of donation at this moment, but I promise you that I will do it just as 
soon as I can. And I hope it’s the thought that counts more than the amount. I 
appreciate your work, a lot - I really do.


-mike



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-18 Thread MJ
On 18 Jan 2014, at 01.13, Christopher Ahrens n...@leviacomm.net wrote:

 In reality, I don't give a shit about any else who doesn't
 pay me, make my life easier or make my life more enjoyable.


It’s a rare moment when I feel the need to publicly bitch-slap someone, but
you triggered it.

That statement alone, and it’s simply impossible to take it out of context, is
the height of selfishness and it disqualifies you from the benefit of the
doubt. It’s at the minimum sociopathy, and at the maximum pure narcissism.
Neither one of them are socially acceptable and since we are participating in
a society here then you, sir, are out of line.

I have my feelings and opinions, boy do I have them, but I don’t go around
devaluing others just because they don’t serve my interests. You, don’t do it
either - stop it. We are all human beings and we all have feelings.
Corporations are greedy, we people don’t have to be.


-mike



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-18 Thread MJ
On 17 Jan 2014, at 06.05, Philip Guenther guent...@gmail.com wrote:
 Ah, so if NIST looked at work done by someone completely unrelated to
 NIST and said looks good, we'll standardize exactly what you did,
 you think that it's now contaminated by NISTs talking about it?  For
 example, AES, which was designed by europeans and standardized after a
 massively public competitive process that even the losing competitors
 think was legit with no funny games, should be excluded by your
 clarified criteria.  That sounds like you're interested in a political
 statement and not a security goal.
 

Hi Phil,

Thanks for your response.

I am, indeed, more interested in a security goal than a political goal, though 
political goals are not foreign to my train of thought.

My feeling is thus: NIST is strongly advocating the cryptographic primitives 
that NSA finds feasible to circumvent. This is the thing that is disturbing me. 
The fact is that none of us, unless you are working for NSA crypto team, know 
what their capabilities are. But we do know that they are spending a shitload 
of money and working night and day to establish a functional quantum computer 
which would render all of our current state of the art crypto invalid. That is 
their goal number 1.

I don’t trust NIST at all, and I also don’t trust ICANN.

Here are a list of people I trust when it comes to running their code, in order 
of importance:

RMS
DJB (and his proteges by proxy)
Theo | Henning

Now, if DJB has been recruited then I will forever hang my head in shame.

I don’t trust Eric Allman, and I don’t entirely trust Kirk McKusick though I 
would like to.

-mike



Re: OPENBSD FUNDING SOLUTION -- COME AND PARTICIPATE

2014-01-18 Thread MJ
On 18 Jan 2014, at 22.25, Chris Cappuccio ch...@nmedia.net wrote:
 Mike, maybe you can stop your rambling, and just do the same. Because 
 otherwise, I don't understand why you feel justified to be on this mailing
 list. You were henning's roommate, so that means that you know all about
 OpenBSD, programming, computers, business, Logic 101, and how Theo is not a
 businessman? And you have the real solution, right? You can tell everyone how
 to make it work?

I wasn’t Henning’s roommate, “live” with a long vowel means simply that I know 
him face to face for several days straight, sorry for the ambiguity of our 
English language - you can blame our mother.

Life is full of unpredictable twists and turns. I’ve had more than my share of 
them as of late. But you are probably right - if I’d spend more time trying to 
get a business off the ground and less time, for example, on this mailing list 
(which is, coincidentally, a very small portion of my time), then I might be in 
a position to actually make enough money that I could donate something 
deemed significant.  Of course, the same applies to you.

—Mike



Re: Request for Funding our Electricity

2014-01-18 Thread MJ
On 18 Jan 2014, at 20.15, Jan Stary h...@stare.cz wrote:

 On Jan 18 16:29:46, m...@sci.fi wrote:
 On 18 Jan 2014, at 04.33, Theo de Raadt dera...@cvs.openbsd.org wrote:
 And I hope it's the thought that counts more than the amount.
 
 LOL, yes, especially when it comes to bills being paid.
 

You, too, sir, can also take an overdose of fugoff. 1 > 0, no matter how you 
look at it.

I will do what I can. And do not private message me again without including the 
rest of the addresses included in the original context. Or are you simply 
seeking supply?


-mike



Re: Request for Funding our Electricity

2014-01-18 Thread MJ
On 19 Jan 2014, at 01.36, Jan Stary h...@stare.cz wrote:

 So, the 1 is the thought, and the 0 is the amount?

 Sorry, but your comments were so ridiculous I couldn't help it.
 Saying it's the thought that counts to people who have
 repeated explicitly they need MONEY.

There you go again with your simple inability to understand what Reply All
means.


 I will do what I can. And do not private message me again without including
the rest of the addresses included in the original context. Or are you simply
seeking supply?

 ?
 A supply of what?


No comment.



—Mike



Re: OpenBSD funding status

2014-01-18 Thread MJ
On 18 Jan 2014, at 20.01, Desktop User OpenBSD openbsd.desktop.u...@gmail.com 
wrote:

 Hello,
 
 I would love to subscribe to the monthly donation on:
 
 http://openbsdfoundation.org/donations.html
 
 but I need to ask, say a few things before:
 
 1) The
 https://openbsdfoundation.org/donations.html
 is redirecting to http://www.obtuse.com/
 why? HTTPS should work properly or it shouldn't be there.

Word.

 2) What is the status of the funding? The CAD$(?) 20,000?

Word again. Open with the code doesn’t mean black box with the money.

 3) Are there any subscriptions too or there are only one-time donations?
 

I would do a subscription if it were possible, but the amount has to be 
entirely of my own choosing. Paypal certainly does offer recurring payments, so 
there is no reason not to offer them to people willing to support the project.

 4) Could Theo or anyone from the OpenBSD team contact any vendors, or has
 the project any bigger subscription donator already?
 

Again, and I really need to highlight this: when the project comes to the 
position that it is asking for money or die, then the project is also in a 
requirement to provide financial transparency. If money is the question, then a 
mailing list isn’t the answer - this is 2014 and most of the world couldn’t 
give a flying shit about email anymore (and if I can additionally stick in a 
side comment regarding antiquity, then give up the FTP already - it’s a 
dinosaur, it’s unnecessarily complex, and it serves no specific purpose when 
HTTP is available.)


 5) If something would happen to Theo (which __I don't want or wish__), who
 would be the project leader? Son or daughter? Or any lead developers? Are
 there any plans for this?
 In the book: Absolute OpenBSD (2nd) which came out at April of 2013 says
 only one sentence about this:
 “Theo takes whatever actions necessary to keep the OpenBSD Project running
 smoothly. If something should ever happen to Theo, the project does have
 plans for replacing him.”

Maybe Michael knows something that we don’t as the result of an evening full of 
beers together with the core team. According to Wikipedia, Theo is only a year 
and a half younger than me, so he’s still got at least 30 years in front of him 
barring accidental death or an incurable tumor. Corporate attitude likes to 
propagate the attitude that none of us are indispensable, but the fact is that 
unless you are a java coder and by default travelling down the Ho Chi Minh trail 
then you are also indispensable. Friends don’t let friends code Java. Period.


 6) off: If OpenSSH is deployed widely in the world, wouldn't it be nice
 to put the donation URL in it? (man page or after install)


That’s great if what you are after is peanuts from people like me. People with 
serious money waiting for a purpose don’t read man pages, with the possible 
exception of Mark Shuttleworth, and he shouldn’t need to be prodded to throw 
some money in this direction - but again, I simply can not overemphasise the 
importance of my response to point 4 above. Isn’t Mark running a Canadian 
company? Even if the OS he’s promoting is directly competing, he is standing on 
the shoulders of at least one giant - Theo.


-mike



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-17 Thread MJ
On 17 Jan 2014, at 17.30, Christian Weisgerber na...@mips.inka.de wrote:
 
 As guenther@ has pointed out, refusing all crypto covered by that
 definition is silly.  But even if you limit yourself to the
 specification part, you should be very disappointed about the newly
 added Curve25519 key exchange and Ed25519 signing in OpenSSH, because
 as implemented both rely on SHA-2 cryptographic hashes, which were
 not only specified by NIST, but in fact designed by the NSA.
 
 Of course mainstream cryptographers don't think that SHA-2 is
 insecure, much less backdoored, but that again raises the question:
 What do you mean by that NIST crypto you want to avoid?
 
 -- 
 Christian naddy Weisgerber  na...@mips.inka.de
 

Hi,

Consider for a moment the difference between objective thinking and objective 
feeling, then you might consider my point of view.

You are right, mere involvement has not tainted reality. But it has left me 
suspicious, and that’s something that needs to be satisfied. It’s a fuzzy 
logic, and it wasn’t enough to get me past the doorman in the Umverschämft.


-mike



NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-16 Thread MJ
Hello,

I would like to inquire as to which OpenBSD RELEASE will offer the possibility
to avoid NIST crypto for everything in Base (isakmpd, openssh, openssl, https,
nginx being the key items in mind)?

BTW, looks like things are heading in the right direction
(http://www.slideshare.net/yandex/rubsd2013-mikeben)

As it stands, there is currently cipher-suite negotiation / configuration
coded into every single crypto-enabled tool / daemon and it’s a bit of a mess
and a headache to manage it all. Would it be good to start to think about
having a single, system-wide cipher-suite negotiation configuration and
socket? interface and removing all this mess from things like isakmpd,
openssh, openssl, httpd, nginx, etc? For example, one could specify a
preferred ordered list of cipher suites and ones that aren’t listed would be
completely avoided at the system level. This could, for example, eliminate
static algorithm configuration in ipsec.conf and instead start negotiation
traveling down the ordered list until either success or end of list. This
method would provide an abstract interface to avoid future version downgrade
attacks, i.e. no need to update anything other than the configuration file.

And, of course, the autocipher engine would be powered by libsodium (NaCl).

Thoughts, comments, insults, etc, are all welcome! The quantum computer is
coming soon to a theatre near you.


-mike



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-16 Thread MJ
On 16 Jan 2014, at 18.23, Chris Cappuccio ch...@nmedia.net wrote:

 For instance, you may have noticed that OpenSSH is moving towards an
 openssl-free mode by importing NaCl components directly?
 
 One problem with abandoning OpenSSL is that you lose SSL, TLS, (oh, and
 everything has to be rewritten to use NaCl, and is now incompatible with
 everything else.) So what you see with OpenSSH is the first attempt at
 doing this, and it will only be compatible with other people also using
 new OpenSSH.
 
 The issue is compatibility.


Thanks Chris for your response and yes, you make a good point regarding 
compatibility.

I am by far a crypto expert, but these issues have been anyway on my mind as of 
late. So bear with me, but would it be possible to switch /dev/crypto to be an 
interface to an autocipher engine where both OpenSSL and NaCl ciphers could be 
supported via e.g. /etc/autocipher.conf and then change all crypto-enabled apps 
to use /dev/crypto and only /dev/crypto as the interface? This approach could 
highly simplify the crypto operations in all of the associated daemons/tools 
included in Base, and Ports could slowly be converted to use the same 
interface. This is precisely the approach that is being taken in Ethos 
operating system which is being designed from the ground up to withstand 
cryptographic attack. Given the current status quo (widespread compromise of 
our computing base by 3 letter agencies), this starts to sound a bit less 
paranoid of an approach.

Or have I got something wrong? Again, I am open to any sort of response.


-mike



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-16 Thread MJ
On 16 Jan 2014, at 18.23, Chris Cappuccio ch...@nmedia.net wrote:
 
 For instance, you may have noticed that OpenSSH is moving towards an
 openssl-free mode by importing NaCl components directly?
 
 One problem with abandoning OpenSSL is that you lose SSL, TLS, (oh, and
 everything has to be rewritten to use NaCl, and is now incompatible with
 everything else.) So what you see with OpenSSH is the first attempt at
 doing this, and it will only be compatible with other people also using
 new OpenSSH.
 
 The issue is compatibility.

I’m sorry for the typo:

s/I am by far a crypto expert/I am far from being a crypto expert/

Thanks.

-mike



Re: Request for Funding our Electricity

2014-01-16 Thread MJ
On 16 Jan 2014, at 19.45, Jack Woehr jwo...@softwoehr.com wrote:
 
 I think Theo has answered this previously. His point was that he doesn't want 
 to spend his time year after year
 running campaigns. Being neither a politician nor a diplomat nor a 
 grantmaster, he wants a sustainable model.

There’s a person who writes excellent documentation for OpenBSD, isn’t he an 
English language professor? Excellent documentation is one of the key features 
of OpenBSD, hands down, i.e. he is an extremely valuable project member even if 
he doesn’t commit executable code to version control. With this in mind, 
wouldn’t there be room in core for a person dedicated to fund-raising, i.e. a 
person with a strong vote?

I really do want to see OpenBSD survive, but expenses are a reality as we now 
see. Being the project leader means also addressing the issue of funding in a 
feasible manner, even if addressing simply means delegation to a person who has 
both the competence as well as motivation to perform such a role. Fact is, if I 
were capable of funding the electricity bill then I would do it in a heartbeat, 
but it would definitely require transparency as has been stated earlier in this 
conversation.

Wikipedia runs these sorts of fundraisers every year and they do it in a very 
obtrusive way, but they haven’t yet run out of money. Time to face reality.


-mike



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-16 Thread MJ
On 16 Jan 2014, at 19.17, Chris Cappuccio ch...@nmedia.net wrote:
 OpenBSD has already begun incorporating NaCl by bypassing OpenSSL entirely.

Good news - perhaps my philosophy is “why lay a lot of small bricks here and 
there when you can lay a cornerstone and be done with it?”. But perhaps I am 
not taking all things into consideration.


 I can't speak for the architectural issues but I can't imagine that I or you
 are the only people imagining better cipher suites in the base system.

You are certainly right - that would be just naive. The OpenBSD approach to 
things is generally to make the interfaces as simple as possible, drop-dead 
simple. This eliminates configuration mistakes. Take OpenNTPD for example - 
it’s simply beautiful what has been done with the configuration interface.

A systemwide autocipher engine device could easily be incorporated directly in 
to PF, no? block all cipher hmac-sha1 (for example).

-mike



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-16 Thread MJ
On 16 Jan 2014, at 20.24, Chris Cappuccio ch...@nmedia.net wrote:
 
 Block traffic with specific ciphers from traversing the network? That's sci.fi
 

You’re right again - this stuff is futuristic but could potentially be 
accomplished via inspection of unencrypted packet headers, etc (i.e. via 
packet-pattern/flow analysis). However, it could likely be accomplished for 
things that access the machine itself.

We are getting into the realm of wirespeed DPI now. If we won’t be doing it, 
somebody else will. What are our efforts worth if the crypto exists in silos 
and is vulnerable to side channel attacks? Is it really worth delegating these 
sorts of things to ports?



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-16 Thread MJ
On 16 Jan 2014, at 20.49, Nicolai nicolai-om...@chocolatine.org wrote:

 Things are moving in the right direction!  The last six months have seen
 MAJOR improvements in crypto.  If you want to be a part of it, pick up
 DNSCrypt or DNSCurve.  Get a recent Chromium and play with QUIC.  Read
 about MinimaLT.  Strong, fast encryption is coming.  And I think OpenBSD
 5.5 will be light years ahead when it's released in May.


DNSCurve, I was already trying to compile it yesterday. Wonderful:


# ./configure.nacl

Took a long, long time to complete and didn’t produce any output at all.



# ./configure.curvedns
Finished configuring CurveDNS, ready for compiling.
Chosen/picked ABI:  x86
Chosen/picked compiler: gcc
Chosen/picked compiler options: -m32 -O3 -fomit-frame-pointer -funroll-loops

We are now ready to compile, run 'make' to do so.

# make
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing
-O3 -Inacl/build/include/x86  -c curvedns-keygen.c
In file included from misc.h:49,
 from curvedns-keygen.c:46:
ip.h:54:31: error: ev.h: No such file or directory
In file included from misc.h:49,
 from curvedns-keygen.c:46:
ip.h:78: error: expected '=', ',', ';', 'asm' or '__attribute__' before
'global_ip_internal_timeout'
ip.h:79: error: expected '=', ',', ';', 'asm' or '__attribute__' before
'global_ip_tcp_external_timeout'
*** Error code 1

Stop in /usr/local/src/curvedns-0.87 (line 79 of Makefile).


Seems that it can’t even find headers in /usr/local/include, which is where
the OpenBSD pack for libev installs the header, so I had to add that:

# vim Makefile

# If you have libev at a non-standard place, specify that here:
EV=/usr/local
EVCFLAGS=-I$(EV)/include
EVLDFLAGS=-L$(EV)/lib


And then we get a bit further:

# make
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing
-O3 -Inacl/build/include/x86 -I/usr/local/include -c curvedns-keygen.c
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing
-O3 -Inacl/build/include/x86 -I/usr/local/include -c debug.c
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing
-O3 -Inacl/build/include/x86 -I/usr/local/include -c ip.c
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing
-O3 -Inacl/build/include/x86 -I/usr/local/include -c misc.c
misc.c: In function 'misc_base32_decode':
misc.c:291: error: 'EPROTO' undeclared (first use in this function)
misc.c:291: error: (Each undeclared identifier is reported only once
misc.c:291: error: for each function it appears in.)
*** Error code 1

Stop in /usr/local/src/curvedns-0.87 (line 76 of Makefile).



What’s this EPROTO and do I really need to care? I commented it out in misc.c,
dnscurve.c and dns.c:

PROTO:
//errno = EPROTO;
return 0;
}



And then:

# make
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing
-O3 -Inacl/build/include/x86 -I/usr/local/include -c dns.c
gcc -m32 -O3 -fomit-frame-pointer -funroll-loops -Wall -fno-strict-aliasing
-O3 -Inacl/build/include/x86 -I/usr/local/include -c curvedns.c
In file included from curvedns.c:37:
/usr/include/sys/socket.h:162: error: expected specifier-qualifier-list before
'u_int8_t'
/usr/include/sys/socket.h:180: error: expected specifier-qualifier-list before
'u_int8_t'
/usr/include/sys/socket.h:378: error: expected specifier-qualifier-list before
'socklen_t'
/usr/include/sys/socket.h:405: error: expected specifier-qualifier-list before
'socklen_t'
In file included from curvedns.c:37:
/usr/include/sys/socket.h:462: error: expected declaration specifiers or '...'
before 'socklen_t'
/usr/include/sys/socket.h:463: error: expected declaration specifiers or '...'
before 'socklen_t'
/usr/include/sys/socket.h:464: error: expected declaration specifiers or '...'
before 'socklen_t'
/usr/include/sys/socket.h:465: error: expected declaration specifiers or '...'
before 'uid_t'
/usr/include/sys/socket.h:465: error: expected declaration specifiers or '...'
before 'gid_t'
/usr/include/sys/socket.h:466: error: expected declaration specifiers or '...'
before 'socklen_t'
/usr/include/sys/socket.h:467: error: expected declaration specifiers or '...'
before 'socklen_t'
/usr/include/sys/socket.h:468: error: expected declaration specifiers or '...'
before 'socklen_t'
/usr/include/sys/socket.h:470: error: expected '=', ',', ';', 'asm' or
'__attribute__' before 'recv'
/usr/include/sys/socket.h:471: error: expected '=', ',', ';', 'asm' or
'__attribute__' before 'recvfrom'
/usr/include/sys/socket.h:472: error: expected '=', ',', ';', 'asm' or
'__attribute__' before 'recvmsg'
/usr/include/sys/socket.h:473: error: expected '=', ',', ';', 'asm' or
'__attribute__' before 'send'
/usr/include/sys/socket.h:474: error: expected '=', ',', ';', 'asm' or
'__attribute__' before 'sendto'
/usr/include/sys/socket.h:476: error: expected '=', ',', ';', 'asm' or
'__attribute__' before 'sendmsg'
/usr/include/sys/socket.h:477: error: 

Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-16 Thread MJ
On 16 Jan 2014, at 23.55, Chris Cappuccio ch...@nmedia.net wrote:
 
 All until we learn from the newest Snowden slide that Dan Bernstein is
 actually on the NSA payroll :)
 

All your DJBs belong to us!



Re: NIST-free crypto, autociphering, and libsodium (NaCl)

2014-01-16 Thread MJ
On 17 Jan 2014, at 00.54, Christian Weisgerber na...@mips.inka.de wrote:

 MJ m...@sci.fi wrote:
 
 I would like to inquire as to which OpenBSD RELEASE will offer the 
 possibility
 to avoid NIST crypto for everything in Base (isakmpd, openssh, openssl, 
 https,
 nginx being the key items in mind)?
 
 What is NIST crypto?

Are you serious or just being facetious? I basically used it as an umbrella 
term to include all of the crypto in which the US government has had their hand 
involved in its specification, implementation, approval, standardisation, etc 
and so forth.

http://csrc.nist.gov/groups/ST/toolkit/index.html



Re: Request for Funding our Electricity

2014-01-15 Thread MJ
On 15 Jan 2014, at 16.35, Gilles LAMIRAL gilles.lami...@laposte.net wrote:

 Dear Theo,
 
 Don't we do enough?
 
 You already do too much.

I have long held the opinion that Theo is probably the best coder on this 
planet. That’s not any sort of ass-kissing, either, it’s my objective, unbiased 
opinion. And I know Henning personally, as in “live and worked together with 
him” - one hell of an expert.

However, the dilemma that the project has found itself in now very clearly 
demonstrates that Theo is not a businessman and that there isn’t any other 
businessman at the helm, either. Imagining that people will suddenly start to 
pay for something that they have constantly been getting for free is absurd - 
their belief is that somebody else will surely step up first or somebody will 
fork in the name of fame. No business on this planet is going to allocate 
budget to paying OpenBSD’s electricity bills, let alone anything else, without 
1) a detailed itemisation of the electrical bills, 2) a detailed justification 
of said line items, and 3) a satisfaction of their own business interest. It’s 
just not sexy for a philanthropist to support a relatively unheard of operating 
system when cancer is still left uncured.

It’s not good to be removing coders from their tasks; the project needs a 
businessman or two. One who will handle the corporate feature requests and 
charge dearly for them. Things like routing technology and high-speed packet 
forwarding - things that can replace the exorbitant costs of maintaining cisco 
routers. This is the key. With the FBSD 10GB wire speed packet forwarding 
incorporated, OpenBSD would be ready to challenge Cisco in a very serious way. 
Completely free as always, but with paid support for those edge cases that make 
life what it is.

Thanks Theo, Henning, and all of the rest of you.


-mike



Re: Security

2014-01-11 Thread MJ
On 11 Jan 2014, at 13.36, Craig R. Skinner skin...@britvault.co.uk wrote:
 
 Hosts in hinet have been relentlessly attacking my mail  web servers
 for over 8 years. I feed them rubbish to play with,


A good technique is to run a geospatially-enabled DNS server that maps AS 
numbers to locations and then simply serve different results to 
different locations. AS number to geospatial mapping isn’t perfect, but it’s 
good enough.

For example, when hosts in hinet location query your MX record, you could serve 
them the answer of 127.0.0.1 ;-) Spammers will love you!


-mike



Re: NPPPD and IPSec

2013-12-02 Thread MJ
This works with Windows 8, OSX, Android and iOS:

ike passive esp transport \
 proto udp from $public_ip to any port 1701 \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes \
 psk $psk


On 03 Dec 2013, at 00:28, Frans Haarman franshaar...@gmail.com wrote:

 I have used this with windows 7 and osx:

 ike passive esp transport \
proto udp from $public_ip to any port 1701 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc aes \
psk 


 2013/12/2 Or Elimelech o...@xwise.com

 Hi,

 I'm having trouble configuring Windows clients with l2tp over ipsec,
 This config works great on OSX/iOS/Android/Linux

 I do not know which type of auth/enc/group I should use for Windows
clients

 I currently use OpenBSD 5.4 with the following

 ike passive esp transport \
 proto udp from 1.2.3.4 to any port 1701 \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes group modp1024 \
 psk secret

 Thank you so much and keep up the good work I love the OpenBSD project






Re: wanna be sys admin question

2013-11-06 Thread MJ
On 07 Nov 2013, at 06:09, Predrag Punosevac punoseva...@gmail.com wrote:

 I am soliciting opinions and some guidance on few very general sys admin
 questions. 
 
 1. What do people in general use to parse large amount of log files
 received in the form of e-mails?  security/logsurfer and similar. I have
 seen some in the ports tree. 

Perl. You won’t be much of a sysadmin if you don’t take the time to master perl.


 3. Are there any advantages of graphics/dia over general purposes
 vectorial graphics programs like graphics/inkscape for drawing network
 topology. 

Sure, dia has things like network shapes and connection points already included.



Re: strange error on openbsd

2013-05-07 Thread MJ
Why reinvent the wheel?

[root@black ~]# getent passwd 1
daemon:*:1:1:The devil himself:/root:/sbin/nologin
[root@black ~]#


-mike


On May 7, 2013, at 4:06 AM, Friedrich Locke friedrich.lo...@gmail.com wrote:

 Dear list members,
 
 I am in need to write a simple program to return the passwd entry for a
 given uid number.
 
 Here you have it:
 
 #include <sys/types.h>
 #include <errno.h>
 #include <pwd.h>
 #include <stdio.h>
 
 int
 main(int argc, char **argv)
 {
 	struct passwd	*p;
 	int		e;
 
 	/* Save errno and clear it so any change can be attributed to getpwuid(). */
 	e = errno, errno = 0;
 	p = getpwuid(0);
 	if (errno) {
 		fprintf(stdout, "errno is: %u\n", errno);
 		return 127;
 	}
 	errno = e;
 
 	/* getpwuid() returns NULL when the uid has no entry; guard the dereference. */
 	if (p == NULL) {
 		fprintf(stdout, "no passwd entry for uid 0\n");
 		return 1;
 	}
 	fprintf(stdout, "%s\n", p->pw_name);
 	return 0;
 }
 
 
 When I execute it I get this on OpenBSD:
 
 sioux@lion$ ./pw
 errno is: 13
 sioux@lion$
 
 
 Any idea why the OpenBSD implementation of getpwuid returns an error?
 
 Thanks in advance.
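The quoted program reads errno after a call that did not fail, which is why it reports 13 on OpenBSD: the C library may touch errno while probing the shadow database and still hand back a valid entry. The tool MJ points to avoids the question entirely because it reports "found", "not found" and "error" through its exit status. The wrapper below is an added example, not code from the thread; it relies on getent(1) exiting 0 when the key exists and 2 when the database has no such key (as documented for both OpenBSD and glibc), and the uid 987654321 is a constructed value chosen so that it should not exist anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps getent(1), the tool MJ
# points to, and maps its documented exit status onto the three outcomes the
# quoted C program runs together: found, not found, and a real error.
# getent exits 0 when the key exists, 2 when the database has no such key,
# and 1 or 3 for other failures, so a stray errno from inside the libc lookup
# (the "13" in the post) can never be mistaken for a failed lookup.

# Usage: lookup_uid UID
# Prints the login name for UID. Exit status: 0 found, 2 no such uid,
# 1 for anything else (bad argument, getent missing or failing).
lookup_uid() {
	uid=$1
	case $uid in
	''|*[!0-9]*)
		echo "lookup_uid: numeric uid required" >&2
		return 1
		;;
	esac
	entry=$(getent passwd "$uid" 2>/dev/null)
	rc=$?
	case $rc in
	0)
		# entry is name:passwd:uid:gid:gecos:home:shell; keep the first field
		printf '%s\n' "${entry%%:*}"
		return 0
		;;
	2)
		return 2
		;;
	*)
		return 1
		;;
	esac
}

# Demo: uid 0 exists on every Unix; 987654321 is a constructed uid that
# should not exist anywhere, so the second call reports status 2.
lookup_uid 0
lookup_uid 987654321 || echo "uid 987654321: status $?"
```

The same three-way split is what a C caller has to reconstruct by hand: check the pointer first, and consult errno only when it is NULL.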



ospfd OOM crash

2013-03-21 Thread MJ
Hi,

On two occasions (had to test it to see if it was repeatable), ospfd has 
crashed  on my 5.2 release i386 machine while I was running a ruby script that 
consumed too much memory (which also crashed). No other daemons on the machine 
crashed except ospfd. Needless to say, my network also went down…

I am not sure how the OpenBSD OOM killer works, but IMO important daemons such 
as ospfd should be exempted.


Thanks.



Re: ospfd OOM crash

2013-03-21 Thread MJ
On Mar 21, 2013, at 10:46 PM, Ted Unangst t...@tedunangst.com wrote:

 
 There is no OOM killer. Your bug report also lacks crucial details
 like what it means to crash. Do you mean it logged a message like
 fatal: out of memory? That's not a crash, that's a message informing
 you about an error condition. You fix it by adding more memory.
 

Crashed as in disappeared from the process table without a trace in the logs.

It's under supervision now.



Re: strange bash (prompt) problem

2013-03-20 Thread MJ
On Mar 19, 2013, at 11:17 PM, jca+o...@wxcvbn.org (Jérémie Courrèges-Anglas) 
wrote:

 MJ m...@netauth.com writes:
 
 Hi,
 
 Sometimes, maybe once every 100 commands or so, I get the following type of 
 error:
 
 [root@black socklog]# dmesg | less
 -bash: $'\302\240less': command not found
 
 Here you have a UTF-8 non-breaking space character.
 
 It is not reproducible, at least I don't know how to reproduce it. Hitting up
 arrow will reproduce it, but typing the command again will make it go away. It
 seems to only happen when piping output through something.
 
 Any ideas how to fix this?
 
 Don't type on both your AltGr and your Space key when you don't intend
 to.

Interesting, so that's the cause of it? On my macbook, I type space and then 
AltGr 7 to get a pipe character. I have had this MacBook for 3 years, and I 
didn't just start typing or using OpenBSD yesterday… I do type extremely fast, 
but this never happens to me for example on my FreeBSD server or the MacBook 
itself.

The OpenBSD machine is a very old i386 Epia that is pretty heavily loaded with 
a lot of processes. Could it be that my typing input sometimes comes faster 
than it can process it (bytes getting crossed on the wire)?

 [root@black ~]# cat .bash_profile 
 alias ll='ls -al'
 
 PAGER=less
 PATH=/usr/local/bin:/usr/local/sbin:$PATH
 PS1=[\u@\h \W]# 
 LANG=en_US.UTF-8
 PKG_PATH=http://ftp.funet.fi/pub/mirrors/ftp.openbsd.org/pub/OpenBSD/5.2/packages/i386
 
 
 export PAGER PATH PKG_PATH PS1 LANG
 
 
 
 Thanks.
 
 -- 
 Jérémie Courrèges-Anglas
 GPG Key fingerprint: 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



strange bash (prompt) problem

2013-03-19 Thread MJ
Hi,

Sometimes, maybe once every 100 commands or so, I get the following type of 
error:

[root@black socklog]# dmesg | less
-bash: $'\302\240less': command not found


It is not reproducible, at least I don't know how to reproduce it. Hitting up 
arrow will reproduce it, but typing the command again will make it go away. It 
seems to only happen when piping output through something.

Any ideas how to fix this?


[root@black ~]# cat .bash_profile 
alias ll='ls -al'

PAGER=less
PATH=/usr/local/bin:/usr/local/sbin:$PATH
PS1=[\u@\h \W]# 
LANG=en_US.UTF-8
PKG_PATH=http://ftp.funet.fi/pub/mirrors/ftp.openbsd.org/pub/OpenBSD/5.2/packages/i386


export PAGER PATH PKG_PATH PS1 LANG



Thanks.
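Jérémie's diagnosis in the reply above is that the "command" bash could not find begins with a U+00A0 non-breaking space, which bash renders as the octal bytes \302\240. A quick way to confirm that on any suspicious command line (copied from a terminal, a ticket, or shell history) is to list every byte outside printable ASCII in the same octal notation. The function below is an added example, not part of either post; it needs only POSIX sh, od(1), tr(1) and awk(1), and the sample command line is the one from the post with the NBSP typed in deliberately.

```shell
#!/bin/sh
# Added example, not part of either post. Finds the invisible bytes behind
# errors like "-bash: $'\302\240less': command not found": it reports every
# byte outside printable ASCII in a command line as "offset:\ooo", in the
# same octal notation bash uses. Needs only POSIX sh, od(1), tr(1) and awk(1).

# Usage: find_odd_bytes 'command line'
# Prints one "offset:\ooo" line per offending byte; nothing for clean input.
find_odd_bytes() {
	# od -to1 prints every byte as a zero-padded three-digit octal number;
	# tr joins od's 16-byte rows into a single line so offsets stay continuous
	printf '%s' "$1" | od -An -v -to1 | tr -s ' \n' ' ' | awk '{
		for (i = 1; i <= NF; i++) {
			# the three octal digits read as a decimal number keep byte order,
			# so < 40 is a control character and > 176 is a non-ASCII byte
			if ($i + 0 < 40 || $i + 0 > 176)
				printf "%d:\\%s\n", i - 1, $i
		}
	}'
}

# Usage: count_odd_bytes 'command line'  -> number of offending bytes
count_odd_bytes() {
	find_odd_bytes "$1" | wc -l | tr -d ' '
}

# Demo: the line from the post, typed with a U+00A0 between "|" and "less".
# Reports the two UTF-8 bytes of the NBSP at offsets 7 and 8.
find_odd_bytes "$(printf 'dmesg |\302\240less')"
```

A plain `dmesg | less` yields no output; the pasted line from the post yields `7:\302` and `8:\240`. Tabs and other control characters are reported the same way, so the function also catches the more common case of a pasted line carrying a stray carriage return.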



Re: EIGRP implementation?

2013-02-21 Thread MJ
IGRP is a 28 year old routing protocol from the stone ages, no wonder it was 
retired. EIGRP is a bit more modern ;-)

Cisco won't be discontinuing EIGRP anytime soon; it's the preferred routing 
protocol for building DMVPNs and Cisco DMVPN is a very widely used technology. 
Cisco definitely pushes EIGRP for building DMVPNs as it works better than 
anything currently available.

The best way for OpenBSD to take hold in this area would be to implement NHRP 
(RFC 2332) and allow users to build DMVPNs using nhrpd and bgpd. BGP is not 
quite as good as EIGRP for DMVPNs, but it's a lot more scalable than OSPF.




On Feb 21, 2013, at 4:28 PM, Daniel Ouellet dan...@presscom.net wrote:

 Interesting.
 
 Cisco discontinued IGRP starting with IOS 12.2(13)T and 12.2(R1s4)S.
 
 And many years ago it was recommended to me by the Cisco SmartNet people
 to switch from EIGRP to maybe ISIS or OSPF back then as it was possible
 that Cisco discontinue EIGRP as well. Maybe they are desperate to lose
 control over EIGRP now and various router protocols seeing that lots more
 competition is coming to them now. (:
 
 I guess after you know OSPF and in some cases if you want to use ISIS, I
 see no reason to have EIGRP anyway.
 
 I don't think Cisco is pushing their own EIGRP and not that I miss it
 anyway, but maybe ISIS would be nicer than EIGRP inside an OpenBSD
 router, even if I do not miss it. The only advantage is that ISIS is
 much simpler to use and learn than properly done OSPF for a smaller and
 simpler network that OpenBSD may fit better with it.
 
 Some not too familiar IT guys may prefer ISIS to OSPF, but really I see
 no need for EIGRP.
 
 Anyway, just my $0.02 worth for what it is.
 
 Daniel
 
 On 2/20/13 7:24 PM, Stuart Henderson wrote:
 On 2013-02-20, Claudio Jeker cje...@diehard.n-r-g.com wrote:
 On Wed, Feb 20, 2013 at 03:35:59PM +0300, Aaron Glenn wrote:
 I'm wondering if anyone is thinking/contemplating/attempting
 implementing the newly released EIGRP draft from Cisco.
 No, I don't have patches to contribute...this is just a simple anyone
 else thinking about this? message. feel free to contact me privately
 if this is too noisy a message (hah...misc...noisy...heaven forbid)
 
 interesting commentary at packetpushers if you missed it..
 
 http://packetpushers.net/why-is-cisco-bothering-with-open-eigrp/
 
 Last time I looked EIGRP was a Cisco proprietary protocol from the times
 when RIP was modern. I see no need to support it, I would first consider
 ISIS and adding stuff to ospfd / ospf6d.
 
 +1
 



Re: Millions of files in /var/www inode / out of space issue.

2013-02-19 Thread MJ
Which app are you running that is generating millions of tiny files in a single 
directory?  Regardless, in this case OpenBSD is not the right tool for the job. 
You need either FreeBSD or a Solaris variant to handle this problem because you 
need ZFS.


What limits does ZFS have?
---
The limitations of ZFS are designed to be so large that they will never be 
encountered in any practical operation. ZFS can store 16 Exabytes in each 
storage pool, file system, file, or file attribute. ZFS can store billions of 
names: files or directories in a directory, file systems in a file system, or 
snapshots of a file system. ZFS can store trillions of items: files in a file 
system, file systems, volumes, or snapshots in a pool.


I'm not sure why ZFS hasn't yet been ported to OpenBSD, but if it were then 
that would pretty much eliminate the need for my one and only FreeBSD box ;-)



On Feb 19, 2013, at 2:35 AM, Keith ke...@scott-land.net wrote:

 Q. How do I make the default web folder /var/www/ capable of holding millions 
 of files (say 50GB worth of small 2kb-12kb files) so that I won't get inode 
 issues ?
 
 The problem is that my server has the default disk layout as I didn't expect 
 to have millions of files (I thought they would be stored in the DB). When I 
 started the app it generated all the files and I got out of space warnings. I 
 tried moving the folder containing the files and making a symlink back but 
 that didn't work because nginx is in a chroot.
 
 The two options I think I have are:
 
 1. Reinstall the OS and make a dedicated /var/www partition, but how I 
 increase the inode limit I have no idea.
 2. Make a new partition, format it, copy the files from the original 
 partition and swap them around and restart nginx. (Do I run newfs with some 
 option to make more inodes?)
 
 Thanks
 Keith.



Re: Pf with multi gateways

2013-02-13 Thread MJ
Best solution is ECMP combined with ifstated - you get double bandwidth until
one link goes down, in which case it is automatically removed from the routing
table until it comes up again. This is a pretty common setup in e.g. Top Of
Rack (ToR) switching setups.

I just wrote a blog post mentioning this a few days ago, didn't go into
technical configurations yet but when I do the next post I will be sure to
mention ifstated.

http://terminalprompt.com/2013/02/12/openbsd-a-real-powerhouse/


On Feb 13, 2013, at 6:09 PM, Janne Johansson icepic...@gmail.com wrote:

 You can have ifstated test gw reachability, I think relayd has similar
 functionality to manage routes, one could somewhat easily script if
 gwA up send packets via ifA, if gwB up ...
 mpath would be yet one option.

 2013/2/13 What you get is Not what you see wygin...@gmail.com:
 Hi
 I have a pf box with 4 links (a multihomed box ) and some services like
 dns,dhcp on it.
 I have set /etc/mygate to one of the gateways.
 Sometimes the line drops and when it drops, obviously some services like
 dns stop.
 But the other lines are up then.
 What is the proper way of handling mygate?
 Do you suggest mpath?




 --
 May the most significant bit of your life be positive.
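MJ recommends ECMP with ifstated but leaves the configuration for a later post. Written out, the setup has two parts: `net.inet.ip.multipath=1` plus one `route add -mpath default` per gateway, and an ifstated.conf(5) state machine that pings each gateway and keeps the set of installed default routes equal to the set of reachable gateways. The script below is an added example, not from the thread, MJ's blog, or OpenBSD's own sample configuration; the gateway addresses (198.51.100.1 and 203.0.113.1), the interface names and the 10-second probe interval are assumptions to be replaced for a real site.

```shell
#!/bin/sh
# Added example, not from the thread. Sketches the ECMP + ifstated setup MJ
# recommends for an OpenBSD box with two uplinks. Gateway addresses,
# interface names and probe interval are placeholders (assumptions).

GW_A=198.51.100.1; IF_A=em0
GW_B=203.0.113.1;  IF_B=em1

# Emit an ifstated.conf(5) in which each state's init installs exactly the
# default routes whose gateway currently answers ping. Because the gateways
# are on-link, the probes keep working even with no default route installed.
ifstated_conf() {
	cat <<EOF
# generated for $IF_A -> $GW_A and $IF_B -> $GW_B
init-state both

# a macro is true while its command exits 0; re-run every 10 seconds
gw_a = '( "ping -q -c 1 -w 1 $GW_A > /dev/null" every 10 )'
gw_b = '( "ping -q -c 1 -w 1 $GW_B > /dev/null" every 10 )'

# route -q silences "already exists" / "not in table" on redundant changes
state both {
	init {
		run "route -qn add -mpath default $GW_A"
		run "route -qn add -mpath default $GW_B"
	}
	if ! \$gw_a
		set-state only_b
	if ! \$gw_b
		set-state only_a
}

state only_a {
	init {
		run "route -qn delete default $GW_B"
		run "route -qn add -mpath default $GW_A"
	}
	if \$gw_b
		set-state both
	if ! \$gw_a
		set-state none
}

state only_b {
	init {
		run "route -qn delete default $GW_A"
		run "route -qn add -mpath default $GW_B"
	}
	if \$gw_a
		set-state both
	if ! \$gw_b
		set-state none
}

state none {
	init {
		run "route -qn delete default $GW_A"
		run "route -qn delete default $GW_B"
	}
	if \$gw_a
		set-state only_a
	if \$gw_b
		set-state only_b
}
EOF
}

# Root-only setup: turn on multipath routing, install the config, have
# ifstated syntax-check it (-n) and then start it. Not run by default.
install_ecmp() {
	sysctl net.inet.ip.multipath=1
	ifstated_conf > /etc/ifstated.conf
	ifstated -n -f /etc/ifstated.conf && ifstated -f /etc/ifstated.conf
}

# Demo: show the configuration that would be installed.
ifstated_conf
```

The multipath sysctl and the ifstated start need to be made persistent in /etc/sysctl.conf and /etc/rc.conf.local respectively; with `init-state both` the daemon installs both default routes itself when it starts, so /etc/mygate can be left out entirely. Note that probing the gateway only proves the first hop is alive; pinging something beyond it (a resolver, for instance) catches the more common failure where the link is up but the provider is not.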



OSPFD on a VLAN Trunk Interface

2013-01-15 Thread MJ
192.168.1.0/24   10.1.0.1  Type 1 ext   Network   110 03:28:33


Above: next-hop for 10.1.8.0/22 should be 10.1.8.1 (vlan3 interface on box2), 
and so forth.


-mj