Re: OpenBGP tcp md5 woes...

2010-05-16 Thread Claudio Jeker
On Sat, May 15, 2010 at 05:15:21PM +0200, Xavier Beaudouin wrote:
 Hi Stuart,
 
 On 15 May 2010 at 13:47, Stuart Henderson wrote:
 
  On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
  Hello,
 
  I am running OpenBSD 4.7-current, and it seems I have some problems
  negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I
  have connection timeouts... or whatever.
 
  Please show ipsecctl -sa and netstat -rnfencap
 
 # netstat -rnfencap
 Routing tables
 (empty)
 
 # ipsecctl -sa
 FLOWS:
 No flows
 
 SAD:
 tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
 tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
 tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
 tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
 tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
 tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
 tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
 tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
 tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
 tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
 tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
 tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
 tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
 tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
 tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
 tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
 tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
 tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a
 
 
 The .120 is my IP :p
 
  I have md5 working with a kernel from April 28th and an absolutely
  -current bgpd, and also with the version from the Apr 28th snapshot,
  so I don't think there is a general problem with the code you're
  running.
 
 I'm almost sure there are no problems... I am still trying to find where
 the problem is :(
 
 If you have any hints... I'd be happy to apply them...

Did it work before the update with that peer?
Most of the time the problem is different passwords or some other
misconfiguration. TCP MD5 is an ugly hack that has some nasty
ramifications (it breaks some basic behaviour of TCP e.g. RST signaling).

Normally the best is to turn off md5 and check that the session works. Then
enable md5 or use ttl-security.
-- 
:wq Claudio
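
The password-mismatch case mentioned in the reply above, as an added example that is not part of the original thread: an RFC 2385 digest computed for a SYN and checked by a receiver holding the same or a different key. Addresses, ports and keys are constructed, and the helper names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest of one IPv4 TCP segment (tcp_header includes options)."""
    seg_len = len(tcp_header) + len(payload)
    # Pseudo-header: source, destination, zero, protocol 6, TCP length.
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, 6, seg_len)
    # Only the fixed 20 bytes are hashed, with the checksum field zeroed.
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def find_md5_option(tcp_header):
    """Return the 16-byte digest carried in option kind 19, or None."""
    opts, i = tcp_header[20:], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the list
        if opts[i] == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                        # malformed option
        if opts[i] == 19 and opts[i + 1] == 18:
            digest = opts[i + 2:i + 18]
            return digest if len(digest) == 16 else None
        i += opts[i + 1]
    return None

def receiver_accepts(src_ip, dst_ip, tcp_header, payload, local_key):
    """A receiver with a key configured drops unsigned or mismatching segments."""
    carried = find_md5_option(tcp_header)
    if carried is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, local_key)
    return hmac.compare_digest(carried, expected)

def build_syn(src_ip, dst_ip, sport, dport, seq, key=None):
    """Constructed SYN; signed with option 19 plus two NOPs when key is given."""
    opt_len = 20 if key is not None else 0
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                        ((20 + opt_len) // 4) << 4, 0x02, 16384, 0, 0)
    if key is None:
        return fixed
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + bytes(20), b"", key)
    return fixed + bytes([19, 18]) + digest + b"\x01\x01"

# Constructed sample: documentation addresses and a made-up key.
SYN = build_syn("192.0.2.1", "192.0.2.2", 40000, 179, 1000, b"constructed-key-A")
```

A segment that fails this check is dropped without any reply, so a key mismatch shows up on the sender as a connection timeout rather than a refusal.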



Re: OpenBGP tcp md5 woes...

2010-05-16 Thread Xavier Beaudouin
Hi there,

On 16 May 2010 at 14:26, Claudio Jeker wrote:

 On Sat, May 15, 2010 at 05:15:21PM +0200, Xavier Beaudouin wrote:
 Hi Stuart,

 On 15 May 2010 at 13:47, Stuart Henderson wrote:

 On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
 Hello,

 I am running OpenBSD 4.7-current, and it seems I have some problems
 negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I
 have connection timeouts... or whatever.

 Please show ipsecctl -sa and netstat -rnfencap

 # netstat -rnfencap
 Routing tables
 (empty)

 # ipsecctl -sa
 FLOWS:
 No flows

 SAD:
 tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
 tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
 tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
 tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
 tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
 tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
 tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
 tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
 tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
 tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
 tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
 tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
 tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
 tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
 tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
 tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
 tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
 tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a


 The .120 is my IP :p

 I have md5 working with a kernel from April 28th and an absolutely
 -current bgpd, and also with the version from the Apr 28th snapshot,
 so I don't think there is a general problem with the code you're
 running.

 I'm almost sure there are no problems... I am still trying to find where
 the problem is :(

 If you have any hints... I'd be happy to apply them...

 Did it work before the update with that peer?
 Most of the time the problem is different passwords or some other
 misconfiguration. TCP MD5 is an ugly hack that has some nasty
 ramifications (it breaks some basic behaviour of TCP e.g. RST signaling).

Hum, this is strange, in fact all tcp md5 sessions don't work at all.

I can give you access to this router if you like Claudio... :)

Xavier

 Normally the best is to turn off md5 and check that the session works. Then
 enable md5 or use ttl-security.
 --
 :wq Claudio



OpenBGP tcp md5 woes...

2010-05-15 Thread Xavier Beaudouin
Hello,

I am running OpenBSD 4.7-current, and it seems I have some problems
negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I have
connection timeouts... or whatever.

dmesg :

OpenBSD 4.7-current (GENERIC.MP) #560: Wed Apr 28 11:55:01 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP


ifconfig em5 :

ifconfig em5
em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:30:48:81:18:0b
description: Sfinx
priority: 0
media: Ethernet 100baseTX full-duplex
status: active
inet 194.68.129.xxx netmask 0xff00 broadcast 194.68.129.255
inet6 fe80::230:48ff:fe81:180b%em5 prefixlen 64 scopeid 0x6
inet6 2001:7f8:4e:2::xxx prefixlen 64

Extract of /etc/bgpd.conf :

group Sfinx {
        local-address   194.68.129.xxx
        announce all
        softreconfig in yes
        softreconfig out yes
        set med 50
        set localpref 5000

        # SFinx
        neighbor 194.68.129.102 {
                remote-as 2200
                max-prefix 200 restart 60
                tcp md5sig password ZeUnecryptedPass
                set { med +5 }
                set community delete 2200:*
        }
}

Re: OpenBGP tcp md5 woes...

2010-05-15 Thread Stuart Henderson
On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
 Hello,

 I am running OpenBSD 4.7-current, and it seems I have some problems
 negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I have
 connection timeouts... or whatever.

Please show ipsecctl -sa and netstat -rnfencap.

I have md5 working with a kernel from April 28th and an absolutely 
-current bgpd, and also with the version from the Apr 28th snapshot,
so I don't think there is a general problem with the code you're
running.


Re: OpenBGP tcp md5 woes...

2010-05-15 Thread Xavier Beaudouin
Hi Stuart,

On 15 May 2010 at 13:47, Stuart Henderson wrote:

 On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
 Hello,

 I am running OpenBSD 4.7-current, and it seems I have some problems
 negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I
 have connection timeouts... or whatever.

 Please show ipsecctl -sa and netstat -rnfencap

# netstat -rnfencap
Routing tables
(empty)

# ipsecctl -sa
FLOWS:
No flows

SAD:
tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a


The .120 is my IP :p

 I have md5 working with a kernel from April 28th and an absolutely
 -current bgpd, and also with the version from the Apr 28th snapshot,
 so I don't think there is a general problem with the code you're
 running.

I'm almost sure there are no problems... I am still trying to find where the
problem is :(

If you have any hints... I'd be happy to apply them...

Xavier
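
One way to read an `ipsecctl -sa` listing like the one above, as an added example that is not part of the original thread: it reports, for each neighbor expected to use tcp md5sig, which direction lacks a tcpmd5 SA (the listing above has one in each direction for every neighbor shown). The function name, addresses and SPIs are constructed.

```python
import re
from collections import defaultdict

SA_RE = re.compile(r"^\s*tcpmd5 from (\S+) to (\S+) spi 0x[0-9a-fA-F]+\s*$")

def tcpmd5_sa_gaps(ipsecctl_output, local_ip, md5_neighbors):
    """Map each md5 neighbor to the SA directions missing from the SAD."""
    seen = defaultdict(set)
    for line in ipsecctl_output.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue                  # FLOWS:, SAD:, blank lines, other SA types
        src, dst = m.groups()
        if src == local_ip:
            seen[dst].add("out")
        elif dst == local_ip:
            seen[src].add("in")
    gaps = {}
    for peer in md5_neighbors:
        missing = sorted({"in", "out"} - seen[peer])
        if missing:
            gaps[peer] = missing
    return gaps

# Constructed sample in the same format (documentation addresses, made-up SPIs).
SAMPLE = """\
FLOWS:
No flows

SAD:
tcpmd5 from 192.0.2.1 to 192.0.2.10 spi 0x11111111
tcpmd5 from 192.0.2.10 to 192.0.2.1 spi 0x22222222
tcpmd5 from 192.0.2.1 to 192.0.2.20 spi 0x33333333
"""

if __name__ == "__main__":
    neighbors = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
    print(tcpmd5_sa_gaps(SAMPLE, "192.0.2.1", neighbors))
```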