Bug 184545

Summary: net/openbgpd: OpenBGPd fails to initiate TCP MD5 sig connexions
Product: Ports & Packages
Reporter: anarcat+register
Component: Individual Port(s)
Assignee: Kurt Jaeger <pi>
Status: Closed FIXED
Severity: Affects Many People
CC: eksffa, garga, mykel, pi
Priority: Normal
Flags: pi: merge-quarterly-
Version: Latest
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220170

Attachments:
  file.diff (Flags: none)
  OpenBGP port patch for proper tcp md5sig support. (Flags: none)
  Updated patch from pfSense (Flags: koobs: maintainer-approval+)

Description anarcat+register 2013-12-06 16:20:02 UTC
This stems from a discussion that started here:

http://lists.freebsd.org/pipermail/freebsd-net/2013-November/037133.html

Basically, while it is possible to hack your way through it, the FreeBSD port of OpenBGPd doesn't support MD5 passwords. The way to hack around it is to add SPD policies with setkey, but then it doesn't work when initiating connexions.

This was also reported here first:

http://lists.freebsd.org/pipermail/freebsd-net/2012-January/030921.html

Fix: The fix is to use pfSense's OpenBGPd port. I built a patch which imports from both ports and figures out the best of both worlds, attached.

Patch attached with submission follows:
How-To-Repeat: Configure two FreeBSD OpenBGPd routers and set an IPsec policy as follows:

add -n 38.104.152.101 38.104.152.102 tcp 0x1000 -A tcp-md5 "[...]";
add -n 38.104.152.102 38.104.152.101 tcp 0x1000 -A tcp-md5 "[...]";

and with the following kernel config:

options   IPSEC           # IP security
options   TCP_SIGNATURE
device    crypto
options   DEVICE_POLLING
device    carp

It will work with netcat:

nc -v -S 10.0.0.2 179

... but not with openbgpd.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2013-12-06 21:35:14 UTC
Responsible Changed
From-To: freebsd-ports-bugs->hrs

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 eksffa 2015-01-18 19:34:31 UTC
Created attachment 151804 [details]
OpenBGP port patch for proper tcp md5sig support.

Here is an updated patch against the most recent version of the port. Fully functional, tested w/ MD5 signed BGP session against Cisco iOS, Mikrotik RouterOS and Juniper. Production running for a week now.
Comment 3 anarcat+register 2015-03-26 02:08:54 UTC
I can confirm this patch works. We have been using this in production since January without problems.

thanks!
Comment 4 Renato Botelho freebsd_committer freebsd_triage 2015-06-03 13:22:28 UTC
files/patch-openbsd-compat_pfkey_compat.c can be removed from port since it's not going to be used anymore
Comment 5 Renato Botelho freebsd_committer freebsd_triage 2015-08-20 11:09:51 UTC
Created attachment 160135 [details]
Updated patch from pfSense

This is the last version of the patch used by pfSense for years. I also removed patch-openbsd-compat_pfkey_compat.c since it's not used anymore and bumped PORTREVISION.
Comment 6 Myke G 2016-10-14 09:09:51 UTC
Just compiled & tested against 10.3 and 11p1 and it works. Important to note that the local-address needs to be set in the neighbor config stanza, and not to use the "other" method w/IPSEC & setkey outside of bgpd.conf. (That method also has the problem of SYNs not being signed, so you can't initiate a connection to an MD5 peer in passive mode.)
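A bgpd.conf neighbor stanza written the way Comment 6 describes, with local-address set on the neighbor and the MD5 signature handled by bgpd itself rather than by setkey policies outside bgpd.conf. This is an added illustration, not an attachment from this bug: the peer addresses are the ones from the How-To-Repeat above, while the AS numbers, router-id and the secret are constructed placeholders.

```conf
# Added example, not part of this bug's attachments.
# Addresses are taken from the How-To-Repeat; AS numbers and the
# shared secret are placeholders to be replaced.
AS 65001
router-id 38.104.152.101

# With the patched port, bgpd enables TCP MD5 signing on its own
# sockets, so no setkey SPD/SA entries for port 179 are configured
# outside bgpd.conf (Comment 6: that method leaves SYNs unsigned).
neighbor 38.104.152.102 {
        descr           "md5-signed-peer"
        remote-as       65002
        # Comment 6: local-address must be set explicitly in the
        # neighbor stanza for the MD5-signed session to come up.
        local-address   38.104.152.101
        # The same secret must be configured on the peer side.
        tcp md5sig password "REPLACE-WITH-SHARED-SECRET"
}
```

After reloading, `bgpctl show neighbor 38.104.152.102` should report the session reaching Established without any setkey entries present.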
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-14 09:14:36 UTC
Maintainer timeout (2 years 9 months), implicit approval.

Pending QA across supported FreeBSD versions, but we have enough people confirming this patch works to progress.
Comment 8 Kurt Jaeger freebsd_committer freebsd_triage 2018-01-12 09:04:04 UTC
Testbuilds are fine, committed, thanks!
Comment 9 commit-hook freebsd_committer freebsd_triage 2018-01-12 09:04:17 UTC
A commit references this bug:

Author: pi
Date: Fri Jan 12 09:03:50 UTC 2018
New revision: 458810
URL: https://svnweb.freebsd.org/changeset/ports/458810

Log:
  net/openbgpd: Add patches to allow use of TCPMD5 options

  - For additional details, see this post from 2013:
    http://lists.freebsd.org/pipermail/freebsd-net/2013-November/037133.html
  - Please note that this patch is used by pfsense
  - related changes in the base system have already been integrated, see
    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220170

  PR:		184545
  Submitted by:	anarcat@koumbit.org, eksffa@freebsdbrasil.com.br, garga@FreeBSD.org
  Reviewed by:	mykel@mware.ca
  Approved by:	hrs (maintainer timeout)

Changes:
  head/net/openbgpd/Makefile
  head/net/openbgpd/files/patch-bgpd_Makefile
  head/net/openbgpd/files/patch-bgpd_pfkey.c
  head/net/openbgpd/files/patch-bgpd_session.c
  head/net/openbgpd/files/patch-openbsd-compat_pfkey_compat.c