Subject: Re: openbgpd 3.7
To: None <>
From: Jeff Rizzo <>
List: tech-net
Date: 01/22/2006 14:11:23
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Thor Lancelot Simon wrote:
> On Sun, Jan 22, 2006 at 01:59:49PM +0000, Thomas E. Spanjaard wrote:
>  =20
>> Note that IPsec ESP/AH authentication isn't operational yet,=20
>> as someone(*cough* riz *cough* ;)) needs to upgrade our IPsec/SA stuff=
>> to what OpenBSD has.
>>    =20
> What exactly is involved in this "upgrade"?  The interface in question
> is standard across the KAME stack and the "fast IPsec" (Keromytis/Leffl=
> stack in most BSD operating systems (in fact, all of them except OpenBS=
> if they've changed it somehow).  AFAICT it offers everything one needs =
> require ESP or AH on a per-socket basis; is the implementation broken, =
> are we talking about an interface change, and if so, why?
> Thor
>  =20
What he's talking about here is some vague handwaving I've done in other
forums about this;  not an interface change, but rather adapting the
tcp-md5 bits to be fully dynamic using (effectively) the same interface
the IPsec stuff has now.  OpenBSD already has this capability (albeit
with their own AP), so what I've actually meant is "use OpenBSD's
working implementation as a guide to how we might implement it in
NetBSD".  Where "ESP/AH" came from, I have no idea - that works fine in
NetBSD.  :)

The primary issue with the TCP_SIGNATURE code ("RFC2385") in NetBSD
right now is that it *requires* the use of an SPI of 0x1000, which
limits associations to per-host granularity (as referenced in setkey(8)).=

I've worked with a proprietary route server that used the OpenBSD API to
get rfc2385-protected BGP sessions working;  my recollection is that
NetBSD's API for rfc2385 just didn't have the flexibility required for
that application (which is why OpenBSD wound up getting chosen as the
platform for that route server).  My goal is to eventually fix the
NetBSD code to add the needed flexibility.  Since I haven't looked
seriously at it in something approaching two years, my advice is for
folks not to hold their breath.  :)   (IE, I'd love to get to it
eventually, but that shouldn't stop anyone who wants it working sooner
from doing something about it)


Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla -