tech-net archive


TCP_SIGNATURE in NetBSD 7-STABLE



Hi,

After upgrading from 6-STABLE to 7-STABLE, my TCP-MD5 protected BGP
setup stopped working.

I have TCP_SIGNATURE in my kernel:

options         TCP_SIGNATURE   # RFC 2385 support, used with BGP

I have the following entry in ipsec.conf:

add aaa.bbb.ccc.ddd www.xxx.yyy.zzz tcp 0x1000 -A tcp-md5 "password";

where aaa.bbb.ccc.ddd is my local IP and www.xxx.yyy.zzz is the remote
IP.

`setkey -D' output:

aaa.bbb.ccc.ddd www.xxx.yyy.zzz
        tcp mode=any spi=4096(0x00001000) reqid=0(0x00000000)
        A: tcp-md5  706f6c31 6a656c73 7a30
        seq=0x00000000 replay=0 flags=0x00000040 state=mature
        created: Dec 30 19:40:09 2016   current: Dec 30 19:48:00 2016
        diff: 471(s)    hard: 0(s)      soft: 0(s)
        last: Dec 29 20:18:19 2016      hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=23494 refcnt=1

tcpdump does not show any MD5 checksums on outgoing packets:

19:51:11.679566 IP aaa.bbb.ccc.ddd.56368 > www.xxx.yyy.zzz.179: Flags [S], seq 2207123721, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 13 ecr 0], length 0

This is an incoming packet from the peer - see the correct checksum:

19:52:53.241773 IP www.xxx.yyy.zzz.65198 > aaa.bbb.ccc.ddd.179: Flags [S], seq 893043845, win 16384, options [mss 1460,md5valid,eol], length 0

Am I missing something, or is it broken in 7-STABLE?
The very same config used to work in 6-STABLE.

Thanks,
--
Gergely EGERVARY
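
Added example, not part of the original post: a Python check that walks the TCP options of a captured IPv4 segment, reports whether the RFC 2385 signature option (kind 19) is present, and verifies its digest against a shared key. The function names, the documentation addresses 192.0.2.1 and 198.51.100.2, the key and the `build_syn` sample builder are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5 = 0, 1, 19  # kind 19: RFC 2385 signature


def tcp_options(segment):
    """Yield (kind, data) for each option in a raw TCP segment."""
    header_len = (segment[12] >> 4) * 4
    if not 20 <= header_len <= len(segment):
        raise ValueError("bad TCP data offset")
    opts, i = segment[20:header_len], 0
    while i < len(opts) and opts[i] != TCPOPT_EOL:
        if opts[i] == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("truncated TCP option")
        yield opts[i], opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]


def rfc2385_digest(src, dst, segment, key):
    """MD5 over pseudo-header, header without options (checksum 0), data, key."""
    header_len = (segment[12] >> 4) * 4
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[header_len:] + key).digest()


def check_segment(src, dst, segment, key):
    """Return 'unsigned', 'valid' or 'invalid' for one IPv4 TCP segment."""
    for kind, data in tcp_options(segment):
        if kind == TCPOPT_MD5:
            good = hmac.compare_digest(data, rfc2385_digest(src, dst, segment, key))
            return "valid" if good else "invalid"
    return "unsigned"


def build_syn(sport, dport, seq, options):  # constructed sample data only
    options += b"\x00" * (-len(options) % 4)  # pad with EOL to a 32-bit boundary
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, ((20 + len(options)) // 4) << 4, 0x02, 32768, 0, 0)
    return header + options


if __name__ == "__main__":  # constructed SYN carrying only an MSS option
    print(check_segment("192.0.2.1", "198.51.100.2", build_syn(56368, 179, 1, bytes([2, 4, 5, 180])), b"constructed-key"))
```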


