Bug #8407

FRR BGP MD5 support is broken

Added by Anonymous about 1 year ago. Updated 11 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Routing
Target version:
Start date: 03/31/2018
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.3
Affected Architecture:
Description

This is a continuation of #7969

I recently upgraded some systems from 2.3.5 to 2.4.3 and found that FRR BGP MD5 support is now broken. When the outgoing interface is physical / LAGG it was sufficient to enable hardware checksum support to fix the issue. When the outgoing interface is an OpenVPN tunnel there is no such option, so BGP MD5 support is still broken.

I did several tests to confirm the above with peers on 2.3.5 and on 2.4.3.

A new patch in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223835 seems to fix this problem for any interface type by removing the hardware checksum requirement.

Can we have that patch included?

Attachment: pfsense2.4.4_01 Jul. 05 11.52.jpg (123 KB), Andrew Dul, 07/06/2018 11:37 AM

History

#1 Updated by Jim Thompson about 1 year ago

  • Assignee set to Jim Pingle

#2 Updated by Jim Pingle 11 months ago

  • Category set to Routing
  • Status changed from New to Feedback
  • Assignee changed from Jim Pingle to Anonymous

Can you test this again on a current 2.4.4 snapshot which uses a FreeBSD 11.2 base? Looking at the FreeBSD bug you linked, it should be OK there.

#3 Updated by Andrew Dul 11 months ago

I used my previous lab test from #7969 and it looks like I was able to establish a BGP session w/ password OK to my Arista EOS test VM, using "FRR and setkey bidirectional".

This was on: pfsense
2.4.4-DEVELOPMENT (amd64)
built on Thu Jul 05 07:39:05 EDT 2018
FreeBSD 11.2-RELEASE

#5 Updated by Jim Pingle 11 months ago

  • Status changed from Feedback to Resolved

Great!

I'll close this out for now. If it breaks again, let us know.
