On Apr 23, 2010, at 11:39, Ondrej Zajicek wrote:

> On Fri, Apr 23, 2010 at 10:13:32AM +0200, Wolfgang Hennerbichler wrote:
>> now I've setup BIRD to peer on the different source interfaces and from
>> different ASes to simulate productive routers:
>>
>> protocol bgp R1 {
>>     debug all;
>>     local as 1120;
>>     neighbor 193.203.0.3 as 1267;
>>     import all;
>>     export none;
>>     table T1;
>>     password "xyz";
>>     source address 193.203.0.1;
>>     route limit 15000;
>>     start delay time 1;
>> }
>>
>> protocol bgp R2 {
>>     debug all;
>>     local as 1121;
>>     neighbor 193.203.0.3 as 1267;
>>     import all;
>>     export none;
>>     table T2;
>>     password "xyz";
>>     source address 193.203.0.2;
>>     route limit 15000;
>>     start delay time 1;
>> }
>>
>> ...
>>
>> nevertheless only the peering with source 193.203.0.1 - the primary IP -
>> comes up, source 193.203.0.2 stays down, I see in the tcpdump log that MD5
>> can't be checked.
>> This works on IPv6, but it seems that IPv4 somehow doesn't honour the source
>> address field when generating the md5 hashes. Can you confirm this is a bug?
>> Am I overseeing something? I am using linux 2.6.33.2
>
> These two protocol sections are a part of one BIRD config?

yes.

> Regardless of MD5 password, such config would not probably work as
> intended, 'source address' is used for source address of outgoing
> connections and for next-hops, but it is not used for a separation
> of incoming connections. (The neighbor IP is the same in both
> cases, which is a problem.)

oh. maybe I misunderstood it in this case. thank you for the clarification.

> One possibility is to run two BIRD instances and use 'listen bgp
> address' global option to bind them to different addresses, but such
> configuration is probably a can of worms.

well, it's just a quarantine-setup, it could break without destroying anything. it could be a can of worms. I will think about it... or maybe I'll do some more virtualization, don't know.

> For experiments, I would
> suggest virtual networks using Netkit software. Unfortunately, their
> kernel does not contain MD5 support, but it would be possible to build
> another with MD5 support enabled.

thanks. the route servers are virtualized anyways.

> Another problem is that the kernel interface for MD5 checksum does not
> specify local address, only remote address and remote port. Therefore it
> is not possible to set two such sessions with a different MD5 password.

I thought so :(
thanks a lot.

Wolfgang

> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."

--
www.vix.at | www.aco.net
w...@univie.ac.at | WH844-RIPE
Vienna University Computer Center
Tel: +43 1 4277-14031 | Fax: -9140
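The kernel interface mentioned in the last quoted paragraph, as an added example that is not part of the thread or of BIRD's code: on Linux the `TCP_MD5SIG` socket option takes a `struct tcp_md5sig` that names only the peer. The helper names and passwords are constructed for illustration; 193.203.0.3 is the neighbor from the config above.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build the TCP_MD5SIG request for one IPv4 peer. The only address it holds
 * is the peer's (tcpm_addr); there is no member for the local address. */
static int md5sig_fill(struct tcp_md5sig *req, const char *peer_ip,
                       const char *password)
{
    struct sockaddr_in *peer = (struct sockaddr_in *)&req->tcpm_addr;
    size_t len = strlen(password);
    if (len == 0 || len > TCP_MD5SIG_MAXKEYLEN)
        return -EINVAL;
    memset(req, 0, sizeof(*req));
    peer->sin_family = AF_INET;
    if (inet_pton(AF_INET, peer_ip, &peer->sin_addr) != 1)
        return -EINVAL;
    req->tcpm_keylen = (unsigned short)len;
    memcpy(req->tcpm_key, password, len);
    return 0;
}

/* Install the key on fd. Returns 0 or -errno (-ENOPROTOOPT: no MD5 support). */
static int md5sig_set(int fd, const char *peer_ip, const char *password)
{
    struct tcp_md5sig req;
    int rc = md5sig_fill(&req, peer_ip, password);
    if (rc < 0)
        return rc;
    if (setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &req, sizeof(req)) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    /* Same peer, two constructed passwords: the second replaces the first. */
    printf("key A: %d\n", md5sig_set(fd, "193.203.0.3", "constructed-key-a"));
    printf("key B: %d\n", md5sig_set(fd, "193.203.0.3", "constructed-key-b"));
    close(fd);
    return 0;
}
```

Because the key is looked up by peer address on the socket, a single listening socket cannot hold one password for 193.203.0.3 as seen from 193.203.0.1 and a different one as seen from 193.203.0.2.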