Interesting.

Would you happen to know where I could obtain sources to their version of OpenBGPD, then?

Thanks!

On 9/21/2014 07:35 PM, Ermal Luçi wrote:


On Sun, Sep 21, 2014 at 12:31 PM, Paul S. <cont...@winterei.se> wrote:

    Ermal,

    I'd prefer a raw BSD installation (Call it a comfort thing, if you
    will).

    Has the pfSense project actually managed to patch OpenBGPD to
    remove its dependency on OpenBSD-specific bindings for TCP_MD5?

    It might be worth it to just try to build their fork, if that's
    the case.

    Thank you for responding!


Yeah, the OpenBGPd port of pfSense has support for installing SPDs without setkey.


    On 9/21/2014 07:26 PM, Ermal Luçi wrote:

    If it is an option for you, pfSense has all the hard work done for
    you and you can use it for such installations.

    On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <cont...@winterei.se> wrote:

        Hi folks,

        I plan to make an edge router out of a FreeBSD system with
        OpenBGPD + FreeBSD 10, or such.

        I've been reading up, and noticed that the
        net.inet.ip.fastforwarding flag provides rather nice
        performance benefits.

        My issue is, my upstream networks insist on using TCP MD5
        authentication on their BGP sessions.

        This is fine, except on FreeBSD -- I'm going to have to use
        the setkey utility to set those since native PF_KEY support
        for OpenBGPD does not seem available.

        Now, since setkey is part of IPSec, and there are countless
        warnings about using IPSec and fastforwarding together in the
        manpage, am I correct in assuming that this will not work if
        I have fastforwarding enabled?

        Is there any way to make it work? Quagga, from what I've
        read, seems to also be in the same boat (Usage of setkey
        required for TCP MD5).

        I tried searching the manpages, but couldn't locate anything
        concrete on this.

        Any assistance/replies are welcome.

        Thank you!
        _______________________________________________
        freebsd-net@freebsd.org <mailto:freebsd-net@freebsd.org>
        mailing list
        http://lists.freebsd.org/mailman/listinfo/freebsd-net
        To unsubscribe, send any mail to
        "freebsd-net-unsubscr...@freebsd.org
        <mailto:freebsd-net-unsubscr...@freebsd.org>"




-- Ermal




--
Ermal
