Re: using ifstated(8) to monitor wireless connections?
On Monday, October 28, 2013 6:10 AM, Stefan Sperling s...@openbsd.org wrote:
> On Sun, Oct 27, 2013 at 10:43:05PM -0700, Fred Snurd wrote:
>> $ sudo ifconfig ath0 nwid my-id wpakey my-password
>> $ ifconfig ath0
>> ath0: flags=8822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST> mtu 1500
>>         lladdr a8:54:b2:23:da:80
>>         priority: 4
>>         groups: wlan
>>         media: IEEE802.11 autoselect
>>         status: no network
>>         ieee80211: nwid my-id wpakey <not displayed> wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
>> $
>>
>> ...which still shows that the link has not changed as expected.
>
> The interface isn't marked UP in the flags= line.
> So try 'ifconfig ath0 up' here.
> dhclient does this automatically before requesting a lease.

Thanks Stefan & Reyk for replying.

Further testing tonight showed that the original /etc/ifstated.conf file did indeed work. I had thought that the link would be re-established quickly, but this was not the case. In fact, re-establishing the link took ~3-4 minutes to complete (but this factors in the time the AP needed to get reinitialized too...).

I added logger(1) messages to my ifstated.conf(5), observing that the link state bounces about before stabilizing. I don't know if this peculiarity is associated with the ath(4) driver, Wistron CM9 card, Alix hardware, or the cheap ActionTec AP used. If there is any interest, I can submit a report with more details. I simply would like to take more time determining if there is anything else I can observe.

Thanks again for your timely replies.
Re: system seems deadlock
Hi,

Just to signal that the last change on spec_vnops.c (1.77) corrects my problem: now the system doesn't deadlock.

Thanks a lot.
-- 
Sebastien Marie

On Mon, Oct 21, 2013 at 09:59:43AM +0200, Sébastien Marie wrote:
> On Sat, Oct 19, 2013 at 05:54:22PM +0200, Sébastien Marie wrote:
>> Hi,
>>
>> I fell into a system problem using tmux: the system (OpenBSD -current on i386) freezes (but no panic). The freeze seems to be a deadlock, and tmux exposes it.
>>
>> ddb> ps
>>    PID   PPID   PGRP    UID  S       FLAGS  WAIT          COMMAND
>> [...]
>>  13243      1  13243      0  3           0  inode         tmux
>> [...]
>>
>> Here, tmux is waiting on "inode". This wait message is set here:
>>
>> ufs/ext2fs/ext2fs_vfsops.c
>> 831:    lockinit(&ip->i_lock, PINOD, "inode", 0, 0);
>> ufs/ffs/ffs_vfsops.c
>> 1257:   lockinit(&ip->i_lock, PINOD, "inode", 0, 0);
>>
>> And if I let the system running, several other processes fall into "inode" waiting (such as cron, or login_passwd if I try to log in).
>>
>> With ddb, if I check locked vnodes, there are two on the root partition.
>>
>> ddb> show all mounts
>> flags 5<LOCAL,ROOTFS>
>> vnodecovered 0x0 syncer 0xd316aa60 data 0xd108a200
>> vfsconf: ops 0xd098d7a0 name "ffs" num 1 ref 3 flags 0x1000
>> statvfs cache: bsize 800 iosize 4000
>> blocks 403383 free 375320 avail 355151
>> files 102910 ffiles 100646 favail 100646
>> f_fsidx {0x400, 0xc8a5ad54} owner 0 ctime 0x52640b1d
>> syncwrites = 325 asyncwrites = 340
>> syncreads = 8881 asyncreads = 0
>> fstype "ffs" mnton "/" mntfrom "/dev/sd0a" mntspec "ab8fcda4850f14e9.a"
>> locked vnodes: 0xd3165ea8, 0xd316a310
>> [... other partitions stripped ...]
>>
>> ddb> show vnode 0xd3165ea8
>> tag UFS(1) type VCHR(4) mount 0xd108b400 typedata 0xd0ffb100
>> data 0xd3161298 usecount 2 writecount 0 holdcnt 0 numoutput 0
>>
>> ddb> show vnode 0xd316a310
>> tag UFS(1) type VDIR(2) mount 0xd108b400 typedata 0x0
>> data 0xd31851ec usecount 1 writecount 0 holdcnt 3 numoutput 0
>>
>> Does someone have any clue about what to check or how to debug this? I think I will try the option VFSLCKDEBUG in the kernel, but what else?
>>
>> -- 
>> Sébastien Marie
Unattended installation - install.conf per server
Hi,

how would we define a specific install.conf for a specific host? We could use rewrite rules based on the client's IP, but what about other attributes (hwaddr...)?

I was thinking it would be possible to pass such values as HTTP header values, but our `ftp' seems not to allow us to define our own HTTP headers.

So... what is the plan?

jirib
Re: nvidia driver what do you recommend
On 10/28/13 11:44, Brett Mahar wrote:
> On Mon, 28 Oct 2013 11:20:32 +0100
> Peter J. Philipp p...@centroid.eu wrote:
>
> | I remember someone else writing to this list before saying the nvidia
> | driver is really slow. I just upgraded my main workstation from 5.3 to
> | 5.4 and it indeed is.
> |
> | So I'm wondering what driver I should use because the choppiness of
> | moving windows is laughable, a sad kind of laugh.
> |
> | Do you recommend I get an ATI/AMD card? What sorts of models would you
> | recommend?
>
> The ATI Radeon HD 5450 works great with the recently added radeon KMS code, I got one for A$30 a few weeks ago, no problems seen, definitely no choppiness using mplayer -vo xv in fullscreen 1080p, did have problems with a 96fps 4096x2304 video I tried out, however :-)
>
> Brett.

Hi Brett,

Well I took your advice and bought this card. I'm not a high performance freak when it comes to monitors so I think it'll be alright. I paid 27 euros on amazon.de for it. It does match my MSI N250GTS Twin Frozr 1G in DDR3 1 GB RAM but not sure about performance, I'll have to see. :-)

Cheers,
-peter
Re: Request to OpenBSD Dev's - Beer on offer
Yea its 24.. Would even be happy to offer some champers.. I think this is more of a Maudite crowd.. Connoisseurs on here...

As I understand it you would need to write a small daemon to do the BFD state monitoring for the transmission and reception of the heartbeats with various peers. The protocol is fairly simple so for an experienced dev this should be easy.

Then in OpenBGPD you would need to have a way of gracefully and forcefully immediately shutting down the BGP neighbor that matches the BFD peer. This could be achieved by simply having the BFD daemon call 'bgpctl neighbor $bfdpeer down'

It is not so important for OSPF as that already has fast convergence time with fast hellos etc.. But for BGP this would make a world of difference to remove the BGP routes immediately (in less than a second) as soon as the BGP neighbor goes down/becomes unreachable (even if not a direct link (multi-hop etc)).

On 28/10/13 21:10, Dan Farrell wrote:
> I'm not sure how much a crate is, but if it's a case (24 bottles), then I'll throw in a case as well for this work.
>
> Blanche de Chambly, anyone? Or is this more a Maudite crowd?
>
> Sincerely,
> Dan Farrell
>
> On Mon, Oct 28, 2013 at 12:54 PM, Andy a...@brandwatch.com wrote:
>> Hi all,
>>
>> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>>
>> The protocol itself seems pretty simple and provides a sub-second keep-alive mechanism to monitor links for routes. E.g. Upon BFD failure BGP or OSPF can be torn down etc thus allowing for sub-second re-convergence of i/eBGP!
>>
>> I can only offer a crate of beer to anyone who has the skills and is willing :)
>>
>> '+1's welcome from others who would be interested to show signs of support/interest..
>>
>> Cheers, Andy.
Re: Request to OpenBSD Dev's - Beer on offer
Code snippets can be seen on;
http://sourceforge.net/projects/kbfd/
http://sourceforge.net/projects/bfdd/

Editing these to compile and work on OpenBSD and run 'bgpctl neighbor $bfdpeer down' etc is beyond my skills..

Thanks for reading, Andy.

On Tue 29 Oct 2013 11:16:20 GMT, Andy wrote:
> Yea its 24.. Would even be happy to offer some champers.. I think this is more of a Maudite crowd.. Connoisseurs on here...
>
> As I understand it you would need to write a small daemon to do the BFD state monitoring for the transmission and reception of the heartbeats with various peers. The protocol is fairly simple so for an experienced dev this should be easy.
>
> Then in OpenBGPD you would need to have a way of gracefully and forcefully immediately shutting down the BGP neighbor that matches the BFD peer. This could be achieved by simply having the BFD daemon call 'bgpctl neighbor $bfdpeer down'
>
> It is not so important for OSPF as that already has fast convergence time with fast hellos etc.. But for BGP this would make a world of difference to remove the BGP routes immediately (in less than a second) as soon as the BGP neighbor goes down/becomes unreachable (even if not a direct link (multi-hop etc)).
>
> On 28/10/13 21:10, Dan Farrell wrote:
>> I'm not sure how much a crate is, but if it's a case (24 bottles), then I'll throw in a case as well for this work.
>>
>> Blanche de Chambly, anyone? Or is this more a Maudite crowd?
>>
>> Sincerely,
>> Dan Farrell
>>
>> On Mon, Oct 28, 2013 at 12:54 PM, Andy a...@brandwatch.com wrote:
>>> Hi all,
>>>
>>> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>>>
>>> The protocol itself seems pretty simple and provides a sub-second keep-alive mechanism to monitor links for routes. E.g. Upon BFD failure BGP or OSPF can be torn down etc thus allowing for sub-second re-convergence of i/eBGP!
>>>
>>> I can only offer a crate of beer to anyone who has the skills and is willing :)
>>>
>>> '+1's welcome from others who would be interested to show signs of support/interest..
>>>
>>> Cheers, Andy.
Re: Notifies on CARP failover
Thanks for ideas and examples guys :)

Cheers, Andy.

On 24/10/13 14:18, Comète wrote:
> I use ifstated for that. This is my config file:
>
> init-state auto
>
> carp_up = "carp3.link.up && carp10.link.up && carp101.link.up && carp100.link.up && carp254.link.up && carp2.link.up && carp7.link.up && carp4.link.up"
> carp_down = "carp3.link.down && carp10.link.down && carp101.link.down && carp100.link.down && carp254.link.down && carp2.link.down && carp7.link.down && carp4.link.down"
>
> state auto {
>     if $carp_up {
>         set-state primary
>     }
>     if $carp_down {
>         set-state backup
>     }
> }
>
> state primary {
>     init {
>         run "/root/scripts/alert_ifstated.sh MASTER"
>     }
>     if $carp_down {
>         set-state backup
>     }
> }
>
> state backup {
>     init {
>         run "/root/scripts/alert_ifstated.sh BACKUP"
>     }
>     if $carp_up {
>         set-state primary
>     }
> }
>
> This is the little script alert_ifstated.sh too:
>
> #!/bin/sh
> # mail the current carp state to the admin; $1 is MASTER or BACKUP
> ifconfig carp | mail -s "[RTR Failover] `hostname` is now $1" m...@address.me
>
> Hope this helps...
>
> Morgan
>
> On 24/10/2013 10:59, Andy wrote:
>> Hi,
>>
>> Could anyone point me in the right direction on how to have a script be executed whenever a CARP failover or preempt event occurs?
>>
>> Need to write a script to send an event message into our monitoring systems so we can see when a change has occurred.
>>
>> I haven't used ifstated yet, is this the right tool for this? and if so could someone throw me an example if you have one?
>>
>> Thanks, Andy.
Re: Request to OpenBSD Dev's - Beer on offer
On 10/29/13 13:45, Andy wrote:
> Code snippets can be seen on;
> http://sourceforge.net/projects/kbfd/
> http://sourceforge.net/projects/bfdd/
>
> Editing these to compile and work on OpenBSD and run 'bgpctl neighbor $bfdpeer down' etc is beyond my skills..

No editing will make the license work in OpenBSD kernel, i think.

-Artturi

> Thanks for reading, Andy.
>
> On Tue 29 Oct 2013 11:16:20 GMT, Andy wrote:
>> Yea its 24.. Would even be happy to offer some champers.. I think this is more of a Maudite crowd.. Connoisseurs on here...
>>
>> As I understand it you would need to write a small daemon to do the BFD state monitoring for the transmission and reception of the heartbeats with various peers. The protocol is fairly simple so for an experienced dev this should be easy.
>>
>> Then in OpenBGPD you would need to have a way of gracefully and forcefully immediately shutting down the BGP neighbor that matches the BFD peer. This could be achieved by simply having the BFD daemon call 'bgpctl neighbor $bfdpeer down'
>>
>> It is not so important for OSPF as that already has fast convergence time with fast hellos etc.. But for BGP this would make a world of difference to remove the BGP routes immediately (in less than a second) as soon as the BGP neighbor goes down/becomes unreachable (even if not a direct link (multi-hop etc)).
>>
>> On 28/10/13 21:10, Dan Farrell wrote:
>>> I'm not sure how much a crate is, but if it's a case (24 bottles), then I'll throw in a case as well for this work.
>>>
>>> Blanche de Chambly, anyone? Or is this more a Maudite crowd?
>>>
>>> Sincerely,
>>> Dan Farrell
>>>
>>> On Mon, Oct 28, 2013 at 12:54 PM, Andy a...@brandwatch.com wrote:
>>>> Hi all,
>>>>
>>>> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>>>>
>>>> The protocol itself seems pretty simple and provides a sub-second keep-alive mechanism to monitor links for routes. E.g. Upon BFD failure BGP or OSPF can be torn down etc thus allowing for sub-second re-convergence of i/eBGP!
>>>>
>>>> I can only offer a crate of beer to anyone who has the skills and is willing :)
>>>>
>>>> '+1's welcome from others who would be interested to show signs of support/interest..
>>>>
>>>> Cheers, Andy.
Re: Unattended installation - install.conf per server
On Tue, Oct 29, 2013 at 06:16:54AM -0400, Jiri B wrote:
> Hi,
>
> how would we define a specific install.conf for a specific host? We could use rewrite rules based on the client's IP, but what about other attributes (hwaddr...)?
>
> I was thinking it would be possible to pass such values as HTTP header values, but our `ftp' seems not to allow us to define our own HTTP headers.
>
> So... what is the plan?

The HTTP GET request can pass query arguments, so it would look like:

  http://server/install.conf?mac=xx:xx:xx:xx:xx:xx...

That way a static file can be served or it can be generated by a CGI script.
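What the CGI side of Stefan's suggestion can look like, added here as an example; it is not code from the thread or from OpenBSD. It serves /var/www/install/<mac>.conf for the mac= query argument and falls back to default.conf; the directory, the file naming and the URL form http://server/cgi-bin/install.conf?mac=... are assumptions. Two things matter beyond "it works": the mac value is attacker-supplied and ends up in a file name, so it is validated character by character before use (no percent-decoding, which also refuses the encoded "..%2F" variants); and a MAC authenticates nothing, so a per-host install.conf fetched this way must not carry anything (a root password hash, keys) that every host on the segment may not read.

```c
/*
 * Added example, not from the thread: CGI that hands each installer
 * its own install.conf, selected by the mac= query argument.
 * Directory, file naming and the URL form are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONF_DIR "/var/www/install"

/*
 * Extract the value of "mac" from a CGI QUERY_STRING.  Returns 1 and
 * fills mac (17 chars + NUL) with the lower-cased aa:bb:cc:dd:ee:ff if
 * the value is well formed, 0 otherwise.  Anything that is not exactly
 * six hex pairs separated by colons (path separators, '%', extra
 * characters) is rejected, so the result is safe to use in a file name.
 */
int mac_from_query(const char *qs, char mac[18])
{
	const char *p;
	size_t i;

	if (qs == NULL)
		return 0;
	/* "mac=" must start the string or follow an '&' */
	for (p = qs; (p = strstr(p, "mac=")) != NULL; p++) {
		if (p == qs || p[-1] == '&')
			break;
	}
	if (p == NULL)
		return 0;
	p += 4;
	for (i = 0; i < 17; i++) {
		unsigned char c = (unsigned char)p[i];
		if (i % 3 == 2) {
			if (c != ':')
				return 0;
			mac[i] = ':';
		} else {
			if (!isxdigit(c))
				return 0;
			mac[i] = (char)tolower(c);
		}
	}
	/* value must end here or at the next '&' */
	if (p[17] != '\0' && p[17] != '&')
		return 0;
	mac[17] = '\0';
	return 1;
}

/* CONF_DIR/<mac>.conf; only ever called with a validated MAC. */
int conf_path(const char *mac, char *out, size_t outlen)
{
	int n = snprintf(out, outlen, "%s/%s.conf", CONF_DIR, mac);
	return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
	char mac[18], path[256], buf[4096];
	FILE *f;
	size_t n;

	if (!mac_from_query(getenv("QUERY_STRING"), mac) ||
	    conf_path(mac, path, sizeof path) != 0) {
		printf("Status: 400 Bad Request\r\n"
		    "Content-Type: text/plain\r\n\r\nbad mac\n");
		return 0;
	}
	/* no per-host file: serve the shared default instead */
	if ((f = fopen(path, "r")) == NULL &&
	    (f = fopen(CONF_DIR "/default.conf", "r")) == NULL) {
		printf("Status: 404 Not Found\r\n"
		    "Content-Type: text/plain\r\n\r\nno config\n");
		return 0;
	}
	printf("Content-Type: text/plain\r\n\r\n");
	while ((n = fread(buf, 1, sizeof buf, f)) > 0)
		fwrite(buf, 1, n, stdout);
	fclose(f);
	return 0;
}
```

The same validation applies if the file is picked by a rewrite rule instead of a CGI: whatever the web server pastes into a path must be constrained to the characters a MAC can contain.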
Re: Request to OpenBSD Dev's - Beer on offer
On 13-10-28 11:54 AM, Andy wrote:
> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
> [...]
> '+1's welcome from others who would be interested to show signs of support/interest..

I can only agree, BFD support would be a very nice thing to have, considering that in other ways OpenBSD is already a very capable router.

I'm not in a position right now to pay someone properly to implement it, but I can sustain the cost of another case or three of beer.

-- 
-Adam Thompson
athom...@athompso.net
Re: Request to OpenBSD Dev's - Beer on offer
On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:
> On 13-10-28 11:54 AM, Andy wrote:
>> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>> [...]
>> '+1's welcome from others who would be interested to show signs of support/interest..
>
> I can only agree, BFD support would be a very nice thing to have, considering that in other ways OpenBSD is already a very capable router.
>
> I'm not in a position right now to pay someone properly to implement it, but I can sustain the cost of another case or three of beer.

Amazing! So we just need to find an alcoholic developer and we're on our way ;)

Could maybe send some caffeine and pro plus in the mean time ..
Re: Request to OpenBSD Dev's - Beer on offer
So this is an ICMP ping with some authentification (on the gateway of a route) ??

Why is this not overkill ?

On Tue, Oct 29, 2013 at 11:01 AM, Andy a...@brandwatch.com wrote:
> On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:
>> On 13-10-28 11:54 AM, Andy wrote:
>>> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>>> [...]
>>> '+1's welcome from others who would be interested to show signs of support/interest..
>>
>> I can only agree, BFD support would be a very nice thing to have, considering that in other ways OpenBSD is already a very capable router.
>>
>> I'm not in a position right now to pay someone properly to implement it, but I can sustain the cost of another case or three of beer.
>
> Amazing! So we just need to find an alcoholic developer and we're on our way ;)
>
> Could maybe send some caffeine and pro plus in the mean time ..

-- 
-
() ascii ribbon campaign - against html e-mail
/\
Re: Request to OpenBSD Dev's - Beer on offer
On 13-10-29 10:01 AM, Andy wrote:
> Amazing! So we just need to find an alcoholic developer and we're on our way ;)
>
> Could maybe send some caffeine and pro plus in the mean time ..

Are there any OpenBSD developers who don't like beer and/or caffeine?

Mind you, many of them are getting as old as I am, so large quantities of beer and caffeine may no longer be ideal.

-- 
-Adam Thompson
athom...@athompso.net
Re: Request to OpenBSD Dev's - Beer on offer
No this is more than ping.. In essence it is, but is standardised and is supported on many vendors' equipment including Cisco and Juniper etc as used by all our Transit providers..

It means that not only do we remove our BGP routes, but it means that our carriers also remove the routes for our ASN immediately allowing inbound traffic destined for us to be instantly rerouted via another one of the redundant Transit links for example instead of waiting a /long/ time for BGP..

http://en.wikipedia.org/wiki/Bidirectional_Forwarding_Detection

On 29/10/13 15:05, sven falempin wrote:
> So this is an ICMP ping with some authentification (on the gateway of a route) ??
>
> Why is this not overkill ?
>
> On Tue, Oct 29, 2013 at 11:01 AM, Andy a...@brandwatch.com wrote:
>> On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:
>>> On 13-10-28 11:54 AM, Andy wrote:
>>>> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>>>> [...]
>>>> '+1's welcome from others who would be interested to show signs of support/interest..
>>>
>>> I can only agree, BFD support would be a very nice thing to have, considering that in other ways OpenBSD is already a very capable router.
>>>
>>> I'm not in a position right now to pay someone properly to implement it, but I can sustain the cost of another case or three of beer.
>>
>> Amazing! So we just need to find an alcoholic developer and we're on our way ;)
>>
>> Could maybe send some caffeine and pro plus in the mean time ..
Re: Request to OpenBSD Dev's - Beer on offer
On 10/28/2013 06:54 PM, Andy wrote:
> Hi all,
>
> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>
> The protocol itself seems pretty simple and provides a sub-second keep-alive mechanism to monitor links for routes. E.g. Upon BFD failure BGP or OSPF can be torn down etc thus allowing for sub-second re-convergence of i/eBGP!
>
> I can only offer a crate of beer to anyone who has the skills and is willing :)
>
> '+1's welcome from others who would be interested to show signs of support/interest..

I still don't see how this is different from ifstated?

You can use it to ping your neighbour then issue the bgpctl neighbor $your_fallen_neighbour down command.

-- 
With best regards,
    Gregory Edigarov
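Gregory's suggestion written out as an ifstated.conf(5), added here as an example and not part of his mail. The neighbour address 192.0.2.1, the timers and the log text are assumptions; the test syntax is the one the ifstated.conf(5) manual uses for command tests.

```conf
# Added example, not from the thread: poll an eBGP next hop with ping
# and have bgpd drop the session when it stops answering.
init-state peer_up

# Each probe waits at most one second for a reply (-w 1); "every 2" is
# how often ifstated re-runs it, so detection takes roughly 2-3 seconds.
peer_alive = '( "ping -q -c 1 -w 1 192.0.2.1 > /dev/null" every 2 )'
# Slower probe while the session is down, so a flapping link does not
# bounce the BGP session (and every route behind it) every few seconds.
peer_back  = '( "ping -q -c 1 -w 1 192.0.2.1 > /dev/null" every 30 )'

state peer_up {
	init {
		run "bgpctl neighbor 192.0.2.1 up"
	}
	if ! $peer_alive
		set-state peer_down
}

state peer_down {
	init {
		run "logger -t ifstated 'peer 192.0.2.1 unreachable, downing BGP session'"
		run "bgpctl neighbor 192.0.2.1 down"
	}
	if $peer_back
		set-state peer_up
}
```

Try it in the foreground first with `ifstated -dv -f /etc/ifstated.conf` (the -d keeps it from daemonizing and -v prints the state changes), then set ifstated_flags in /etc/rc.conf.local. What this buys and what it does not: `bgpctl neighbor ... down` closes the session cleanly, so the remote side withdraws your prefixes as soon as it sees the NOTIFICATION rather than after its hold timer; but if the link itself is dead that message never arrives, and the check only notices a loss at the poll interval, which is seconds rather than the sub-second figure Andy is after. The check is also strictly one-sided; nothing here tells the neighbour anything unless the session teardown gets through.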
Re: Request to OpenBSD Dev's - Beer on offer
On 2013 Oct 29 (Tue) at 17:44:51 +0200 (+0200), Gregory Edigarov wrote:
:On 10/28/2013 06:54 PM, Andy wrote:
:Hi all,
:
:Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
:
:The protocol itself seems pretty simple and provides a sub-second keep-alive mechanism to monitor links for routes. E.g. Upon BFD failure BGP or OSPF can be torn down etc thus allowing for sub-second re-convergence of i/eBGP!
:
:I can only offer a crate of beer to anyone who has the skills and is willing :)
:
:'+1's welcome from others who would be interested to show signs of support/interest..
:
:I still don't see how is this different from ifstated?
:You can use it to ping your neighbour then issue bgpctl neighbor $your_fallen_neighbour down command.
:
:
:-- 
:With best regards,
:    Gregory Edigarov
:

A) It's at the router level
B) *they* also run it
C) This is at ultra-tiny MS resolution
D) Somebody got paid a bonus for the RFC

-- 
A little inaccuracy sometimes saves tons of explanation.
		-- H. H. Munroe, "Saki"
Re: Help vote for OpenBSD
Don't forget to vote!

On 9. oktober 2013 at 2:09 PM, openda...@hushmail.com wrote:
> Hi,
>
> Could you guys help me vote for OpenBSD at Digital Ocean?
>
> https://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/3232571-support-bsd-os-
>
> Basically it's the only SSD cloud hosting provider (https://www.youtube.com/watch?v=vHZLCahai4Q) in existence and if the response is good enough, they'll start offering OpenBSD.
>
> Thanks!
>
> O.D.
Re: Request to OpenBSD Dev's - Beer on offer
On Tue, Oct 29, 2013 at 10:15:38AM -0500, Adam Thompson wrote:
> Are there any OpenBSD developers who don't like beer and/or caffeine?

You can try bananas, but only monkeys will step up.

-- 
Antoine
Re: Request to OpenBSD Dev's - Beer on offer
On Tue, Oct 29, 2013 at 4:53 PM, Antoine Jacoutot ajacou...@bsdfrog.org wrote:
> On Tue, Oct 29, 2013 at 10:15:38AM -0500, Adam Thompson wrote:
>> Are there any OpenBSD developers who don't like beer and/or caffeine?
>
> You can try bananas, but only monkeys will step up.

masturbating monkeys.
/dev/urandom in chroot
Hello Misc,

I have a web program that attempts to access /dev/urandom from within the /var/www chroot. Based on archive searches and googling, I've removed the nodev flag from that mount and have created the random devices in /var/www/dev/*

This allows the program to work, but I'm wondering if there is a better way to do this that doesn't involve removing the nodev setting from /var.

Would it be preferable to use a language function for getting pseudo random bytes instead of relying on the device?

Thanks for your time,
gabe.
Re: /dev/urandom in chroot
> I have a web program that attempts to access /dev/urandom from within the /var/www chroot. Based on archive searches and googling, I've removed the nodev flag from that mount and have created the random devices in /var/www/dev/*

So basically remove a layer of security. Awesome. See what they made you do?

The /dev/*random nodes are not specified in any standard, furthermore once you get into a chroot all bets are off (like you discovered).

> This allows the program to work, but I'm wondering if there is a better way to do this that doesn't involve removing the nodev setting from /var.

Rewrite it so that it uses other ways to get randomness. The arc4random API is exposed in various programming layers.

> Would it be preferable to use a language function for getting pseudo random bytes instead of relying on the device?

Yes. Definitely.
Re: nvidia driver what do you recommend
I have the same problem but on a Dell laptop with an integrated NVidia chip. The chip is an NVidia GeForce 8600M GS and since I upgraded to 5.4 my laptop is unusable (very slow window movement).

I'm thinking of reinstalling 5.3 to have a working laptop. I can't change the GPU chipset. Is there a solution to get a working window manager back?

Thanks,
Gilles Cafedjian.

On 2013-10-29 11:34, Peter J. Philipp wrote:
> On 10/28/13 11:44, Brett Mahar wrote:
>> On Mon, 28 Oct 2013 11:20:32 +0100
>> Peter J. Philipp p...@centroid.eu wrote:
>>
>> | I remember someone else writing to this list before saying the nvidia
>> | driver is really slow. I just upgraded my main workstation from 5.3 to
>> | 5.4 and it indeed is.
>> |
>> | So I'm wondering what driver I should use because the choppiness of
>> | moving windows is laughable, a sad kind of laugh.
>> |
>> | Do you recommend I get an ATI/AMD card? What sorts of models would you
>> | recommend?
>>
>> The ATI Radeon HD 5450 works great with the recently added radeon KMS code, I got one for A$30 a few weeks ago, no problems seen, definitely no choppiness using mplayer -vo xv in fullscreen 1080p, did have problems with a 96fps 4096x2304 video I tried out, however :-)
>>
>> Brett.
>
> Hi Brett,
>
> Well I took your advice and bought this card. I'm not a high performance freak when it comes to monitors so I think it'll be alright. I paid 27 euros on amazon.de for it. It does match my MSI N250GTS Twin Frozr 1G in DDR3 1 GB RAM but not sure about performance, I'll have to see. :-)
>
> Cheers,
> -peter
General question about openbgpd and PF
Hi,

Simple and general question: Is it a good thing to run PF on an openbgpd server (for security reasons), or should I de-activate PF?

Regards,
Cédric

-- 
OCEANET
---
[AGENCE DU MANS]
7, rue des Frênes
ZAC de la Pointe
72190 SARGE LES LE MANS
[t] +33 (0)2.43.50.26.50
[f] +33 (0)2.43.72.21.14

[AGENCE D'ANGERS]
5, rue Fleming
Angers Technopole
49066 ANGERS
[t] +33 (0)2.41.19.28.65
[f] +33 (0)2.52.19.22.00

http://www.oceanet.com
http://www.oceanet-telecom.com
Re: /dev/urandom in chroot
On 10/29, Theo de Raadt wrote:
>> I have a web program that attempts to access /dev/urandom from within the /var/www chroot. Based on archive searches and googling, I've removed the nodev flag from that mount and have created the random devices in /var/www/dev/*
>
> So basically remove a layer of security. Awesome. See what they made you do?

Yeah, I didn't feel like that was a great idea. I was fairly sure the nodev flag was put there on purpose.

> The /dev/*random nodes are not specified in any standard, furthermore once you get into a chroot all bets are off (like you discovered).
>
>> This allows the program to work, but I'm wondering if there is a better way to do this that doesn't involve removing the nodev setting from /var.
>
> Rewrite it so that it uses other ways to get randomness. The arc4random API is exposed in various programming layers.
>
>> Would it be preferable to use a language function for getting pseudo random bytes instead of relying on the device?
>
> Yes. Definitely.

Great, thanks for confirmation on that, I'll fix the program so I don't need to make devices inside my cozy chroot and push the changes upstream.

gabe.
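The contrast Theo draws, as an added example in C rather than code from the thread: a device-based reader that silently does nothing when the node is missing (the bug a nodev chroot exposes), the same thing done correctly so that it at least fails closed, and the arc4random(3) call that needs no device node at all. The path /nonexistent/dev/urandom stands in for a chroot without the node. On Linux the example substitutes getrandom(2) for arc4random_buf(3); that portability shim is my assumption, not something the thread discusses.

```c
/*
 * Added example, not from the thread: three ways to fill a key buffer,
 * only one of which works inside a chroot that has no /dev/urandom.
 * "/nonexistent/dev/urandom" is a constructed stand-in for that chroot.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __linux__
#include <sys/random.h>   /* getrandom(2); assumption: glibc >= 2.25 */
#endif

/*
 * The pattern that breaks inside a nodev chroot: open() fails, nobody
 * looks, and the caller carries on with whatever was in buf (typically
 * all zeros).  Returns the byte count only so the failure is visible.
 */
size_t naive_fill(const char *dev, unsigned char *buf, size_t len)
{
	int fd = open(dev, O_RDONLY);
	ssize_t n = 0;

	if (fd != -1) {
		n = read(fd, buf, len);
		close(fd);
	}
	return n > 0 ? (size_t)n : 0;
}

/*
 * Device-based but checked: fail closed on a missing node or a short
 * read.  Still depends on the node existing inside the chroot.
 */
int checked_fill(const char *dev, unsigned char *buf, size_t len)
{
	int fd = open(dev, O_RDONLY);
	size_t got = 0;

	if (fd == -1)
		return -1;
	while (got < len) {
		ssize_t n = read(fd, buf + got, len - got);
		if (n <= 0) {
			close(fd);
			return -1;
		}
		got += (size_t)n;
	}
	close(fd);
	return 0;
}

/*
 * What the thread recommends: ask the kernel directly.  No device node,
 * no file descriptor, works in any chroot.  arc4random_buf(3) on the
 * BSDs cannot fail; getrandom(2) is the Linux stand-in used here.
 */
int fill_random(unsigned char *buf, size_t len)
{
#ifdef __linux__
	size_t got = 0;

	while (got < len) {
		ssize_t n = getrandom(buf + got, len - got, 0);
		if (n < 0)
			return -1;
		got += (size_t)n;
	}
	return 0;
#else
	arc4random_buf(buf, len);
	return 0;
#endif
}

/* 1 if every byte is zero: the tell-tale of the naive reader failing */
int all_zero(const unsigned char *buf, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		if (buf[i] != 0)
			return 0;
	return 1;
}

int main(void)
{
	unsigned char key[32] = { 0 };
	size_t i;

	printf("naive_fill in a chroot without the node read %zu bytes\n",
	    naive_fill("/nonexistent/dev/urandom", key, sizeof key));
	if (fill_random(key, sizeof key) != 0)
		return 1;
	for (i = 0; i < sizeof key; i++)
		printf("%02x", key[i]);
	printf("\n");
	return 0;
}
```

The first function is the one to grep for in the web program: any open("/dev/urandom") whose return value is not checked, or whose failure path falls back to time(3) or getpid(2), is a key-generation bug that the chroot merely makes reliable.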
Re: Request to OpenBSD Dev's - Beer on offer
On Tue, Oct 29, 2013 at 11:16:20AM +0000, Andy wrote:
> Yea its 24.. Would even be happy to offer some champers.. I think this is more of a Maudite crowd.. Connoisseurs on here...
>
> As I understand it you would need to write a small daemon to do the BFD state monitoring for the transmission and reception of the heartbeats with various peers. The protocol is fairly simple so for an experienced dev this should be easy.
>
> Then in OpenBGPD you would need to have a way of gracefully and forcefully immediately shutting down the BGP neighbor that matches the BFD peer. This could be achieved by simply having the BFD daemon call 'bgpctl neighbor $bfdpeer down'
>
> It is not so important for OSPF as that already has fast convergence time with fast hellos etc.. But for BGP this would make a world of difference to remove the BGP routes immediately (in less than a second) as soon as the BGP neighbor goes down/becomes unreachable (even if not a direct link (multi-hop etc)).

BFD should be in kernel and it should change the linkstate like the GRE keepalive protocol does. Everything else is pretty much madness and somewhat impossible to do.

PS: I think I have a tree somewhere hiding with some bits added but I never cared enough to move on. So no beer for me (even though I'm just getting free belgian beer).

-- 
:wq Claudio

> On 28/10/13 21:10, Dan Farrell wrote:
>> I'm not sure how much a crate is, but if it's a case (24 bottles), then I'll throw in a case as well for this work.
>>
>> Blanche de Chambly, anyone? Or is this more a Maudite crowd?
>>
>> Sincerely,
>> Dan Farrell
>>
>> On Mon, Oct 28, 2013 at 12:54 PM, Andy a...@brandwatch.com wrote:
>>> Hi all,
>>>
>>> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>>>
>>> The protocol itself seems pretty simple and provides a sub-second keep-alive mechanism to monitor links for routes. E.g. Upon BFD failure BGP or OSPF can be torn down etc thus allowing for sub-second re-convergence of i/eBGP!
>>>
>>> I can only offer a crate of beer to anyone who has the skills and is willing :)
>>>
>>> '+1's welcome from others who would be interested to show signs of support/interest..
>>>
>>> Cheers, Andy.
downing vlan(4) doesn't remove routes
(Posted last week to tech@, no bites there. Re-summarizing here.)

I've noticed that downing a vlan(4) interface does not remove the associated link-local route from the default routing table.

This seems to directly contradict the ifconfig(8) manpage, which says "This action automatically disables routes using the interface."

I can achieve the desired behaviour by deleting the vlan(4) interface, but I really don't want to do that. I can also achieve the desired behaviour by setting the IP address to 0.0.0.0, but that also is undesirable.

Am I missing something, or is this broken?

-- 
-Adam Thompson
athom...@athompso.net
bgpd(8) EGP vs IGP question
I've got two border gateways that peer (eBGP) with the same external AS; they also peer with each other (iBGP) as per normal BGP design.

Naturally, the BGP RIB contains two copies of every route; one learned from the external peer and one learned from the internal peer.

However, when I run "bgpctl show", both routes are marked with origin "i" (i.e. IGP).

Do I have to use "set origin egp" in the external neighbour's stanza in /etc/bgpd.conf? Doing so works, and produces the expected output, but should it be necessary?

-- 
-Adam Thompson
athom...@athompso.net
Re: Request to OpenBSD Dev's - Beer on offer
On Tue, Oct 29, 2013 at 03:01:22PM +0000, Andy wrote:
> On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:
>> On 13-10-28 11:54 AM, Andy wrote:
>>> Would any of the esteemed OpenBSD developers be interested in adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
>>> [...]
>>> '+1's welcome from others who would be interested to show signs of support/interest..
>>
>> I can only agree, BFD support would be a very nice thing to have, considering that in other ways OpenBSD is already a very capable router.
>>
>> I'm not in a position right now to pay someone properly to implement it, but I can sustain the cost of another case or three of beer.
>
> Amazing! So we just need to find an alcoholic developer and we're on our way ;)
>
> Could maybe send some caffeine and pro plus in the mean time ..

Finding an alcoholic developer is not a challenge. :-)

Ken
Re: General question about openbgpd and PF
Hi,

I use PF on some OpenBSD BGP+OSPF routers on Renater (IPv4 + IPv6), it works like a charm. Why this question?

The pf rules are simple:

    pass in quick proto tcp from $bgp_neighbor_1 to $self_peering_1 port 179
    pass out quick proto tcp from $self_peering_1 to $bgp_neighbor_1 port 179

-- 
Best regards,
Loïc BLOT, UNIX systems, security and network engineer
http://www.unix-experience.fr

On Tuesday 29 October 2013 at 18:27 +0100, OCEANET - Cédric BASSAGET wrote:
> Hi,
>
> Simple and general question: Is it a good thing to run PF on an openbgpd server (for security reasons), or should I de-activate PF?
>
> Regards,
> Cédric
Re: bgpd(8) EGP vs IGP question
Adam Thompson(athom...@athompso.net) on 2013.10.29 15:20:04 -0500:
> I've got two border gateways that peer (eBGP) with the same external AS; they also peer with each other (iBGP) as per normal BGP design.
>
> Naturally, the BGP RIB contains two copies of every route; one learned from the external peer and one learned from the internal peer.
>
> However, when I run "bgpctl show", both routes are marked with origin "i" (i.e. IGP).
>
> Do I have to use "set origin egp" in the external neighbour's stanza in /etc/bgpd.conf? Doing so works, and produces the expected output, but should it be necessary?

The origin attribute doesn't mean what you think it does!

It is information added by the originating router of that route:

"i" stands for IGP (not iBGP) and means the route was redistributed from an IGP (e.g. OSPF) into BGP.
"e" means EGP, meaning the route was learned by an EGP.
and "?" or "incomplete" is used for everything else (for example static routes being redistributed).

The origin is used in step 5 of the decision process in bgpd (see bgpd(8)), and the "set origin" option can be used to change the origin of routes to manipulate the process of selecting routes.

But you should never just use "set origin" on all your bgp sessions to other ASes just because they are eBGP sessions.

/Benno
Re: bgpd(8) EGP vs IGP question
On 2013-10-29, Sebastian Benoit benoit-li...@fb12.de wrote:
> It is information added by the originating router of that route:

or in some cases, by a transit provider trying to steer traffic towards them ;)
Re: General question about openbgpd and PF
On 2013-10-29, OCEANET - Cédric BASSAGET ced...@oceanet.com wrote:
> Hi,
>
> Simple and general question: Is it a good thing to run PF on an openbgpd server (for security reasons), or should I de-activate PF?

I use it, partly to mitigate ssh brute-force, partly so I can easily enable pflow if I want to get stats, and partly so I can block crap at the borders without having to send it over wan links.
Re: General question about openbgpd and PF
OCEANET - Cédric BASSAGET(ced...@oceanet.com) on 2013.10.29 18:27:09 +0100: Hi, Simple and general question: Is it a good thing to run PF on an openbgpd server (for security reasons), or should I de-activate PF? Yes, in general you should: at least to make sure that only traffic from your own address space leaves your network, and only traffic to your own address space enters your network; read http://tools.ietf.org/html/bcp38 If you run BGP, chances are that you will have more than one router. In that case you have to consider that a router does not see both directions of the traffic. In that case use either no state or sloppy rules. /Benno
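The advice in this thread (BCP 38 filtering on the border, stateless or sloppy rules where a second router may see only one half of a flow, and the port 179 rules Loïc posted earlier) put together as a pf.conf fragment. This is an added example, not a configuration from either poster: the interface name, the peering addresses and the announced prefixes are placeholders taken from the RFC 5737 / RFC 3849 documentation ranges.

```conf
# /etc/pf.conf fragment, added as an example (not from the thread).
# em0, the peering addresses and <our_nets> are placeholders; replace them.
ext_if    = "em0"                                   # link to the upstream / eBGP peer
bgp_peer  = "{ 198.51.100.1, 2001:db8:ffff::1 }"     # the neighbour's peering addresses
self_peer = "{ 198.51.100.2, 2001:db8:ffff::2 }"     # this router's peering addresses
table <our_nets> const { 192.0.2.0/24, 2001:db8:1::/48 }   # address space we announce

set skip on lo
set block-policy drop

# BGP sessions: only the configured peer, between the peering addresses, port 179.
# "no state" because a second router in the same AS may see only one direction
# of the flow; with normal state tracking the half it sees would not match any
# state and would be dropped. Stateless rules must cover BOTH halves of the
# session, whichever side opened it, so there are four rules, not two.
pass in  quick on $ext_if proto tcp from $bgp_peer          to $self_peer port 179 no state
pass in  quick on $ext_if proto tcp from $bgp_peer port 179 to $self_peer          no state
pass out quick on $ext_if proto tcp from $self_peer          to $bgp_peer port 179 no state
pass out quick on $ext_if proto tcp from $self_peer port 179 to $bgp_peer          no state
# Alternative that keeps some tracking despite the asymmetry:
#   pass in quick on $ext_if proto tcp from $bgp_peer to $self_peer port 179 keep state (sloppy)

# IPv6 neighbour discovery must get through or the peering link itself dies.
pass in  quick on $ext_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv } no state
pass out quick on $ext_if inet6 proto icmp6 no state

# BCP 38 ingress: nothing arriving from outside may claim a source inside our space.
block in  quick on $ext_if from <our_nets>
# BCP 38 egress: nothing leaves towards the upstream unless it carries one of our
# own source addresses. A table is used on purpose: "!" on a { } list does not
# behave as expected, because pf expands the list into several separate rules.
block out quick on $ext_if from ! <our_nets>

# Default: only traffic addressed to our own space is accepted, again without
# state on this router; a transit AS would widen <our_nets> to customer space.
block in  on $ext_if
pass  in  on $ext_if to   <our_nets> no state
pass  out on $ext_if from <our_nets> no state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the expanded rule set with `pfctl -sr`; the peering addresses are deliberately outside `<our_nets>` so the anti-spoofing blocks never catch the session itself.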
Re: Yubikey login: bad file descriptor.
On 2013-10-28, Pieter Verberne pieterverbe...@xs4all.nl wrote: What I actually wanted to do: I want to use two-factor authentication over ssh using passwd+yubikey. Is this possible? It looks like yubikey will 'replace' passwd authentication, and cannot supplement it. You're right, login_yubikey does replace passwd auth. bsdauth doesn't let you request multiple passwords. The only way I came up with to achieve this was to have a single bsdauth method which requests an otp *and* password, and checks both of them (used for login_totp-and-pwd in the login_oath package). Off topic: How safe is certificate authentication? I'll use an encrypted private key on my client computers. If someone gets his hands on the encrypted key, they can do an offline password attack, which seems less safe than an online attack. Certainly less noisy. SSH will let you require 2-factor auth with both a password-like login method, which could be a password or a yubikey, and the ssh key. See sshd_config(5): AuthenticationMethods Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists.
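The AuthenticationMethods approach from the reply above, written out as an sshd_config fragment. This is an added example, not configuration posted in the thread: it assumes the user's login class in /etc/login.conf has been given "auth=yubikey" so that a keyboard-interactive request is answered by login_yubikey(8) through bsdauth, and the user name in the Match block is a placeholder.

```conf
# /etc/ssh/sshd_config fragment, added as an example (not from the thread).
# Assumes the login class of the affected users carries "auth=yubikey" in
# /etc/login.conf; "backupadmin" below is a placeholder account name.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes   # enables keyboard-interactive; newer OpenSSH names this KbdInteractiveAuthentication

# Every method in at least one comma-separated list must succeed, in the order
# given. A single list means no fallback: the client has to prove possession of
# the key first and then answer the bsdauth challenge (the Yubikey OTP). Because
# the key comes first, nobody can even start guessing OTPs without a valid key.
AuthenticationMethods publickey,keyboard-interactive:bsdauth

# An account whose login class still authenticates with the plain passwd database
# can keep a key + password pairing instead; the key is still required first.
Match User backupadmin
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
```

Verify the effective settings for a given account with `sshd -T -C user=backupadmin | grep -i authenticationmethods` before restarting sshd, and keep one working session open while testing, since a typo here locks everyone out.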
Coursera
Hi, I lurk here as I'm learning OpenBSD but I write now because I'm a little alarmed with a feature called Signature Track on Coursera. I'm doing a free online course on the Introduction to Philosophy run from the University of Edinburgh. https://www.coursera.org/course/introphil The course is so good I wanted to give a little something in return. The only way of doing this offered was to pay $50.00 for a course certificate. However, to get this they want to verify who you are. OK, seems reasonable. But on going to the Signature Track to do this https://www.coursera.org/signature/course/introphil/970720?utm_source=sparkutm_medium=bannerbox the verification consists of recording your typing pattern, taking a photo from your webcam and a photo of your driver's ID (the latter is supposed to be deleted once it is used for verification). From the FAQ: Q. How does typing pattern recognition work? A. We will ask you to type a short phrase. Then we use the characteristics of your unique typing pattern, such as the time (in milliseconds) between your keystrokes and the duration you press a key down, to confirm your identity. Small typos and minor day-to-day changes in your typing pattern are okay. I tried to attach a small screen dump but failed. Now I cannot know how any of this might be used in the future, can I? So I'm giving them nothing at this point. Do you think I'm right? Thanks Moss
[Fwd: Coursera]
OK here is the screen dump. Moss - Original Message - Subject: Coursera From: McCarthy, Maurice maurice.mccar...@maerskoil.com Date: Wed, October 30, 2013 12:47 am To: 'm...@mythic-beasts.com' m...@mythic-beasts.com [demime 1.01d removed an attachment of type image/gif which had a name of image001.gif] [demime 1.01d removed an attachment of type image/jpeg which had a name of Signature Track.jpg]
Coursera
Yes, I'd forgotten about demime. For anyone who is interested, the screen dump is now posted at https://ubuntuone.com/3PBTfO0UENZO8yS8xvVqcF Apologies to Monty, I'd intended to reply to the list and not personally. So this is a resend to the right address. As it happens, next week's lecture is on morality. That should be another fine place to raise the issue. As you say though, I ought to raise it with Coursera themselves. Thanks Moss On Wed, 30 Oct 2013, Maurice McCarthy wrote: OK here is the screen dump. Demime took those out. But this really isn't the place to discuss this. You might try Coursera's forums instead. They shouldn't mind a rational discussion of risks... m -- Monty Brandenberg
OpenBSD maintenance compared to FreeBSD
I started playing around with FreeBSD back in the 2.2.7 days. I'd describe myself as a casual desktop/workstation user. Back in the day I was attracted to OpenBSD's heavy focus on security but was pulled towards FreeBSD due to a good friend of mine being a FreeBSD contributor (dude, trust me, it's the way to go). Recently I've purchased a handful of servers for a software project I've been working on and have started reconsidering my choice of OSs. Administering a single FreeBSD workstation isn't too much of a headache; I've kind of gotten used to having to rebuild kernel and world every few months as security advisories are released. But now that I'm administering 6 of them I'm really starting to get annoyed by the whole process: rebuild kernel... rebuild world... reboot, and then pray that it doesn't blow up in my face (as it often does). That got me thinking about OpenBSD. Looking at the security advisories, the last one I see was from nearly a year and a half ago! That's pretty incredible to me. Does this mean that I could theoretically have gotten away with a year and a half of uptime? What's the catch here? I'm sorry, but I'm incredulous at how good it sounds, so I have to ask. For me the biggest selling points of an operating system are security and maintenance. I've been wowed by ZFS, but really, how often do filesystems need to be fsck'd? --and I never take snapshots. I feel like I could do without it. UFS+J is good enough. Given my priorities, does it sound like OpenBSD could be the one for me?
5.4 CDs in New Zealand
Hi, all. CD sets arrived today in Tauranga, New Zealand. Thanks to Theo and all the developers and other people behind OpenBSD - your work is much appreciated.
Looking for a laptop in the Toronto area
Hi, I added an entry to want.html as I am looking for a laptop to replace the one I have at the moment, which has some really bad heat-related issues; I have been hobbling along with it for a while now. I am in the Toronto area. I thought I would post to misc@ for some greater exposure. Is there anyone that would be able to help me out?