[quagga-dev 5485] Re: [quagga-users 9626] MD5 Support - 0.99.10
Michael H. Warfield
mhw at WittsEnd.com
Fri Jun 13 17:13:45 BST 2008
On Fri, 2008-06-13 at 16:09 +0100, paul at clubi.ie wrote:
> Hi Michael,
> On Fri, 13 Jun 2008, Michael H. Warfield wrote:
> > Already done.
> I've made all those suggestions in the diff I sent ;)
Ah, yeah... I guess I really should have examined that diff before
> > Will check this next. This should be fairly straightforward to do if
> > we are not worried about disabling passwords on existing sessions. That
> > will simplify the code.
> See my minor re-edit of your patch, which I had attached :)
> > Ok. I'll look that over and get it done.
> See diff! :)
Yup Saw that.
> > Uh... You mean remove the bug avoidance code entirely or
> > chop it out so it's only included when needed? Right now that code
> > is conditionalized on the IPV6_V6ONLY define, which is present in
> > Linux, OpenBSD and FreeBSD. I could further tighten that condition
> > to Linux only.
> Well, do we need to have this in the initial revision of the TCP-MD5
> support that we put into CVS? I.e. lets treat this is a seperate bug,
> distinct from the RFE work of getting TCP-MD5SIG into Quagga - and
> solve it seperately.
> It could be its a simple bug to fix in the kernels concerned.
Ok... I understand what you're getting at. So, short term we split
this into two patches, one being the md5 password patch itself to be
rolled into CVS and the other being the linux compatibility address bug
patch. That makes sense.
> > I tested this out without the separate sockets on Linux and it does
> > not work.
> Ah, oops - my re-edit sets TCP-MD5SIG on the peer->fd, but not the
> listen socket. My bad. I just tested with multiple local bgpds on a
> Fedora box here and it doesnt work (I presume TCP-MD5SIG works on
> local sockets on Linux).
I'm not sure it ever set TCP-MD5SIG on the listen socket. Or do you
mean the accept socket from the listen? That was one area which was
very confusing when I first looked at the code and looked at the test
suite someone else posted. I'm also not sure (actually, I seriously
doubt) local sockets work. I was never able to get that test suite to
work through localhost either with or without the IPv6 workaround. It
could still have been an operational problem on my part. Once I had
bgpd working, I gave up futzing with the test suite and I never ran bgpd
If you want to test against my Fedora systems, we can set up a peering.
> Let me add that back in.
I was just getting ready to rebuild with your patch. I'll wait for
this. I also have to build up a separate patch for the compatibility
address thing. I guess I should have taken that approach from the
beginning. That would have given me a much more convenient way of
testing with and without the split sockets. Duh...
> > I know the Quagga site has a route server up (strange - that page is
> > blank for me right now).
> Oops, my bad.
> > Would we want to connect up one ore more of my bgp daemons up to
> > that for both v4 and v6 and add passwords for testing?
> Solaris doesn't support TCP-MD5 at the moment. Though, wouldn't be
> too hard to hack it on though (Solaris already has code to run MD5
> over TCP, for ISN, and storing a password with the socket would be
Ah! So you're on Solaris. Ok... I'll still sign up once we get a
little further down the road and we'll worry about passwords and Solaris
some other day.
> Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
> linux: because a PC is a terrible thing to waste
> (ksh at cis.ufl.edu put this on Tshirts in '93)
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 307 bytes
Desc: This is a digitally signed message part
More information about the Quagga-dev