[quagga-dev 5488] Re: [quagga-users 9626] MD5 Support - 0.99.10
Michael H. Warfield
mhw at WittsEnd.com
Fri Jun 13 20:22:53 BST 2008
On Fri, 2008-06-13 at 17:59 +0100, paul at clubi.ie wrote:
> On Fri, 13 Jun 2008, Michael H. Warfield wrote:
> > Ok... I understand what you're getting at. So, short term
> > we split this into two patches, one being the md5 password patch
> > itself to be rolled into CVS and the other being the linux
> > compatibility address bug patch. That makes sense.
> Yeah. I'd prefer the initial commit to be as clean possible, and add
> hacks separately.
> > I'm not sure it ever set TCP-MD5SIG on the listen socket.
> > Or do you mean the accept socket from the listen?
> Hmm.. it's stashing the listen sockets from bgp_socket() and switching
> those in, in the bgp_md5_set_passive's. So I think I mean the listen
> socket (how would it know the peer on accept?).
How would it know on the listen? It doesn't have a peer at that point,
so what password would you supply to the sockopt? I presume it would
learn the peer after the accept from the address of the peer on the
connection and you would get the connection request off the listen
socket regardless of a password on the initial SYN. Otherwise, you
would have to do an individual listen for each different peer with a
different password, wouldn't you?
I haven't looked real closely at it but that would appear to be the
call to "sockunion_getpeername" in bgp_getsockname in bgp_network.c.
You would have to set the password shortly thereafter in conjunction
with the accept and initial open.
> Also, possibly esoteric - but is it ever possible to get more than
> two sockets from getaddrinfo?
From the man page on getaddrinfo it would seem that it's possible (they
specifically mention multihomed hosts but I'm not real sure about that).
I would think that would be very esoteric but I see what you're getting
at with those saved sockets in bgp_socket.
> > been an operational problem on my part. Once I had bgpd working, I
> > gave up futzing with the test suite and I never ran bgpd through
> > localhost.
> Running bgpd via localhost is very useful for testing. BGP session
> to/from the /same/ bgpd is useful with multi-instance.. (in lieu of
> support for a virtual peering between views) ;)
Yeah, I haven't done that. I've got 3 production bgp daemons running
and several other test and intelligence daemons I can play with.
> > Ah! So you're on Solaris. Ok... I'll still sign up once we
> > get a little further down the road and we'll worry about passwords
> > and Solaris some other day.
> Ah, a birdy tells me TCP-MD5 for Solaris is in the works:
> Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
> If I could drop dead right now, I'd be the happiest man alive!
> -- Samuel Goldwyn
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!