FreeBSD 11 and mixed BGP password issues?

Thomas Johnson tommyj27 at gmail.com
Tue Jul 17 21:12:14 CEST 2018 

I recently updated a couple of my routers from FreeBSD 10.3 to 11.2,
both running BIRD 1.6 (1.6.3 -> 1.6.4). After the upgrade, I noticed
that my BGP protocol instances without a password fail to connect,
while those with a password work as expected.

For reference, my topology is as follows. I have a pair of routers
(matching OS/BIRD versions), each with a BGP session to an upstream
router. These eBGP protocol instances use a BGP password, which was
previously handled by manually configuring the ipsec.conf file
(changed to let BIRD manage while troubleshooting this issue).

Additionally, there is an iBGP session between the two BIRD routers,
which does not utilize a password.

 +-------+      +-------+
 | ISP1  |      | ISP2  |
 +--+----+      +--+----+
    |              |
    |(MD5)         |(MD5)
    |              |
 +--+----+      +--+----+
 | BIRD1 +------+ BIRD2 |
 +-------+      +-------+

IIRC, the IPSec/TCP-MD5 changes in FreeBSD 11 have been discussed here
previously. If I understand their effect on BIRD correctly, setting
TCP_MD5SIG on the BGP listen socket in FreeBSD 11 mandates that all
packets in/out on the socket MUST be MD5-signed (per tcp(4)). By
comparison, the behavior in earlier FreeBSD releases was more of an
opportunistic model.

If my limited understanding of the BIRD code is correct, when the
configuration of a BGP protocol instance specifies a password, the
TCP_MD5SIG option is set on the listen socket (and appropriate connect
sockets). Because of the change in behavior for the TCP_MD5SIG option,
this effectively bars any non-MD5 connections to the listen socket.

If I change the (non-password) iBGP session configuration to use a
password and reconfigure BIRD, the session comes up (as expected).
Interestingly, if I then remove the password from the iBGP instance
and reconfigure (both BIRD hosts), the session is restarted and works
without MD5 (as shown by tcpdump). My guess is that BIRD is removing
the relevant option from the listen socket when the configuration is
re-read? This is not a particularly good solution (or kludge), as
new/restarted sessions that require MD5 would probably fail?

Can anyone confirm if I am on the right track, that FreeBSD 11
changes effectively force all BGP sessions on a given BIRD [1.6]
instance to either use a password, or no password?

Reading the BIRD 2.0 documentation, it appears that there is a partial
solution to be had. The 'strict bind' option appears to allow binding
the listen socket to a specific IP. Would this allow IP address "1" to
listen for sessions with passwords, and address "2" to listen for
sessions without? This still would not address another situation I
have, where multiple BGP sessions connect to the same local IP, some
with passwords, some without (IXP connection).

This would seem to be more of a FreeBSD issue than a BIRD issue.
However, I'm curious if anyone else has run into it, and has some
clever idea that I have overlooked?

Configuration snippet for IPv4 follows, although I see the same
behavior on IPv6 as well (omitted for brevity).

# START BIRD CONFIG

template bgp ebgp {
        local as 12345;
}

template bgp ibgp {
    multihop 2;
}

protocol bgp bgp_uplink from ebgp {
    neighbor 10.20.207.131 as 54321;
    import filter bgp_in_uplink;
    password "a_password";
    #setkey off;
    source address 10.20.207.133;
}

protocol bgp ibgp_border from ibgp {
    local 192.168.166.247 as 12345;
    neighbor 192.168.166.246 as 12345;
    # Password added to allow session to connect.
    password "wtf";
}

# END BIRD CONFIG

% setkey -D
192.168.166.246 192.168.166.247
    tcp mode=any spi=96441423(0x05bf944f) reqid=0(0x00000000)
    A: tcp-md5  777466
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Jul 17 13:49:03 2018 current: Jul 17 13:49:30 2018
    diff: 27(s) hard: 0(s) soft: 0(s)
    last: Jul 17 13:49:06 2018 hard: 0(s) soft: 0(s)
    current: 1626176(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 2226 hard: 0 soft: 0
    sadb_seq=9 pid=12858 refcnt=1
192.168.166.247 192.168.166.246
    tcp mode=any spi=152346577(0x09149fd1) reqid=0(0x00000000)
    A: tcp-md5  777466
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Jul 17 13:49:03 2018 current: Jul 17 13:49:30 2018
    diff: 27(s) hard: 0(s) soft: 0(s)
    last: Jul 17 13:49:06 2018 hard: 0(s) soft: 0(s)
    current: 3066573(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 2530 hard: 0 soft: 0
    sadb_seq=8 pid=12858 refcnt=1
10.20.207.131 10.20.207.133
    tcp mode=any spi=146229653(0x08b74995) reqid=0(0x00000000)
    A: tcp-md5  6321794e 783039
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Jul 17 10:49:14 2018 current: Jul 17 13:49:30 2018
    diff: 10816(s) hard: 0(s) soft: 0(s)
    last: Jul 17 10:49:19 2018 hard: 0(s) soft: 0(s)
    current: 17378925(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 13433 hard: 0 soft: 0
    sadb_seq=7 pid=12858 refcnt=1
10.20.207.133 10.20.207.131
    tcp mode=any spi=128063495(0x07a21807) reqid=0(0x00000000)
    A: tcp-md5  6321794e 783039
    seq=0x00000000 replay=0 flags=0x00000040 state=mature
    created: Jul 17 10:49:14 2018 current: Jul 17 13:49:30 2018
    diff: 10816(s) hard: 0(s) soft: 0(s)
    last: Jul 17 10:49:19 2018 hard: 0(s) soft: 0(s)
    current: 453718(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 7494 hard: 0 soft: 0
    sadb_seq=6 pid=12858 refcnt=1

More information about the Bird-users mailing list