From: Theo Buehler
Subject: Re: bgpd: deconfigure md5 key after config was fully reloaded
To: tech@openbsd.org
Date: Wed, 4 Sep 2024 15:25:20 +0200

On Wed, Sep 04, 2024 at 02:42:57PM +0200, Claudio Jeker wrote:
> Right now we call pfkey_remove() in merge_peers() in the parent process
> before sending the config over to the session engine. The result is that
> the NOTIFICATION sent by the session engine is no longer md5 signed.
>
> Instead delay deallocation of peers in the config until the session engine
> sent the IMSG_RECONF_DONE message. By that time old sessions have been
> shutdown and any pending notification should have made it out.
>
> See also https://github.com/openbgpd-portable/openbgpd-portable/issues/82

This all makes sense and reads fine.

ok tb