Date:      Thu, 4 Nov 2004 11:39:10 -0800
From:      Bruce M Simpson <bms@spc.org>
To:        SUZUKI Shinsuke <suz@kame.net>
Cc:        dgilbert@dclg.ca
Subject:   Re: IPSec on current.
Message-ID:  <20041104193910.GA719@empiric.icir.org>
In-Reply-To: <x74qk6qe2r.wl%suz@crl.hitachi.co.jp>
References:  <16767.52282.937187.190919@canoe.dclg.ca> <6.1.2.0.0.20041027124606.09c40768@64.7.153.2> <16767.53956.366966.737912@canoe.dclg.ca> <6.1.2.0.0.20041027131824.10140c90@64.7.153.2> <m2fz3ztwct.wl@minion.local.neville-neil.com> <16768.22876.926445.412412@canoe.dclg.ca> <x74qk6qe2r.wl%suz@crl.hitachi.co.jp>



Hi,

On Thu, Nov 04, 2004 at 04:16:12PM +0900, SUZUKI Shinsuke wrote:
> I've just implemented TCP-MD5(IPv4) on KAME-IPSEC and confirmed it's
> working fine.  (I'll work on TCP-MD5(IPv6) later)
>
> Please let me know if you have any objection or comment to the
> following patch.  If it's okay, I'd like to commit it to -current.

I don't object to this change being committed now, but it does mean I
will have to revise some uncommitted work.

Porting it to IPv6 is OK. However, I would prefer people did not bring
in itojun's changes to add the input verification path at this time as
they may break the semantics of passive open.

Basically doing it 'right' requires security policy support for TCP
sockets at the MD5 level. There is a risk that bringing in the input
changes now would break the semantics of existing programs such as
Quagga and XORP.

Regards,
BMS

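The reply above is about the receive-side ("input verification") half of TCP-MD5 and the policy question it raises for a listening socket. As an added illustration, not code from this thread, from KAME or from FreeBSD, the following Python sketch signs a TCP segment per RFC 2385 (MD5 over the IPv4 pseudo-header, the option-free TCP header with a zero checksum, the segment data and the raw key) and then classifies inbound segments against a per-peer key table. The addresses, ports, key and the result labels (`no-policy`, `unexpected-signature`, and so on) are constructed for this example; the classification is deliberately separated from the accept/drop decision, because that decision is the socket-level policy the mail says is still missing.

```python
"""RFC 2385 TCP MD5 Signature Option: sign a segment, then verify inbound
segments against a per-peer key table.  Constructed example, not the
KAME/FreeBSD implementation discussed in the thread."""
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1
TCPOPT_MD5 = 19        # option kind assigned to the MD5 signature
TCPOPT_MD5_LEN = 18    # kind + length + 16-byte digest
TH_SYN, TH_ACK = 0x02, 0x10


def tcp_md5_digest(src_ip, dst_ip, base_header, payload, key, seg_len):
    """RFC 2385 section 2: MD5 over the pseudo-header (src, dst, zero,
    protocol, segment length), the 20-byte TCP header without options and
    with the checksum zeroed, the segment data, and finally the raw key."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    zeroed = base_header[:16] + b"\x00\x00" + base_header[18:]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Build a signed segment: 20-byte header, MD5 option plus two NOPs
    (20 bytes of options, data offset 10 words), then the payload.  The
    checksum is left at zero; a real stack fills it in after signing and
    it is excluded from the digest anyway."""
    offset_words = 10
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_words << 4, flags, 65535, 0, 0)
    seg_len = offset_words * 4 + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, base, payload, key, seg_len)
    options = (bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + digest
               + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    return base + options + payload


def extract_md5_option(segment):
    """Walk the option list; return the 16-byte digest or None.
    Malformed option lengths are treated as 'no signature'."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                    # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                    # bogus length
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, keys):
    """Classify an inbound segment.  'keys' maps peer address -> key.
    What each class means for a given socket (a listener in particular)
    is left to the caller's policy."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return "malformed"
    sig = extract_md5_option(segment)
    key = keys.get(src_ip)
    if key is None:
        return "unexpected-signature" if sig is not None else "no-policy"
    if sig is None:
        return "missing-signature"
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:20],
                              segment[data_offset:], key, len(segment))
    return "ok" if hmac.compare_digest(sig, expected) else "bad-signature"


def demo():
    """Constructed peers, listener and key; returns the classifications."""
    peer, stranger, listener = "192.0.2.1", "198.51.100.9", "192.0.2.2"
    keys = {peer: b"example-key"}
    good = build_segment(peer, listener, 40000, 179, 1000, 0, TH_SYN, b"", keys[peer])
    data = build_segment(peer, listener, 40000, 179, 1001, 500, TH_ACK,
                         b"constructed payload", keys[peer])
    tampered = bytearray(data)
    tampered[-1] ^= 0x01                   # flip one payload bit
    wrong_key = build_segment(peer, listener, 40000, 179, 1000, 0, TH_SYN, b"", b"wrong")
    signed_stranger = build_segment(stranger, listener, 40001, 179, 7, 0, TH_SYN, b"", b"k")
    plain = struct.pack("!HHIIBBHHH", 40002, 179, 9, 0, 5 << 4, TH_SYN, 65535, 0, 0)
    return {
        "signed-syn": verify_segment(peer, listener, good, keys),
        "signed-data": verify_segment(peer, listener, data, keys),
        "tampered": verify_segment(peer, listener, bytes(tampered), keys),
        "wrong-key": verify_segment(peer, listener, wrong_key, keys),
        "stranger-signed": verify_segment(stranger, listener, signed_stranger, keys),
        "stranger-plain": verify_segment(stranger, listener, plain, keys),
        "peer-plain": verify_segment(peer, listener, plain, keys),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

The `no-policy` and `missing-signature` classes are where passive open gets awkward: a listener serving several peers has to decide whether an unsigned SYN from an address with no configured key is normal (the situation existing daemons rely on) or a failure, and that is a per-socket policy decision rather than something the verification routine can answer on its own.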