From owner-freebsd-net@FreeBSD.ORG Sat Sep 13 17:42:13 2008
Date: Sat, 13 Sep 2008 17:41:51 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: freebsd-net@freebsd.org
Message-ID: <20080913173441.F65801@maildrop.int.zabbadoz.net>
Subject: TCP-MD5 support for IPv6

Hi,

I just committed IPv6 TCP-MD5 support for HEAD. This gives one the ability
to send the TCP signature, but as with IPv4 there is no input path
validation and we need to enhance the key management, etc. But that's
another story.

For now I have an additional hack that enables sending ... for IPv4 and
IPv6:

- ACK from timewait
- initial RST after socket close (as long as possible)

For both changes, one needs to hack up TCP in a very bad way as we lose
the "signature flag" on the way down. Multiple TCP exit paths do not help
with this either.

Nick (thanks!) had tried it and given me tcpdumps and they looked sane.

In case you can use it as well, the patch, temporary, is here:
http://people.freebsd.org/~bz/20080913-02-tcp-md5-ack-rst.diff

This is the "more changes" I mentioned in the commit message.

Regards,
Bjoern

-- 
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.

---------- Forwarded message ----------
Date: Sat, 13 Sep 2008 17:26:46 +0000 (UTC)
From: Bjoern A. Zeeb
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet tcp_output.c tcp_subr.c tcp_syncache.c

bz          2008-09-13 17:26:46 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          tcp_output.c tcp_subr.c tcp_syncache.c
  Log:
  SVN rev 183001 on 2008-09-13 17:26:46Z by bz

  Implement IPv6 support for TCP MD5 Signature Option (RFC 2385)
  the same way it has been implemented for IPv4.

  Reviewed by:    bms (skimmed)
  Tested by:      Nick Hilliard (nick netability.ie) (with more changes)
  MFC after:      2 months

  Revision  Changes    Path
  1.155     +1 -8      src/sys/netinet/tcp_output.c
  1.316     +93 -24    src/sys/netinet/tcp_subr.c
  1.156     +1 -1      src/sys/netinet/tcp_syncache.c
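The signature computation the commit extends to IPv6, as an added example that is not FreeBSD's code and not the patch linked above: RFC 2385 hashes the pseudo-header, the fixed TCP header with a zeroed checksum, the data and the shared key. The IPv4 pseudo-header is the RFC 793 one; that the IPv6 path uses the RFC 2460 section 8.1 pseudo-header (16-byte addresses, 32-bit length, next header last) is an assumption about what "the same way" means, since the page shows neither. The example also includes the receive-side check the mail says is still missing, with a defensive option walk and a constant-time compare. Addresses, ports and the key are constructed.

```python
"""RFC 2385 TCP MD5 signature over IPv4 and IPv6 segments.

Added example, not FreeBSD's tcp_signature_compute(). The IPv6 pseudo-header
layout below (RFC 2460 section 8.1) is an assumption about how the IPv6 path
mirrors the IPv4 one; the page itself does not show it."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_SIGNATURE = 0, 1, 19   # option kinds (19 per RFC 2385)
TCPOLEN_SIGNATURE = 18                                # kind + len + 16-byte MD5 digest
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """Hashed first, so the signature is bound to the addresses in the IP header."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    if s.version == 4:
        # RFC 793: src(4) dst(4) zero(1) protocol(1) TCP length(2)
        return s.packed + d.packed + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)
    # RFC 2460 8.1 (assumed for v6): src(16) dst(16) upper-layer len(4) zero(3) next hdr(1)
    return s.packed + d.packed + struct.pack("!I3xB", tcp_len, IPPROTO_TCP)


def tcp_md5_digest(src: str, dst: str, header: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: pseudo-header, the fixed 20-byte TCP header with the
    checksum zeroed (options are NOT covered), the segment data, then the key."""
    if len(header) < 20:
        raise ValueError("short TCP header")
    fixed = header[:16] + b"\x00\x00" + header[18:20]
    m = hashlib.md5()
    m.update(pseudo_header(src, dst, len(header) + len(payload)))
    m.update(fixed)
    m.update(payload)
    m.update(key)
    return m.digest()


def sign_segment(src, dst, sport, dport, seq, ack, flags, payload, key) -> bytes:
    """Return header + payload carrying the signature option, padded with two NOPs."""
    opt_len = TCPOLEN_SIGNATURE + 2
    doff = (20 + opt_len) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, 65535, 0, 0)
    pad = bytes([TCPOPT_NOP, TCPOPT_NOP])
    # Options are outside the digest; the zeroed placeholder only fixes the segment length.
    placeholder = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + bytes(16) + pad
    digest = tcp_md5_digest(src, dst, fixed + placeholder, payload, key)
    return fixed + bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest + pad + payload


def find_signature(header: bytes):
    """Walk the option list without trusting lengths; return the digest or None."""
    opts, i = header[20:], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None          # malformed length: never read past the header
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return opts[i + 2:i + 18]
        i += length
    return None


def verify_segment(src: str, dst: str, segment: bytes, key: bytes) -> bool:
    """The input-path validation the mail says is still missing: recompute and
    compare in constant time; an unsigned segment on a signed connection fails."""
    if len(segment) < 20:
        return False
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return False
    header, payload = segment[:doff], segment[doff:]
    got = find_signature(header)
    if got is None:
        return False
    return hmac.compare_digest(got, tcp_md5_digest(src, dst, header, payload, key))


if __name__ == "__main__":
    key = b"bgp-shared-secret"   # constructed key
    seg = sign_segment("2001:db8::1", "2001:db8::2", 40000, 179, 1000, 0, TH_SYN, b"", key)
    print("v6 SYN verifies:", verify_segment("2001:db8::1", "2001:db8::2", seg, key))
    print("spoofed source rejected:", not verify_segment("2001:db8::3", "2001:db8::2", seg, key))
    print("wrong key rejected:", not verify_segment("2001:db8::1", "2001:db8::2", seg, b"x"))
```

Two practical points follow from the layout. Because the digest covers the pseudo-header, a segment cannot be replayed from a different source address, which is the whole value of the option for BGP sessions; because it does not cover the options, a signature says nothing about, for example, the MSS or window-scale values. RFC 2385 is a keyed MD5 construction, not an HMAC, and has since been obsoleted by TCP-AO (RFC 5925); the example is for understanding the option the commit implements, not a recommendation for new deployments.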