From: "Bruce M. Simpson" <bms@FreeBSD.org>
To: Ingo Flaschberger
Cc: freebsd-net@freebsd.org
Date: Wed, 30 Jan 2008 03:35:55 +0000
Subject: Re: tcp-md5 check for incomming connection
Message-ID: <479FF09B.4050705@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

Ingo Flaschberger wrote:
> Hi,
>
> Linux already supports TCP-MD5 checks for incoming connections,
> but FreeBSD does not.
>
> I would like to implement this feature in FreeBSD.
> Any hints/wishes/considerations that I should consider?
Someone(tm) keeps threatening to do this every 9-12 months, but I've yet to see patches. - Another example of open source (What's missing? U!)

Inbound processing for tcp-md5 isn't really that big a deal. I'm amazed it hasn't been deprecated and replaced with something less gnarly, but that's the inertia of stuff at internet exchanges for you, and with good reason too.

I don't have free time to do any of this (volunteer work doesn't pay the rent, and the costs of living spiral ever upwards), but I can try to make time to review patches if Someone(tm) writes the support.

I believe one of the KAME guys took this and ran with it in NetBSD, so look there first; pretty sure it checks the inbound.

And of course Kip needs to be in the loop so it works with TOE.

One of the things which I didn't finish was integrating TCP-MD5 with the SPD too instead of only the SADB. This meant gnarly syntax for setkey(8).

later
BMS
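The inbound check the thread is about is the RFC 2385 digest comparison: the receiver recomputes MD5 over the pseudo-header, the fixed TCP header with the checksum field zeroed (options are not covered), the payload and the shared key, and compares it with the 16 bytes carried in option kind 19. The following is an added, stand-alone Python illustration of that computation and check; it is not code from the FreeBSD, NetBSD or Linux kernels and not Bruce's or Ingo's. The key is passed in directly rather than looked up from an SA keyed by peer address as the kernel does, the IPv6 pseudo-header layout (RFC 2460 upper-layer pseudo-header) is an assumption beyond RFC 2385's IPv4 text, and the addresses, ports and key in the sample segment are constructed for the example.

```python
"""RFC 2385 TCP MD5 signature: compute, attach and verify on an inbound segment.
Added example, not kernel code. Key lookup from the SADB is out of scope."""
import hashlib
import hmac
import ipaddress
import struct

TCPOPT_SIGNATURE = 19    # option kind assigned by RFC 2385
TCPOLEN_SIGNATURE = 18   # kind + length + 16-byte MD5 digest
IPPROTO_TCP = 6


def _pseudo_header(src_ip, dst_ip, seg_len):
    """Pseudo-header covered by the digest. IPv4 layout is from RFC 2385
    (src, dst, zero, protocol, TCP length). The IPv6 layout is assumed to be
    the RFC 2460 upper-layer pseudo-header (src, dst, 32-bit length,
    24 zero bits, next header)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address family mismatch")
    if src.version == 4:
        return src.packed + dst.packed + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len)
    return src.packed + dst.packed + struct.pack("!IBBBB", seg_len, 0, 0, 0, IPPROTO_TCP)


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """Digest per RFC 2385 section 2: pseudo-header, then the fixed 20-byte TCP
    header with checksum assumed zero (options excluded), then payload, then key."""
    seg = bytes(segment)
    if len(seg) < 20:
        raise ValueError("short TCP header")
    data_offset = (seg[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("bad data offset")
    header = bytearray(seg[:20])
    header[16:18] = b"\x00\x00"          # checksum field is treated as zero
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, len(seg)))
    m.update(header)
    m.update(seg[data_offset:])          # payload only: options are not covered
    m.update(key)
    return m.digest()


def find_signature_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None if it is
    absent. A malformed option list is treated as 'no signature'."""
    seg = bytes(segment)
    data_offset = (seg[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = seg[i]
        if kind == 0:                     # End of option list
            break
        if kind == 1:                     # NOP
            i += 1
            continue
        if i + 1 >= data_offset:
            return None                   # truncated option
        length = seg[i + 1]
        if length < 2 or i + length > data_offset:
            return None                   # bogus length
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return seg[i + 2:i + TCPOLEN_SIGNATURE]
        i += length
    return None


def verify_inbound(src_ip, dst_ip, segment, key):
    """Inbound check for a peer that has a TCP-MD5 key configured: the segment
    must carry the option and its digest must match. Constant-time compare so
    a forger cannot learn the expected digest byte by byte."""
    received = find_signature_option(segment)
    if received is None:
        return False                      # signature expected but missing: discard
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Build a segment carrying the signature option (padded with two NOPs to a
    4-byte boundary), then fill in the digest. Options are not covered by the
    digest, so the zeroed placeholder does not affect the result."""
    opts = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + bytes(16) + b"\x01\x01"
    data_offset = (20 + len(opts)) // 4   # 40-byte header -> 10 words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    seg = bytearray(header + opts + payload)
    seg[22:38] = tcp_md5_digest(src_ip, dst_ip, seg, key)
    return bytes(seg)


# Constructed sample: a BGP-style segment between two routers sharing key "s3cret".
SRC, DST, KEY = "192.0.2.1", "192.0.2.2", b"s3cret"
SAMPLE = build_signed_segment(SRC, DST, 179, 49152, 1000, 2000, 0x18, 65535, b"BGP OPEN", KEY)

if __name__ == "__main__":
    print("good key:        ", verify_inbound(SRC, DST, SAMPLE, KEY))
    print("wrong key:       ", verify_inbound(SRC, DST, SAMPLE, b"other"))
    print("tampered payload:", verify_inbound(SRC, DST, SAMPLE[:-1] + b"!", KEY))
```

Two points worth noticing when wiring this into a real inbound path: the addresses go into the digest, so a segment replayed with swapped endpoints fails even with the right key, and the TCP checksum field is assumed zero, so a segment whose checksum was rewritten by a TOE or middlebox still verifies. RFC 2385 also says a segment from a peer that has a key configured but carries no option must be discarded, which is why the missing-option case returns False rather than falling through to unauthenticated processing.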