From: Bruce M Simpson <bms@spc.org>
To: SUZUKI Shinsuke
Cc: gnn@neville-neil.com, freebsd-current@freebsd.org, mike@sentex.net, dgilbert@dclg.ca
Date: Thu, 4 Nov 2004 11:39:10 -0800
Message-ID: <20041104193910.GA719@empiric.icir.org>
References: <16767.52282.937187.190919@canoe.dclg.ca> <6.1.2.0.0.20041027124606.09c40768@64.7.153.2> <16767.53956.366966.737912@canoe.dclg.ca> <6.1.2.0.0.20041027131824.10140c90@64.7.153.2> <16768.22876.926445.412412@canoe.dclg.ca>
Subject: Re: IPSec on current.
Hi,

On Thu, Nov 04, 2004 at 04:16:12PM +0900, SUZUKI Shinsuke wrote:
> I've just implemented TCP-MD5(IPv4) on KAME-IPSEC and confirmed it's
> working fine. (I'll work on TCP-MD5(IPv6) later)
>
> Please let me know if you have any objection or comment to the
> following patch. If it's okay, I'd like to commit it to -current.

I don't object to this change being committed now, but it does mean I will have to revise some uncommitted work. Porting it to IPv6 is OK.

However, I would prefer people did not bring in itojun's changes to add the input verification path at this time, as they may break the semantics of passive open. Basically, doing it 'right' requires security policy support for TCP sockets at the MD5 level. There is a risk that bringing in the input changes now would break the semantics of existing programs such as Quagga and XORP.

Regards,
BMS
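The passive-open concern above is easiest to see with the RFC 2385 computation and a per-socket policy side by side. The following is an added userspace model written for this page; it is not the KAME/FreeBSD kernel code nor Shinsuke's or itojun's patch. The digest follows RFC 2385 section 2 (pseudo-header, fixed TCP header with checksum zeroed and options excluded, segment data, then the key). The addresses, ports, keys and the per-peer key table are constructed for the example, and `accept_segment` is a deliberately simplified stand-in for an input verification path: a listener with no key for a peer accepts unsigned segments, a listener with a key for that peer insists on a valid digest, and a signed segment from a peer with no configured key cannot be checked at all, which is the case where the outcome depends on socket-level policy.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19      # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18     # kind + length + 16-byte MD5 digest
TH_SYN = 0x02


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b""):
    """Fixed 20-byte TCP header plus options, NOP-padded to a 4-byte multiple.
    Checksum and urgent pointer are left zero (this model never hits the wire)."""
    options += bytes([TCPOPT_NOP]) * (-len(options) % 4)
    doff = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        doff << 4, flags, window, 0, 0)
    return fixed + options


def tcp_md5_digest(src, dst, tcp_hdr, payload, key):
    """RFC 2385 section 2 digest for an IPv4 segment.
    Covered: pseudo-header, first 20 header bytes with checksum zeroed
    (options excluded), segment data, then the key. Segment length counts
    the whole header including options."""
    seg_len = len(tcp_hdr) + len(payload)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    m = hashlib.md5()
    for part in (pseudo, fixed, payload, key):
        m.update(part)
    return m.digest()


def find_signature_option(tcp_hdr):
    """Walk the option list; return the 16-byte digest if kind 19 is present."""
    doff = (tcp_hdr[12] >> 4) * 4
    opts = tcp_hdr[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # malformed option, stop parsing
        length = opts[i + 1]
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def make_syn(src, dst, sport, dport, seq, key=None):
    """Build a SYN; if a key is given, attach a correctly computed MD5 option.
    The option bytes are excluded from the digest, so one pass is enough."""
    if key is None:
        return build_tcp_header(sport, dport, seq, 0, TH_SYN, 65535)
    placeholder = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16
    hdr = build_tcp_header(sport, dport, seq, 0, TH_SYN, 65535, placeholder)
    digest = tcp_md5_digest(src, dst, hdr, b"", key)
    opt = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest
    return build_tcp_header(sport, dport, seq, 0, TH_SYN, 65535, opt)


def accept_segment(peer_keys, src, dst, tcp_hdr, payload):
    """Simplified input-path decision for a passive-open (listening) socket.
    peer_keys: constructed per-peer key table standing in for socket policy.
    Returns (accepted, reason)."""
    sig = find_signature_option(tcp_hdr)
    key = peer_keys.get(src)
    if key is None:
        # No policy for this peer: unsigned is acceptable; a signed segment
        # cannot be verified, so a verify-everything input path must drop it.
        return (sig is None, "no key configured for peer")
    if sig is None:
        return (False, "key configured but segment carries no signature")
    expected = tcp_md5_digest(src, dst, tcp_hdr, payload, key)
    return (hmac.compare_digest(sig, expected), "digest compared")


if __name__ == "__main__":
    keys = {"10.0.0.1": b"bgp-secret"}          # constructed policy table
    syn = make_syn("10.0.0.1", "10.0.0.2", 40000, 179, 1000, b"bgp-secret")
    print(accept_segment(keys, "10.0.0.1", "10.0.0.2", syn, b""))
    print(accept_segment(keys, "10.0.0.3", "10.0.0.2",
                         make_syn("10.0.0.3", "10.0.0.2", 40001, 179, 1000), b""))
```

Running the model shows why the output side can be committed independently of input verification: signing only needs the key, whereas checking a received signature needs to know, per socket and per peer, whether a signature was required, optional, or unexpected, and a listener that serves both signed and unsigned peers has no single right answer without that policy.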