From: Ingo Flaschberger <if@xip.at>
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org, "Bruce M. Simpson"
Date: Thu, 31 Jan 2008 01:39:24 +0100 (CET)
Subject: Re: tcp-md5 check for incomming connection
In-Reply-To: <20080130083105.S36482@maildrop.int.zabbadoz.net>
References: <479FF09B.4050705@FreeBSD.org> <20080130083105.S36482@maildrop.int.zabbadoz.net>

Dear Bjoern, Bruce,

Looking through Linux, NetBSD and Bruce's old patch (which works with minimal modification on my FreeBSD 6.2), I have 3 ideas how MD5 could be integrated.

1) NetBSD method:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_input.c?rev=1.277&content-type=text/x-cvsweb-markup
Look for TCP_SIGNATURE. The main code part is handled in tcp_dooptions. They have modified the return value of tcp_dooptions from void to int. If MD5 fails, -1 is returned (only MD5 uses this return feature) and in tcp_input the return value of tcp_dooptions is checked and handled.
-> for FreeBSD: change the return value of tcp_dooptions and add a little logic to the tcp_input function.

2) Linux method:
Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c (sorry, no weblink..)
They check and block MD5 packets early in tcp_v4_do_rcv.
afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
-> for FreeBSD: place some logic early in the tcp_input function and call a new function to check MD5.

3) Bruce's extended method:
http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
Use his code and add similar checks at several places in the tcp_input function.

Options:
*) enable/disable it via sysctl
*) count total, good and bad packets via sysctl

Kind regards,
Ingo Flaschberger

anytwo(tm)
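The check that all three proposals above hook into tcp_input is the RFC 2385 TCP-MD5 signature verification: recompute the MD5 over the pseudo-header, the TCP header without options (checksum zeroed), the payload and the shared key, and compare it with the digest carried in option kind 19. The following is an added, user-space Python illustration written for this archive page; it is not FreeBSD, NetBSD or Linux kernel code and not Bruce's patch. It mirrors the NetBSD convention of returning -1 on a failed signature and keeps the total/good/bad counters the message suggests exposing via sysctl. The addresses, ports, key and segments are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

TCPOPT_SIGNATURE = 19    # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18   # kind + length + 16-byte MD5 digest

# Counters standing in for the proposed sysctl counters (constructed here).
stats = {"total": 0, "good": 0, "bad": 0}


def tcp_md5_digest(src_ip, dst_ip, tcp_segment, key):
    """RFC 2385 digest input: IPv4 pseudo-header, TCP header without
    options and with checksum zeroed, TCP payload, then the shared key."""
    data_offset = (tcp_segment[12] >> 4) * 4
    header = bytearray(tcp_segment[:20])
    header[16:18] = b"\x00\x00"           # checksum is assumed zero
    payload = tcp_segment[data_offset:]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_segment))
    m = hashlib.md5()
    m.update(pseudo)
    m.update(bytes(header))
    m.update(payload)
    m.update(key)
    return m.digest()


def find_signature_option(tcp_segment):
    """Walk the TCP options; return the 16-byte digest from the TCP-MD5
    option, or None if it is absent or malformed."""
    data_offset = (tcp_segment[12] >> 4) * 4
    opts = tcp_segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # EOL
            break
        if kind == 1:                     # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                   # truncated option header
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                   # bogus length
        if kind == TCPOPT_SIGNATURE:
            if length != TCPOLEN_SIGNATURE:
                return None
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def tcp_signature_verify(src_ip, dst_ip, tcp_segment, key):
    """NetBSD-style result: 0 when the signature verifies, -1 otherwise.
    A segment without a signature option is treated as a failure, since a
    connection configured for TCP-MD5 must not accept unsigned segments."""
    stats["total"] += 1
    received = find_signature_option(tcp_segment)
    if received is None:
        stats["bad"] += 1
        return -1
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_segment, key)
    if not hmac.compare_digest(received, expected):   # constant-time compare
        stats["bad"] += 1
        return -1
    stats["good"] += 1
    return 0


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key=None):
    """Constructed TCP segment; with a key it carries a correct TCP-MD5 option
    (two NOPs for alignment, then kind 19, length 18, digest)."""
    opts = b""
    if key is not None:
        opts = b"\x01\x01" + bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, 65535, 0, 0)
    seg = bytearray(hdr + opts + payload)
    if key is not None:
        # Options are not covered by the digest, so it can be filled in last.
        seg[24:40] = tcp_md5_digest(src_ip, dst_ip, bytes(seg), key)
    return bytes(seg)


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])   # constructed
    key = b"constructed-demo-key"
    syn = build_segment(src, dst, 40000, 179, 1000, 0, 0x02, b"", key)
    print("signed SYN:", tcp_signature_verify(src, dst, syn, key))
    print("wrong key :", tcp_signature_verify(src, dst, syn, b"other"))
    print("unsigned  :", tcp_signature_verify(src, dst,
          build_segment(src, dst, 40000, 179, 1000, 0, 0x02, b""), key))
    print(stats)
```

The parser bounds-checks every option before trusting its length, because this code sits in the receive path before the connection is accepted and is reachable by any peer; the digest comparison is constant-time for the same reason.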