Date: Thu, 31 Jan 2008 07:58:40 +0200
From: "Niki Denev" <nike_d@cytexbg.com>
To: "Bruce M. Simpson" <bms@freebsd.org>
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, Ingo Flaschberger <if@xip.at>, freebsd-net@freebsd.org
Subject: Re: tcp-md5 check for incomming connection
Message-ID: <2e77fc10801302158y7e4d0764s96669bf2dc44881e@mail.gmail.com>
In-Reply-To: <47A15A67.9000605@FreeBSD.org>
References: <alpine.LFD.1.00.0801291905020.17757@filebunker.xip.at> <479FF09B.4050705@FreeBSD.org> <20080130083105.S36482@maildrop.int.zabbadoz.net> <alpine.LFD.1.00.0801310106400.723@filebunker.xip.at> <47A15A67.9000605@FreeBSD.org>
On Jan 31, 2008 7:19 AM, Bruce M. Simpson <bms@freebsd.org> wrote:
> The bigger issue w/tcp-md5 is getting security policy 'right'.
> bz has more IPSEC hacking experience than I, so I defer to his advice in
> this area.
>
> The way the socket option was originally specified was that once it was
> set, all further activity on the socket had to be tcp-md5'd. For an
> outgoing connect() this is pretty much assumed in the beginning. For a
> listen() and bind(), it means all further sessions on that port must use
> tcp-md5 to be accepted.
>
> However this obviously poses problems if you want to be able to accept
> connections on the same port from non tcp-md5 peers. And for BGP, which
> can open the underlying tcp session in either direction ('passive open',
> jittered) it's also important that the tcp-md5 state of the socket is in
> sync with the routing process's notion of policy.
>
> ospf sidestepped all this by using raw IP datagrams, so there was no
> need to implement authentication in the network transport layer.
>
> So, the SPD seems like the way to go! Trouble is, routing daemons aren't
> IPSEC daemons, nor do they speak the RFC specified protocol for this,
> PF_KEY. I toyed with the idea of rolling one for XORP but there hasn't
> been any demand.
>

OpenBGPD on OpenBSD seems to do exactly this. It supports the PF_KEY interface and one can configure either TCP_MD5_SIG or IPSEC security associations for the bgp peers right in the bgpd.conf config file.

--
Niki
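As an added illustration of the per-peer policy Niki describes (this fragment is not from the thread and not from the OpenBGPD project; the AS numbers, addresses and password are constructed placeholders), a bgpd.conf excerpt that selects TCP MD5 signatures for one neighbor and IKE-negotiated IPsec AH for another, so that the transport-layer authentication choice lives with the routing daemon's own notion of the peer rather than in a separate socket-wide setting:

```conf
# Constructed example: two BGP neighbors with different authentication policy.
AS 65000
router-id 192.0.2.1

# Peer 1: TCP MD5 signature option (RFC 2385). bgpd installs the
# matching SA through PF_KEY itself, so no manual setkey entry is needed.
neighbor 192.0.2.2 {
	remote-as 65001
	descr "md5-peer (constructed)"
	tcp md5sig password "placeholder-shared-secret"
}

# Peer 2: IPsec AH with keys negotiated by IKE instead of TCP MD5.
neighbor 192.0.2.3 {
	remote-as 65002
	descr "ipsec-peer (constructed)"
	ipsec ah ike
}
```

The point a practitioner will want to verify is that the policy is actually enforced per peer: after bgpd loads this file, the installed security associations for each neighbor address can be inspected from the kernel side (for example with `setkey -D`), and a session from an unlisted or unauthenticated source on port 179 should not complete, while the two configured neighbors negotiate normally.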