From owner-freebsd-net@FreeBSD.ORG Thu Jan 31 05:58:41 2008
Message-ID: <2e77fc10801302158y7e4d0764s96669bf2dc44881e@mail.gmail.com>
Date: Thu, 31 Jan 2008 07:58:40 +0200
From: "Niki Denev"
Sender: ndenev@gmail.com
To: "Bruce M. Simpson"
Cc: "Bjoern A. Zeeb", Ingo Flaschberger, freebsd-net@freebsd.org
Subject: Re: tcp-md5 check for incomming connection
In-Reply-To: <47A15A67.9000605@FreeBSD.org>
References: <479FF09B.4050705@FreeBSD.org> <20080130083105.S36482@maildrop.int.zabbadoz.net> <47A15A67.9000605@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

On Jan 31, 2008 7:19 AM, Bruce M. Simpson wrote:
> The bigger issue w/tcp-md5 is getting security policy 'right'.
> bz has more IPSEC hacking experience than I, so I defer to his advice in
> this area.
>
> The way the socket option was originally specified was that once it was
> set, all further activity on the socket had to be tcp-md5'd. For an
> outgoing connect() this is pretty much assumed in the beginning. For a
> listen() and bind(), it means all further sessions on that port must use
> tcp-md5 to be accepted.
>
> However, this obviously poses problems if you want to be able to accept
> connections on the same port from non-tcp-md5 peers. And for BGP, which
> can open the underlying tcp session in either direction ('passive open',
> jittered) it's also important that the tcp-md5 state of the socket is in
> sync with the routing process's notion of policy.
>
> ospf sidestepped all this by using raw IP datagrams, so there was no
> need to implement authentication in the network transport layer.
>
> So, the SPD seems like the way to go! Trouble is, routing daemons aren't
> IPSEC daemons, nor do they speak the RFC-specified protocol for this,
> PF_KEY. I toyed with the idea of rolling one for XORP but there hasn't
> been any demand.
>

OpenBGPD on OpenBSD seems to do exactly this. It supports the PF_KEY
interface and one can configure either TCP_MD5_SIG or IPSEC security
associations for the bgp peers right in the bgpd.conf config file.

--
Niki
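As an added illustration of the per-peer configuration Niki refers to (an example written for this archive page, not taken from the thread or from the OpenBGPD project's own documentation), the bgpd.conf fragment below declares three neighbors: one authenticated with the TCP-MD5 signature option, one protected by an IPsec AH association negotiated by IKE, and one with manually keyed AH SAs. The AS numbers, the 192.0.2.0/24 addresses (RFC 5737 documentation range), the SPIs and the secrets are constructed placeholders; the keywords follow bgpd.conf(5) as I recall them, so check them against the manual page of the bgpd version actually in use.

```conf
# Constructed bgpd.conf fragment for illustration only (not from the thread).
# Addresses are from the 192.0.2.0/24 documentation range; AS numbers,
# SPIs and keys are placeholders and must be replaced.
AS 65000
router-id 192.0.2.1

# Peer authenticated with the TCP-MD5 signature option (RFC 2385).
# The daemon hands the key to the kernel through PF_KEY, so the secret is
# bound to this neighbor's address rather than to every session on port 179,
# which is the policy mismatch discussed in the quoted message.
neighbor 192.0.2.2 {
	remote-as 65001
	descr "md5-peer"
	tcp md5sig password example-md5-secret-change-me
}

# Peer protected by an IPsec AH security association instead of TCP-MD5;
# "ike" leaves SA negotiation and rekeying to the IKE daemon.
neighbor 192.0.2.3 {
	remote-as 65002
	descr "ipsec-ike-peer"
	ipsec ah ike
}

# Same protection with static SPIs and keys installed via PF_KEY, for a peer
# that has no IKE daemon. SHA1 keys are 20 bytes (40 hex digits); the two
# directions use different SPIs and different keys.
neighbor 192.0.2.4 {
	remote-as 65003
	descr "ipsec-manual-peer"
	ipsec ah in  spi 1000 sha1 0x0102030405060708090a0b0c0d0e0f1011121314
	ipsec ah out spi 1001 sha1 0x14131211100f0e0d0c0b0a090807060504030201
}
```

The design point relative to the quoted message is that the routing daemon, not the application socket, owns the authentication policy: a peer is either an MD5 peer, an IPsec peer or an unauthenticated one, and the kernel state is installed per neighbor address, so the "all sessions on this port must be tcp-md5'd" semantics of the socket option never has to match a mixed set of peers. On FreeBSD the corresponding split is that the per-peer key lives in the SADB (loaded with setkey(8) using the tcp-md5 algorithm) while the socket only carries the TCP_MD5SIG flag.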