From: othermark
To: freebsd-net@freebsd.org
Date: Tue, 20 Sep 2005 07:51:32 -0700
Subject: rfc2385 (tcp md5 checksums) in -current broken?
List-Id: Networking and TCP/IP with FreeBSD

I am posting this to -net since I got zip response on -current...

Hi,

I'm testing rfc2385 support with some of our equipment with current as of a few days ago, and the support seems, well, rather broken.
I have the following options in my kernel

    options TCP_SIGNATURE   #include support for RFC 2385
    options FAST_IPSEC
    device  crypto

and have loaded the following entry via setkey:

    add 172.16.17.1 172.16.18.164 tcp 0x1000 -A tcp-md5 "password" ;

but when I dump a test link to the inetd tcp echo server, I get no connection. The dump shows the sending box 172.16.18.164 has the correct signature for the shared secret (with the tcpdump -M option), but the FreeBSD box's response shows invalid.

    12:46:25.377320 IP 172.16.18.164.50850 > 172.16.17.1.echo: S 371298114:371298114(0) win 4380
    12:46:25.377401 IP 172.16.17.1.echo > 172.16.18.164.50850: S 3974454780:3974454780(0) ack 371298115 win 65535

Now it could be that the tcp stack is just sending garbage for the MD5 option when it receives it on a socket that doesn't have some sort of socket option configured (which would be bad).

othermark
atkin901 at nospam dot yahoo dot com
(!wired)?(coffee++):(wired);
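The check that tcpdump -M performs on each segment of that trace, written out as an added Python example (not code from the original post, from tcpdump or from FreeBSD): the RFC 2385 digest is MD5 over the TCP pseudo-header, the fixed 20-byte TCP header with its checksum zeroed, the payload (options excluded) and the shared key, and it is compared with the 16 bytes carried in option kind 19. The constructed SYN reuses the addresses, ports, sequence number and key "password" from the post; the option layout (two NOPs before the 18-byte option) is an assumption, not taken from the trace.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_NOP, TCPOPT_MD5SIG = 1, 19     # RFC 2385: option kind 19, total length 18

def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed header (checksum zeroed), payload, key."""
    data_off = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    # Options are not covered; the checksum field is taken as zero.
    fixed = bytes(segment[:16]) + b"\x00\x00" + bytes(segment[18:20])
    return hashlib.md5(pseudo + fixed + bytes(segment[data_off:]) + key).digest()

def find_md5_option(segment):
    """Return the 16-byte digest carried in a kind-19 option, or None."""
    data_off = (segment[12] >> 4) * 4
    opts, i = segment[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                     # truncated or malformed option
        if kind == TCPOPT_MD5SIG and opts[i + 1] == 18:
            return bytes(opts[i + 2:i + 18])
        i += opts[i + 1]
    return None

def verify_tcp_md5(src_ip, dst_ip, segment, key):
    """True only if the segment carries a kind-19 option that matches the key."""
    carried = find_md5_option(segment)
    if carried is None:
        return False
    return hmac.compare_digest(carried, rfc2385_digest(src_ip, dst_ip, segment, key))

def build_signed_syn(src_ip, dst_ip, sport, dport, seq, key, window=4380):
    """Constructed SYN: 20-byte header, two NOPs, then the 18-byte option (40 bytes)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x02, window, 0, 0)
    opts = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, 18]) + bytes(16)
    digest = rfc2385_digest(src_ip, dst_ip, header + opts, key)  # placeholder not covered
    return header + opts[:4] + digest
```

Because the pseudo-header is part of the digest, the reply from 172.16.17.1 must be verified with the addresses swapped; a digest that only validates one way is the symptom the trace above shows.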