From owner-freebsd-net@FreeBSD.ORG Thu Jan 31 10:02:37 2008
Message-ID: <47A19CC2.4070609@freebsd.org>
Date: Thu, 31 Jan 2008 11:02:42 +0100
From: Andre Oppermann <andre@freebsd.org>
To: Ingo Flaschberger
Cc: "Bjoern A. Zeeb", "Bruce M. Simpson", freebsd-net@freebsd.org
References: <479FF09B.4050705@FreeBSD.org> <20080130083105.S36482@maildrop.int.zabbadoz.net>
Subject: Re: tcp-md5 check for incoming connection
List-Id: Networking and TCP/IP with FreeBSD

Ingo Flaschberger wrote:
> Dear Bjoern, Bruce,
>
> Looking through linux, netbsd and Bruce's old patch
> (which works with minimal modification on my freebsd 6.2)
> I have 3 ideas how md5 could be integrated.
>
> 1) netbsd method:
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_input.c?rev=1.277&content-type=text/x-cvsweb-markup
>
> Look for TCP_SIGNATURE.
> The main code part is handled in tcp_dooptions.
> They have modified the return value of tcp_dooptions from void to
> int. If md5 fails, -1 is returned (only md5 uses this return
> feature) and in tcp_input the return value of
> tcp_dooptions is checked and handled.
> -> for freebsd: change the return value of tcp_dooptions and
> add a little logic to the tcp_input function.

Please do not use this method. tcp_dooptions should not have any
side-effects other than parsing the tcp options. It sets a flag if
TCPOPT_SIGNATURE was detected and gives you the pointer to the hash
in to_signature.

> 2) linux method:
> Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
> (sorry no weblink..)
> They check and block md5-packets early in tcp_v4_do_rcv.
> afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
> -> for Freebsd: place some logic early in the tcp_input function
> and call a new function to check md5.

IMHO calling a special function that does the check (like in
tcp_output) is the way to go. This function should be run as late
as possible after the other segment validity checks to prevent easy
cpu exhaustion attacks with packets that only get the port numbers
right. In tcp_new there is a natural place to perform the check.
tcp_input will show up this weekend. This doesn't prevent your work
on the current code at all as tcp_new won't show up in -current for
a long time and when it does it will not get MFC'd.

> 3) Bruce's extended method:
> http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
> Use his code and add similar checks at several places in the
> tcp_input function.
>
> Options:
> *) enable/disable it via sysctl
> *) count total, good and bad packets via sysctl

This belongs in struct tcpstat, not a new sysctl.

--
Andre
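The check ordering Andre argues for, as an added illustration that is not FreeBSD code and not from anyone in this thread: a simplified tcp_input that rejects on port/address mismatch and out-of-window sequence numbers first, and only then calls a separate signature-verification function, so that spoofed segments which merely guess the ports never cost a digest computation. The RFC 2385 MD5 is replaced by a stand-in FNV-1a digest over the same fields, and the counter names are assumed, modelled on the struct tcpstat style.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not FreeBSD code: cheap segment checks first, expensive signature check last. */
struct tcpstat { unsigned long tcps_sig_rcvgoodsig, tcps_sig_rcvbadsig, tcps_sig_err_nosigopt, digests_computed; };
struct seg { uint32_t src, dst; uint16_t sport, dport; uint32_t seq; bool has_sig; uint64_t sig; const char *data; size_t len; };
struct tcb { uint32_t faddr; uint16_t lport, fport; uint32_t rcv_nxt, rcv_wnd; const char *key; };
enum verdict { SEG_ACCEPT, SEG_DROP_NOPORT, SEG_DROP_WINDOW, SEG_DROP_NOSIG, SEG_DROP_BADSIG };

/* Stand-in for the RFC 2385 MD5: FNV-1a over pseudo-header, TCP header fields, payload and key, in that order. */
static uint64_t toy_digest(const struct seg *s, const char *key) {
    uint64_t h = 1469598103934665603ULL;
#define MIX(p, n) do { const unsigned char *b = (const unsigned char *)(p); \
    for (size_t i = 0; i < (n); i++) { h ^= b[i]; h *= 1099511628211ULL; } } while (0)
    MIX(&s->src, sizeof s->src); MIX(&s->dst, sizeof s->dst);
    MIX(&s->sport, sizeof s->sport); MIX(&s->dport, sizeof s->dport); MIX(&s->seq, sizeof s->seq);
    MIX(s->data, s->len); MIX(key, strlen(key));
#undef MIX
    return h;
}

/* The separate check function (like the signing path in tcp_output), keeping tcpstat-style counters. */
static enum verdict tcp_signature_verify(const struct tcb *tp, const struct seg *s, struct tcpstat *st) {
    if (!s->has_sig) { st->tcps_sig_err_nosigopt++; return SEG_DROP_NOSIG; }
    st->digests_computed++;                       /* this is the expensive step we want to reach last */
    if (toy_digest(s, tp->key) != s->sig) { st->tcps_sig_rcvbadsig++; return SEG_DROP_BADSIG; }
    st->tcps_sig_rcvgoodsig++;
    return SEG_ACCEPT;
}

/* Simplified tcp_input: only segments that match the connection and land in the window pay for a digest. */
enum verdict tcp_input_sim(const struct tcb *tp, const struct seg *s, struct tcpstat *st) {
    if (s->dport != tp->lport || s->sport != tp->fport || s->src != tp->faddr) return SEG_DROP_NOPORT;
    if (s->seq - tp->rcv_nxt >= tp->rcv_wnd) return SEG_DROP_WINDOW;   /* modular compare: outside the window */
    return tcp_signature_verify(tp, s, st);
}

/* Builds a correctly signed segment for the sending side (constructed test data). */
void sign_seg(struct seg *s, const char *key) { s->has_sig = true; s->sig = toy_digest(s, key); }
```

Feeding the same set of segments through a version that verifies first would show digests_computed rising for every port-guessing packet, which is exactly the CPU exhaustion the ordering avoids.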