From owner-freebsd-net@FreeBSD.ORG Thu Jan 31 12:15:15 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8FC6016A41B for ; Thu, 31 Jan 2008 12:15:15 +0000 (UTC) (envelope-from if@xip.at)
Received: from chile.gbit.at (ns1.xip.at [193.239.188.99]) by mx1.freebsd.org (Postfix) with ESMTP id E0B1013C45B for ; Thu, 31 Jan 2008 12:15:14 +0000 (UTC) (envelope-from if@xip.at)
Received: (qmail 12005 invoked from network); 31 Jan 2008 13:15:12 +0100
Received: from unknown (HELO filebunker.xip.at) (86.59.10.180) by chile.gbit.at with (DHE-RSA-AES256-SHA encrypted) SMTP; 31 Jan 2008 13:15:12 +0100
Date: Thu, 31 Jan 2008 13:15:12 +0100 (CET)
From: Ingo Flaschberger
To: Andre Oppermann
In-Reply-To: <47A19CC2.4070609@freebsd.org>
Message-ID:
References: <479FF09B.4050705@FreeBSD.org> <20080130083105.S36482@maildrop.int.zabbadoz.net> <47A19CC2.4070609@freebsd.org>
User-Agent: Alpine 1.00 (LFD 882 2007-12-20)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: "Bjoern A. Zeeb", "Bruce M. Simpson", freebsd-net@freebsd.org
Subject: Re: tcp-md5 check for incomming connection
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Thu, 31 Jan 2008 12:15:15 -0000

Dear Andre,

>> 2) linux method:
>> Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
>> (sorry no weblink..)
>> They check and block md5-packets early in tcp_v4_do_rcv.
>> afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
>> -> for FreeBSD: place some logic early in tcp_input function
>> and call a new function to check md5.
>
> IMHO calling a special function that does the check (like in tcp_output)
> is the way to go. This function should be run as late as possible after
> the other segment validity checks to prevent easy cpu exhaustion attacks
> with packets that only get the port numbers right.
>
> In tcp_new there is a natural place to perform the check. tcp_input will
> show up this weekend. This doesn't prevent your work on the current code
> at all as tcp_new won't show up in -current for a long time and when it
> does it will not get MFC'd.

Ok. I will do the first patch for FreeBSD 6.2 (as my system uses it) and
then do a port to current (and I think 6.3 too).

Regarding Bruce: I would prefer to implement md5 via the old setkey API,
as I also have to do my daily business.

>> 3) Bruce extended method:
>> http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
>> Use his code and add similar checks at several places in the
>> tcp_input function.
>>
>> Options:
>> *) enable/disable it via sysctl
>> *) count total, good and bad packets via sysctl
>
> This belongs into struct tcpstat, not a new sysctl.

Ok. With which tool can these counters be read?
Should I add the on/off feature? Via which tool?

Kind regards,
	Ingo
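To make the ordering Andre asks for concrete (structural checks and the key lookup first, the MD5 only on segments that survive them) and to show what total/good/bad counters of the kind Ingo proposes would tally, here is a user-space Python model of the RFC 2385 signature check. It is an added example for this thread, not code from the FreeBSD or Linux kernels and not Ingo's or Bruce's patch. The key store keyed by source and destination address, the verdict strings, the decision to pass signed segments from peers that have no key configured as ordinary unsigned traffic, the placement of the counters in a plain dict, and the BGP-style sample segments are all assumptions constructed for the example; the TCP checksum is left zero because the digest covers it as zero anyway.

```python
"""User-space model of an RFC 2385 TCP-MD5 check on the receive path (added example)."""
import hashlib
import hmac
import socket
import struct
from typing import Dict, List, Optional, Tuple

TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19      # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18     # kind, length and a 16-byte MD5 digest
TCP_HDR_LEN = 20           # fixed TCP header, options excluded

KeyStore = Dict[Tuple[str, str], bytes]   # assumption: keys per (src_ip, dst_ip)


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: saddr, daddr, zero, protocol, TCP segment length (options and data included)
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5(pseudo-header || 20-byte TCP header with checksum zeroed || data || key).
    The option bytes themselves are not covered, which is what lets the digest be written into them."""
    doff = (segment[12] >> 4) * 4
    hdr = segment[:16] + b"\x00\x00" + segment[18:TCP_HDR_LEN]
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, len(segment)))
    m.update(hdr)
    m.update(segment[doff:])          # payload only; options skipped
    m.update(key)
    return m.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, win, payload, key) -> bytes:
    """Sender side: header + signature option (padded with two NOPs) + payload, checksum left zero."""
    doff = (TCP_HDR_LEN + TCPOLEN_SIGNATURE + 2) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, win, 0, 0)
    opt = struct.pack("!BB", TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE) + bytes(16) + bytes([TCPOPT_NOP, TCPOPT_NOP])
    digest = tcp_md5_digest(src_ip, dst_ip, hdr + opt + payload, key)
    return hdr + opt[:2] + digest + opt[18:] + payload


def find_signature(segment: bytes) -> Optional[bytes]:
    """Walk the option list; return the 16-byte digest or None. Raises ValueError on a malformed list."""
    opts = segment[TCP_HDR_LEN:(segment[12] >> 4) * 4]
    i, sig = 0, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # EOL
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            raise ValueError("bad option length")
        if kind == TCPOPT_SIGNATURE:
            if olen != TCPOLEN_SIGNATURE:
                raise ValueError("bad signature option length")
            sig = opts[i + 2:i + olen]
        i += olen
    return sig


def verify_incoming(segment: bytes, src_ip: str, dst_ip: str, keys: KeyStore, stats: Dict[str, int]) -> str:
    """Receive-path check: cheapest tests first, the MD5 last, so a flood of segments that only
    get the ports right is dropped before any hashing is done."""
    if len(segment) < TCP_HDR_LEN:                      # 1. structural sanity, no key lookup yet
        return "malformed"
    doff = (segment[12] >> 4) * 4
    if doff < TCP_HDR_LEN or doff > len(segment):
        return "malformed"
    try:
        sig = find_signature(segment)
    except ValueError:
        return "malformed"
    key = keys.get((src_ip, dst_ip))                    # 2. is this a keyed peer at all? (assumption: per-address keys)
    if key is None:
        return "no-key"
    stats["total"] += 1                                 # counters in the spirit of struct tcpstat (assumption: a dict here)
    if sig is None:                                     # 3. keyed peer, option missing: drop without hashing
        stats["bad"] += 1
        return "unsigned"
    if hmac.compare_digest(sig, tcp_md5_digest(src_ip, dst_ip, segment, key)):   # 4. only now pay for MD5
        stats["good"] += 1
        return "good"
    stats["bad"] += 1
    return "bad"


def demo() -> Tuple[List[str], Dict[str, int]]:
    """Constructed sample traffic (not a capture): a BGP KEEPALIVE from 192.0.2.1:179 to 192.0.2.2:40001."""
    src, dst, key = "192.0.2.1", "192.0.2.2", b"s3cr3t-bgp-key"
    keys: KeyStore = {(src, dst): key}
    stats = {"total": 0, "good": 0, "bad": 0}
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"
    signed = build_signed_segment(src, dst, 179, 40001, 1000, 2000, 0x18, 65535, keepalive, key)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])                       # payload bit flipped after signing
    unsigned = struct.pack("!HHIIBBHHH", 179, 40001, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + keepalive
    verdicts = [
        verify_incoming(signed, src, dst, keys, stats),                       # good
        verify_incoming(tampered, src, dst, keys, stats),                     # bad
        verify_incoming(signed, src, dst, {(src, dst): b"wrong-key"}, stats), # bad: key mismatch
        verify_incoming(unsigned, src, dst, keys, stats),                     # unsigned, counted as bad
        verify_incoming(signed, "198.51.100.9", dst, keys, stats),            # no key for that peer
        verify_incoming(b"\x00" * 8, src, dst, keys, stats),                  # malformed, never hashed or counted
    ]
    return verdicts, stats


if __name__ == "__main__":
    print(demo())
```

Running it prints the six verdicts in order ("good", "bad", "bad", "unsigned", "no-key", "malformed") and the counters total=4, good=1, bad=3. Note that the truncated segment and the segment from an unkeyed peer never reach hashlib at all, which is the whole point of putting the MD5 last; and because the digest is computed with the checksum field zeroed, a verifier that runs after the checksum has already been validated (or, in this model, with any value in those two bytes) gets the same answer.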