Date: Fri, 22 Apr 2005 04:12:41 -0700
From: Bruce M Simpson <bms@spc.org>
To: Paul Saab <ps@FreeBSD.org>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet tcp_syncache.c
Message-ID: <20050422111241.GD818@empiric.icir.org>
In-Reply-To: <200504212009.j3LK992c044126@repoman.freebsd.org>
On Thu, Apr 21, 2005 at 08:09:09PM +0000, Paul Saab wrote:
> Log:
> Fix for 2 bugs related to TCP Signatures :

Thanks for committing this, however I would have appreciated a ping before putting it in.

The risk is that it may break existing applications; whilst it follows the letter of the RFC, and that is good, we need to refactor the granularity of how TCP-MD5 security associations work in order to not break sessions with peers which don't speak TCP-MD5.

Currently the implementation only allows for a single key per distinct peer IP address. For running LDP as well as BGP in an MPLS setup, this isn't going to work.

I have had initial (buggy) patches for this which push the logic into the SPD rather than the SADB, which is probably the best way forward. At the moment I don't have free cycles to deal with this. If anyone is interested in taking this task on in the meantime then please do contact me.

Regards,
BMS
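The granularity problem described in the message above, as an added illustration that is not FreeBSD code and not part of the original thread: a security-association table keyed on the peer address alone is contrasted with a hypothetical policy table whose selector also includes the local port. The segment fields, key bytes and the `lookup_*`/`accept_segment` helpers are constructed for this example; the well-known ports for BGP (179) and LDP (646) are real. Only the "SA applies, option absent, discard" rule of RFC 2385 is modelled; digest verification itself is out of scope.

```python
# Added example (not FreeBSD's implementation): why a TCP-MD5 key bound to
# the peer IP alone breaks an unsigned session to the same peer, and how a
# finer-grained selector avoids it.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BGP_PORT = 179  # well-known BGP port
LDP_PORT = 646  # well-known LDP port


@dataclass(frozen=True)
class Segment:
    """Constructed stand-in for the fields a receiver inspects on arrival."""
    peer_ip: str
    local_port: int
    has_md5_option: bool


# Granularity 1: one key per distinct peer address, as the message describes.
PerPeerSADB = Dict[str, bytes]

# Granularity 2 (hypothetical): the selector is (peer address, local port),
# so BGP and LDP sessions with the same peer carry independent policy.
PerSessionSPD = Dict[Tuple[str, int], Optional[bytes]]


def lookup_per_peer(sadb: PerPeerSADB, seg: Segment) -> Optional[bytes]:
    """Key lookup when the only selector is the peer address."""
    return sadb.get(seg.peer_ip)


def lookup_per_session(spd: PerSessionSPD, seg: Segment) -> Optional[bytes]:
    """Key lookup when the selector also distinguishes the local service port."""
    return spd.get((seg.peer_ip, seg.local_port))


def accept_segment(key: Optional[bytes], seg: Segment) -> bool:
    """RFC 2385 receive rule as modelled here: if an association applies to
    the segment, the option must be present (digest checking omitted);
    if none applies, the segment is passed through unsigned."""
    if key is None:
        return True
    return seg.has_md5_option


# Constructed scenario: one peer speaks TCP-MD5 on its BGP session only,
# and plain TCP on its LDP session.
PEER = "192.0.2.1"  # documentation address, constructed
KEY = b"constructed-shared-secret"
BGP_SIGNED = Segment(PEER, BGP_PORT, has_md5_option=True)
LDP_UNSIGNED = Segment(PEER, LDP_PORT, has_md5_option=False)


def verdicts_per_peer() -> Dict[str, bool]:
    """Per-peer keying: the LDP session inherits the BGP key and is dropped."""
    sadb: PerPeerSADB = {PEER: KEY}
    return {
        "bgp_signed": accept_segment(lookup_per_peer(sadb, BGP_SIGNED), BGP_SIGNED),
        "ldp_unsigned": accept_segment(lookup_per_peer(sadb, LDP_UNSIGNED), LDP_UNSIGNED),
    }


def verdicts_per_session() -> Dict[str, bool]:
    """Per-session keying: only the BGP selector carries a key; LDP stays unsigned."""
    spd: PerSessionSPD = {(PEER, BGP_PORT): KEY}
    return {
        "bgp_signed": accept_segment(lookup_per_session(spd, BGP_SIGNED), BGP_SIGNED),
        "ldp_unsigned": accept_segment(lookup_per_session(spd, LDP_UNSIGNED), LDP_UNSIGNED),
    }


if __name__ == "__main__":
    print("per-peer   :", verdicts_per_peer())
    print("per-session:", verdicts_per_session())
```

With the per-peer table the unsigned LDP segment is discarded because the lookup cannot tell the two sessions apart; with the per-session selector it is accepted while the BGP session remains protected, which is the refactoring the message argues for.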