From: Bruce M Simpson
To: Noritoshi Demizu
Cc: freebsd-net@freebsd.org
Date: Sat, 16 Apr 2005 05:18:03 -0700
Subject: Re: TCP MD5 Signature option handling in tcp_syncache.c
Message-ID: <20050416121802.GB5452@empiric.icir.org>
In-Reply-To: <20050415.143521.57443821.Noritoshi@Demizu.ORG>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Apr 15, 2005 at 02:35:21PM +0900, Noritoshi Demizu wrote:
> 2. The TCP MD5 Signature option is used iff an incoming SYN has the
> TCP MD5 Signature option. However, RFC2385 says in section 2.0
> as follows.
>
> "Unlike other TCP extensions (e.g., the Window Scale option
> [RFC1323]), the absence of the option in the SYN,ACK segment must not
> cause the sender to disable its sending of signatures."
>
> I am sorry if the current behavior is intentional, but should the
> condition to turn on SCF_SIGNATURE be (tp->t_flags & TF_SIGNATURE)?

We can't make this change until we fix how security policy is implemented
for listening sockets, otherwise we end up in a situation where for example
a BGP listener can *only* accept MD5 sessions.

Thank you for the other suggested fixes, I will try to review them in more
depth when I have free time.

BMS
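The trade-off in the exchange above, as an added model that is not FreeBSD's tcp_syncache.c code: the current condition (SCF_SIGNATURE iff the SYN carried the option), the proposed condition (SCF_SIGNATURE iff the listener has TF_SIGNATURE), and a hypothetical per-listener policy of the kind the reply says is missing. The names listener_policy_t, sc_decide_*() and peer_completes() are assumptions, and the handshake outcome is simplified to "completes only if both sides agree on signing", which is how a signing peer behaves under the RFC 2385 text quoted above.

```c
/* Added example: models the SCF_SIGNATURE decision discussed in the thread.
 * Not FreeBSD code; types and function names below are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-listener policy (the missing "security policy for
 * listening sockets"): off, accept either, or require a signed SYN. */
typedef enum { SIG_OFF, SIG_OPTIONAL, SIG_REQUIRED } listener_policy_t;

/* What the syncache entry ends up as. */
typedef enum { SC_DROP, SC_UNSIGNED, SC_SIGNED } sc_result_t;

/* Current behaviour described in the question: signature iff the SYN
 * carried the TCP MD5 option; the listener's TF_SIGNATURE is not consulted. */
sc_result_t sc_decide_current(bool tf_signature, bool syn_has_md5) {
    (void)tf_signature;
    return syn_has_md5 ? SC_SIGNED : SC_UNSIGNED;
}

/* Proposed condition: signature iff the listener has TF_SIGNATURE set,
 * regardless of what the SYN carried. */
sc_result_t sc_decide_proposed(bool tf_signature, bool syn_has_md5) {
    (void)syn_has_md5;
    return tf_signature ? SC_SIGNED : SC_UNSIGNED;
}

/* With an explicit policy the listener can say what it wants per socket. */
sc_result_t sc_decide_policy(listener_policy_t pol, bool syn_has_md5) {
    switch (pol) {
    case SIG_OFF:      return SC_UNSIGNED;                        /* option ignored */
    case SIG_REQUIRED: return syn_has_md5 ? SC_SIGNED : SC_DROP;  /* unsigned SYN rejected */
    case SIG_OPTIONAL: return syn_has_md5 ? SC_SIGNED : SC_UNSIGNED;
    }
    return SC_DROP;
}

/* Simplification: the handshake completes only if the listener's choice
 * matches the peer. A signing peer keeps signing whatever the SYN,ACK
 * carries (RFC 2385 s.2.0), and a non-signing peer never produces a digest,
 * so a mismatch means segments fail verification on one side. */
bool peer_completes(sc_result_t r, bool peer_signs) {
    if (r == SC_DROP) return false;
    return (r == SC_SIGNED) == peer_signs;
}

int main(void) {
    /* A BGP listener with TF_SIGNATURE set, contacted by a peer without MD5. */
    printf("current:  %d\n", peer_completes(sc_decide_current(true, false), false));   /* 1 */
    printf("proposed: %d\n", peer_completes(sc_decide_proposed(true, false), false));  /* 0: MD5-only */
    return 0;
}
```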