From: gnn@freebsd.org
To: Ingo Flaschberger
Cc: "Bjoern A. Zeeb", Andre Oppermann, "Bruce M. Simpson", freebsd-net@freebsd.org
Date: Fri, 01 Feb 2008 14:50:55 +0900
Subject: Re: tcp-md5 check for incomming connection
References: <479FF09B.4050705@FreeBSD.org> <20080130083105.S36482@maildrop.int.zabbadoz.net> <47A19CC2.4070609@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

At Thu, 31 Jan 2008 13:15:12 +0100 (CET),
Ingo Flaschberger wrote:
>
> Dear Andre,
>
> >> 2) linux method:
> >> Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
> >> (sorry no weblink..)
> >> They check and block md5-packets early in tcp_v4_do_rcv.
> >> afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
> >> -> for Freebsd: place some logic early in tcp_input function
> >> and call a new function to check md5.
> >
> > IMHO calling a special function that does the check (like in tcp_output)
> > is the way to go. This function should be run as late as possible after
> > the other segment validity checks to prevent easy cpu exhaustion attacks
> > with packets that only get the port numbers right.
> >
> > In tcp_new there is a natural place to perform the check. tcp_input will
> > show up this weekend. This doesn't prevent your work on the current code
> > at all as tcp_new won't show up in -current for a long time and when it
> > does it will not get MFC'd.
>
> Ok.
> I will do the first patch for freebsd 6.2 (as my system uses it) and do
> a port to current (and I think 6.3 too).
>
> Regarding Bruce:
> I would prefer to implement md5 via the old setkey api as I also have to do
> my daily business.
>
> >> 3) Bruce extended method:
> >> http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
> >> Use his code and add at several places in tcp_input function
> >> similar checks.
> >>
> >> Options:
> >> *) enable/disable it via sysctl
> >> *) count total, good and bad packets via sysctl
> >
> > This belongs into struct tcpstat, not a new sysctl.
>
> Ok.
> With which tool can these counters be read?
> Should I add the on/off feature? Via which tool?

Enable/disable via sysctl. Read via netstat.

Best,
George
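The ordering Andre asks for (MD5 verification only after the cheaper segment checks, with total/good/bad counters kept tcpstat-style) is illustrated below as an added Python model; it is not code from the thread or from FreeBSD. The RFC 2385 digest construction is real, while the peer-key table, the `stats` dict standing in for struct tcpstat counters, the IPv4-only pseudo-header and the sample segment are constructed for this example.

```python
import hashlib
import hmac
import struct
TCPOPT_SIGNATURE = 19   # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18  # kind + length + 16-byte MD5 digest

def tcp_md5_digest(src_ip, dst_ip, tcp_segment, key):
    """RFC 2385: MD5 over pseudo-header, fixed TCP header (checksum 0, no options), data, key."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_segment))
    fixed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:20]
    data = tcp_segment[(tcp_segment[12] >> 4) * 4:]
    return hashlib.md5(pseudo + fixed + data + key).digest()

def find_signature_option(tcp_segment):
    """Walk the TCP option list; return the 16-byte signature or None."""
    data_off, i = (tcp_segment[12] >> 4) * 4, 20
    while i < data_off:
        kind = tcp_segment[i]
        if kind == 0:               # EOL
            break
        if kind == 1:               # NOP
            i += 1
            continue
        if i + 1 >= data_off or tcp_segment[i + 1] < 2 or i + tcp_segment[i + 1] > data_off:
            return None             # truncated or malformed option list
        if kind == TCPOPT_SIGNATURE and tcp_segment[i + 1] == TCPOLEN_SIGNATURE:
            return tcp_segment[i + 2:i + 18]
        i += tcp_segment[i + 1]
    return None

def tcp_md5_check(src_ip, dst_ip, tcp_segment, peer_keys, stats):
    """Model of the late check in tcp_input: MD5 only for keyed peers, after the option walk."""
    key = peer_keys.get(src_ip)     # constructed peer-key table, not the kernel's SADB lookup
    if key is None:
        return True                 # no signature configured for this peer: nothing to verify
    stats["total"] += 1             # counters modelled on struct tcpstat fields
    sig = find_signature_option(tcp_segment)
    if sig is None or not hmac.compare_digest(sig, tcp_md5_digest(src_ip, dst_ip, tcp_segment, key)):
        stats["bad"] += 1
        return False                # missing or wrong signature: drop
    stats["good"] += 1
    return True

def build_signed_segment(src_ip, dst_ip, sport, dport, payload, key):
    """Constructed SYN with a valid signature; two NOPs pad options to 20 bytes, checksum left 0."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 10 << 4, 0x02, 65535, 0, 0)
    opt_head = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE])
    unsigned = hdr + opt_head + b"\x00" * 16 + b"\x01\x01" + payload
    digest = tcp_md5_digest(src_ip, dst_ip, unsigned, key)  # options are not covered, so this is final
    return hdr + opt_head + digest + b"\x01\x01" + payload
```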