From owner-freebsd-current@FreeBSD.ORG Mon Sep 19 20:00:53 2005
From: othermark
To: freebsd-current@freebsd.org
Date: Mon, 19 Sep 2005 12:56:36 -0700
Subject: rfc2385 support broken?
X-Injected-Via-Gmane: http://gmane.org/
User-Agent: KNode/0.9.2
List-Id: Discussions about the use of FreeBSD-current

Hi,

I'm testing rfc2385 support with some of our equipment with current as of a few days ago, and the support seems, well, rather broken.

I have the following options in my kernel:

options TCP_SIGNATURE #include support for RFC 2385
options FAST_IPSEC
device crypto

and have loaded the following entry via setkey:

add 172.16.17.1 172.16.18.164 tcp 0x1000 -A tcp-md5 "password" ;

but when I dump a test link to the inetd tcp echo server, I get no connection. The dump shows the sending box 172.16.18.164 has the correct signature for the shared secret (with the tcpdump -M option), but the FreeBSD box's response shows invalid.

12:46:25.377320 IP 172.16.18.164.50850 > 172.16.17.1.echo: S 371298114:371298114(0) win 4380
12:46:25.377401 IP 172.16.17.1.echo > 172.16.18.164.50850: S 3974454780:3974454780(0) ack 371298115 win 65535

Now it could be that the tcp stack is just sending garbage for the MD5 option when it receives it on a socket that doesn't have some sort of socket option configured (which would be bad).

-- 
othermark
atkin901 at nospam dot yahoo dot com
(!wired)?(coffee++):(wired);
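The post relies on tcpdump -M to decide whether each side's RFC 2385 option is "valid" or "invalid". The following is an added example, not code from the post or from FreeBSD's TCP stack, that performs the same check offline: it builds a SYN segment carrying the MD5 signature option, computes the digest exactly as RFC 2385 section 2 prescribes (pseudo-header, the fixed 20-byte TCP header with the checksum zeroed and options excluded, the payload, then the shared key), and verifies a received segment against a key. The addresses, port, sequence number, window and key are the values from the post, reused here as constructed sample data; the TCP checksum is left at zero because nothing is put on the wire.

```python
"""Added example: compute and verify the RFC 2385 TCP MD5 signature option,
the check tcpdump -M performs. Not code from the post or from FreeBSD."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MD5 = 0, 1, 19
OPT_MD5_LEN = 18  # kind (1) + length (1) + 16-byte digest
FLAG_SYN = 0x02


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 section 2: MD5 over the TCP pseudo-header, the fixed TCP
    header with checksum zeroed (options are NOT covered), the payload, and
    the shared key. 'segment' is the whole TCP header+options+data."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    data_off = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[data_off:] + key).digest()


def build_segment(sport, dport, seq, ack, flags, window,
                  src_ip, dst_ip, key, payload=b""):
    """Build a TCP segment with a signed RFC 2385 option (plus two NOPs to
    pad the option block to a 4-byte boundary). Checksum stays zero."""
    opts_len = OPT_MD5_LEN + 2
    data_off = (20 + opts_len) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_off << 4, flags, window, 0, 0)
    # Options are not part of the signed data, so a zeroed placeholder is
    # enough to get the correct segment length into the pseudo-header.
    placeholder = bytes([OPT_MD5, OPT_MD5_LEN]) + b"\x00" * 16 \
        + bytes([OPT_NOP, OPT_NOP])
    digest = tcp_md5_digest(src_ip, dst_ip, hdr + placeholder + payload, key)
    return (hdr + bytes([OPT_MD5, OPT_MD5_LEN]) + digest
            + bytes([OPT_NOP, OPT_NOP]) + payload)


def find_md5_option(segment):
    """Walk the TCP option list; return the 16-byte digest or None."""
    data_off = (segment[12] >> 4) * 4
    opts = segment[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break  # truncated option header
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break  # malformed length: stop rather than read past the block
        if kind == OPT_MD5 and length == OPT_MD5_LEN:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """tcpdump -M style verdict for one segment: valid, invalid or absent."""
    found = find_md5_option(segment)
    if found is None:
        return "absent"
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return "valid" if hmac.compare_digest(found, expected) else "invalid"


def demo():
    """Sample values from the post: the SYN from 172.16.18.164 to the echo
    port on 172.16.17.1, key "password" (constructed, not captured bytes)."""
    src, dst, key = "172.16.18.164", "172.16.17.1", b"password"
    syn = build_segment(50850, 7, 371298114, 0, FLAG_SYN, 4380, src, dst, key)
    unsigned = struct.pack("!HHIIBBHHH", 50850, 7, 371298114, 0,
                           5 << 4, FLAG_SYN, 4380, 0, 0)
    return (verify_segment(src, dst, syn, key),
            verify_segment(src, dst, syn, b"wrong-secret"),
            verify_segment(src, dst, unsigned, key))


if __name__ == "__main__":
    print(demo())  # ('valid', 'invalid', 'absent')
```

Because the signature covers the source and destination addresses, any segment the responder signs must be computed with its own addresses swapped into the pseudo-header and with the key configured for that direction; a SYN/ACK reported "invalid" by tcpdump -M means the digest in the option does not match what the key and the headers on the wire produce, which is exactly the symptom the post describes.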