From owner-freebsd-current@FreeBSD.ORG Mon Jul 21 06:57:34 2014
Date: Mon, 21 Jul 2014 08:56:16 +0200 (CEST)
Message-Id: <20140721.085616.74744313.sthaug@nethelp.no>
From: sthaug@nethelp.no
To: andrnils@gmail.com
Cc: max@mxcrypt.com, freebsd-current@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
In-Reply-To: (not preserved)
References: <20140721.074105.74747815.sthaug@nethelp.no>
List-Id: Discussions about the use of FreeBSD-current

> > > Also, the openbsd stack has some essential features missing in freebsd,
> > > like mpls and md5 auth for bgp sessions.
> >
> > I use MD5 auth for BGP sessions every day (and have been doing so for
> > several releases). One could definitely wish for better integration -
> > having to specify MD5 key both in /etc/ipsec.conf and in the Quagga
> > bgpd config is not nice. But it works.
>
> As far as I know you can only send out correctly authed stuff but not
> validate incoming. Has that changed?

Have a look at tcp_signature_verify(), called from tcp_input.c. Added
in r221023, see
http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=log

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

----------------------------------------------------------------------
Revision 221023
Modified Mon Apr 25 17:13:40 2011 UTC by attilio
File length: 106717 byte(s)
Diff to previous 220560

Add the possibility to verify MD5 hash of incoming TCP packets.
As long as this is a costly function, even when compiled in (along
with the option TCP_SIGNATURE), it can be disabled via the
net.inet.tcp.signature_verify_input sysctl.

Sponsored by: Sandvine Incorporated
Reviewed by: emaste, bz
MFC after: 2 weeks
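The check the reply points at, tcp_signature_verify(), validates the RFC 2385 TCP MD5 signature option (kind 19) on received segments. The following is an added illustration written for this page, not FreeBSD's kernel code: it builds a signed IPv4 TCP segment, walks the option list to find the signature, recomputes the digest over the pseudo-header, the fixed header with a zeroed checksum, the payload and the key (options are excluded from the hash, as RFC 2385 specifies), and compares in constant time. The `verify_input` flag models the effect of the net.inet.tcp.signature_verify_input sysctl from the commit message; the addresses, ports and key are constructed sample values, and the TCP checksum is left at zero because it does not take part in the digest.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_SIGNATURE = 19    # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18   # kind + length + 16-byte MD5 digest
IPPROTO_TCP = 6


def _pseudo_header(src, dst, segment_len):
    # IPv4 pseudo-header: src, dst, zero byte, protocol, TCP segment length (header + data)
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, segment_len)


def tcp_md5_digest(src, dst, segment, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header (checksum zeroed, options
    excluded), TCP payload, then the connection key."""
    hlen = (segment[12] >> 4) * 4          # data offset, in bytes
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"             # checksum is hashed as zero
    m = hashlib.md5()
    m.update(_pseudo_header(src, dst, len(segment)))
    m.update(bytes(fixed))
    m.update(segment[hlen:])               # payload only; options are skipped
    m.update(key)
    return m.digest()


def build_signed_segment(src, dst, sport, dport, seq, ack, payload, key):
    """Construct a PSH|ACK segment carrying a signature option padded to 20 bytes."""
    data_offset = (20 + 20) // 4           # fixed header + 20 bytes of options
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, 0x18, 65535, 0, 0)
    placeholder = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16 + b"\x00\x00"  # EOL padding
    segment = fixed + placeholder + payload
    digest = tcp_md5_digest(src, dst, segment, key)   # placeholder is not hashed, so this is final
    return segment[:22] + digest + segment[38:]


def find_signature_option(segment):
    """Walk the TCP option list and return the 16-byte digest, or None if absent/malformed."""
    hlen = (segment[12] >> 4) * 4
    opts = segment[20:hlen]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                    # truncated option header
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                    # malformed length
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def verify_incoming(src, dst, segment, key, verify_input=True):
    """Receive-side decision for a connection that requires signatures.
    verify_input=False models the sysctl being off: the option must still be
    present, but its digest is accepted without being recomputed (an assumption
    about the knob's effect, made for this illustration)."""
    sig = find_signature_option(segment)
    if sig is None:
        return False
    if not verify_input:
        return True
    expected = tcp_md5_digest(src, dst, segment, key)
    return hmac.compare_digest(sig, expected)


def demo():
    # Constructed sample: a BGP-like segment between two TEST-NET-1 addresses.
    src, dst, key = "192.0.2.1", "192.0.2.2", b"bgp-secret"
    seg = build_signed_segment(src, dst, 179, 40000, 1000, 2000, b"OPEN", key)
    ok = verify_incoming(src, dst, seg, key)                          # True
    bad_key = verify_incoming(src, dst, seg, b"wrong")                # False
    tampered = seg[:-4] + b"OPEX"                                     # payload altered in flight
    bad_payload = verify_incoming(src, dst, tampered, key)            # False
    unverified = verify_incoming(src, dst, seg, b"wrong", verify_input=False)  # True: check disabled
    return ok, bad_key, bad_payload, unverified


if __name__ == "__main__":
    print(demo())
```

The last case in `demo()` is the operational point of the sysctl: with input verification switched off, a segment with any 16 bytes in the option passes, so the knob trades the per-segment MD5 cost for the loss of the protection on the receive path.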