From owner-svn-src-user@FreeBSD.ORG Wed Mar 13 15:05:12 2013 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 33EF39A6; Wed, 13 Mar 2013 15:05:12 +0000 (UTC) (envelope-from andre@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 041C2CD6; Wed, 13 Mar 2013 15:05:12 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r2DF5BjL066258; Wed, 13 Mar 2013 15:05:11 GMT (envelope-from andre@svn.freebsd.org) Received: (from andre@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r2DF5BAF066257; Wed, 13 Mar 2013 15:05:11 GMT (envelope-from andre@svn.freebsd.org) Message-Id: <201303131505.r2DF5BAF066257@svn.freebsd.org> From: Andre Oppermann Date: Wed, 13 Mar 2013 15:05:11 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r248243 - user/andre/tcp-ao/sys/netinet X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 15:05:12 -0000 Author: andre Date: Wed Mar 13 15:05:11 2013 New Revision: 248243 URL: http://svnweb.freebsd.org/changeset/base/248243 Log: Add tcp_ao.c file to contain the implementation. Describe tcp-ao and the steps to implement it. Sponsored by: Juniper Networks Added: user/andre/tcp-ao/sys/netinet/tcp_ao.c Added: user/andre/tcp-ao/sys/netinet/tcp_ao.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/andre/tcp-ao/sys/netinet/tcp_ao.c Wed Mar 13 15:05:11 2013 (r248243) @@ -0,0 +1,52 @@ +/* + * Copyright (c) 2013 Juniper Networks + * All rights reserved. + * + * Written by Andre Oppermann + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + */ + +/* + * TCP-AO protects a TCP session and individual segments with a keyed hash + * mechanism. It is specified in RFC5925 and RFC5926. It is intended to + * eventually replace TCP-MD5 RFC2385. + * + * The implementation consists of 4 parts: + * 1. the hash implementation to sign and verify segments. + * 2. changes to the tcp input path to validate incoming segments, + * and changes to the tcp output path to sign outgoing segments. + * 3. key management in the kernel and the exposed userland API. + * 4. test programs to verify the correct operation. + * + * TODO: + * all of the above. + * + * Discussion: + * the key management can be done in two ways: via the ipsec key interface + * or through the setsockopt() api. Analyse which one is better to handle + * in the kernel and for userspace applications. + * + * legacy tcp-md5 can be brought and integrated into the tcp-ao framework. + */ +