
Re: TCP MD5 signature option (RFC2385)

To: Andi Kleen <ak@xxxxxxx>
Subject: Re: TCP MD5 signature option (RFC2385)
From: jamal <hadi@xxxxxxxxxx>
Date: Sat, 26 Jan 2002 08:23:41 -0500 (EST)
Cc: Frank Solensky <solenskyf@xxxxxxx>, <netdev@xxxxxxxxxxx>
In-reply-to: <20020126045240.A30893@wotan.suse.de>
Sender: owner-netdev@xxxxxxxxxxx

On Sat, 26 Jan 2002, Andi Kleen wrote:

> On Fri, Jan 25, 2002 at 08:44:48PM -0500, Frank Solensky wrote:
> > I noticed that the Linux stack doesn't currently support RFC2385 (MD5
> > signatures for TCP packets).  This could be useful for the zebra project
> > for authenticating BGP connections with other implementations.
> >
> > I checked various list archives and didn't see any mention of work being
> > underway on this -- what's the best way for me to proceed, download code
> > and just start implementing?
>
> TCP is not very well fitted to add a new 'go over all data in packet'
> pass. It is heavily optimized for copy-csum-and-forget in one go.
> You could add a new pass for MD5, but it would not be nice.
> As TCP MD5 is rather obscure I think I would nearly recommend not
> touching the core TCP stack for it and instead implementing it in a
> netfilter module.
>

Andi,
This is a TCP option; so should fit well in the slow path.
Of course it brings a whole new meaning to DoS;-> IIRC, not all packets
within a flow will have this option turned on.

cheers,
jamal
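As an added illustration, not part of this thread, the RFC 2385 digest as a sender-side sign and receiver-side verify in Python; the addresses, ports, payload and key below are constructed sample values, and the segment builder is a hypothetical helper for the demo.

```python
import hashlib, hmac, socket, struct

TCPOPT_MD5SIG, TCPOLEN_MD5SIG = 19, 18  # option kind and length from RFC 2385

def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    # MD5 over pseudo-header, fixed TCP header (checksum zeroed, options dropped), data, then key
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    seg_len = len(tcp_header) + len(payload)  # options still count towards the segment length
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def parse_segment(segment):
    # Split at the data offset and walk the options; off is the digest slot or None if absent/malformed
    doff = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if doff < 20 or doff > len(segment):  # malformed data offset
        return segment[:20], segment[20:], None
    hdr, payload, i = segment[:doff], segment[doff:], 20
    while i < doff:
        kind = hdr[i]
        if kind == 1:  # NOP padding
            i += 1
            continue
        if kind == 0 or i + 1 >= doff or hdr[i + 1] < 2:  # end of list, truncated or bogus length
            return hdr, payload, None
        if kind == TCPOPT_MD5SIG and hdr[i + 1] == TCPOLEN_MD5SIG and i + TCPOLEN_MD5SIG <= doff:
            return hdr, payload, i + 2
        i += hdr[i + 1]
    return hdr, payload, None

def sign_segment(src_ip, dst_ip, segment, key):
    hdr, payload, off = parse_segment(segment)
    if off is None:
        raise ValueError("segment carries no MD5 option slot")
    return hdr[:off] + rfc2385_digest(src_ip, dst_ip, hdr, payload, key) + hdr[off + 16:] + payload

def verify_segment(src_ip, dst_ip, segment, key):
    # Receiver side: constant-time compare against a digest recomputed with the local key
    hdr, payload, off = parse_segment(segment)
    if off is None:
        return False
    return hmac.compare_digest(hdr[off:off + 16], rfc2385_digest(src_ip, dst_ip, hdr, payload, key))

def build_segment(sport, dport, seq, ack, flags, payload, with_md5=True):
    # Constructed sample: 20-byte header, optional MD5 option slot, padded to a 4-byte boundary
    opts = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + b"\x00" * 16 if with_md5 else b""
    opts += b"\x00" * (-len(opts) % 4)
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, 65535, 0, 0)
    return hdr + opts + payload
```

Note that every segment carrying the option forces a full pass over the data before it can be accepted, which is the extra cost the thread is weighing.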

