Received: (from majordomo@localhost) by oss.sgi.com (8.11.2/8.11.3) id g0Q5HjJ14268 for netdev-outgoing; Fri, 25 Jan 2002 21:17:45 -0800
Received: from www.linux.org.uk (IDENT:exim@parcelfarce.linux.theplanet.co.uk [195.92.249.252]) by oss.sgi.com (8.11.2/8.11.3) with SMTP id g0Q5HfP14259 for ; Fri, 25 Jan 2002 21:17:41 -0800
Received: from pakrat by www.linux.org.uk with local (Exim 3.33 #5) id 16UKHY-00030I-00; Sat, 26 Jan 2002 04:17:36 +0000
Date: Sat, 26 Jan 2002 04:17:36 +0000
From: Chris Dukes
To: Andi Kleen
Cc: Frank Solensky , netdev@oss.sgi.com
Subject: Re: TCP MD5 signature option (RFC2385)
Message-ID: <20020126041736.Q21595@parcelfarce.linux.theplanet.co.uk>
References: <1012009515.1850.36.camel@localhost.localdomain> <20020126045240.A30893@wotan.suse.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020126045240.A30893@wotan.suse.de>; from ak@suse.de on Sat, Jan 26, 2002 at 04:52:40AM +0100
Sender: owner-netdev@oss.sgi.com
Precedence: bulk

On Sat, Jan 26, 2002 at 04:52:40AM +0100, Andi Kleen wrote:
> On Fri, Jan 25, 2002 at 08:44:48PM -0500, Frank Solensky wrote:
> > I noticed that the Linux stack doesn't currently support RFC2385 (MD5
> > signatures for TCP packets). This could be useful for the zebra project
> > for authenticating BGP connections with other implementations.
> >
> > I checked various list archives and didn't see any mention of work being
> > underway on this -- what's the best way for me to proceed, download code
> > and just start implementing?
>
> TCP is not very well fitted to add a new 'go over all data in packet'
> pass. It is heavily optimized for copy-csum-and-forget in one go.
> You could add a new pass for MD5, but it would not be nice.
> As TCP MD5 is rather obscure I think I would nearly recommend to not
> touch the core TCP stack for it and instead implement it in a netfilter module.
Odd, NetBSD and OpenBSD provide TCP_SIGNATURE as a kernel config option. I suspect that FreeBSD, BSDI, and BSD/OS do as well.

I've already asked Frank offline if what he is trying to do actually requires Linux (the "I need to get this running" factor vs. the "How about a little standardization" factor). Unfortunately, I have no idea if or how AIX, HPUX, and Solaris do TCP signatures, let alone if their API is similar to the BSD interface.

In any case, the average user should almost never need this feature to be enabled.

-- 
Chris Dukes
"Bert is apparently EEEEVIL, whereas Oscar is just a sysadmin^Wgrouch." -- gorski
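The RFC 2385 computation this thread is about, as an added example that is not code from the thread, from Linux, or from any of the BSD stacks mentioned: it signs a constructed TCP segment over the IPv4 pseudo-header, the fixed TCP header (checksum zeroed, options excluded) and the payload with a shared key, then locates option 19 on the receiving side and verifies it. The addresses, ports, payload and key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND = 19   # RFC 2385 option kind
MD5SIG_LEN = 18    # kind, length, 16-byte digest

def md5sig_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: IPv4 pseudo-header (src, dst, zero, proto 6, segment
    length), the fixed 20-byte TCP header with checksum zeroed and options
    excluded, the payload, then the shared key.  tcp_header is the whole
    header including options, so its length feeds the segment length."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Constructed TCP header carrying option 19; the TCP checksum is left
    zero because only the signature is of interest here."""
    data_offset = (20 + MD5SIG_LEN + 2) // 4          # two NOPs pad to 40 bytes
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, 65535, 0, 0)
    digest = md5sig_digest(src_ip, dst_ip, fixed + bytes(MD5SIG_LEN + 2), payload, key)
    return fixed + bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest + b"\x01\x01"

def verify_signed_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Walk the option list, find option 19 and compare digests in constant
    time; a segment without the option fails, as RFC 2385 requires once
    signatures are configured for the peer."""
    opts = tcp_header[20:(tcp_header[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return False                    # malformed option list
        if kind == MD5SIG_KIND and opts[i + 1] == MD5SIG_LEN:
            expected = md5sig_digest(src_ip, dst_ip, tcp_header, payload, key)
            return hmac.compare_digest(opts[i + 2:i + 18], expected)
        i += opts[i + 1]
    return False
```

Because the digest covers the pseudo-header, swapping the endpoint addresses or touching the payload invalidates the signature even though the option bytes are unchanged.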