On Sat, Jan 26, 2002 at 04:52:40AM +0100, Andi Kleen wrote:
> On Fri, Jan 25, 2002 at 08:44:48PM -0500, Frank Solensky wrote:
> > I noticed that Linux stack doesn't currently support RFC2385 (MD5
> > signatures for TCP packets). This could be useful for the zebra project
> > for authenticating BGP connections with other implementations.
> >
> > I checked various list archives and didn't see any mention of work being
> > underway on this -- what's the best way for me to proceed, download code
> > and just start implementing?
>
> TCP is not very well fitted to add a new 'go over all data in packet'
> pass. It is heavily optimized for copy-csum-and-forget in one go.
> You could add a new pass for MD5, but it would not be nice.
> As TCP MD5 is rather obscure I think I would nearly recommend to not
> touch the core TCP stack for it and instead implement it in a netfilter
> module.

Odd, NetBSD and OpenBSD provide TCP_SIGNATURE as a kernel config option.
I suspect that FreeBSD, BSDI, and BSD/OS do as well.

I've already asked Frank offline if what he is trying to do actually
requires Linux (The "I need to get this running" factor vs. the "How about a
little standardization" factor). Unfortunately, I have no idea if or how AIX,
HPUX, and Solaris do TCP signatures, let alone if their API is similar to
the BSD interface.

In any case, the average user should almost never need this feature to be
enabled.

--
Chris Dukes
"Bert is apparently EEEEVIL, whereas Oscar is just a sysadmin^Wgrouch."
-- gorski
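
Added example (not part of the original thread, and not code from Linux, zebra or the BSDs): the RFC 2385 digest computed in Python for one IPv4 segment, showing that the signature covers every payload byte, which is the extra full-data pass discussed above. The addresses, ports, key and helper names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG, TCPOLEN_MD5SIG = 19, 18  # RFC 2385 option kind and total length

def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, option-less TCP header, payload, then key (IPv4)."""
    hdr_len = (segment[12] >> 4) * 4  # data offset: header plus options, in bytes
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad TCP data offset")
    md5 = hashlib.md5()
    md5.update(socket.inet_aton(src_ip) + socket.inet_aton(dst_ip))
    md5.update(struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    md5.update(segment[:16] + b"\x00\x00" + segment[18:20])  # checksum as zero
    md5.update(segment[hdr_len:])  # every payload byte is read here
    md5.update(key)
    return md5.digest()

def carried_digest(segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent."""
    i, end = 20, min((segment[12] >> 4) * 4, len(segment))
    while i < end:
        kind = segment[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2 or i + segment[i + 1] > end:
            break  # malformed option, stop parsing
        if kind == TCPOPT_MD5SIG and segment[i + 1] == TCPOLEN_MD5SIG:
            return segment[i + 2:i + TCPOLEN_MD5SIG]
        i += segment[i + 1]
    return None

def verify(src_ip, dst_ip, segment, key):
    """True only if the segment carries a digest matching the shared key."""
    carried = carried_digest(segment)
    expected = rfc2385_digest(src_ip, dst_ip, segment, key)
    return carried is not None and hmac.compare_digest(carried, expected)

def build_signed_segment(src_ip, dst_ip, payload, key):
    """Constructed sample: segment to port 179, option padded with two NOPs."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 2000, 10 << 4, 0x18, 65535, 0, 0)
    unsigned = hdr + b"\x01\x01" + bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + bytes(16)
    digest = rfc2385_digest(src_ip, dst_ip, unsigned + payload, key)
    return unsigned[:-16] + digest + payload
```

Because the options are left out of the hash, the digest can be computed before the option is filled in; a receiver that does not hold the key cannot produce a segment that passes verify().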