On Sat, 26 Jan 2002, Andi Kleen wrote:
> On Fri, Jan 25, 2002 at 08:44:48PM -0500, Frank Solensky wrote:
> > I noticed that the Linux stack doesn't currently support RFC2385 (MD5
> > signatures for TCP packets). This could be useful for the zebra project
> > for authenticating BGP connections with other implementations.
> >
> > I checked various list archives and didn't see any mention of work being
> > underway on this -- what's the best way for me to proceed, download code
> > and just start implementing?
>
> TCP is not very well fitted to add a new 'go over all data in packet'
> pass. It is heavily optimized for copy-csum-and-forget in one go.
> You could add a new pass for MD5, but it would not be nice.
> As TCP MD5 is rather obscure I think I would nearly recommend to not
> touch the core TCP stack for it and instead implement it in a netfilter
> module.
>
Andi,
This is a TCP option; so should fit well in the slow path.
Of course it brings a whole new meaning to DoS;-> IIRC, not all packets
within a flow will have this option turned on;
cheers,
jamal
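
The "go over all data in packet" pass that RFC 2385 requires, sketched as an added example that is not part of this thread or of any kernel or zebra code: the digest covers the pseudo-header, the fixed TCP header with its checksum zeroed, the segment data and the shared key. The function names, addresses, ports and key are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19    # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18   # kind + length + 16-byte MD5 digest

def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, fixed header (checksum = 0), data, then key."""
    seg_len = (tcp_header[12] >> 4) * 4 + len(payload)  # header incl. options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(tcp_header[:20])                  # options are not hashed
    fixed[16:18] = b"\x00\x00"                          # checksum treated as zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def find_md5_option(tcp_header):
    """Walk the option list; return the 16-byte digest or None."""
    end = (tcp_header[12] >> 4) * 4
    if end > len(tcp_header):
        return None                                     # truncated header
    i = 20
    while i < end:
        kind = tcp_header[i]
        if kind == 0:                                   # end of option list
            break
        if kind == 1:                                   # NOP padding
            i += 1
            continue
        if i + 1 >= end or tcp_header[i + 1] < 2 or i + tcp_header[i + 1] > end:
            return None                                 # malformed option length
        if kind == TCPOPT_MD5SIG and tcp_header[i + 1] == TCPOLEN_MD5SIG:
            return bytes(tcp_header[i + 2:i + 18])
        i += tcp_header[i + 1]
    return None

def verify_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Receiver side: a segment without a valid signature is rejected."""
    received = find_md5_option(tcp_header)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(received, expected)

def sign_segment(src_ip, dst_ip, sport, dport, seq, payload, key):
    """Constructed 40-byte header: fixed part, NOP, NOP, MD5 option (checksum left 0)."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x18, 65535, 0, 0)
    opt = b"\x01\x01" + bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG])
    digest = rfc2385_digest(src_ip, dst_ip, fixed + opt + bytes(16), payload, key)
    return fixed + opt + digest
```

Every byte of the payload passes through MD5 on both send and receive, which is the extra per-segment pass discussed above.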