cvs commit: src/sys/conf files options src/sys/net pfkeyv2.h src/sys/netinet ip.h ip_output.c tcp.h tcp_input.c tcp_output.c tcp_subr.c tcp_syncache.c tcp_usrreq.c tcp_var.h src/sys/netinet6 ipsec.h src/sys/netipsec ipsec.h key.c src/share/man/man4 tcp.4

Bruce M Simpson bms at FreeBSD.org
Tue Feb 10 20:26:05 PST 2004


bms         2004/02/10 20:26:04 PST

  FreeBSD src repository

  Modified files:
    sys/conf             files options 
    sys/net              pfkeyv2.h 
    sys/netinet          ip.h ip_output.c tcp.h tcp_input.c 
                         tcp_output.c tcp_subr.c tcp_usrreq.c 
                         tcp_syncache.c tcp_var.h 
    sys/netinet6         ipsec.h 
    sys/netipsec         ipsec.h key.c 
    share/man/man4       tcp.4 
  Log:
  Initial import of RFC 2385 (TCP-MD5) digest support.
  
  This is the first of two commits; bringing in the kernel support first.
  This can be enabled by compiling a kernel with options TCP_SIGNATURE
  and FAST_IPSEC.
  
  For the uninitiated, this is a TCP option which provides for a means of
  authenticating TCP sessions which came into being before IPSEC. It is
  still relevant today, however, as it is used by many commercial router
  vendors, particularly with BGP, and as such has become a requirement for
  interconnect at many major Internet points of presence.
  
  Several parts of the TCP and IP headers, including the segment payload,
  are digested with MD5, including a shared secret. The PF_KEY interface
  is used to manage the secrets using security associations in the SADB.
  
  There is a limitation here in that as there is no way to map a TCP flow
  per-port back to an SPI without polluting tcpcb or using the SPD; the
  code to do the latter is unstable at this time. Therefore this code only
  supports per-host keying granularity.
  
  Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
  TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
  users of this feature, this will not pose any problem.
  
  This implementation is output-only; that is, the option is honoured when
  responding to a host initiating a TCP session, but no effort is made
  [yet] to authenticate inbound traffic. This is, however, sufficient to
  interwork with Cisco equipment.
  
  Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
  local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
  available from me upon request.
  
  Sponsored by:   sentex.net
  
  Revision  Changes    Path
  1.39      +33 -2     src/share/man/man4/tcp.4
  1.863     +1 -0      src/sys/conf/files
  1.429     +1 -0      src/sys/conf/options
  1.13      +4 -2      src/sys/net/pfkeyv2.h
  1.26      +12 -0     src/sys/netinet/ip.h
  1.206     +1 -0      src/sys/netinet/ip_output.c
  1.22      +3 -0      src/sys/netinet/tcp.h
  1.222     +16 -1     src/sys/netinet/tcp_input.c
  1.86      +37 -0     src/sys/netinet/tcp_output.c
  1.175     +114 -0    src/sys/netinet/tcp_subr.c
  1.53      +40 -0     src/sys/netinet/tcp_syncache.c
  1.93      +19 -0     src/sys/netinet/tcp_usrreq.c
  1.95      +25 -0     src/sys/netinet/tcp_var.h
  1.16      +2 -0      src/sys/netinet6/ipsec.h
  1.7       +1 -0      src/sys/netipsec/ipsec.h
  1.10      +18 -0     src/sys/netipsec/key.c


More information about the cvs-src mailing list