TCP-MD5 support for IPv6

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Sat Sep 13 17:42:13 UTC 2008


Hi,

I just committed IPv6 TCP-MD5 support for HEAD. This gives one the ability
to send the TCP signature, but as with IPv4 there is no input path
validation and we need to enhance the key management, etc. But that's
another story.


For now I have an additional hack that enables sending ... for IPv4
and IPv6:
- ACK from timewait
- initial RST after socket close (as long as possible)

For both changes, one needs to hack up TCP in a very bad way as we
lose the "signature flag" on the way down.
Multiple TCP exit paths do not help with this either.

Nick (thanks!) had tried it and given me tcpdumps and they looked sane.
In case you can use it as well, the patch, temporary, is here:

http://people.freebsd.org/~bz/20080913-02-tcp-md5-ack-rst.diff

This is the "more changes" I mentioned in the commit message.


Regards,
Bjoern

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

---------- Forwarded message ----------
Date: Sat, 13 Sep 2008 17:26:46 +0000 (UTC)
From: Bjoern A. Zeeb <bz at FreeBSD.org>
To: src-committers at FreeBSD.org, cvs-src at FreeBSD.org, cvs-all at FreeBSD.org
Subject: cvs commit: src/sys/netinet tcp_output.c tcp_subr.c tcp_syncache.c

bz          2008-09-13 17:26:46 UTC

   FreeBSD src repository

   Modified files:
     sys/netinet          tcp_output.c tcp_subr.c tcp_syncache.c
   Log:
   SVN rev 183001 on 2008-09-13 17:26:46Z by bz

   Implement IPv6 support for TCP MD5 Signature Option (RFC 2385)
   the same way it has been implemented for IPv4.

   Reviewed by:    bms (skimmed)
   Tested by:      Nick Hilliard (nick netability.ie) (with more changes)
   MFC after:      2 months

   Revision  Changes    Path
   1.155     +1 -8      src/sys/netinet/tcp_output.c
   1.316     +93 -24    src/sys/netinet/tcp_subr.c
   1.156     +1 -1      src/sys/netinet/tcp_syncache.c
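To make concrete what the commit puts on the wire, here is an added example (not FreeBSD's tcp_signature_compute() and not part of the mail) that computes the RFC 2385 TCP MD5 signature over an IPv6 segment using the IPv6 pseudo-header, and the receive-side check that the post says the kernel still lacks. Addresses, key and payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_TCP = 6

def build_tcp_header(sport, dport, seq, ack, flags, win, sig=bytes(16)):
    """Constructed 40-byte TCP header: 20 fixed bytes, two NOPs, then the
    kind-19 (TCP-MD5) option carrying a 16-byte digest. Data offset = 10."""
    opts = b"\x01\x01" + bytes([19, 18]) + sig
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        (10 << 12) | flags, win, 0, 0)   # checksum, urg = 0
    return fixed + opts

def tcp_md5_ipv6(src, dst, tcp_hdr, payload, key):
    """RFC 2385 digest for an IPv6 segment. Hashed in order: IPv6
    pseudo-header (src, dst, 32-bit upper-layer length, 3 zero bytes,
    next header), the fixed 20-byte TCP header with its checksum zeroed
    (options are NOT covered, so the digest is not self-referential),
    the payload, and finally the shared key."""
    if len(tcp_hdr) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    data_off = (tcp_hdr[12] >> 4) * 4            # header length incl. options
    seg_len = data_off + len(payload)            # length covers options too
    pseudo = (socket.inet_pton(socket.AF_INET6, src)
              + socket.inet_pton(socket.AF_INET6, dst)
              + struct.pack("!I", seg_len)
              + b"\x00\x00\x00" + bytes([IPPROTO_TCP]))
    fixed_hdr = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]  # zero checksum
    h = hashlib.md5()
    for part in (pseudo, fixed_hdr, payload, key):
        h.update(part)
    return h.digest()

def verify_tcp_md5_ipv6(src, dst, tcp_hdr, payload, key, received):
    """Input-path validation: recompute and compare in constant time."""
    expected = tcp_md5_ipv6(src, dst, tcp_hdr, payload, key)
    return hmac.compare_digest(expected, received)

# Constructed sample values (not from the mail or the commit).
SRC, DST = "2001:db8::1", "2001:db8::2"
KEY = b"constructed-example-key"
PAYLOAD = b"constructed BGP payload"
HDR = build_tcp_header(179, 40000, 1000, 2000, 0x18, 65535)

def sign_and_check():
    """Sender fills the option with the digest; receiver validates it."""
    sig = tcp_md5_ipv6(SRC, DST, HDR, PAYLOAD, KEY)
    on_wire = build_tcp_header(179, 40000, 1000, 2000, 0x18, 65535, sig)
    return verify_tcp_md5_ipv6(SRC, DST, on_wire, PAYLOAD, KEY, on_wire[24:40])
```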


More information about the freebsd-net mailing list