Re: tcp-md5 check for incomming connection

Dear Bjoern, Bruce,

Looking trough linux, netbsd and Bruce old patch
(which works with minimal modification at my freebsd 6.2)
I have 3 ideas how md5 could be integrated.

1) netbsd method:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_input.c?rev=1.277&content-type=text/x-cvsweb-markup
Look for TCP_SIGNATURE.
The main-code part is handled in tcp_dooptions
The have modified the return value of tcp_dooptions from void to
int. If md5 fails, -1 is returned (ony md5 use this return
feature) and in the tcp_input the return value of
tcp_dooptions is checked and handled.
-> for freebsd: change the retutn value of tcp_dooptions and
add little logic to tcp_input function.

2) linux method:
Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
(sorry no weblink..)
They check and block md5-packets early in tcp_v4_do_rcv.
afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
-> for Freebsd: place some logic early in tcp_input function
and call a new function to check md5.

3) Bruce extended method:
http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
Use his code and add at severall places in tcp_input function
similar checks.

Options:
*) enable disable it via sysctl
*) count total, good and bad packets via sysctl


Kind regards,
Ingo Flaschberger
anytwo(tm)

_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"