Date:      Thu, 31 Jan 2008 13:15:12 +0100 (CET)
From:      Ingo Flaschberger <if@xip.at>
To:        Andre Oppermann <andre@freebsd.org>
Cc:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, "Bruce M. Simpson" <bms@FreeBSD.org>, freebsd-net@freebsd.org
Subject:   Re: tcp-md5 check for incomming connection
Message-ID:  <alpine.LFD.1.00.0801311311010.4705@filebunker.xip.at>
In-Reply-To: <47A19CC2.4070609@freebsd.org>
References:  <alpine.LFD.1.00.0801291905020.17757@filebunker.xip.at> <479FF09B.4050705@FreeBSD.org> <20080130083105.S36482@maildrop.int.zabbadoz.net> <alpine.LFD.1.00.0801310106400.723@filebunker.xip.at> <47A19CC2.4070609@freebsd.org>

Dear Andre,

>> 2) linux method:
>>     Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
>>     (sorry no weblink..)
>>     They check and block md5-packets early in tcp_v4_do_rcv.
>>     afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
>>     -> for FreeBSD: place some logic early in tcp_input function
>>         and call a new function to check md5.
>
> IMHO calling a special function that does the check (like in tcp_output)
> is the way to go.  This function should be run as late as possible after
> the other segment validity checks to prevent easy cpu exhaustion attacks
> with packets that only get the port numbers right.
>
> In tcp_new there is a natural place to perform the check.  tcp_input will
> show up this weekend.  This doesn't prevent your work on the current code
> at all as tcp_new won't show up in -current for a long time and when it
> does it will not get MFC'd.

Ok.
I will do the first patch for FreeBSD 6.2 (as my system uses it) and do 
a port to current (and I think 6.3 too).

Regarding Bruce:
I would prefer to implement MD5 via the old setkey API as I also have to do 
my daily business.

>> 3) Bruce extended method:
>>     http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
>>     Use his code and add at several places in tcp_input function
>>     similar checks.
>> 
>> Options:
>>     *) enable/disable it via sysctl
>>     *) count total, good and bad packets via sysctl
>
> This belongs into struct tcpstat, not a new sysctl.

Ok.
With which tool can these counters be read?
Should I add the on/off feature? Via which tool?

Kind regards,
    Ingo
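As an added illustration of what the receive-side check discussed above has to compute (this is example code written for this page, not code from the thread, from FreeBSD or from Linux), here is a user-space Python model of the RFC 2385 TCP MD5 signature: the digest over the pseudo-header, the fixed TCP header with the checksum zeroed and options excluded, the payload and the key; an option walker that locates the kind-19 option; and a verify routine that does the cheap shape checks before any hashing and keeps the total/good/bad counters the message asks about. Assumptions: IPv4 only, the key is passed in (the SADB/setkey lookup is elided), hashlib's MD5 stands in for the kernel's, and the counter names total/good/bad are mine.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

TCPOPT_SIGNATURE = 19    # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18   # kind (1) + length (1) + 16-byte MD5 digest
TCP_HDR_LEN = 20         # fixed header, options follow


@dataclass
class TcpStat:
    """Illustrative counters (names assumed): every signed-connection segment seen, accepted, rejected."""
    total: int = 0
    good: int = 0
    bad: int = 0


def tcp_md5_digest(src_ip: bytes, dst_ip: bytes, tcp_hdr: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 digest: pseudo-header || fixed TCP header (checksum = 0, no options) || data || key."""
    seg_len = len(tcp_hdr) + len(payload)                       # TCP length incl. options
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, seg_len)
    fixed = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:TCP_HDR_LEN]  # checksum lives at bytes 16..17
    m = hashlib.md5()
    for part in (pseudo, fixed, payload, key):
        m.update(part)
    return m.digest()


def find_signature_option(tcp_hdr: bytes):
    """Walk the option area; return (offset of digest within tcp_hdr, digest) or None if absent/malformed."""
    opts = tcp_hdr[TCP_HDR_LEN:]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(opts):             # length byte missing
            return None
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            return None                    # malformed or truncated option
        if kind == TCPOPT_SIGNATURE and olen == TCPOLEN_SIGNATURE:
            return TCP_HDR_LEN + i + 2, bytes(opts[i + 2:i + olen])
        i += olen
    return None


def build_segment(sport, dport, seq, ack, flags, window, options: bytes, payload: bytes) -> bytes:
    """Constructed TCP header (checksum left 0; the digest never covers it anyway)."""
    options += b"\x00" * (-len(options) % 4)           # pad to a 32-bit boundary
    data_off = (TCP_HDR_LEN + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_off << 4, flags, window, 0, 0)
    return hdr + options


def tcp_md5_sign(src_ip, dst_ip, tcp_hdr, payload, key) -> bytes:
    """Sender side: fill the digest into an already-present (zeroed) signature option."""
    found = find_signature_option(tcp_hdr)
    if found is None:
        raise ValueError("segment carries no signature option to fill")
    off, _ = found
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key)
    return tcp_hdr[:off] + digest + tcp_hdr[off + 16:]


def tcp_md5_verify(src_ip, dst_ip, tcp_hdr, payload, key, stat: TcpStat) -> bool:
    """Receive side, for a connection that has a key configured. Cheap option checks come first so
    that a segment with only the ports right is rejected before an MD5 is computed."""
    stat.total += 1
    found = find_signature_option(tcp_hdr)
    if found is None:                      # keyed connection, no valid option: drop
        stat.bad += 1
        return False
    _, received = found
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key)
    if hmac.compare_digest(received, expected):   # constant-time comparison
        stat.good += 1
        return True
    stat.bad += 1
    return False


def demo():
    """Constructed exchange: a signed SYN, the same SYN checked with the wrong key, and an unsigned SYN."""
    key = b"bgp-secret"
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    sig_opt = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16
    syn = tcp_md5_sign(src, dst, build_segment(179, 52000, 1000, 0, 0x02, 65535, sig_opt, b""), b"", key)
    stat = TcpStat()
    ok = tcp_md5_verify(src, dst, syn, b"", key, stat)
    wrong_key = tcp_md5_verify(src, dst, syn, b"", b"not-the-key", stat)
    unsigned = tcp_md5_verify(src, dst, build_segment(179, 52000, 1000, 0, 0x02, 65535, b"", b""), b"", key, stat)
    return ok, wrong_key, unsigned, stat


if __name__ == "__main__":
    print(demo())
```

The digest is computed over the fixed 20-byte header only, so the option bytes (including the signature itself) can be filled in after hashing; the pseudo-header length, however, does include the options, which is why the option must be present (zeroed) at signing time.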



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.LFD.1.00.0801311311010.4705>