Date: Sat, 16 Apr 2005 05:18:03 -0700
From: Bruce M Simpson <bms@spc.org>
To: Noritoshi Demizu <demizu@dd.iij4u.or.jp>
Cc: freebsd-net@freebsd.org
Subject: Re: TCP MD5 Signature option handling in tcp_syncache.c
Message-ID: <20050416121802.GB5452@empiric.icir.org>
In-Reply-To: <20050415.143521.57443821.Noritoshi@Demizu.ORG>
References: <20050415.143521.57443821.Noritoshi@Demizu.ORG>
On Fri, Apr 15, 2005 at 02:35:21PM +0900, Noritoshi Demizu wrote:
> 2. The TCP MD5 Signature option is used iff an incoming SYN has the
> TCP MD5 Signature option. However, RFC2385 says in section 2.0
> as follows.
>
> "Unlike other TCP extensions (e.g., the Window Scale option
> [RFC1323]), the absence of the option in the SYN,ACK segment must not
> cause the sender to disable its sending of signatures."
>
> I am sorry if the current behavior is intentional, but should the
> condition to turn on SCF_SIGNATURE be (tp->t_flags & TF_SIGNATURE)?

We can't make this change until we fix how security policy is implemented for listening sockets; otherwise we end up in a situation where, for example, a BGP listener can *only* accept MD5 sessions.

Thank you for the other suggested fixes; I will try to review them in more depth when I have free time.

BMS