Date: Fri, 22 Apr 2005 04:12:41 -0700
From: Bruce M Simpson <bms@spc.org>
To: Paul Saab <ps@FreeBSD.org>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet tcp_syncache.c
Message-ID: <20050422111241.GD818@empiric.icir.org>
In-Reply-To: <200504212009.j3LK992c044126@repoman.freebsd.org>
References: <200504212009.j3LK992c044126@repoman.freebsd.org>
On Thu, Apr 21, 2005 at 08:09:09PM +0000, Paul Saab wrote:
> Log:
> Fix for 2 bugs related to TCP Signatures :

Thanks for committing this; however, I would have appreciated a ping before putting it in.

The risk is that it may break existing applications; whilst it follows the letter of the RFC, and that is good, we need to refactor the granularity of how TCP-MD5 security associations work in order to not break sessions with peers which don't speak TCP-MD5.

Currently the implementation only allows for a single key per distinct peer IP address. For running LDP as well as BGP in an MPLS setup, this isn't going to work.

I have had initial (buggy) patches for this which push the logic into the SPD rather than the SADB, which is probably the best way forward. At the moment I don't have free cycles to deal with this. If anyone is interested in taking this task on in the meantime then please do contact me.

Regards,
BMS