Dear Andre,

2) linux method:
    Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
    (sorry no weblink..)
    They check and block md5-packets early in tcp_v4_do_rcv.
    afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
    -> for Freebsd: place some logic early in tcp_input function
        and call a new function to check md5.

IMHO calling a special function that does the check (like in tcp_output)
is the way to go.  This function should be run as late as possible after
the other segment validity checks to prevent easy cpu exhaustion attacks
with packets that only get the port numbers right.

In tcp_new there is a natural place to perform the check.  tcp_input will
show up this weekend.  This doesn't prevent your work on the current code
at all as tcp_new won't show up in -current for a long time and when it
does it will not get MFC'd.

Ok.
I will do the first patch for FreeBSD 6.2 (as my system uses it) and do a port to current (and I think 6.3 too).

Regarding Bruce:
I would prefer to implement md5 via the old setkey api as I also have to do my daily business.

3) Bruce extended method:
    http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
    Use his code and add at several places in tcp_input function
    similar checks.

Options:
    *) enable disable it via sysctl
    *) count total, good and bad packets via sysctl

This belongs into struct tcpstat, not a new sysctl.

Ok.
With which tool can these counters be read?
Should I add the on/off feature? Via which tool?

Kind regards,
        Ingo
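The ordering Andre asks for above (cheap segment validity checks and the socket lookup first, the MD5 verification last, counters kept in a tcpstat-style structure) can be shown in a user-space model. The following is an added example, not code from this thread, the FreeBSD tree or the patch under discussion; the counter names, the `listeners` table and the sample addresses and key are this example's own constructions. It implements the RFC 2385 digest over pseudo-header, fixed TCP header with zeroed checksum, payload and key, builds SYN segments carrying the signature option, and runs them through a receive path that only spends MD5 work on segments that have already passed the cheaper checks.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19        # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18       # kind + length + 16-byte MD5 digest
IPPROTO_TCP = 6


@dataclass
class TcpStat:
    """Counters in the spirit of struct tcpstat; the member names are this example's own."""
    tcps_sig_rcvgood: int = 0       # segments whose digest verified
    tcps_sig_rcvbad: int = 0        # segments with a missing or wrong digest
    tcps_sig_total: int = 0         # segments for which a digest was actually computed
    tcps_rcv_dropearly: int = 0     # dropped by the cheap checks before any MD5 work


def tcp_signature(saddr: bytes, daddr: bytes, tcphdr: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 digest: pseudo-header, the 20-byte TCP header with checksum zeroed
    (options excluded), the segment data, then the shared key."""
    tcplen = len(tcphdr) + len(payload)                     # header incl. options + data
    pseudo = struct.pack("!4s4sBBH", saddr, daddr, 0, IPPROTO_TCP, tcplen)
    fixed = bytearray(tcphdr[:20])
    fixed[16:18] = b"\x00\x00"                              # checksum field assumed zero
    md = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, key):
        md.update(part)
    return md.digest()


def build_segment(saddr, daddr, sport, dport, seq, payload, key=None) -> bytes:
    """Construct a SYN segment; with a key, append an RFC 2385 option padded with two NOPs."""
    opts = b""
    if key is not None:
        opts = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + bytes(16) + bytes([TCPOPT_NOP] * 2)
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, 0x02, 65535, 0, 0)
    if key is not None:
        # The digest excludes options, so the zero placeholder above does not affect it.
        opts = opts[:2] + tcp_signature(saddr, daddr, hdr + opts, payload, key) + opts[18:]
    return hdr + opts + payload


def find_signature_option(opts: bytes):
    """Walk the TCP option list and return the 16-byte digest, or None if absent/malformed."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def tcp_input(saddr, daddr, segment, listeners, stat: TcpStat) -> str:
    """Receive path ordered as the thread suggests: cheap checks and the port lookup
    first, MD5 verification last. Returns a verdict string for the caller."""
    if len(segment) < 20:
        stat.tcps_rcv_dropearly += 1
        return "drop:short"
    sport, dport, seq, ack, off_byte, flags, win, csum, urp = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off_byte >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        stat.tcps_rcv_dropearly += 1
        return "drop:badoff"
    sock = listeners.get(dport)             # a segment that only gets a port right stops here
    if sock is None:
        stat.tcps_rcv_dropearly += 1
        return "drop:noport"
    key = sock.get("md5_key")
    if key is None:                         # socket does not require TCP-MD5
        return "accept"
    sig = find_signature_option(segment[20:hlen])
    if sig is None:
        stat.tcps_sig_rcvbad += 1
        return "drop:nosig"
    stat.tcps_sig_total += 1                # only now is the digest computed
    expected = tcp_signature(saddr, daddr, segment[:hlen], segment[hlen:], key)
    if not hmac.compare_digest(sig, expected):
        stat.tcps_sig_rcvbad += 1
        return "drop:badsig"
    stat.tcps_sig_rcvgood += 1
    return "accept"


if __name__ == "__main__":
    # Constructed sample: a BGP-style listener on 179 requiring a key, plain SSH on 22.
    saddr, daddr = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    listeners = {179: {"md5_key": b"example-key"}, 22: {}}
    st = TcpStat()
    for dport, key in ((179, b"example-key"), (179, b"wrong-key"), (179, None), (80, b"example-key")):
        print(dport, tcp_input(saddr, daddr, build_segment(saddr, daddr, 40000, dport, 1, b"", key), listeners, st))
    print(st)
```

On FreeBSD the struct tcpstat counters are the ones printed by netstat -s, which is where counters of this kind become visible without a new sysctl.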
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"