Are we talking of providing a socket option to turn on/off the feature?
Basically a flag, so that there is a way to override the weaker system
policy?

If this is the case, then it can be easily achievable.

OR

Are we talking of providing a socket option to push the password/keys to
be used for computing MD5 digest?

In the latter case, the server side semantics get complicated. Let's say
OpenSolaris is used as router server and has a hundred peers. Now if each
peer uses a different password, then at the route server we need to
push a hundred {peer_address, password} pairs using the socket option. Once
we are done pushing this info, we could do a lookup to get the key for a
connection. But IPsec already does these kinds of things for us, should we
again repeat the same at TCP as well?

Further, do we want to allow keys/passwords to be managed by the application
when we have utilities like ipseckey(1M) which handle manual keying and
which can be run by a user with the sys_ip_config privilege?

thanks
~Girish
_______________________________________________
networking-discuss mailing list