On (03/11/08 18:18), James Carlson wrote:
>
> Girish Moodalbail writes:
> > Are we talking of providing a socket option to turn on/off the
> > feature.
> > Basically a flag. So that there is a way to override the weaker
> > system
> > policy?
>
> If the system doesn't have the keys configured, then you can't
> meaningfully turn it "on." The only thing you can do is fail if it
> isn't available.
>
> If the system does have keys, and is configured to use TCP-MD5, then
> allowing the application to turn it off seems silly to me.
>
> I don't see a real point to an on/off switch.

Moreover, as we discussed in various hallway conversations, it's a little odd to configure ipsec policy in one way (using ipsecconf) and to configure md5 in another (via on/off switches).

> > Are we talking of providing a socket option to push the
> > password/keys to
> > be used for computing MD5 digest?
>
> Yes, I think that's what they're asking for, but that gets the client
> into the tricky business of handling sensitive key material (including
> all the configuration file problems this causes), and doesn't seem to
> be necessary.

Besides which, if the client really wants to get into the tricky business of handling the key itself, it can use PF_KEY sockets to add the key.

--Sowmini
