cvs commit: src/sys/netinet tcp_syncache.c
Bruce M Simpson
bms at spc.org
Fri Apr 22 04:12:44 PDT 2005
On Thu, Apr 21, 2005 at 08:09:09PM +0000, Paul Saab wrote:
> Fix for 2 bugs related to TCP Signatures :
Thanks for committing this, however I would have appreciated a ping before
putting it in. The risk is that it may break existing applications; whilst
it follows the letter of the RFC, and that is good, we need to refactor the
granularity of how TCP-MD5 security associations work in order to not break
sessions with peers which don't speak TCP-MD5.
Currently the implementation only allows for a single key per distinct
peer IP address. For running LDP as well as BGP in an MPLS setup, this
isn't going to work.
I have had initial (buggy) patches for this which push the logic into the
SPD rather than the SADB, which is probably the best way forward.
At the moment I don't have free cycles to deal with this. If anyone is
interested in taking this task on in the meantime then please do contact me.
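Added example, not part of this thread and not FreeBSD code: a small Python model of the granularity problem described above. It computes the RFC 2385 digest (MD5 over the IP pseudo-header, the option-less TCP header with checksum zeroed, the segment data and the key) and contrasts a lookup keyed only by peer address with a hypothetical lookup keyed by peer address plus service port, so that BGP (179) and LDP (646) to the same peer can carry different keys and a session with no matching SA is left unsigned rather than broken. The class names `SadbPerPeer` and `SadbPerService`, the addresses and the ephemeral port are all constructed for the example; the per-service lookup is a simplification, not the SPD-based design the mail mentions.

```python
import hashlib
import socket
import struct
from typing import Dict, Optional, Tuple

# Constructed sample values (RFC 5737 documentation addresses); not taken from the thread.
PEER = "192.0.2.1"
LOCAL = "192.0.2.2"
BGP_PORT = 179       # BGP listener port
LDP_PORT = 646       # LDP listener port
EPHEMERAL = 40000    # constructed local port for an active open


def tcp_base_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                    options_len: int = 0, window: int = 65535) -> bytes:
    """20-byte TCP header with checksum zeroed, as RFC 2385 feeds it to MD5.
    The data offset still counts any options the real segment carries."""
    data_offset_words = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def rfc2385_digest(src_ip: str, dst_ip: str, base_header: bytes,
                   options_len: int, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5 over the IP pseudo-header, the TCP header
    without options (checksum = 0), the segment data, and finally the key."""
    seg_len = len(base_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    return hashlib.md5(pseudo + base_header + payload + key).digest()


class SadbPerPeer:
    """Granularity the mail describes as current: one key per distinct peer address."""
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}

    def add(self, peer: str, key: bytes) -> None:
        self.keys[peer] = key  # a second key for the same peer overwrites the first

    def lookup(self, peer: str, local_port: int, peer_port: int) -> Optional[bytes]:
        return self.keys.get(peer)


class SadbPerService:
    """Hypothetical finer granularity: key selected by peer address and service port."""
    def __init__(self) -> None:
        self.keys: Dict[Tuple[str, int], bytes] = {}

    def add(self, peer: str, service_port: int, key: bytes) -> None:
        self.keys[(peer, service_port)] = key

    def lookup(self, peer: str, local_port: int, peer_port: int) -> Optional[bytes]:
        # The well-known port may sit on either side depending on who opened the session.
        return self.keys.get((peer, peer_port)) or self.keys.get((peer, local_port))


def sign_segment(sadb, local_ip: str, peer_ip: str, local_port: int, peer_port: int,
                 payload: bytes, seq: int = 1, ack: int = 0, flags: int = 0x18) -> Optional[bytes]:
    """Return the MD5 option digest for an outbound segment, or None when no SA
    matches, in which case the session runs without TCP-MD5 (the peer may not speak it)."""
    key = sadb.lookup(peer_ip, local_port, peer_port)
    if key is None:
        return None
    options_len = 20   # the MD5 option is 18 bytes, padded to a 32-bit boundary
    hdr = tcp_base_header(local_port, peer_port, seq, ack, flags, options_len)
    return rfc2385_digest(local_ip, peer_ip, hdr, options_len, payload, key)


def demo() -> Dict[str, Dict[str, Optional[bytes]]]:
    """Compare both granularities for one peer running BGP and LDP with different keys,
    plus an unrelated, unkeyed session (e.g. ssh) to the same address."""
    per_peer = SadbPerPeer()
    per_peer.add(PEER, b"bgp-secret")
    per_peer.add(PEER, b"ldp-secret")       # silently replaces the BGP key

    per_service = SadbPerService()
    per_service.add(PEER, BGP_PORT, b"bgp-secret")
    per_service.add(PEER, LDP_PORT, b"ldp-secret")

    results: Dict[str, Dict[str, Optional[bytes]]] = {}
    for name, sadb in (("per_peer", per_peer), ("per_service", per_service)):
        results[name] = {
            "bgp": sadb.lookup(PEER, EPHEMERAL, BGP_PORT),
            "ldp": sadb.lookup(PEER, EPHEMERAL, LDP_PORT),
            "other": sadb.lookup(PEER, EPHEMERAL, 22),
        }
    return results


if __name__ == "__main__":
    for model, keys in demo().items():
        print(model, keys)
```

With the per-peer table every session to the router, including the unkeyed one, ends up under whichever key was installed last; with the per-service table BGP and LDP get their own keys and the unkeyed session is left alone.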