TCP MD5 Signature option handling in tcp_syncache.c
Bruce M Simpson
bms at spc.org
Sat Apr 16 05:18:12 PDT 2005
On Fri, Apr 15, 2005 at 02:35:21PM +0900, Noritoshi Demizu wrote:
> 2. The TCP MD5 Signature option is used iff an incoming SYN has the
> TCP MD5 Signature option. However, RFC2385 says in section 2.0
> as follows.
>
> "Unlike other TCP extensions (e.g., the Window Scale option
> [RFC1323]), the absence of the option in the SYN,ACK segment must not
> cause the sender to disable its sending of signatures."
>
> I am sorry if the current behavior is intentional, but should the
> condition to turn on SCF_SIGNATURE be (tp->t_flags & TF_SIGNATURE)?
We can't make this change until we fix how security policy is implemented
for listening sockets, otherwise we end up in a situation where for example
a BGP listener can *only* accept MD5 sessions.
Thank you for the other suggested fixes; I will try to review them in more
depth when I have free time.
BMS
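To make the two positions in the thread concrete, here is an added example (not FreeBSD code and not from either poster) that parses the TCP option area of a SYN for a well-formed RFC 2385 signature option (kind 19, length 18) and then applies a hypothetical per-listener policy; the `sig_policy` enum, the `syncache_decide` function and the sample option buffers are assumptions constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TCPOPT_EOL        0
#define TCPOPT_NOP        1
#define TCPOPT_SIGNATURE  19   /* RFC 2385 option kind */
#define TCPOLEN_SIGNATURE 18   /* kind + len + 16-byte MD5 digest */

/* Hypothetical per-listener policy (not a FreeBSD socket option). */
enum sig_policy { SIG_OFF, SIG_OPTIONAL, SIG_REQUIRED };
enum syn_result { SYN_DROP, SYN_ACCEPT_PLAIN, SYN_ACCEPT_SIGNED };

/* Constructed sample TCP option areas, not captured traffic. */
static const uint8_t SYN_OPTS_SIGNED[] = {
    2, 4, 0x05, 0xb4, 1, 1,                         /* MSS 1460, NOP, NOP */
    19, 18, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0 };   /* MD5 sig (digest zeroed), EOL */
static const uint8_t SYN_OPTS_PLAIN[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7 }; /* MSS, NOP, WS */
static const uint8_t SYN_OPTS_BAD[]   = { 19, 4, 0, 0 };  /* kind 19 with a wrong length */

/* True only if a well-formed MD5 signature option is present. Malformed or
 * truncated TLVs end the scan with "absent" rather than reading past the buffer. */
bool syn_has_md5_option(const uint8_t *opts, size_t optlen)
{
    for (size_t i = 0; i < optlen; ) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) return false;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= optlen) return false;          /* no room for a length byte */
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen) return false;
        if (kind == TCPOPT_SIGNATURE && len == TCPOLEN_SIGNATURE) return true;
        i += len;
    }
    return false;
}

/* Decide per listener whether the SYN is accepted and whether the resulting
 * connection will sign (the SCF_SIGNATURE role). SIG_OPTIONAL is the behaviour
 * Demizu describes (sign iff the SYN carried the option); SIG_REQUIRED is the
 * "MD5 sessions only" case Simpson warns would otherwise be the only choice. */
enum syn_result syncache_decide(enum sig_policy policy, const uint8_t *opts, size_t optlen)
{
    bool peer_signed = syn_has_md5_option(opts, optlen);
    switch (policy) {
    case SIG_REQUIRED: return peer_signed ? SYN_ACCEPT_SIGNED : SYN_DROP;
    case SIG_OPTIONAL: return peer_signed ? SYN_ACCEPT_SIGNED : SYN_ACCEPT_PLAIN;
    default:           return SYN_ACCEPT_PLAIN;   /* SIG_OFF: option ignored */
    }
}
```

The point of the policy split is that a listener can be configured to require, permit, or ignore signatures, so tying signing to the listener's own flag (as Demizu proposes) no longer forces a BGP listener into accepting only MD5 sessions.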