tcp-md5 check for incoming connection
Ingo Flaschberger
if at xip.at
Thu Jan 31 04:15:15 PST 2008
Dear Andre,
>> 2) linux method:
>> Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
>> (sorry no weblink..)
>> They check and block md5-packets early in tcp_v4_do_rcv.
>> afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
>> -> for Freebsd: place some logic early in tcp_input function
>> and call a new function to check md5.
>
> IMHO calling a special function that does the check (like in tcp_output)
> is the way to go. This function should be run as late as possible after
> the other segment validity checks to prevent easy cpu exhaustion attacks
> with packets that only get the port numbers right.
>
> In tcp_new there is a natural place to perform the check. tcp_input will
> show up this weekend. This doesn't prevent your work on the current code
> at all as tcp_new won't show up in -current for a long time and when it
> does it will not get MFC'd.
Ok.
I will do the first patch for freebsd 6.2 (as my system uses it) and do
a port to current (and I think 6.3 too).
Regarding Bruce:
I would prefer to implement md5 via the old setkey api as I also have to do
my daily business.
>> 3) Bruce extended method:
>> http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
>> Use his code and add at several places in tcp_input function
>> similar checks.
>>
>> Options:
>> *) enable/disable it via sysctl
>> *) count total, good and bad packets via sysctl
>
> This belongs into struct tcpstat, not a new sysctl.
Ok.
With which tool can these counters be read?
Should I add the on/off feature? Via which tool?
Kind regards,
Ingo
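The receive-side check the thread is discussing, written out as an added example (this is not code from the thread, from Bruce's patch or from FreeBSD; the kernel work is C, this is a stand-alone Python model of the same logic). It computes the RFC 2385 digest (pseudo-header, fixed TCP header with checksum zeroed and options excluded, payload, shared key), walks the options for kind 19, and orders the work the way Andre suggests: peer lookup, header sanity and option presence first, the MD5 computation last, so segments that only get the ports right are rejected cheaply. The `stats` dictionary stands in for the total/good/bad counters the thread wants in struct tcpstat; its field names, the key, addresses and segment contents are all constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2385 constants: option kind 19, length 18 (kind + len + 16-byte MD5 digest)
TCPOPT_SIGNATURE = 19
TCPOLEN_SIGNATURE = 18
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCP_HDR_LEN = 20

# Stand-ins for the counters the thread proposes for struct tcpstat;
# the field names are this example's own, not FreeBSD's.
stats = {"tcps_sig_rcvtotal": 0, "tcps_sig_rcvgood": 0, "tcps_sig_rcvbad": 0}


def tcp_signature_compute(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: pseudo-header, fixed 20-byte TCP header with the checksum
    zeroed (options excluded), the payload, then the shared key."""
    doff = (segment[12] >> 4) * 4
    payload = segment[doff:]
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:TCP_HDR_LEN]  # checksum at bytes 16-17
    md = hashlib.md5()
    for part in (pseudo, fixed, payload, key):
        md.update(part)
    return md.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, payload, key=None):
    """Constructed sample SYN segment: 20-byte header, then 20 bytes of options
    (NOP, NOP, signature) when a key is given, or no options at all."""
    opt_len = 20 if key is not None else 0
    doff_words = (TCP_HDR_LEN + opt_len) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff_words << 4, 0x02, 65535, 0, 0)
    if key is None:
        return hdr + payload
    # The option bytes are excluded from the digest, so sign with a placeholder
    # option in place and splice the real digest in afterwards.
    placeholder = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16
    digest = tcp_signature_compute(src_ip, dst_ip, hdr + placeholder + payload, key)
    return hdr + placeholder[:4] + digest + payload


def find_signature_option(options):
    """Walk the TCP option block; return the 16-byte digest of a well-formed
    signature option, or None if it is absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == TCPOPT_SIGNATURE:
            return options[i + 2:i + length] if length == TCPOLEN_SIGNATURE else None
        i += length
    return None


def _reject():
    stats["tcps_sig_rcvbad"] += 1
    return "bad"


def tcp_signature_verify(src_ip, dst_ip, segment, keys):
    """keys maps (src_ip, dst_ip) -> shared key. Cheap checks run first; the
    MD5 computation is the last step, as the thread recommends."""
    key = keys.get((src_ip, dst_ip))
    if key is None:
        return "unsigned-peer"          # no MD5 configured for this peer: not our business
    stats["tcps_sig_rcvtotal"] += 1
    if len(segment) < TCP_HDR_LEN:
        return _reject()
    doff = (segment[12] >> 4) * 4
    if doff < TCP_HDR_LEN or doff > len(segment):
        return _reject()
    got = find_signature_option(segment[TCP_HDR_LEN:doff])
    if got is None:
        return _reject()                # signature required but missing: drop before hashing
    expected = tcp_signature_compute(src_ip, dst_ip, segment, key)
    if hmac.compare_digest(got, expected):
        stats["tcps_sig_rcvgood"] += 1
        return "good"
    return _reject()


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    peers = {("192.0.2.1", "192.0.2.2"): key}
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 179, b"OPEN", key)
    print(tcp_signature_verify("192.0.2.1", "192.0.2.2", seg, peers), stats)
```

The constant-time comparison (`hmac.compare_digest`) is incidental to the placement question but is what a verifier should use for the digest compare; the counters are only bumped once a peer with a configured key is involved, so unrelated traffic never inflates them.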