tcp-md5 check for incoming connection

gnn at freebsd.org
Thu Jan 31 21:50:59 PST 2008


At Thu, 31 Jan 2008 13:15:12 +0100 (CET),
Ingo Flaschberger wrote:
> 
> Dear Andre,
> 
> >> 2) linux method:
> >>     Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
> >>     (sorry no weblink..)
> >>     They check and block md5-packets early in tcp_v4_do_rcv.
> >>     afinet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
> >>     -> for Freebsd: place some logic early in tcp_input function
> >>         and call a new function to check md5.
> >
> > IMHO calling a special function that does the check (like in tcp_output)
> > is the way to go.  This function should be run as late as possible after
> > the other segment validity checks to prevent easy cpu exhaustion attacks
> > with packets that only get the port numbers right.
> >
> > In tcp_new there is a natural place to perform the check.  tcp_input will
> > show up this weekend.  This doesn't prevent your work on the current code
> > at all as tcp_new won't show up in -current for a long time and when it
> > does it will not get MFC'd.
> 
> Ok.
> I will do the first patch for freebsd 6.2 (as my system uses it) and do 
> a port to current (and I think 6.3 too).
> 
> Regarding Bruce:
> I would prefer to implement md5 via the old setkey api as I also have to do 
> my daily business.
> 
> >> 3) Bruce extended method:
> >>     http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
> >>     Use his code and add at several places in tcp_input function
> >>     similar checks.
> >> 
> >> Options:
> >>     *) enable/disable it via sysctl
> >>     *) count total, good and bad packets via sysctl
> >
> > This belongs into struct tcpstat, not a new sysctl.
> 
> Ok.
> With which tool can these counters be read?
> Should I add the on/off feature? Via which tool?
> 

Enable/disable via sysctl.

Read via netstat.

Best,
George
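The receive-side check discussed in this thread, written out as an added example; it is not code from the thread, from Ingo's patch or from FreeBSD's tcp_input. It is a user-space Python model of the RFC 2385 TCP-MD5 option on the receive path: the cheap segment validity checks (length, data offset, checksum, destination port) run first, and the MD5 digest is only computed after all of them pass, which is Andre's point about not letting packets that merely get the port numbers right burn CPU on MD5. The `signature_verify_input` flag stands in for the on/off sysctl, the `tcpstat` dict stands in for the total/good/bad members George says belong in struct tcpstat, and the counter names, addresses, ports and key below are all made up for the example.

```python
"""User-space model of an RFC 2385 (TCP-MD5) receive check (example, not FreeBSD code)."""
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19      # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18     # kind + length + 16-byte digest
IPPROTO_TCP = 6

# Hypothetical stand-in for an enable/disable sysctl (name is made up).
signature_verify_input = True

# Hypothetical stand-in for struct tcpstat counters (member names are made up).
tcpstat = {"sig_rcvtotal": 0, "sig_rcvgood": 0, "sig_rcvbad": 0, "sig_rcvnosig": 0}


def signature_stats():
    """What a netstat -s style report would print: a copy of the counters."""
    return dict(tcpstat)


def pseudo_header(src, dst, tcp_len):
    # src, dst, zero, protocol, TCP length (header + options + data)
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)


def tcp_checksum(src, dst, segment):
    """Ones'-complement TCP checksum; returns 0 for a segment whose field is already correct."""
    data = pseudo_header(src, dst, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rfc2385_digest(src, dst, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options excluded), data, key."""
    doff = (segment[12] >> 4) * 4
    hdr = bytearray(segment[:20])
    hdr[16:18] = b"\x00\x00"
    m = hashlib.md5()
    m.update(pseudo_header(src, dst, len(segment)))
    m.update(bytes(hdr))
    m.update(segment[doff:])
    m.update(key)
    return m.digest()


def build_segment(src, dst, sport, dport, seq, ack, flags, payload, key=None):
    """Sender side: build a segment, signed with key if one is given (NOP NOP SIG = 20 bytes)."""
    opts = b""
    if key is not None:
        opts = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, 65535, 0, 0)
    seg = bytearray(hdr + opts + payload)
    if key is not None:
        seg[24:40] = rfc2385_digest(src, dst, bytes(seg), key)   # digest does not cover options
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


def find_signature(segment):
    """Walk the option list; return the 16-byte digest or None (malformed lists also yield None)."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                       # EOL
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            return None
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return segment[i + 2:i + length]
        i += length
    return None


def tcp_input(src, dst, segment, listen_port, key):
    """Receive path: cheap checks first, MD5 last. Returns 'accept' or 'drop:<reason>'."""
    if len(segment) < 20:
        return "drop:short"
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return "drop:bad_offset"
    if tcp_checksum(src, dst, segment) != 0:
        return "drop:bad_checksum"          # garbage never reaches the MD5 step
    if struct.unpack("!H", segment[2:4])[0] != listen_port:
        return "drop:no_socket"
    if not signature_verify_input or key is None:
        return "accept"                     # knob off, or no key configured for this peer
    tcpstat["sig_rcvtotal"] += 1
    sig = find_signature(segment)
    if sig is None:
        tcpstat["sig_rcvnosig"] += 1
        return "drop:missing_signature"
    if hmac.compare_digest(sig, rfc2385_digest(src, dst, segment, key)):
        tcpstat["sig_rcvgood"] += 1
        return "accept"
    tcpstat["sig_rcvbad"] += 1
    return "drop:bad_signature"


if __name__ == "__main__":
    src, dst, key = "192.0.2.1", "192.0.2.2", b"example-key"   # constructed sample values
    syn = build_segment(src, dst, 40000, 179, 1000, 0, 0x02, b"", key)
    print(tcp_input(src, dst, syn, 179, key), tcp_input(src, dst, syn, 179, b"wrong"))
    print(signature_stats())
```

The ordering in `tcp_input` is the whole point: a segment with a bad checksum, a bad data offset or no matching listener is dropped before any MD5 work, so only segments that already passed the cheap checks cost a digest. `hmac.compare_digest` is used for the final comparison so that a forged digest cannot be refined byte by byte through timing.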

