IPSec on current.
Bruce M Simpson
bms at spc.org
Thu Nov 4 11:39:27 PST 2004
Hi,
On Thu, Nov 04, 2004 at 04:16:12PM +0900, SUZUKI Shinsuke wrote:
> I've just implemented TCP-MD5(IPv4) on KAME-IPSEC and confirmed it's
> working fine. (I'll work on TCP-MD5(IPv6) later)
>
> Please let me know if you have any objection or comment to the
> following patch. If it's okay, I'd like to commit it to -current.
I don't object to this change being committed now, but it does mean I
will have to revise some uncommitted work.
Porting it to IPv6 is OK. However, I would prefer people did not bring
in itojun's changes to add the input verification path at this time as
they may break the semantics of passive open.
Basically doing it 'right' requires security policy support for TCP
sockets at the MD5 level. There is a risk that bringing in the input
changes now would break the semantics of existing programs such as
Quagga and XORP.
Regards,
BMS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 167 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20041104/1bacfe3d/attachment.bin
More information about the freebsd-current
mailing list