svn commit: r248503 - user/andre/tcp-ao/sys/netinet
Andre Oppermann
andre at FreeBSD.org
Tue Mar 19 13:14:07 UTC 2013
Author: andre
Date: Tue Mar 19 13:14:06 2013
New Revision: 248503
URL: http://svnweb.freebsd.org/changeset/base/248503
Log:
After careful evaluation, decide on the setsockopt() method for TCP-AO key
management. A description can be found in the comments to tcp_ao.h.
The IPSEC key interface is only partially suited for use by TCP-AO. The
concepts used by TCP-AO and IPSEC are very different. Requiring the IPSEC
dependency for TCP-AO hinders deployment and considerably complicates the
implementation and creates unnecessary inter-dependencies.
The setsockopt() method to set TCP-AO keys is straightforward for the
user/application and in implementation. It puts everything together at
the socket the configuration applies to.
Add netinet/tcp_ao.h to hold the TCP-AO specific structures. Parts of it
may be moved to netinet/tcp.h after the implementation has stabilized.
Sponsored by: Juniper Networks
Added:
user/andre/tcp-ao/sys/netinet/tcp_ao.h
Modified:
user/andre/tcp-ao/sys/netinet/tcp.h
user/andre/tcp-ao/sys/netinet/tcp_ao.c
Modified: user/andre/tcp-ao/sys/netinet/tcp.h
==============================================================================
--- user/andre/tcp-ao/sys/netinet/tcp.h Tue Mar 19 13:13:26 2013 (r248502)
+++ user/andre/tcp-ao/sys/netinet/tcp.h Tue Mar 19 13:14:06 2013 (r248503)
@@ -162,6 +162,7 @@ struct tcphdr {
#define TCP_NOPUSH 4 /* don't push last block of write */
#define TCP_NOOPT 8 /* don't use TCP options */
#define TCP_MD5SIG 16 /* use MD5 digests (RFC2385) */
+#define TCP_AO 17 /* configure TCP-AO digests (RFC5925) */
#define TCP_INFO 32 /* retrieve tcp_info structure */
#define TCP_CONGESTION 64 /* get/set congestion control algorithm */
#define TCP_KEEPINIT 128 /* N, time to establish connection */
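Review bot: TCP_AO's value 17 breaks the power-of-two sequence its neighbours follow (TCP_MD5SIG 16, TCP_INFO 32, TCP_CONGESTION 64, TCP_KEEPINIT 128). These are option identifiers rather than flag bits, so 17 works, but a reader of this table will infer a bitmask convention; either pick a value that keeps the pattern or add a short comment stating that option numbers are not combinable. The comment `/* configure TCP-AO digests (RFC5925) */` also undersells the option: per the new tcp_ao.h it installs and removes per-peer keys, so "configure TCP-AO keys" would describe it more accurately.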
Modified: user/andre/tcp-ao/sys/netinet/tcp_ao.c
==============================================================================
--- user/andre/tcp-ao/sys/netinet/tcp_ao.c Tue Mar 19 13:13:26 2013 (r248502)
+++ user/andre/tcp-ao/sys/netinet/tcp_ao.c Tue Mar 19 13:14:06 2013 (r248503)
@@ -45,7 +45,8 @@
* Discussion:
* the key management can be done in two ways: via the ipsec key interface
* or through the setsockopt() api. Analyse which one is better to handle
- * in the kernel and for userspace applications.
+ * in the kernel and for userspace applications. The setsockopt() API is
+ * the winner and will be used.
*
* legacy tcp-md5 can be brought and integrated into the tcp-ao framework.
*/
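Review bot: the amended Discussion comment now contradicts itself: it still reads as an open task ("Analyse which one is better to handle ...") and then announces the outcome in the next sentence. Rewrite the item as the decision it records, e.g. `* Key management is done through the setsockopt() API; the IPsec key interface was evaluated and rejected (see tcp_ao.h).`, so that the legacy tcp-md5 integration below remains the only entry that reads as a TODO.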
Added: user/andre/tcp-ao/sys/netinet/tcp_ao.h
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/andre/tcp-ao/sys/netinet/tcp_ao.h Tue Mar 19 13:14:06 2013 (r248503)
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2013 Juniper Networks
+ * All rights reserved.
+ *
+ * Written by Andre Oppermann <andre at FreeBSD.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+/*
+ * TCP-AO key interface through socket options.
+ *
+ * To set one or more keys for one or more peers:
+ * setsockopt(so, IPPROTO_TCP, TCP_AO, tcp_ao_sopt, sizeof(*tcp_ao_sopt));
+ *
+ * An arbitrary number of keys can be specified on an unconnected or listen
+ * socket. The keys can be added, changed or removed at any time. Once an
+ * application has installed at least one key, TCP-AO is enabled on that
+ * socket for the specified peer.
+ *
+ * A listen socket searches for a matching key when it receives a SYN.
+ * After the 3WHS is completed a socket is created for the new connection.
+ * This socket inherits only the keys relevant to this peer address.
+ *
+ * On a connect all keys except those belonging to that peer are removed.
+ *
+ * If a key that is changed that is in active use, packet loss may result.
+ *
+ * Keys are not shared between sockets. Adding and removing keys has to be
+ * done on each socket where the peer address applies. This is not much
+ * overhead to the application and greatly simplifies the kernel implementation.
+ *
+ * Since applications tend to pass the key string unmodified it may be better
+ * to specify the socket interface to be in base64 instead of an array of
+ * uint8_t. That would allow a human readable string to represent more bit
+ * variance per byte.
+ *
+ * Configured keys on a socket can be retrieved as follows:
+ * getsockopt(so, IPPROTO_TCP, TCP_AO, tcp_ao_sopt, sizeof(*tcp_ao_sopt));
+ *
+ * All configured peers and key indexs are returned in the supplied vector.
+ * If the vector is too small the result is truncated. The number of keys
+ * is returned in tao_keycnt. No actual keys are returned or exposed.
+ *
+ * This interface may continue to evolve as the implementation matures and
+ * handling experience is gained. These structs should be moved to tcp.h
+ * once stable.
+ */
+
+/*
+ * TCP-AO key interface struct passed to setsockopt().
+ */
+struct tcp_ao_sopt {
+ int tao_flags; /* flags for this operation */
+ int tao_keycnt; /* number of keys in vector */
+ struct tcp_ao_key *tao_keyv; /* pointer to key vector */
+};
+
+/*
+ * Flags for the tao_flags field.
+ */
+#define TAO_SOPT_REPLACE 0x00000001 /* replace full set */
+
+/*
+ * Per peer structures referenced from tcp_ao_sopt.
+ * The commands normally apply to a particular keyidx and peer combination.
+ */
+struct tcp_ao_key {
+ uint8_t taok_cmd; /* command, add, remove key */
+ uint8_t taok_flags; /* flags for key */
+ uint8_t taok_algo; /* MAC algorithm */
+ uint8_t taok_keyidx; /* key index per peer */
+ int taok_keylen; /* length of key */
+ uint8_t *taok_key; /* key string */
+ struct sockaddr *taok_peer; /* this key applies to ... */
+};
+
+/*
+ * Commands for the taok_cmd field.
+ */
+#define TAOK_CMD_ADD 1 /* add or replace key */
+#define TAOK_CMD_DELETE 2 /* delete key keyidx|peer */
+#define TAOK_CMD_DELETEALL 3 /* delete all idx for peer */
+
+/*
+ * Flags for the taok_flags field.
+ */
+#define TAOK_FLAGS_ACTIVE 0x01 /* active key index for SYN */
+
+/*
+ * MAC and KDF pairs for keys.
+ */
+#define TAOK_ALGO_MD5SIG 1 /* legacy compatibility */
+#define TAOK_ALGO_HMAC-SHA-1-96 2 /* RFC5926, Section 2.2 */
+#define TAOK_ALGO_AES-128-CMAC-96 3 /* RFC5926, Section 2.2 */
+
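Review bot: the last two algorithm macros are not valid C identifiers: `#define TAOK_ALGO_HMAC-SHA-1-96 2` actually defines a macro named TAOK_ALGO_HMAC whose body is `-SHA-1-96 2`, and `TAOK_ALGO_AES-128-CMAC-96` likewise defines TAOK_ALGO_AES; any use of the intended names will fail to compile. Use underscores, e.g. `#define TAOK_ALGO_HMAC_SHA_1_96 2` and `#define TAOK_ALGO_AES_128_CMAC_96 3`. The header also lacks an include guard (the other netinet headers use the `_NETINET_..._H_` pattern) and does not pull in <sys/types.h> and <sys/socket.h> for uint8_t and struct sockaddr, so it only compiles when included after them. Since tcp_ao_sopt and tcp_ao_key carry user pointers (tao_keyv, taok_key, taok_peer) rather than inline data, the TCP_AO handler has to copyin each level separately, reject negative or oversized taok_keylen values before copying the key, and validate taok_peer's sa_len and sa_family; the pointer-bearing layout also differs between 32- and 64-bit processes, so a compat32 variant of both structs will be needed, which is worth noting in the "may be moved to tcp.h" remark. Minor: "key indexs" should read "key indices", and "If a key that is changed that is in active use" should read "If a key that is in active use is changed".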