[quagga-dev 5497] Re: [quagga-users 9626] MD5 Support - 0.99.10

Michael H. Warfield mhw at WittsEnd.com
Sat Jun 14 04:09:30 BST 2008


On Fri, 2008-06-13 at 16:50 -0400, James Carlson wrote:
> Michael H. Warfield writes:
> > > > 	Ah!  So you're on Solaris.  Ok...  I'll still sign up once we 
> > > > get a little further down the road and we'll worry about passwords 
> > > > and Solaris some other day.
> > 
> > > Ah, a birdy tells me TCP-MD5 for Solaris is in the works:
> > 
> > >   http://www.opensolaris.org/jive/thread.jspa?messageID=214177
> > 
> > 	Interesting...

> Yes, and the design is rather different from what's suggested here.
> Setting a passphrase on the listen socket is (as you rightly note)
> problematic at best, because you don't know the peer yet.

> One possibility would be to associate a list of passphrases and peer
> addresses with the socket.  This quickly gets pretty messy, though,
> especially when you consider that this is key material -- stuff that
> needs to be protected better than the usual configuration bits, and
> stuff that (on a system with hardware key management) may not even be
> directly accessible to the kernel itself.

> The Solaris solution is to treat TCP-MD5 as sort of a variant of
> IPsec: it's just another policy that can be configured, and TCP checks
> for a configured policy and SA when it gets an inbound SYN.  That way,
> you can configure per-peer rules, and not really have to worry about
> socket-level configuration.

	Now THAT sounds remarkably like the code I saw in the OpenBSD case.  I
remarked to Paul that implementation of the BSD code took us most of the
way down the road to implementing the AH method as well.  In the case of
the code that's there, there are some remarks about PFKEY in the
socketopt.c code where I thing someone expected something to be filled
in.  I looked at that and the BSD code and realized I needed a lot more
information passed down to those parameters and would probably need to
store the SA's in the peer structure.

> Girish has had this working for a while now, and we're all eagerly
> waiting for him to integrate.  ;-}

	Now THAT definitely had my attention.

> -- 
> James Carlson, Solaris Networking              <james.d.carlson at sun.com>
> Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
> MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20080613/7936095f/attachment-0001.sig>


More information about the Quagga-dev mailing list