[quagga-dev 5500] Re: [quagga-users 9626] MD5 Support - 0.99.10

James Carlson james.d.carlson at sun.com
Sat Jun 14 20:22:54 BST 2008


paul at clubi.ie writes:
> On Fri, 13 Jun 2008, James Carlson wrote:
> 
> > One possibility would be to associate a list of passphrases and 
> > peer addresses with the socket.
> 
> Hmm, store them with the socket, store them in the SADB. ;)

There are a few important differences, though.

> > for a configured policy and SA when it gets an inbound SYN.  That 
> > way, you can configure per-peer rules, and not really have to worry 
> > about socket-level configuration.
> 
> The one downside is that this makes it difficult to provide a UI for 
> it within bgpd.

True.  I've been thinking about it for a while now, and I'm not sure I
know whether that's a good or a bad thing.  On the plus side, using
the IPsec infrastructure cleanly solves the 'listen' problem,
centralizes keying policies, enables key management hardware, and
avoids some amount of duplication.  On the minus side, you don't get
the same application level control (in fact, the application is just
ignorant of the policy), and making a Cisco-like command line would be
harder.

Besides the listen issue, what really broke it for me was the key
storage: the IPsec guys have already thought long and hard about how
to do that right, and have hardware assist on some platforms, and link
into other security software.  An ad-hoc mechanism in TCP would not do
those things -- at least not easily.

> Perhaps the IP_SEC_OPT policy sockopt could be extended to support 
> tcp_md5sig.. (we have to have a path in bgpd for adding policy to the 
> sockets anyway).

Yes, I think that's possible.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
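As an added illustration of the per-peer key association the thread is discussing (not code from this thread, from quagga or from Solaris): the RFC 2385 digest that tcp_md5sig protects, computed over a constructed SYN and checked on the receiving side against a hypothetical peer-address-to-key table. The addresses, ports and keys are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19  # option kind assigned by RFC 2385
# Constructed table of peer address -> key: the "list of passphrases and
# peer addresses" idea from the thread. Addresses and keys are sample values.
PEER_KEYS = {"192.0.2.10": b"s3cret-peer-a", "192.0.2.20": b"other-peer-key"}

def tcp_md5_digest(saddr, daddr, tcp_header, payload, key):
    # RFC 2385: MD5 over the IPv4 pseudo-header (segment length includes options),
    # the fixed TCP header with checksum zeroed and options excluded, data, key.
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def build_signed_header(saddr, daddr, sport, dport, seq, payload, key):
    # Constructed SYN: data offset 10 words = 20-byte fixed header plus a
    # 20-byte option block (MD5SIG kind 19, length 18, then two NOPs).
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x02, 65535, 0, 0)
    digest = tcp_md5_digest(saddr, daddr, fixed + bytes(20), payload, key)
    return fixed + bytes([TCPOPT_MD5SIG, 18]) + digest + b"\x01\x01"

def extract_md5_option(tcp_header):
    # Walk the TCP option list; return the 16-byte digest or None if absent.
    opts, i = tcp_header[20:], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 1:                        # NOP, single byte
            i += 1
            continue
        if kind == 0 or i + 1 >= len(opts):  # end of list, or truncated
            return None
        length = opts[i + 1]
        if kind == TCPOPT_MD5SIG and length == 18:
            return bytes(opts[i + 2:i + 18])
        i += max(length, 2)
    return None

def verify_inbound(saddr, daddr, tcp_header, payload, keys=PEER_KEYS):
    # Receiver side: no key for this peer, no option, or a mismatch => drop.
    key, sig = keys.get(saddr), extract_md5_option(tcp_header)
    if key is None or sig is None:
        return False
    return hmac.compare_digest(sig, tcp_md5_digest(saddr, daddr, tcp_header, payload, key))
```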