[quagga-users 8991] Re: TCP MD5 support

Michael H. Warfield mhw at WittsEnd.com
Mon Oct 15 15:55:01 IST 2007


On Mon, 2007-10-15 at 10:12 -0600, Batsukh Tsendjav wrote:
> Hi All,
> 
> I am trying to use the TCP MD5 option to protect a TCP session between two
> machines. 
> I have a simple tcp receiver and a sender program and used setsockopt
> (sockfd, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof(md5sig)) 
> call to setup the md5. 
> But netstat shows that only the SYN packet is sent and it just
> hangs there. 
> If I comment the MD5 code, then it works just fine. 
> I was looking to find how quagga does this and tried to use it as a
> template but could not really find it. 

	I've seen this problem before.  I was having a similar problem with a
little test routine that was posted on this list a while back.  I never
did get the little test routine to work, but I did finally get quagga to
work.

	The tcp md5 signature stuff is not yet in quagga but a number of
patches do exist.  I updated one such patch to deal with running in an
IPv4/IPv6 dual stack environment.  If you've got IPv6 enabled (you don't
even have to be connected to IPv6), that could well be screwing up your
attempts to use the tcp md5 signature option, since it's IPv4 only.

> Any suggestions as to where to look or what to do from here?

	You can browse through some of the past messages on this list (just
search for md5 and you'll find them).  Or you can download a patch from
my site here:

	http://www.wittsend.com/mhw/md5sig/quagga_md5_bsd_linux_v8.diff

	That patch is against quagga 0.99.9 and works on Linux 2.6.20 and
above.  I don't think it will work for versions prior to 2.6.20, which
do not have the TCP_MD5SIG option.  Make sure you have
CONFIG_CRYPTO_MD5=y and CONFIG_TCP_MD5SIG=y in your kernel build
(RedHat, Fedora, and most other stock builds have this).  Merely having
"md5" show up in /proc/crypto is insufficient (that only means
CONFIG_CRYPTO_MD5 was compiled or loaded, and says nothing about the
md5sig option).

	Caveat: Per the comments of the previous author (the v7 patch), this
feature is not worked into autoconf and you have to manually add the
configuration option to config.h.  I may look into fixing that, I just
haven't gotten around to it.

> Thanks in advance, 
> Bata

	Regards,
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!


