Subject: Re: CVS commit: src
To: None <christos@zoulas.com>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: source-changes
Date: 04/27/2004 02:06:56
> In article <87wu43x7hm.fsf@snark.piermont.com>,
> Perry E. Metzger <perry@piermont.com> wrote:
> >
> >Jonathan Stone <jonathan@netbsd.org> writes:
> >> NOTE: This version has two potential flaws. First, I do see any code
> >> that verifies received TCP-MD5 signatures.
> >
> >That's not a "potential flaw" -- that makes it useless. :(
> >
> >Perry
> 
> No, it is still useful because some routers will not accept non-md5 sessions.
> So to interoperate properly the minimum we have to do is send md5 packets and
> accept md5 packets.

	i agree with perry.  if the NetBSD side does not check the signature
	(in fact, it does not check *the existence* of the signature either)
	a malicious party can throw bogus packets to the NetBSD side, and tear down
	the connection (or whatever).

itojun
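
An added illustration of the receive-side check this message says is missing (not NetBSD code and not from the thread): a segment from a peer with a configured key is dropped unless the TCP-MD5 option (RFC 2385) is present and its digest verifies. IPv4 only; the function names, addresses, ports and key are assumptions constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG, MD5SIG_LEN = 19, 18  # RFC 2385 option kind and total option length

def md5sig_digest(src, dst, seg, key):
    """RFC 2385 digest: pseudo-header, fixed header (checksum zeroed), payload, key."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))
    header = seg[:16] + b"\x00\x00" + seg[18:20]   # TCP options are not covered
    payload = seg[(seg[12] >> 4) * 4:]
    return hashlib.md5(pseudo + header + payload + key).digest()

def find_md5sig(seg):
    """Return the 16-byte digest carried in the options, or None if absent or malformed."""
    opts, i = seg[20:(seg[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of option list
        if opts[i] == 1:                           # kind 1 = NOP, a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None
        if opts[i] == TCPOPT_MD5SIG:
            return opts[i + 2:i + 18] if opts[i + 1] == MD5SIG_LEN else None
        i += opts[i + 1]
    return None

def accept_segment(src, dst, seg, key):
    """Receive policy for a peer with a configured key: drop unless signed and valid."""
    if len(seg) < 20 or not 20 <= (seg[12] >> 4) * 4 <= len(seg):
        return False
    sig = find_md5sig(seg)
    if sig is None:                                # the existence check
        return False
    return hmac.compare_digest(sig, md5sig_digest(src, dst, seg, key))

def build_segment(src, dst, flags, payload=b"", key=None):
    """Constructed sample segment (arbitrary ports/seq, TCP checksum left zero)."""
    opts = b"\x01\x01" + bytes([TCPOPT_MD5SIG, MD5SIG_LEN]) + bytes(16) if key else b""
    hdr = struct.pack("!HHIIBBHHH", 179, 40000, 1000, 0,
                      (20 + len(opts)) // 4 << 4, flags, 1024, 0, 0)
    seg = hdr + opts + payload
    if key:
        seg = hdr + opts[:4] + md5sig_digest(src, dst, seg, key) + payload
    return seg

KEY, A, B, RST = b"constructed-shared-secret", "192.0.2.1", "192.0.2.2", 0x04
```

With this policy an unsigned RST for the session is dropped instead of tearing the connection down, which is the case the message describes.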