Subject: Re: RFC2385 - pretty please?
To: None <tech-net@netbsd.org>
From: Matt Thomas <matt@3am-software.com>
List: tech-net
Date: 04/21/2004 12:17:09

At 04:59 PM 4/20/2004, Jeff Rizzo wrote:
>So, last summer (Late May) there was some discussion about RFC 2385
>support ("Protection of BGP Sessions via the TCP MD5 Signature") which
>had been written but not committed due to lack of time on the part
>of the developer(s) who had written it. Is there someone I can buy a
>beer or two to persuade to revisit this? :) It would be nice to
>be able to continue to use NetBSD for BGP applications now that many
>peers are demanding MD5 session authentication...
>
>Yes, IPSec would be more appropriate, but since the 500lb gorilla
>supports this way...
>
>Thanks!
>+j

I have an implementation that I did a few years ago. The real
question is where do you get your MD5 keys from? Use PF_KEY? Allow
them to be set via a setsockopt?

The latter is nice for a simple use. But if you have a listener
which needs to use different keys depending on the foreign address
you need something more complex.

Sadly, setkey(8) and PF_KEY will need some work to support MD5 keys.

So what capabilities are needed?

--
Matt Thomas email: matt@3am-software.com
3am Software Foundry www: http://3am-software.com/bio/matt/
Cupertino, CA disclaimer: I avow all knowledge of this message.
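
The key-selection problem raised in this message, as an added example that is not part of the original message or of any NetBSD code: the RFC 2385 digest computation plus a listener-side check that picks the key by foreign address. The key table, addresses, and function names are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

# Constructed per-peer key table: documentation addresses, made-up keys.
PEER_KEYS = {"192.0.2.1": b"peer-a-secret", "198.51.100.7": b"peer-b-secret"}

def rfc2385_digest(src, dst, tcp, payload, key):
    """MD5 over pseudo-header, 20-byte TCP header (checksum zeroed), data, key."""
    seg_len = (tcp[12] >> 4) * 4 + len(payload)    # header incl. options + data
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    fixed = tcp[:16] + b"\x00\x00" + tcp[18:20]    # TCP options are excluded
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def md5_option(tcp):
    """Return the 16-byte digest from TCP option kind 19, or None."""
    i, end = 20, min((tcp[12] >> 4) * 4, len(tcp))
    while i < end:
        kind = tcp[i]
        if kind == 0:                              # end of option list
            break
        if kind == 1:                              # NOP padding
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            break                                  # malformed option
        if kind == 19 and tcp[i + 1] == 18:
            return tcp[i + 2:i + 18]
        i += tcp[i + 1]
    return None

def verify(src, dst, tcp, payload=b""):
    """Listener-side check: the key is chosen by the segment's foreign address."""
    key, sig = PEER_KEYS.get(src), md5_option(tcp)
    if key is None or sig is None:
        return False                               # unknown peer or unsigned segment
    return hmac.compare_digest(sig, rfc2385_digest(src, dst, tcp, payload, key))

def signed_syn(src, dst, sport, dport, key):
    """Build a constructed SYN with options NOP, NOP, kind=19 len=18 (checksum left 0)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 10 << 4, 0x02, 65535, 0, 0)
    unsigned = hdr + b"\x01\x01\x13\x12" + bytes(16)
    return unsigned[:24] + rfc2385_digest(src, dst, unsigned, b"", key)
```

A single key set once on the listening socket corresponds to replacing PEER_KEYS with one value; the second peer's segments then fail verification, which is the case the message describes for listeners.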