Subject: Re: TCP_SIGNATURE (rfc2385) panics and problems
To: Jeff Rizzo <riz@boogers.sf.ca.us>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-net
Date: 05/24/2004 10:29:48
In message <20040523011144.GA5956@boogers.sf.ca.us>Jeff Rizzo writes
>So, I've only just found the time to start playing with the new RFC2385
>code (thanks a TON for porting it to Jonathan Stone), and, naturally
>there are some problems. I'm using Bruce M. Simpson's patches to
>quagga 0.96.4, and attempting to peer with a Cisco router. For those
>interested, his patches to quagga are here:
>http://people.freebsd.org/~bms/dump/quagga-tcpmd5/
Jeff,
Thanks for taking the time to test this. Sorry to hear it didn't
work for you.
I haven't had time to look into tcp_signatures since I initially
committed a port of the FreeBSD code. I do a quick implementation of
receive-side verification of the MD5 sums; but my available time
for NetBSD hacking has been taken up with 2.0 release issues.
The reference-counting in the initial commit was all borked up.
someone (Itojun?) reworked the initial commit to work with KAME
IPsec, and make some considerable improvements in the key handling;
but clearly never even tried compiled those changes with FAST_IPSEC
(as the two or three unused variables show).
All I can tell you is that the initial FAST_IPSEC code did work, using
a modified ttcp with command-line switches to set the TCP_MD5 setsockopt().
Since I dont have a Cisco to play with, all I can do is try the same
modified ttcp, between two *BSD machines, later this week.