1cfd4b5326
This is the first of two commits; bringing in the kernel support first. This can be enabled by compiling a kernel with options TCP_SIGNATURE and FAST_IPSEC. For the uninitiated, this is a TCP option which provides for a means of authenticating TCP sessions which came into being before IPSEC. It is still relevant today, however, as it is used by many commercial router vendors, particularly with BGP, and as such has become a requirement for interconnect at many major Internet points of presence. Several parts of the TCP and IP headers, including the segment payload, are digested with MD5, including a shared secret. The PF_KEY interface is used to manage the secrets using security associations in the SADB. There is a limitation here in that as there is no way to map a TCP flow per-port back to an SPI without polluting tcpcb or using the SPD; the code to do the latter is unstable at this time. Therefore this code only supports per-host keying granularity. Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6), TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective users of this feature, this will not pose any problem. This implementation is output-only; that is, the option is honoured when responding to a host initiating a TCP session, but no effort is made [yet] to authenticate inbound traffic. This is, however, sufficient to interwork with Cisco equipment. Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with local patches. Patches for tcpdump to validate TCP-MD5 sessions are also available from me upon request. Sponsored by: sentex.net
a note to committers about KAME tree $FreeBSD$ KAME project FreeBSD IPv6/IPsec tree is from KAMEproject (http://www.kame.net/). To synchronize KAME tree and FreeBSD better today and in the future, please understand the following: - DO NOT MAKE COSTMETIC CHANGES. "Cosmetic changes" here includes tabify, untabify, removal of space at EOL, minor KNF items, and whatever adds more output lines on "diff freebsd kame". To make future synchronization easier. it is critical to preserve certain statements in the code. Also, as KAME tree supports all 4 BSDs (Free, Open, Net, BSD/OS) in single shared tree, it is not always possible to backport FreeBSD changes into KAME tree. So again, please do not make cosmetic changes. Even if you think it a right thing, that will bite KAME guys badly during upgrade attempts, and prevent us from synchronizing two trees. (you don't usually make cosmetic changes against third-party code, do you?) - REPORT CHANGES/BUGS TO KAME GUYS. It is not always possible for KAME guys to watch all the freebsd mailing list traffic, as the traffic is HUGE. So if possible, please, inform kame guys of changes you made in IPv6/IPsec related portion. Contact path would be snap-users@kame.net or KAME PR database on www.kame.net. (or to core@kame.net if it is necessary to make it confidential) Thank you for your cooperation and have a happy IPv6 life! Note: KAME-origin code is in the following locations. The above notice applies to corresponding manpages too. The list may not be complete. If you see $KAME$ in the code, it is from KAME distribution. If you see some file that is IPv6/IPsec related, it is highly possible that the file is from KAME distribution. include/ifaddrs.h lib/libc/net lib/libc/net/getaddrinfo.c lib/libc/net/getifaddrs.c lib/libc/net/getnameinfo.c lib/libc/net/ifname.c lib/libc/net/ip6opt.c lib/libc/net/map_v4v6.c lib/libc/net/name6.c lib/libftpio lib/libipsec sbin/ip6fw sbin/ping6 sbin/rtsol share/doc/IPv6 share/man/man4/ip6.4 share/man/man4/inet6.4 sys/crypto (except sys/crypto/rc4) sys/kern/uipc_mbuf2.c sys/net/if_faith.[ch] sys/net/if_gif.[ch] sys/net/if_stf.[ch] sys/net/pfkeyv2.h sys/netinet/icmp6.h sys/netinet/in_gif.[ch] sys/netinet/ip6.h sys/netinet/ip_encap.[ch] sys/netinet6 sys/netkey usr.sbin/faithd usr.sbin/gifconfig usr.sbin/ifmcstat usr.sbin/mld6query usr.sbin/ndp usr.sbin/pim6dd usr.sbin/pim6sd usr.sbin/prefix usr.sbin/rip6query usr.sbin/route6d usr.sbin/rrenumd usr.sbin/rtadvd usr.sbin/rtsold usr.sbin/scope6config usr.sbin/setkey usr.sbin/traceroute6