freebsd-skq/sys/netinet6
Bruce M Simpson 1cfd4b5326 Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.

For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.

Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.

There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.

Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.

This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.

Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.

Sponsored by:	sentex.net
2004-02-11 04:26:04 +00:00
..
ah6.h - correct signedness mixups. 2003-10-12 11:08:18 +00:00
ah_aesxcbcmac.c support AES XCBC MAC for AH. 2003-10-13 04:56:04 +00:00
ah_aesxcbcmac.h support AES XCBC MAC for AH. 2003-10-13 04:56:04 +00:00
ah_core.c - m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has 2003-11-15 06:18:09 +00:00
ah_input.c - m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has 2003-11-15 06:18:09 +00:00
ah_output.c - avoid hardcoded values. 2003-10-12 12:03:25 +00:00
ah.h oops, correct wrong change in previous commit. 2003-11-15 06:16:36 +00:00
dest6.c remove unused variable. 2003-10-12 15:14:33 +00:00
esp6.h
esp_aesctr.c - support AES counter mode for ESP. 2003-10-13 14:57:41 +00:00
esp_aesctr.h - support AES counter mode for ESP. 2003-10-13 14:57:41 +00:00
esp_core.c - m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has 2003-11-15 06:18:09 +00:00
esp_input.c - m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has 2003-11-15 06:18:09 +00:00
esp_output.c preparation for 64bit sequence number. 2003-11-15 05:41:41 +00:00
esp_rijndael.c cleanup rijndael API. 2003-11-11 18:58:54 +00:00
esp_rijndael.h enable aes-xcbc-mac and aes-ctr, again. 2003-11-10 10:39:14 +00:00
esp.h - support AES counter mode for ESP. 2003-10-13 14:57:41 +00:00
frag6.c add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
icmp6.c pass pcb rather than so. it is expected that per socket policy 2004-02-03 18:20:55 +00:00
icmp6.h
in6_cksum.c - fix typo in comments. 2003-10-08 18:26:08 +00:00
in6_gif.c add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
in6_gif.h - fix typo in comments. 2003-10-08 18:26:08 +00:00
in6_ifattach.c Don't execute the code in in6_ifdetach() that removes the link-local 2004-01-10 08:14:27 +00:00
in6_ifattach.h nuku unused functions in6_nigroup_attach() and 2003-10-31 15:51:28 +00:00
in6_pcb.c fix build with FAST_IPSEC. 2004-02-09 16:02:16 +00:00
in6_pcb.h source address selection part of RFC3484. 2003-11-04 20:22:33 +00:00
in6_prefix.c return(code) -> return (code) 2003-10-06 14:02:09 +00:00
in6_prefix.h
in6_proto.c source address selection part of RFC3484. 2003-11-04 20:22:33 +00:00
in6_rmx.c Introduce tcp_hostcache and remove the tcp specific metrics from 2003-11-20 20:07:39 +00:00
in6_src.c KNF 2004-02-04 12:55:45 +00:00
in6_var.h add management part of address selection policy described in 2003-10-30 15:29:17 +00:00
in6.c try rtinit() only when the route is not installed. 2004-01-10 08:59:21 +00:00
in6.h byebye in6_ifawithscope(). it was a function for old source 2003-11-05 17:19:31 +00:00
ip6_ecn.h add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
ip6_forward.c Remove RTF_PRCLONING from routing table and adjust users of it 2003-11-20 19:47:31 +00:00
ip6_fw.c When calculating the sequence number to use in an ip6fw reset, remember to 2003-12-25 23:39:44 +00:00
ip6_fw.h Replace the if_name and if_unit members of struct ifnet with new members 2003-10-31 18:32:15 +00:00
ip6_id.c add randomtab for ip6_randomflowlabel(). 2003-10-01 21:45:57 +00:00
ip6_input.c Remove RTF_PRCLONING from routing table and adjust users of it 2003-11-20 19:47:31 +00:00
ip6_mroute.c Catch a few places where NULL (pointer) was used where 0 (integer) was 2003-12-23 02:36:43 +00:00
ip6_mroute.h
ip6_output.c - obey ip6po_minmtu. 2004-02-08 18:22:27 +00:00
ip6_var.h source address selection part of RFC3484. 2003-11-04 20:22:33 +00:00
ip6.h
ip6protosw.h - fix typo in comments. 2003-10-08 18:26:08 +00:00
ipcomp6.h
ipcomp_core.c - fix typo in comments. 2003-10-08 18:26:08 +00:00
ipcomp_input.c - typo. found by markus@openbsd 2003-10-09 18:44:54 +00:00
ipcomp_output.c sync with the latest KAME (just a cosmetic change) 2003-04-28 08:21:57 +00:00
ipcomp.h
ipsec6.h pass pcb rather than so. it is expected that per socket policy 2004-02-03 18:20:55 +00:00
ipsec.c pass pcb rather than so. it is expected that per socket policy 2004-02-03 18:20:55 +00:00
ipsec.h Initial import of RFC 2385 (TCP-MD5) digest support. 2004-02-11 04:26:04 +00:00
mld6_var.h rename MLD6_* to MLD_*. 2003-10-31 16:07:15 +00:00
mld6.c rename MLD6_* to MLD_*. 2003-10-31 16:07:15 +00:00
nd6_nbr.c pass pcb rather than so. it is expected that per socket policy 2004-02-03 18:20:55 +00:00
nd6_rtr.c replace explicit changes to rt_refcnt by RT_ADDREF and RT_REMREF 2003-11-08 23:36:32 +00:00
nd6.c protect access to ifnet structure with mutex. 2004-01-28 15:01:39 +00:00
nd6.h use arc4random. 2003-10-31 16:06:05 +00:00
pim6_var.h
pim6.h
raw_ip6.c pass pcb rather than so. it is expected that per socket policy 2004-02-03 18:20:55 +00:00
raw_ip6.h
README
route6.c hide m_tag, again. 2003-10-29 12:49:12 +00:00
scope6_var.h - add dom_if{attach,detach} framework. 2003-10-17 15:46:31 +00:00
scope6.c protect sid_default and sid. 2003-10-22 15:13:36 +00:00
tcp6_var.h
udp6_output.c pass pcb rather than so. it is expected that per socket policy 2004-02-03 18:20:55 +00:00
udp6_usrreq.c pass pcb rather than so. it is expected that per socket policy 2004-02-03 18:20:55 +00:00
udp6_var.h

a note to committers about KAME tree
$FreeBSD$
KAME project


FreeBSD IPv6/IPsec tree is from KAMEproject (http://www.kame.net/).
To synchronize KAME tree and FreeBSD better today and in the future,
please understand the following:

- DO NOT MAKE COSTMETIC CHANGES.
  "Cosmetic changes" here includes tabify, untabify, removal of space at EOL,
  minor KNF items, and whatever adds more output lines on "diff freebsd kame".
  To make future synchronization easier. it is critical to preserve certain
  statements in the code.  Also, as KAME tree supports all 4 BSDs (Free, Open,
  Net, BSD/OS) in single shared tree, it is not always possible to backport
  FreeBSD changes into KAME tree.  So again, please do not make cosmetic
  changes.  Even if you think it a right thing, that will bite KAME guys badly
  during upgrade attempts, and prevent us from synchronizing two trees.
  (you don't usually make cosmetic changes against third-party code, do you?)

- REPORT CHANGES/BUGS TO KAME GUYS.
  It is not always possible for KAME guys to watch all the freebsd mailing
  list traffic, as the traffic is HUGE.  So if possible, please, inform
  kame guys of changes you made in IPv6/IPsec related portion.  Contact
  path would be snap-users@kame.net or KAME PR database on www.kame.net.
  (or to core@kame.net if it is necessary to make it confidential)

Thank you for your cooperation and have a happy IPv6 life!


Note: KAME-origin code is in the following locations.
The above notice applies to corresponding manpages too.
The list may not be complete.  If you see $KAME$ in the code, it is from
KAME distribution.  If you see some file that is IPv6/IPsec related, it is
highly possible that the file is from KAME distribution.

include/ifaddrs.h
lib/libc/net
lib/libc/net/getaddrinfo.c
lib/libc/net/getifaddrs.c
lib/libc/net/getnameinfo.c
lib/libc/net/ifname.c
lib/libc/net/ip6opt.c
lib/libc/net/map_v4v6.c
lib/libc/net/name6.c
lib/libftpio
lib/libipsec
sbin/ip6fw
sbin/ping6
sbin/rtsol
share/doc/IPv6
share/man/man4/ip6.4
share/man/man4/inet6.4
sys/crypto (except sys/crypto/rc4)
sys/kern/uipc_mbuf2.c
sys/net/if_faith.[ch]
sys/net/if_gif.[ch]
sys/net/if_stf.[ch]
sys/net/pfkeyv2.h
sys/netinet/icmp6.h
sys/netinet/in_gif.[ch]
sys/netinet/ip6.h
sys/netinet/ip_encap.[ch]
sys/netinet6
sys/netkey
usr.sbin/faithd
usr.sbin/gifconfig
usr.sbin/ifmcstat
usr.sbin/mld6query
usr.sbin/ndp
usr.sbin/pim6dd
usr.sbin/pim6sd
usr.sbin/prefix
usr.sbin/rip6query
usr.sbin/route6d
usr.sbin/rrenumd
usr.sbin/rtadvd
usr.sbin/rtsold
usr.sbin/scope6config
usr.sbin/setkey
usr.sbin/traceroute6