freebsd-skq/sys/conf
bms 903cdeea1a Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.

For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.

Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.

There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.

Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.

This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.

Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.

Sponsored by:	sentex.net
2004-02-11 04:26:04 +00:00
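
The digest described in the commit message above, as an added example that is not part of the commit or of the FreeBSD source: a Python version of the RFC 2385 computation for one IPv4 segment, together with the receive-side check that this output-only import does not yet perform. The helper names and the constructed segment builder are assumptions made for illustration.

```python
import hashlib, hmac, socket, struct

TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE = 19, 18   # RFC 2385: kind, 2 + 16-byte digest

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header, payload, then the shared key."""
    hlen = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0   # header plus options
    if not 20 <= hlen <= len(segment):
        raise ValueError("malformed TCP segment")
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, len(segment))
    fixed = bytearray(segment[:20])             # options are excluded from the digest
    fixed[16:18] = b"\x00\x00"                  # checksum field is digested as zero
    return hashlib.md5(pseudo + bytes(fixed) + segment[hlen:] + key).digest()

def find_signature(segment):
    """Walk the TCP options; return the 16-byte digest or None."""
    end = min((segment[12] >> 4) * 4, len(segment)) if len(segment) >= 20 else 0
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                           # end of option list
            break
        if kind == 1:                           # NOP padding
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2 or i + segment[i + 1] > end:
            return None                         # truncated or malformed option
        if kind == TCPOPT_SIGNATURE and segment[i + 1] == TCPOLEN_SIGNATURE:
            return bytes(segment[i + 2:i + 18])
        i += segment[i + 1]
    return None

def verify(src_ip, dst_ip, segment, key):
    """Receive-side check: recompute the digest and compare in constant time."""
    try:
        expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    except ValueError:
        return False
    received = find_signature(segment)
    return received is not None and hmac.compare_digest(received, expected)

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, payload, key):
    """Constructed SYN with NOP, NOP, signature option (TCP checksum left at zero)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x02, 65535, 0, 0)
    prefix = hdr + bytes([1, 1, TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE])
    digest = tcp_md5_digest(src_ip, dst_ip, prefix + bytes(16) + payload, key)
    return prefix + digest + payload
```

Because the source and destination addresses enter the digest through the pseudo-header, a segment signed for one peer pair does not verify for another, which fits the per-host keying the commit message describes.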
..
defines
files Initial import of RFC 2385 (TCP-MD5) digest support. 2004-02-11 04:26:04 +00:00
files.alpha Forgot ffsl() and flsl() on alpha. 2004-01-13 18:05:49 +00:00
files.amd64 Add crypto implementation files (C versions (like alpha, unlike i386)) 2004-02-05 01:09:29 +00:00
files.i386 Compiled longrun.c when defined options CPU_ENABLE_LONGRUN, 2004-01-31 20:14:44 +00:00
files.ia64 Add ffsl(), fls() flsl() to platforms that don't already have them. 2004-01-13 15:37:23 +00:00
files.pc98 Fix sort misordering. 2004-01-20 04:37:07 +00:00
files.powerpc Implement UMA_MD_SMALL_ALLOC, since the BAT registers allow direct 2004-01-29 00:32:22 +00:00
files.sparc64 Re-add libkern/ffs.c. I thought sparc64 had an inline version, but 2004-01-14 08:38:13 +00:00
kern.mk Reduce the inline limit from 20000 to 8000 after the previous changes 2004-02-06 20:40:04 +00:00
kern.post.mk Attempt to clean up the emu10k1-alsa.h stuff so that config doesn't 2004-02-05 22:51:16 +00:00
kern.pre.mk Only enforce -fno-strict-aliasing for optimization levels that 2004-01-22 10:01:47 +00:00
kmod_syms.awk
kmod.mk Don't add CWARNFLAGS to CFLAGS here, they were already added by bsd.sys.mk. 2003-12-25 14:07:52 +00:00
ldscript.alpha
ldscript.amd64 Sync up with the files in the hammer branch in the p4 tree to get basic 2003-05-01 02:59:24 +00:00
ldscript.i386 Align the .ctors section correctly. 2003-12-03 07:40:03 +00:00
ldscript.ia64 Load the kernel at a 64M instead of 5M. The advantage of this is that 2003-09-06 05:15:36 +00:00
ldscript.powerpc
ldscript.sparc64 Use the same SEARCH_DIR as other platforms. 2003-06-07 18:23:50 +00:00
majors Allow amr(4) to get a dynamic major number instead of a static one. 2004-02-08 16:07:22 +00:00
majors.awk Add necessary awk magic to create a table of major numbers allocated 2003-02-27 08:52:11 +00:00
Makefile.alpha Garbage-collected some vestiges of objformat support (mainly ${FMT}). 2003-12-29 11:34:33 +00:00
Makefile.amd64 Stop this warning: 2003-09-30 03:49:09 +00:00
Makefile.i386 Bump the config version to force people to upgrade their config(8) 2003-04-15 21:29:11 +00:00
Makefile.ia64 Revamp of the syscall path, exception and context handling. The 2003-05-16 21:26:42 +00:00
Makefile.pc98 Bump the config version to force people to upgrade their config(8) 2003-04-15 21:29:11 +00:00
Makefile.powerpc Remove duplicate script for locore.o 2003-12-09 15:48:20 +00:00
Makefile.sparc64 Bump the config version to force people to upgrade their config(8) 2003-04-15 21:29:11 +00:00
makeLINT.mk Implemented "nooption" and "nomakeoption" config(8) tokens. 2003-02-26 23:36:59 +00:00
makeLINT.sed Implemented "nooption" and "nomakeoption" config(8) tokens. 2003-02-26 23:36:59 +00:00
newvers.sh Stay in sync with src/COPYRIGHT and src/sys/sys/copyright.h, 2004-01-11 14:13:29 +00:00
NOTES Add missing 'device ataraid' to support ATA software RAID. 2004-01-26 16:38:33 +00:00
options Initial import of RFC 2385 (TCP-MD5) digest support. 2004-02-11 04:26:04 +00:00
options.alpha Add option NO_SIO to work-around the hardcoded dependency on sio(4). 2003-08-25 03:43:08 +00:00
options.amd64 Initial landing of SMP support for FreeBSD/amd64. 2003-11-17 08:58:16 +00:00
options.i386 Fixed some style bugs (insertion sort errors, tab lossage, and ornation 2004-01-25 15:27:23 +00:00
options.ia64 Add LOG2_ID_PAGE_SIZE to the mix of options on ia64. 2003-09-09 18:30:20 +00:00
options.pc98 Fixed some style bugs. 2004-01-26 12:28:40 +00:00
options.powerpc Add required GFB options as well as one for ofw/syscons. 2004-01-21 05:20:58 +00:00
options.sparc64 Hook syscons and the creator driver up to the sparc64. This compiles but 2003-08-24 01:54:06 +00:00
systags.sh Fix pathname so 'make tags' in a kernel build directory looks in 2004-01-29 14:58:22 +00:00