Hi, On Thu, Nov 04, 2004 at 04:16:12PM +0900, SUZUKI Shinsuke wrote: > I've just implemented TCP-MD5(IPv4) on KAME-IPSEC and confirmed it's > working fine. (I'll work on TCP-MD5(IPv6) later) > > Please let me know if you have any objection or comment to the > following patch. If it's okay, I'd like to commit it to -current. I don't object to this change being committed now, but it does mean I will have to revise some uncommitted work. Porting it to IPv6 is OK. However, I would prefer people did not bring in itojun's changes to add the input verification path at this time as they may break the semantics of passive open. Basically doing it 'right' requires security policy support for TCP sockets at the MD5 level. There is a risk that bringing in the input changes now would break the semantics of existing programs such as Quagga and XORP. Regards, BMS
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:21 UTC