RFC 2385 Kernel support for 1.2.3

djmizt · Aug 2, 2011, 1:35 PM

can someone from the devel group verify if this kernel option is enabled on the shipping kernel: TCP_SIGNATURE

this is needed by BGP to be able to establish secure sessions via 'tcp md5sig' option RFC 2385

as per /usr/src/sys/conf/NOTES:

TCP_SIGNATURE adds support for RFC 2385 (TCP-MD5) digests. These are

carried in TCP option 19. This option is commonly used to protect

TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.

This is enabled on a per-socket basis using the TCP_MD5SIG socket option.

This requires the use of 'device crypto', 'options IPSEC'

or 'device cryptodev'.

#options TCP_SIGNATURE #include support for RFC 2385

thanks much

djmizt · Aug 6, 2011, 6:00 AM

no updates?? anyone from the Mods??

cmb · Aug 7, 2011, 3:22 AM

Don't bug people via private message for help, it's against our rules (otherwise we'd all be wading through 1000 PMs every day) and definitely not going to encourage answers (I /dev/nulled that and am answering now just because I stumbled across it browsing threads).

That isn't currently supported, you can't use md5sig currently (far more to it than a kernel option).