[ale] TCP_MD5

Michael H. Warfield mhw at WittsEnd.com
Sat Aug 10 10:27:48 EDT 2013


On Fri, 2013-08-09 at 08:09 -0400, Chris Ricker wrote: 
> On 8/8/13 6:00 PM, Chris Fowler wrote:
> >
> > In the kernel I have this enabled:
> > CONFIG_TCP_MD5SIG=y
> >
> > It seems to me that this must be enabled for each application via the 
> > setsockopt(2) using the TCP_MD5SIG option.  For the programs I have 
> > installed I would need to modify them and recompile.
> >
> > Is this correct or is there a way to enable this on all TCP sockets?
> >
> 
> That's correct. It's a per-connection option that can be set by the 
> application once the support framework is present in the kernel.

The support framework has been present in the kernel and compiled in by
default in most distributions for YEARS.  I'm the author of the MD5 code
in the Quagga routing suite BGP daemon.  It's not present in RHEL 5 /
CentOS 5 / SL 5 but it is present in version 6 of all.  It's been
present in Fedora since about Fedora 14 and in Ubuntu for ages (2 or 3
years at least).  If you don't have it, you can NOT peer on BGP with any
peer that requires MD5 signatures / passwords (which I have to, which is
why I wrote the code).  This is literally what the Cisco et al IPv4 BGP
passwords use.

Gotchas...  More than merely enabling it, the two ends have to BOTH
enable it and BOTH have to agree on the common shared password or key.
Yes, this is on a socket by socket, connection by connection basis and
the application (client and server) must be MD5 signature aware (I'm
only aware of routing software like BGP actually using this but I could
be wrong).

You also must DISABLE most interface offloading (scatter gather,
assembly/disassembly, fragmentation, and what-not).  While offloading to
the intelligent interface cards helps with some performance for the
host, it will almost invariably break the md5 signatures on the packets.
That's probably the number one source of md5 signature failures when
someone is setting that up for the first time and plagues even me.  That
is on a server-wide basis though.  So needing md5 tcp signatures on even
one connection requires disabling offloading on that interface for
everything.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!