From: John Dykstra <john.dykstra1@gmail.com>
To: "Martin Djernæs" <mdjernaes@pulz8.com>
Cc: netdev@vger.kernel.org
Subject: Re: md5 on listening sockets
Date: Thu, 23 Jul 2009 19:16:13 +0000 [thread overview]
Message-ID: <1248376573.7971.19.camel@Maple> (raw)
In-Reply-To: <aa9682190907230738y23636cc5yd8b4e7a854f7b59c@mail.gmail.com>
On Thu, 2009-07-23 at 16:38 +0200, Martin Djernæs wrote:
> I've been looking at using the md5 keys on a listening socket as one
> means of restricting access to the socket.
MD5 authentication is typically used for BGP sessions. It is not a
particularly strong authentication mechanism, as discussed in RFC 4278,
and there are several better options available as long as you don't have
to be compatible with BGP peers.
> When I specify an md5 key
> (with or without a peer ip address in the option) any tcp connect from
> another IP address will be accepted by this connection if the source
> IP is not found in the "md5sig->keys4" array.
The current behavior is consistent with the way MD5 authentication works
on OpenBSD, and perhaps other BSDs. This behavior is expected by open
source routing applications.
I believe the intent is that the BGP well-known port must be able to
accept connections from both authenticated and non-authenticated peers.
It is up to the application to filter connections based on the address
of the connecting peer.
I agree that this behavior would be unfortunate for a general-purpose
authentication mechanism, but that is not what TCP MD5 authentication
is.
--
John Dykstra
voice: +1 651 484-1098 Yahoo IM: jdykstra72
LinkedIn: http://www.linkedin.com/in/JohnDykstra
Blog: http://johndykstra.blogspot.com/
prev parent reply other threads:[~2009-07-23 19:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-23 14:38 md5 on listening sockets Martin Djernæs
2009-07-23 19:16 ` John Dykstra [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1248376573.7971.19.camel@Maple \
--to=john.dykstra1@gmail.com \
--cc=mdjernaes@pulz8.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).