From: Eric Dumazet <eric.dumazet@gmail.com>
To: Shawn Lu <shawn.lu@ericsson.com>
Cc: "davem@davemloft.net" <davem@davemloft.net>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"xiaoclu@gmail.com" <xiaoclu@gmail.com>
Subject: RE: [PATCH] tcp: md5: fix md5 RST when both sides have listener
Date: Wed, 01 Feb 2012 08:53:53 +0100
Message-ID: <1328082833.22641.9.camel@edumazet-laptop>
In-Reply-To: <62162DF05402B341B3DB59932A1FA992B5B5B932C9@EUSAACMS0702.eamcs.ericsson.se>
On Wednesday, 01 February 2012 at 02:48 -0500, Shawn Lu wrote:
> Hi, Eric:
>
> How about changing the title and log to the following:
>
> tcp: md5: RST: getting md5 key from listener
>
> The TCP RST mechanism is broken in TCP md5 (RFC2385). When
> the connection is gone, the md5 key is lost, and a RST sent
> without an md5 hash is deemed to be ignored by the peer. This can
> be a problem since RST helps protocols like bgp to recover
> fast from a peer crash.
>
> In most cases, users of tcp md5, such as bgp and ldp,
> have a listener on both sides to accept connections from the peer.
> md5 keys for peers are saved in the listening socket.
>
> There are two cases in finding the md5 key when the connection is
> lost:
> 1. Passive receive RST: The message is sent to a well-known port,
> tcp will associate the packet with the listener. The md5 key can be
> gotten from the listener.
>
> 2. Active receive RST (no sock): The message is sent to the active
> side, there is no socket associated with the message. In this case,
> find the listener from the source port, then find the md5 key from
> the listener.
>
> We are not losing security here:
> the packet is checked with the md5 hash. No RST is generated
> if the md5 hash doesn't match or no md5 key can be found.
>
> Note:
> Will send out a new version that is on top of your new patch
> -- "tcp: md5: protects md5sig_info with RCU"
>
Seems good to me!
By the way, is the patch going to work if netfilter conntrack is
enabled?
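The two lookup cases in Shawn Lu's proposed changelog, modelled as an added example; this is not code from the thread or from the kernel patch, and it runs in user space rather than in the stack. The Host, Listener and Segment types are hypothetical stand-ins for the kernel's socket and skb structures, the addresses, ports and key are constructed, and the digest follows RFC 2385 (pseudo-header, option-less TCP header with zero checksum, segment data, then the key). The RST is only produced when a key is found and the incoming segment's digest verifies; otherwise the segment is dropped silently, which is the security property the changelog relies on.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TCP_PROTO = 6
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10
MD5_OPT_LEN = 20  # kind 19, len 18, 16-byte digest, padded to a 4-byte boundary


@dataclass
class Segment:
    saddr: str
    daddr: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int = 0
    payload: bytes = b""
    md5: Optional[bytes] = None  # digest carried in the TCP-MD5 option, if any


@dataclass
class Listener:
    port: int
    peer_keys: Dict[str, bytes] = field(default_factory=dict)  # peer address -> key


@dataclass
class Host:
    # (local addr, local port, peer addr, peer port) -> key of an established socket
    established: Dict[Tuple[str, int, str, int], bytes] = field(default_factory=dict)
    listeners: Dict[int, Listener] = field(default_factory=dict)  # local port -> listener


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 digest over pseudo-header, TCP header without options and with
    a zero checksum, the segment data, and finally the key."""
    doff = (20 + MD5_OPT_LEN) // 4            # header length of the signed segment
    seg_len = 20 + MD5_OPT_LEN + len(seg.payload)
    pseudo = _ip(seg.saddr) + _ip(seg.daddr) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    hdr = struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      (doff << 12) | seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()


def sign(seg: Segment, key: bytes) -> Segment:
    seg.md5 = tcp_md5_digest(seg, key)
    return seg


def find_md5_key(host: Host, seg: Segment) -> Optional[bytes]:
    """Locate the md5 key for an incoming segment, following the changelog."""
    key = host.established.get((seg.daddr, seg.dport, seg.saddr, seg.sport))
    if key is not None:
        return key                            # a live connection owns its key
    # Case 1, passive side: the segment targets our well-known port, so the
    # listener bound there holds the peer's key.
    lsn = host.listeners.get(seg.dport)
    if lsn is not None and seg.saddr in lsn.peer_keys:
        return lsn.peer_keys[seg.saddr]
    # Case 2, active side with no socket: the segment arrives on an ephemeral
    # port; the peer's well-known source port names our own listener for the
    # same service, which stores the key configured for that peer.
    lsn = host.listeners.get(seg.sport)
    if lsn is not None and seg.saddr in lsn.peer_keys:
        return lsn.peer_keys[seg.saddr]
    return None


def rst_for_unknown_connection(host: Host, seg: Segment) -> Optional[Segment]:
    """Signed RST for a segment with no matching socket, or None to drop it."""
    if seg.flags & TH_RST:
        return None                           # a RST is never answered with a RST
    key = find_md5_key(host, seg)
    if key is None or seg.md5 is None:
        return None                           # no key or unsigned segment: drop
    if not hmac.compare_digest(seg.md5, tcp_md5_digest(seg, key)):
        return None                           # digest mismatch: drop
    if seg.flags & TH_ACK:
        rst = Segment(seg.daddr, seg.saddr, seg.dport, seg.sport, seg.ack, 0, TH_RST)
    else:
        end = seg.seq + len(seg.payload) + bool(seg.flags & TH_SYN) + bool(seg.flags & TH_FIN)
        rst = Segment(seg.daddr, seg.saddr, seg.dport, seg.sport, 0, end & 0xFFFFFFFF, TH_RST | TH_ACK)
    return sign(rst, key)


if __name__ == "__main__":
    # Constructed scenario: a BGP listener on port 179 with a key for one peer.
    host = Host(listeners={179: Listener(179, {"10.0.0.2": b"constructed-bgp-key"})})
    stale = sign(Segment("10.0.0.2", "10.0.0.1", 179, 40000, 1000, 5000, TH_ACK, payload=b"x"),
                 b"constructed-bgp-key")
    print(rst_for_unknown_connection(host, stale))
```

The active-side branch is the one the patch adds: without it, a segment for a connection that no longer exists reaches a host that has no socket and therefore no key, and any RST it sent back would be unsigned and discarded by the peer.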