Re: RFC2385 (MD5 signature in TCP packets) support

bert hubert (ahu@ds9a.nl)
Sun, 17 Mar 2002 11:00:08 +0100


On Fri, Mar 15, 2002 at 10:57:11PM +0000, David S. Miller wrote:
>
> There is no reason to not be doing this MD5 garbage in
> userspace. Whoever thought to do this in the protocol
> itself was smoking something.

I did a lot of this using an iptables module. Iptables lends itself very
well to these kinds of things. Toy code at http://ds9a.nl/sps/

> Maybe I'm missing something, but I see no reason this MD5
> stuff belongs in the protocol and not in the APP.

Some of the idea is cool. You can give a host a 'key' and tell your packet
filter to have it pass packets signed with that key. This way you can grant
or disable access on a very low level without depending on IP addresses,
which can be spoofed.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
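The filtering idea bert describes above (let a packet through only if it carries a valid RFC2385 TCP MD5 option computed with a key the host was given) can be shown end to end in user space. The following is an added example, not bert's code, not the toy code at ds9a.nl/sps/, and not the kernel implementation under discussion: it builds a TCP segment, attaches the RFC2385 option (kind 19, length 18, 16-byte digest over pseudo-header, fixed header with zero checksum, payload and key), and then makes the accept/drop decision a packet filter would make. Addresses, ports, payload and the key are constructed for the demo; the IP checksum and TCP checksum are left at zero because the digest treats the TCP checksum as zero anyway.

```python
import hashlib
import hmac
import socket
import struct

TCP_OPT_MD5 = 19       # RFC2385 option kind
TCP_OPT_MD5_LEN = 18   # kind(1) + len(1) + 16-byte digest
IPPROTO_TCP = 6


def _pseudo_header(src_ip, dst_ip, tcp_len):
    # RFC2385 section 2.0: source addr, dest addr, zero, protocol, TCP segment length
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, tcp_len, payload, key):
    """RFC2385 digest: pseudo-header, 20-byte header (checksum zeroed, options
    excluded), segment data, then the shared key. Plain keyed MD5, not HMAC."""
    if len(fixed_hdr) != 20:
        raise ValueError("fixed TCP header must be 20 bytes")
    hdr_zero_csum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, tcp_len))
    m.update(hdr_zero_csum)
    m.update(payload)
    m.update(key)
    return m.digest()


def build_tcp_header(sport, dport, seq, ack, flags, window, opt_len):
    # Data offset must already count the option bytes that will follow.
    data_offset = (20 + opt_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def _find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # EOL
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None          # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None          # malformed length, reject rather than guess
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return bytes(options[i + 2:i + length])
        i += length
    return None


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key,
                 window=65535):
    """Sender side: emit fixed header + MD5 option + 2 NOP pad + payload."""
    opt_len = TCP_OPT_MD5_LEN + 2   # two NOPs pad the option list to 20 bytes
    fixed_hdr = build_tcp_header(sport, dport, seq, ack, flags, window, opt_len)
    tcp_len = 20 + opt_len + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, tcp_len, payload, key)
    options = bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest + b"\x01\x01"
    return fixed_hdr + options + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver/filter side: recompute the digest from the IP addresses the
    packet actually arrived with and compare in constant time."""
    if len(segment) < 20:
        return False
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return False
    digest = _find_md5_option(segment[20:hdr_len])
    if digest is None:
        return False             # unsigned segment: key holders only
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:20], len(segment),
                              segment[hdr_len:], key)
    return hmac.compare_digest(digest, expected)


def filter_packet(src_ip, dst_ip, segment, key):
    """What the packet-filter module decides for one segment."""
    return "ACCEPT" if verify_segment(src_ip, dst_ip, segment, key) else "DROP"


if __name__ == "__main__":
    key = b"s3cret"                       # constructed demo key
    seg = sign_segment("192.0.2.10", "192.0.2.20", 40000, 179, 1, 0, 0x18,
                       b"hello", key)
    print("genuine:", filter_packet("192.0.2.10", "192.0.2.20", seg, key))
    # Replay of the same bytes from a spoofed source address fails the digest.
    print("spoofed src:", filter_packet("198.51.100.7", "192.0.2.20", seg, key))
    print("wrong key:", filter_packet("192.0.2.10", "192.0.2.20", seg, b"nope"))
```

The spoofed-source case is the point of the filter: the source address is bound into the pseudo-header that is hashed, so a host that forges the IP header but lacks the key cannot produce a segment the filter accepts. The caveat a practitioner should keep in mind is that RFC2385 is a keyed MD5 suffix construction rather than an HMAC, and it has since been superseded by TCP-AO (RFC5925).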