MD5'd BGP sessions over IPv6?

Hi, As RIS is also using Quagga I was wondering if you have implemented the MD5 passworded TCP sessions, especially also over IPv6. FYI: http://hasso.linux.ee/quagga/bgp-md5.en.php contains the Linux patches, FreeBSD patches are also out. Greets, Jeroen

--On Thursday, 22 April, 2004 11:17 +0200 Jeroen Massar <jeroen@unfix.org> wrote:
> As RIS is also using Quagga I was wondering if you have implemented the MD5 passworded TCP sessions, especially also over IPv6.

RFC2385 only defines the TCP MD5 Signature for IP version 4. I guess that the intention was for IPv6 TCP to be protected using other methods such as IPsec.

James
--
James Aldridge, Network Engineer, New Projects Group, RIPE NCC
Tel: +31 20 535 4421 Fax: +31 20 535 4445 GSM: +31 6 5247 6932
PGP Key Fingerprint: 8F8F D923 48E8 FB76 8DD1 60CB 5003 859C F4BB E729

On Thu, 2004-04-22 at 14:18, James Aldridge wrote:
> --On Thursday, 22 April, 2004 11:17 +0200 Jeroen Massar <jeroen@unfix.org> wrote:
> > As RIS is also using Quagga I was wondering if you have implemented the MD5 passworded TCP sessions, especially also over IPv6.
> RFC2385 only defines the TCP MD5 Signature for IP version 4. I guess that the intention was for IPv6 TCP to be protected using other methods such as IPsec.

I don't think that many routers/OSes support IPsec over IPv6, although it is one of the 'requirements' of IPv6. RFC2385 doesn't specify any IP restrictions though, and apparently Juniper and Cisco do MD5 over IPv6, but how exactly is unclear to me... I'll try to adapt the current IPv4 patches to IPv6, as it seems to be only TCP related since they stick the MD5 in the option headers of TCP...

Greets, Jeroen

On Thu, Apr 22, 2004 at 14:44:06 +0200, Jeroen Massar wrote:
> I'll try to adapt the current IPv4 patches to IPv6, as it seems to be only TCP related since they stick the MD5 in the option headers of TCP...
As far as I know, this is correct. The underlying IP version does not matter. It should work for both v4 and v6. rvdp

On Thu, 2004-04-22 at 14:56, Ronald van der Pol wrote:
> On Thu, Apr 22, 2004 at 14:44:06 +0200, Jeroen Massar wrote:
> > I'll try to adapt the current IPv4 patches to IPv6, as it seems to be only TCP related since they stick the MD5 in the option headers of TCP...
> As far as I know, this is correct. The underlying IP version does not matter. It should work for both v4 and v6.

In that case I have some nice work for this evening ;) I'll build a double Quagga test setup and test between those, and then test it using a Cisco on the other end too. If that works I'll upgrade the GRH setup, which should be a good test to see if those peers can work with the patch. After that I think it should be ready for RIS deployment too. Expect some more info after this weekend...

Though the RIS boxes have the advantage that they are (afaik) not using multihop BGPs like GRH, and thus can be protected largely with ingress filters and the like on the peering meshes.

Another patch I'll add is to be able to 'hide' the local/remote port numbers. Though that is only 2x 65535 tries to get it right, and statistically less of course, <1024 not being used etc.

Greets, Jeroen
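The point Ronald and Jeroen settle on above, that the TCP MD5 option is computed over TCP material plus a pseudo-header and so carries over to IPv6, is easiest to see by writing the RFC 2385 digest out. The block below is an added example for this thread; it is not code from Quagga, nor from the Linux or FreeBSD patches being discussed. It signs and verifies a TCP segment with the kind-19 option for both address families. The IPv4 pseudo-header is the RFC 793 one named in RFC 2385; for IPv6 the block uses the RFC 2460 section 8.1 pseudo-header (addresses, 32-bit length, three zero bytes, next header), which is also the layout the Linux kernel's later TCP_MD5SIG support uses. The 80-byte key limit is the Linux TCP_MD5SIG constant. Addresses, ports and the key are constructed sample values. One caveat a practitioner would want: this option is a keyed MD5 digest, not an HMAC, and RFC 5925 TCP-AO was later specified to replace it.

```python
"""RFC 2385 TCP MD5 signature option, signed and verified over IPv4 and IPv6.

Added example for this thread; not code from Quagga or from the Linux/FreeBSD
patches under discussion. Addresses, ports and the key are constructed values.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP = 6
TCPOPT_MD5SIG = 19       # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18      # kind(1) + length(1) + 16-byte digest
MD5SIG_MAXKEYLEN = 80    # key limit of the Linux TCP_MD5SIG socket option


def pseudo_header(src, dst, segment_len):
    """The only part of the digest input that depends on the IP version.

    IPv4 (RFC 793):  src(4) dst(4) zero(1) proto(1) tcp_len(2)
    IPv6 (RFC 2460): src(16) dst(16) tcp_len(4) zero(3) next_header(1)
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    if s.version == 4:
        return s.packed + d.packed + struct.pack("!BBH", 0, IPPROTO_TCP, segment_len)
    return s.packed + d.packed + struct.pack("!I3xB", segment_len, IPPROTO_TCP)


def tcp_md5_digest(src, dst, fixed_hdr, payload, key):
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte fixed TCP
    header with its checksum zeroed (options excluded), the data, then the key."""
    if len(fixed_hdr) != 20:
        raise ValueError("need the 20-byte fixed TCP header")
    if not 0 < len(key) <= MD5SIG_MAXKEYLEN:
        raise ValueError("key must be 1..%d bytes" % MD5SIG_MAXKEYLEN)
    # Data offset (32-bit words) already covers the options, so the length the
    # pseudo-header wants is header-with-options plus data.
    segment_len = (fixed_hdr[12] >> 4) * 4 + len(payload)
    hdr_zero_csum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    h = hashlib.md5()
    h.update(pseudo_header(src, dst, segment_len))
    h.update(hdr_zero_csum)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_segment(src, dst, sport, dport, seq, ack, flags, payload, key):
    """Return fixed header + MD5 option + payload. The 18-byte option is padded
    with two NOPs to a 32-bit boundary, so data offset is (20 + 20) / 4 = 10.
    The TCP checksum stays zero: the digest ignores it by definition and
    computing it is outside this example."""
    doff = (20 + 20) // 4
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                            doff << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src, dst, fixed_hdr, payload, key)
    option = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + b"\x01\x01"
    return fixed_hdr + option + payload


def verify_segment(src, dst, segment, key):
    """Walk the option list for kind 19 and compare its digest in constant time.
    Returns False when the option is missing, malformed or does not match."""
    if len(segment) < 20:
        return False
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return False
    fixed_hdr, opts, payload = segment[:20], segment[20:doff], segment[doff:]
    received = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            return False                   # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False                   # bad length field
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            received = opts[i + 2:i + length]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src, dst, fixed_hdr, payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"constructed-example-key"       # constructed sample value
    for src, dst in (("192.0.2.1", "192.0.2.2"), ("2001:db8::1", "2001:db8::2")):
        seg = build_segment(src, dst, 179, 40000, 1000, 2000, 0x18, b"BGP", key)
        print(src, "->", dst, "valid:", verify_segment(src, dst, seg, key),
              "wrong key:", verify_segment(src, dst, seg, b"other"))
```

Running it shows the same TCP header and payload producing different digests for the v4 and v6 pairs, because only the pseudo-header changed; everything after it in the digest input is pure TCP, which is what makes the IPv4 patch portable to IPv6. The verifier deliberately rejects a segment that carries no option at all, since a peer configured with a key must not accept unsigned segments.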