Subject: Re: TCP_SIGNATURE (rfc2385) panics and problems
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Jeff Rizzo <riz@boogers.sf.ca.us>
List: tech-net
Date: 05/24/2004 10:50:26
On Mon, May 24, 2004 at 10:29:48AM -0700, Jonathan Stone wrote:
> 
> In message <20040523011144.GA5956@boogers.sf.ca.us> Jeff Rizzo writes:
> 
> Jeff,
> 
> Thanks for taking the time to test this. Sorry to hear it didn't
> work for you.

It's more or less what I expected - this is not going to be a
heavily-used feature, so it's up to those of us who will use it
to beat on it as heavily as we can.  I have an interest in getting
this to a point where it can be pulled into a release as soon as
possible, so I can recommend NetBSD to clients who need this functionality.
(One is already moving to OpenBSD for this very issue)

> 
> I haven't had time to look into tcp_signatures since I initially
> committed a port of the FreeBSD code. I did a quick implementation of
> receive-side verification of the MD5 sums; but my available time
> for NetBSD hacking has been taken up with 2.0 release issues.

As it should be - we're all interested in 2.0 :)

> 
> The reference-counting in the initial commit was all borked up.
> Someone (Itojun?) reworked the initial commit to work with KAME
> IPsec, and made some considerable improvements in the key handling;
> but clearly never even tried compiling those changes with FAST_IPSEC
> (as the two or three unused variables show).

OK, so the initial commit worked with FAST_IPSEC but not (necessarily) KAME?
I suspected as much because of the work you've been doing with FAST_IPSEC,
but I didn't have much better luck there.  Part of my problem is that
I'm not all that familiar with the TCP code in the first place (which is
something I'm working on rectifying with a little help from the late
W.R. Stevens)

> 
> All I can tell you is that the initial FAST_IPSEC code did work, using
> a modified ttcp with command-line switches to set the TCP_MD5 setsockopt().

Is this modified ttcp something you can send me?  (patches, I assume)
If I can start from a known working state, I'll have a much better
chance of identifying where things are going wrong.  (I suspect
at least some amount of operator error)

> 
> Since I don't have a Cisco to play with, all I can do is try the same
> modified ttcp, between two *BSD machines, later this week.

Anything I can do to help out, I'm happy to.  I certainly understand
that your priorities are elsewhere, but anything you can provide
as far as info would be most helpful - I'll be working with both
BSD-based and Cisco-based pieces over the next couple weeks while I
help a client get their proprietary BGP code and quagga/zebra working
together with the signature code enabled under OpenBSD, and I'd
love to be able to show them that NetBSD is at least coming along.

Thanks for your response -

+j

-- 
Jeff Rizzo                                         http://boogers.sf.ca.us/~riz
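The thread refers to RFC 2385 MD5 signatures, the TCP_MD5 setsockopt() and receive-side verification of the digest without showing how the digest is formed. The following Python is an added illustration written for this page; it is not code from NetBSD's tcp_signature implementation, from the modified ttcp mentioned above, or from anyone on the thread. It builds a TCP segment carrying the kind-19 signature option over the four items RFC 2385 lists (pseudo-header, fixed TCP header with the checksum zeroed and options excluded, segment data, shared key) and then performs the receive-side check. The addresses, ports, key and payload are constructed values; the function names are the example's own.

```python
"""RFC 2385 TCP MD5 signature: build a signed segment and verify it on receipt.

Added example, not the NetBSD or FreeBSD tcp_signature code. All addresses,
ports, the key and the payload below are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19    # option kind assigned by RFC 2385
TCPOLEN_SIGNATURE = 18   # kind + length + 16-byte MD5 digest
IPPROTO_TCP = 6


def _pseudo_header(src_ip, dst_ip, seg_len):
    # RFC 2385 item 1: source addr, dest addr, zero-padded protocol, TCP segment length
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))


def rfc2385_digest(src_ip, dst_ip, fixed_header, seg_len, data, key):
    """MD5 over pseudo-header, 20-byte TCP header (checksum := 0, no options), data, key."""
    assert len(fixed_header) == 20
    hdr = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]  # checksum field zeroed
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, seg_len))  # item 1
    m.update(hdr)                                      # item 2: header excluding options
    m.update(data)                                     # item 3: segment data
    m.update(key)                                      # item 4: shared key
    return m.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, data, key):
    """Sender side: fixed header + [NOP NOP kind=19 len=18 digest] + data.

    The 18-byte option is padded with two NOPs to a 32-bit boundary, so the
    header is 40 bytes (data offset 10). The TCP checksum is left at zero here;
    a real stack fills it in after signing, and it is zeroed for the digest anyway.
    """
    opt_len = TCPOLEN_SIGNATURE + 2
    data_offset = (20 + opt_len) // 4
    seg_len = 20 + opt_len + len(data)  # pseudo-header length counts options and data
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, fixed, seg_len, data, key)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest
    return fixed + options + data


def find_signature_option(segment):
    """Walk the option list and return the 16-byte digest from the kind-19 option, or None."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                      # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                      # malformed option list
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return opts[i + 2:i + TCPOLEN_SIGNATURE]
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest over the segment as received and compare."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    received = find_signature_option(segment)
    if received is None:
        return False        # unsigned segment on a connection that expects signatures
    expected = rfc2385_digest(src_ip, dst_ip, segment[:20], len(segment),
                              segment[data_offset:], key)
    return hmac.compare_digest(received, expected)  # constant-time comparison


if __name__ == "__main__":
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 40000,
                               1000, 2000, 0x18, 65535, b"BGP", b"secret")
    print(verify_signed_segment("192.0.2.1", "192.0.2.2", seg, b"secret"))
```

Two properties of the scheme are visible in the checks: because the checksum field is zeroed before hashing, a segment whose checksum was rewritten still verifies, while swapping the addresses in the pseudo-header or altering one byte of payload or key makes the digest mismatch.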