Subject: RFC2385 (TCP MD5 signatures) working with patch!
To: None <>
From: Jeff Rizzo <>
List: tech-net
Date: 06/25/2004 16:10:41
I'm happy to report that I managed to find the problems in the 
TCP_SIGNATURE code that were causing my machine to crash, and
with the patches in kern/26062 applied to the NetBSD kernel, and
Bruce M. Simpson's patches to quagga 0.96.4 applied, I am able to
peer quagga's bgpd running on NetBSD-2.0F with a Cisco, using
password-protected sessions.

The only directly-RFC2385 related problem is that the tcp_signature()
function is including the TCP options in the MD5 hash, which violates
the spec and makes interoperability impossible.

With the patch, it works with either FAST_IPSEC or KAME IPSEC code.

my test kernel config looks like this:

include "arch/i386/conf/GENERIC.MP"

options IPSEC
options IPSEC_ESP

options DEBUG
makeoptions     DEBUG="-g"

I would greatly appreciate it if someone with more knowledge than
me could look over the patch and let me know how it could be improved...


Jeff Rizzo