Date:	Thu, 23 Jul 2009 19:16:13 +0000
From:	John Dykstra <>
To:	Martin Djernæs <>
Subject: Re: md5 on listening sockets

On Thu, 2009-07-23 at 16:38 +0200, Martin Djernæs wrote:
> I've been looking at using the md5 keys on a listening socket as one
> means of restricting access to the socket. 

MD5 authentication is typically used for BGP sessions.  It is not a
particularly strong authentication mechanism, as discussed in RFC 4278,
and there are several better options available as long as you don't have
to be compatible with BGP peers.

> When I specify an md5 key
> (with or without a peer ip address in the option) any tcp connect from
> another IP address will be accepted by this connection if the source
> IP is not found in the "md5sig->keys4" array.

The current behavior is consistent with the way MD5 authentication works
on OpenBSD, and perhaps other BSDs.  This behavior is expected by open
source routing applications.

I believe the intent is that the BGP well-known port must be able to
accept connections from both authenticated and non-authenticated peers.
It is up to the application to filter connections based on the address
of the connecting peer.

I agree that this behavior would be unfortunate for a general-purpose
authentication mechanism, but that is not what TCP MD5 authentication

John Dykstra
voice:           +1 651 484-1098            Yahoo IM:  jdykstra72
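As an added example that is not part of this thread, here is how the behaviour described above looks in application code on Linux: a key is installed for one IPv4 peer on the listening socket with TCP_MD5SIG, and the application then applies the address filter John describes, because the kernel still completes handshakes from addresses that have no key. Function names and the 192.0.2.x peer address are my own constructions.

```c
/* Added example (not from the thread): key one IPv4 peer on a listener,
 * then enforce the application-side address check, since connections
 * from peers without a configured key are still accepted by the kernel. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/tcp.h>   /* struct tcp_md5sig, TCP_MD5SIG, TCP_MD5SIG_MAXKEYLEN */

/* Fill a tcp_md5sig for an IPv4 peer; returns 0, or -1 on a bad address/key. */
int build_md5sig(struct tcp_md5sig *sig, const char *peer_ip, const char *key)
{
    size_t klen = strlen(key);
    struct sockaddr_in *sin = (struct sockaddr_in *)&sig->tcpm_addr;

    if (klen == 0 || klen > TCP_MD5SIG_MAXKEYLEN)
        return -1;
    memset(sig, 0, sizeof(*sig));
    sin->sin_family = AF_INET;
    if (inet_pton(AF_INET, peer_ip, &sin->sin_addr) != 1)
        return -1;
    sig->tcpm_keylen = (__u16)klen;
    memcpy(sig->tcpm_key, key, klen);
    return 0;
}

/* Install the key on the listening socket; sockets accepted from that
 * peer inherit it, other peers are not affected by it at all. */
int add_md5_peer(int lfd, const char *peer_ip, const char *key)
{
    struct tcp_md5sig sig;
    if (build_md5sig(&sig, peer_ip, key) < 0)
        return -1;
    return setsockopt(lfd, IPPROTO_TCP, TCP_MD5SIG, &sig, sizeof(sig));
}

/* The application-side check after accept(): is this peer one we keyed?
 * Returns 1 if its address is in the keyed list, 0 otherwise. */
int peer_is_keyed(const char *const *keyed, size_t n, const struct sockaddr_in *peer)
{
    char buf[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &peer->sin_addr, buf, sizeof(buf)))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(keyed[i], buf) == 0)
            return 1;
    return 0;
}
```

After accept(), pass the peer's sockaddr_in to peer_is_keyed() and close() the new socket when it returns 0; only peers that do have a key get their segments' signatures verified by the kernel.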

