Message-Id: <1248376573.7971.19.camel@Maple>
Date:	Thu, 23 Jul 2009 19:16:13 +0000
From:	John Dykstra <john.dykstra1@...il.com>
To:	Martin Djernæs <mdjernaes@...z8.com>
Cc:	netdev@...r.kernel.org
Subject: Re: md5 on listening sockets

On Thu, 2009-07-23 at 16:38 +0200, Martin Djernæs wrote:
> I've been looking at using the md5 keys on a listening socket as one
> means of restricting access to the socket. 

MD5 authentication is typically used for BGP sessions.  It is not a
particularly strong authentication mechanism, as discussed in RFC 4278,
and there are several better options available as long as you don't have
to be compatible with BGP peers.

> When I specify an md5 key
> (with or without a peer ip address in the option) any tcp connect from
> another IP address will be accepted by this connection if the source
> IP is not found in the "md5sig->keys4" array.

The current behavior is consistent with the way MD5 authentication works
on OpenBSD, and perhaps other BSDs.  This behavior is expected by open
source routing applications.

I believe the intent is that the BGP well-known port must be able to
accept connections from both authenticated and non-authenticated peers.
It is up to the application to filter connections based on the address
of the connecting peer.

I agree that this behavior would be unfortunate for a general-purpose
authentication mechanism, but that is not what TCP MD5 authentication
is.

-- 
John Dykstra
voice:           +1 651 484-1098            Yahoo IM:  jdykstra72

LinkedIn:        http://www.linkedin.com/in/JohnDykstra
Blog:            http://johndykstra.blogspot.com/ 
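The behaviour described in this exchange, as an added example that is not part of the original thread or of any routing daemon: a listener installs a TCP MD5 signature key for one expected peer with TCP_MD5SIG, and then, because the kernel still completes handshakes from addresses that have no key configured, the application performs the per-peer address filtering the reply says is left to it. The allowlist addresses, the key string and the port handling are constructed for illustration; `peer_allowed` and `build_md5sig` are names chosen here, not kernel or library APIs.

```c
/* Added example (not from the thread): a listener that installs a TCP MD5
 * signature key for one known peer and then enforces the per-connection
 * address filtering that the reply says is left to the application. */
#include <arpa/inet.h>
#include <linux/tcp.h>      /* struct tcp_md5sig, TCP_MD5SIG, TCP_MD5SIG_MAXKEYLEN */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed allowlist: the peers that have been given an MD5 key. Any
 * other source address is refused after accept(). Addresses are hypothetical. */
static const char *const allowed_peers[] = { "192.0.2.10", "192.0.2.11" };
#define N_ALLOWED (sizeof allowed_peers / sizeof allowed_peers[0])

/* Returns 1 if the peer's IPv4 address is on the allowlist, else 0. */
int peer_allowed(const struct sockaddr_in *peer)
{
    for (size_t i = 0; i < N_ALLOWED; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, allowed_peers[i], &a) == 1 &&
            a.s_addr == peer->sin_addr.s_addr)
            return 1;
    }
    return 0;
}

/* Fill a tcp_md5sig for an IPv4 peer. Returns 0 on success, -1 if the key is
 * empty, does not fit the kernel's fixed buffer, or the address is malformed. */
int build_md5sig(struct tcp_md5sig *sig, const char *peer_ip, const char *key)
{
    size_t klen = strlen(key);
    struct sockaddr_in *sin = (struct sockaddr_in *)&sig->tcpm_addr;

    if (klen == 0 || klen > TCP_MD5SIG_MAXKEYLEN)
        return -1;
    memset(sig, 0, sizeof *sig);
    sin->sin_family = AF_INET;
    if (inet_pton(AF_INET, peer_ip, &sin->sin_addr) != 1)
        return -1;
    sig->tcpm_keylen = (__u16)klen;
    memcpy(sig->tcpm_key, key, klen);
    return 0;
}

int main(void)
{
    /* Port 179 (BGP) needs CAP_NET_BIND_SERVICE; use a high port to try unprivileged. */
    struct sockaddr_in local = { .sin_family = AF_INET, .sin_port = htons(179),
                                 .sin_addr.s_addr = htonl(INADDR_ANY) };
    struct tcp_md5sig sig;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);

    if (lfd < 0 || bind(lfd, (struct sockaddr *)&local, sizeof local) < 0 ||
        listen(lfd, 8) < 0) {
        perror("listen");
        return 1;
    }
    /* Key for the one peer expected to sign its segments (constructed key). */
    if (build_md5sig(&sig, allowed_peers[0], "constructed-example-key") < 0 ||
        setsockopt(lfd, IPPROTO_TCP, TCP_MD5SIG, &sig, sizeof sig) < 0) {
        perror("TCP_MD5SIG");
        return 1;
    }
    for (;;) {
        struct sockaddr_in peer;
        socklen_t plen = sizeof peer;
        char buf[INET_ADDRSTRLEN];
        int cfd = accept(lfd, (struct sockaddr *)&peer, &plen);

        if (cfd < 0)
            continue;
        inet_ntop(AF_INET, &peer.sin_addr, buf, sizeof buf);
        if (!peer_allowed(&peer)) {
            /* The kernel completed the handshake; unkeyed peers are refused here. */
            fprintf(stderr, "rejecting unauthenticated peer %s\n", buf);
            close(cfd);
            continue;
        }
        printf("accepted keyed peer %s\n", buf);
        close(cfd);   /* a real server would now run the session on cfd */
    }
}
```

Only segments from 192.0.2.10 are MD5-checked by the kernel in this setup; a connection from any other address is handed to accept() unchanged, which is why the allowlist check after accept() is the part that actually restricts access.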
