TCP MD5 Verification - 2.6.35.14

Nitin Sharma nitinics at gmail.com
Tue Jan 10 12:40:44 EST 2012


Thanks.

I have my kernel compiled with TCP_MD5SIG.

[root at quagga2 ~]# uname -a
Linux quagga2 2.6.35.14-106.49.amzn1.x86_64 #1 SMP Fri Dec 2 18:19:57 UTC
2011 x86_64 x86_64 x86_64 GNU/Linux
[root at quagga2 ~]# grep MD5 /boot/config-2.6.35.14-106.49.amzn1.x86_64
CONFIG_TCP_MD5SIG=y
# CONFIG_SCTP_HMAC_MD5 is not set
CONFIG_CRYPTO_MD5=y

However, I get the following in the tcpdump output.

17:32:35.031248 IP (tos 0xc0, ttl 255, id 4621, offset 0, flags [DF], proto
TCP (6), length 72)
    xxxxxxxxxx.37989 > xxxxxxxxxx.bgp: Flags [S], cksum 0x8cb0 (correct),
seq 1652793081, win 5840, options [nop,nop,*md5shared secret not supplied
with -M, can't check - 34c5e4259ac630f773714efcd62cf420*,mss
1460,nop,nop,sackOK,nop,wscale 6], length 0

I wonder if I can disable TCP signature verification using sysctl or
something similar, without recompiling?



On Tue, Jan 10, 2012 at 9:02 AM, richard -rw- weinberger <
richard.weinberger at gmail.com> wrote:

> On Tue, Jan 10, 2012 at 5:05 AM, Nitin Sharma <nitinics at gmail.com> wrote:
> > Is there an equivalent of
> > (FreeBSD)
> > sysctl net.inet.tcp.signature_verify_input=0
> >
> > in Linux?
> > 2.6.35.14-x
> >
> > How is the MD5 verification of incoming TCP packets done?
>
> See CONFIG_TCP_MD5SIG.
>
> --
> Thanks,
> //richard
>
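
Added example, not part of the original thread and not kernel code: the RFC 2385 check that the question about incoming verification refers to, and that tcpdump performs when given the secret with -M. It runs over a constructed SYN with the same option layout as the capture above. The addresses, the key and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5 = 0, 1, 19


def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), data, key."""
    header_len = (segment[12] >> 4) * 4  # data offset, includes options
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]  # options are skipped
    return hashlib.md5(pseudo + fixed + segment[header_len:] + key).digest()


def md5_option(segment):
    """Return the 16-byte digest from TCP option kind 19, or None."""
    i, end = 20, min((segment[12] >> 4) * 4, len(segment))
    while i < end and segment[i] != TCPOPT_EOL:
        if segment[i] == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2 or i + segment[i + 1] > end:
            return None  # truncated or malformed option list
        if segment[i] == TCPOPT_MD5 and segment[i + 1] == 18:
            return segment[i + 2:i + 18]
        i += segment[i + 1]
    return None


def verify(src_ip, dst_ip, segment, key):
    """Receiver-side check: option present and digest matches the shared key."""
    received = md5_option(segment)
    expected = rfc2385_digest(src_ip, dst_ip, segment, key)
    return received is not None and hmac.compare_digest(received, expected)


def build_syn(src_ip, dst_ip, sport, dport, seq, key):
    """Constructed SYN using the option layout shown in the capture above."""
    opts = bytearray(b"\x01\x01\x13\x12" + bytes(16)  # nop,nop,md5 placeholder
                     + b"\x02\x04\x05\xb4\x01\x01\x04\x02\x01\x03\x03\x06")
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      ((20 + len(opts)) // 4) << 4, 0x02, 5840, 0, 0)
    opts[4:20] = rfc2385_digest(src_ip, dst_ip, hdr + bytes(opts), key)
    return hdr + bytes(opts)
```

The digest covers the addresses, ports and sequence number but neither the TCP checksum nor the options, so a receiver with the wrong key, or with the right key on a segment whose header or addresses were altered, computes a different value and the check fails.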