• Shawn Lu's avatar
    tcp: md5: RST: getting md5 key from listener · 658ddaaf
    Shawn Lu authored
    TCP RST mechanism is broken in TCP md5(RFC2385). When
    connection is gone, md5 key is lost, sending RST
    without md5 hash is deem to ignored by peer. This can
    be a problem since RST help protocal like bgp to fast
    recove from peer crash.
    
    In most case, users of tcp md5, such as bgp and ldp,
    have listener on both sides to accept connection from peer.
    md5 keys for peers are saved in listening socket.
    
    There are two cases in finding md5 key when connection is
    lost:
    1.Passive receive RST: The message is send to well known port,
    tcp will associate it with listner. md5 key is gotten from
    listener.
    
    2.Active receive RST (no sock): The message is send to ative
    side, there is no socket associated with the message. In this
    case, finding listener from source port, then find md5 key from
    listener.
    
    we are not loosing sercuriy here:
    packet is checked with md5 hash. No RST is generated
    if md5 hash doesn't match or no md5 key can be found.
    Signed-off-by: default avatarShawn Lu <shawn.lu@ericsson.com>
    Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    658ddaaf
tcp_ipv4.c 67.7 KB