On Fri, Jan 6, 2012 at 10:35 AM, Ed Maste <ema...@freebsd.org> wrote:
> Thank you very much for this extensive testing and analysis. Would you
> care to post your basic echo server somewhere for others to use in
> debugging this, just to save time for anyone who can debug further?

With a bit of clean-up to stop people who look at it from instantly going blind in self-defense, I should be able to do that later today.

> +Outgoing traffic is digested; digests on incoming traffic are verfied
> +if the net.inet.tcp.signature_verify_input sysctl is nonzero.

Good change. This bit from tcp(4) may also be inaccurate: "Only IPv4 (AF_INET) sessions are supported." It appears to work with IPv6 as well. (Arguably it should not since tmk the standard was never defined/intended for IPv6, but there is no doubt that having it work is very useful for IPv6 BGP.)

> The current default behavior for the system is to respond to a system
> advertising this option with TCP-MD5; this may change.

This behavior described in the man page did pop up last night. The bit about "this may change" is of concern because currently this answers the question of how a single bound socket is supposed to serve both clients that do and do not use TCP-MD5. It's actually quite easy/convenient, so it would be a shame if that did change.

> Yes, your testing clearly demonstrates some kernel issues here. I'll
> see if I can find someone to investigate (or can help guide further
> debugging).

If I can help, I am happy to do so, but in general the kernel is something that happens to other people. :)

Thanks!
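
Review bot: In the first added line of the quoted tcp(4) hunk, "verfied" is misspelled and should read "verified". The added sentence also names net.inet.tcp.signature_verify_input without stating its default value, so a reader cannot tell from this text alone whether digests on incoming traffic are checked out of the box; consider stating the default next to the sysctl name.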