Shorten the name of the socket option used to enable TCP-MD5 packet
treatment.

Submitted by: Vincent Jardin

Spell tcp_signature_compute correctly.

Initial import of RFC 2385 (TCP-MD5) digest support.

This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and

Initial import of RFC 2385 (TCP-MD5) digest support.

This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.

For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.

Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.

There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.

Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.

This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.

Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.

Sponsored by: sentex.net

show more ...

mdoc(7): Use the new feature of the .In macro.

mdoc(7) police: Tidy up the formatting.

Document the net.inet.tcp.rfc3390 sysctl variable.

Document the net.inet.tcp.rfc3042 sysctl variable.

Fix typos, mostly s/ an / a / where appropriate and a few s/an/and/
Add FreeBSD Id tag where missing.

english(4) police.

Spelling: s/then/than/ where appropriate.

Added xref to syncache(4).

mdoc(7) police: markup and grammar fixes for previous delta.

Change tcp.inflight_min from 1024 to a production default of 6144. Create
a sysctl for the stabilization value for the bandwidth delay product (inflight)
algorithm and document it.

MFC after: 3 days

mdoc(7) police: scheduled sweep.

Approved by: re

Add A section on the retransmit timer sysctls.

MFC after: 3 days

Oops, last manual commit was to -stable, should have been to -current.
No biggy, the code MFC to stable will catch up to the docs in a week.

X-MFC after: -7 days

Describe possible values for net.inet.tcp.log_in_vain
and their effects.

PR: docs/35932
Submitted by: Alex Semenyaka <alexs@ratmir.ru>
MFC after: 1 week

Update documentation relating to sysctls in a post-syncache
world. Goodbye tcp.tcp_lq_overflow and tcp.strict_rfc1948,
hello tcp.syncookies.

MFC after: 3 days

Ispell sweep of share/man/man4.

o Clarify that various sysctl timing values are in milliseconds.

mdoc(7) police: Use the new .In macro for #include statements.

Document two sysctl variables used by RFC 1948 functionality.

While I'm here, fix two markup inconsistencies.

Submitted by: silby

Removed whitespace at end-of-line; no content changes. I simply did
cd src/share; find man[1-9] -type f|xargs perl -pi -e 's/[ \t]+$//'

BTW, what editors are the culprits? I'm using vim and it shows

Removed whitespace at end-of-line; no content changes. I simply did
cd src/share; find man[1-9] -type f|xargs perl -pi -e 's/[ \t]+$//'

BTW, what editors are the culprits? I'm using vim and it shows
me whitespace at EOL in troff files with a thick blue block...

Reviewed by: Silence from cvs diff -b
MFC after: 7 days

show more ...

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: sort SEE ALSO xrefs (sort -b -f +2 -3 +1 -2).