Hi Alexandre,
Sorry for the delay. I probably need more time to play with your security
extension on syncd.
As for the TTL issues, if we set TTL=255, it may create a lot of
unnecessary multicast traffic, because routers may forward our multicast
messages. So, I set TTL=1 to limit the traffic to the local network. ICV
is usually enough to authenticate incoming sync messages, right? We can
have other ways to avoid malicious attacks from outside; for example,
the front-end router can block this multicast traffic for the IPVS multicast
address.
Thanks,
Wensong
On Sat, 27 Mar 2004, Alexandre Cassen wrote:
> Hi Wensong,
>
> As previously discussed, you will find attached a patch that adds strong
> authentication support to IPVS syncd. This uses the Kernel CryptoAPI for
> hmac-md5 computation using incremental updates while filling in the current
> syncd buffer (curr_sb).
>
> The patch is generated for the latest 2.6.4 kernel. The ipvsadm patch applies
> to the latest ipvsadm-1.24 present on the software pages. Additionally, you will
> find below the short write-up explaining this strong authentication
> extension. I will put this into a sexy pdf file on the LVS website as soon
> as Horms recovers the user data.
>
> At the end of the document, I would like to discuss the TTL value present
> in the multicast IP datagram, and the potential switch from TTL=1 to
> TTL=255. Please give me your opinion on this; I really think this can add
> more security. The current strong authentication patch doesn't implement
> this TTL=255 sanity check.
>
> All comments are welcome,
>
> have a nice week-end,
> Alexandre
>
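To make the two mechanisms discussed in this thread concrete, here is an added Python model of a receiver that validates a sync datagram the way the patch and the proposed TTL check would. It is example code written for this page, not Alexandre's kernel patch or any IPVS source, and the wire layout (a small header of syncid plus sequence number, fixed-size connection entries, and a trailing hmac-md5 ICV) is a hypothetical one chosen for illustration, not the real ip_vs_sync format. The sender side feeds the HMAC incrementally as entries are appended to the buffer, as the patch description says curr_sb is filled; the receiver recomputes the ICV over the whole body and compares it in constant time, and optionally enforces the TTL=255 sanity check: a datagram sent with TTL=255 that still arrives with TTL=255 cannot have crossed a router, whereas with the TTL=1 approach a router simply never forwards it. The `ttl_after_hops` helper only models that decrement.

```python
"""Constructed model of an authenticated sync datagram (example, not IPVS code)."""
import hashlib
import hmac
import struct

# Hypothetical layout: header = syncid(1) seq(4); entry = proto, flags, cport,
# vport, dport, caddr, vaddr, daddr; trailer = hmac-md5 ICV over header+entries.
HDR_FMT = "!BI"
HDR_LEN = struct.calcsize(HDR_FMT)            # 5
ENTRY_FMT = "!BBHHH4s4s4s"
ENTRY_LEN = struct.calcsize(ENTRY_FMT)        # 20
ICV_LEN = hashlib.md5().digest_size           # 16 bytes for hmac-md5


class SyncBuffer:
    """Sender side: the HMAC is updated incrementally as entries are appended,
    so no second pass over the buffer is needed when it is flushed."""

    def __init__(self, key: bytes, syncid: int, seq: int = 1):
        self.header = struct.pack(HDR_FMT, syncid, seq)
        self.entries = []
        self.mac = hmac.new(key, digestmod=hashlib.md5)
        self.mac.update(self.header)          # header is covered by the ICV

    def add(self, proto, flags, cport, vport, dport, caddr, vaddr, daddr):
        entry = struct.pack(ENTRY_FMT, proto, flags, cport, vport, dport,
                            caddr, vaddr, daddr)
        self.entries.append(entry)
        self.mac.update(entry)                # incremental update per entry

    def flush(self) -> bytes:
        """Return the datagram body followed by the ICV."""
        return self.header + b"".join(self.entries) + self.mac.digest()


def ttl_after_hops(sent_ttl: int, router_hops: int):
    """Model IP TTL handling: each router decrements TTL and drops at zero.
    Returns the TTL seen by the receiver, or None if a router dropped it."""
    ttl = sent_ttl
    for _ in range(router_hops):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def verify_sync_datagram(key: bytes, datagram: bytes, expected_syncid: int,
                         ip_ttl: int, require_ttl255: bool):
    """Receiver side. Returns (ok, reason, entries).

    Checks, in order: the TTL=255 sanity check (only when enabled), the
    datagram length, the ICV (constant-time compare), and the syncid.
    """
    if require_ttl255 and ip_ttl != 255:
        # A decremented TTL means the datagram was forwarded by a router.
        return False, "ttl", []
    body_len = len(datagram) - ICV_LEN
    if body_len < HDR_LEN or (body_len - HDR_LEN) % ENTRY_LEN != 0:
        return False, "length", []
    body, icv = datagram[:body_len], datagram[body_len:]
    expected = hmac.new(key, body, hashlib.md5).digest()
    if not hmac.compare_digest(expected, icv):
        return False, "icv", []
    syncid, _seq = struct.unpack(HDR_FMT, body[:HDR_LEN])
    if syncid != expected_syncid:
        return False, "syncid", []
    entries = [struct.unpack(ENTRY_FMT, body[i:i + ENTRY_LEN])
               for i in range(HDR_LEN, body_len, ENTRY_LEN)]
    return True, "ok", entries


if __name__ == "__main__":
    key = b"constructed-shared-key"           # constructed sample key
    sb = SyncBuffer(key, syncid=7)
    sb.add(6, 0, 40000, 80, 8080, bytes([10, 0, 0, 1]),
           bytes([10, 0, 0, 100]), bytes([192, 168, 1, 10]))
    dgram = sb.flush()
    print(verify_sync_datagram(key, dgram, 7, ip_ttl=255, require_ttl255=True))
    # Same datagram after one router hop: TTL check rejects it.
    print(verify_sync_datagram(key, dgram, 7, ip_ttl=ttl_after_hops(255, 1),
                               require_ttl255=True))
```

The ordering matters: the TTL check is the cheapest test and is applied before any HMAC work, so off-link datagrams cost the receiver nothing; the ICV is then compared with `hmac.compare_digest` rather than `==` so the comparison does not leak timing information about the expected value.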