Add support for RFC2385 on Linux #4173

Closed. Wants to merge 1 commit into base: 4.0. 3 participants.

ghost commented Aug 30, 2015

Motivation:

There are protocols (BGP, SXP), which are typically deployed with TCP
MD5 authentication to protect sessions from being hijacked/torn down by
third parties. This facility is not available on most operating systems,
but is typically present on Linux.

Modifications:

  • add a new EpollChannelOption, which is write-only
  • teach Epoll(Server)SocketChannel to track which addresses have keys
    associated
  • teach Native how to set the MD5 signature keys for a socket

Result:

Users of the native-epoll transport can set MD5 signature keys and thus
leverage RFC-2385 protection on TCP connections.
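
The kernel facility the description above refers to ("teach Native how to set the MD5 signature keys for a socket"), shown as an added example that is not the PR's code: installing an RFC 2385 key for one IPv4 peer through the Linux `TCP_MD5SIG` socket option. The helper names `md5sig_fill` and `md5sig_set`, the peer address and the key are constructed for illustration.

```c
#define _GNU_SOURCE 1   /* exposes struct tcp_md5sig and explicit_bzero */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not Netty's): build the TCP_MD5SIG request for one IPv4
 * peer. keylen 0 asks the kernel to remove that peer's key. 0 or -1/EINVAL. */
int md5sig_fill(struct tcp_md5sig *req, const char *peer_ip,
                const void *key, size_t keylen)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)&req->tcpm_addr;
    memset(req, 0, sizeof(*req));
    if (keylen > TCP_MD5SIG_MAXKEYLEN || (keylen > 0 && key == NULL) ||
        inet_pton(AF_INET, peer_ip, &sin->sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    sin->sin_family = AF_INET;
    req->tcpm_keylen = (uint16_t)keylen;
    if (keylen > 0)
        memcpy(req->tcpm_key, key, keylen);
    return 0;
}

/* Hypothetical helper: install the key on fd (a listening socket, or a client
 * socket before connect()), then wipe the stack copy of the key material. */
int md5sig_set(int fd, const char *peer_ip, const void *key, size_t keylen)
{
    struct tcp_md5sig req;
    int rc = md5sig_fill(&req, peer_ip, key, keylen);
    if (rc == 0)
        rc = setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &req, sizeof(req));
    explicit_bzero(&req, sizeof(req));
    return rc;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc = md5sig_set(fd, "192.0.2.1", "constructed-key", 15); /* constructed */
    if (rc != 0)
        perror("TCP_MD5SIG");
    return rc != 0;
}
```

Both ends have to install the same key for each other's address, and on a kernel built without TCP MD5 support the `setsockopt` call fails.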

normanmaurer self-assigned this Aug 30, 2015

normanmaurer commented Aug 30, 2015

will have a look tomorrow

transport-native-epoll/src/main/c/io_netty_channel_epoll_Native.c (outdated)
@@ -707,6 +715,7 @@ private static NativeInetAddress toNativeInetAddress(InetAddress addr) {
private static native int epollerr();
private static native long ssizeMax();
private static native int tcpMd5SigMaxKeyLen();
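
Review bot: `tcpMd5SigMaxKeyLen()` at the end of this hunk has no comment saying what it returns or who is expected to enforce it. It sits with `epollerr()` and `ssizeMax()` as a native constant accessor, so a one-line comment stating that it is the maximum MD5 signature key length in bytes, and that keys are checked against it before they reach the native setter, would make the contract clear.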

trustin Aug 31, 2015

Member

Please insert an empty line below.

normanmaurer Sep 1, 2015

Member

+1

normanmaurer commented Aug 31, 2015

@vargarob great work! Just a few comments. Please address these + these of @trustin and ping us once done.

Also please sign our ICLA:
http://netty.io/s/icla

ghost commented Aug 31, 2015

Should be all addressed except the getOption() and HashMap(size) parts. Also, I have already signed the ICLA back in February this year :)

normanmaurer commented Aug 31, 2015

@vargarob can you please rebase on top of 4.0

normanmaurer commented Sep 1, 2015

@vargarob let me know once you think it is ready for merge.

...src/main/java/io/netty/channel/epoll/EpollServerSocketChannelConfig.java (outdated)
addresses.add(e.getKey());
}
return addresses;
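
Review bot: `return addresses;` hands the caller the same mutable list that `addresses.add(e.getKey())` has just filled, and nothing here states who owns it. Either return it through `Collections.unmodifiableList(addresses)` or add a comment that the list belongs to the caller and must not escape the package.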

normanmaurer Sep 1, 2015

Member

Do we want to wrap this in Collections.unmodifiableList(...) ?

ghost Sep 3, 2015

I do not think it's necessary -- both users take ownership of the collection and they do not leak it outside the package.

normanmaurer Sep 3, 2015

Member

ok good enough

normanmaurer commented Sep 1, 2015

@vargarob just another 3 comments. Thanks!

Robert Varga
Add support for RFC2385 on Linux

ghost commented Sep 3, 2015

@normanmaurer I think it is good to go

netkins commented on afb4677 Sep 3, 2015

TeamCity pull requests :: netty Build 170 is now running

netkins replied Sep 3, 2015

TeamCity pull requests :: netty Build 170 outcome was SUCCESS
Summary: Tests passed: 4764, ignored: 21 Build time: 00:30:16

normanmaurer commented Sep 3, 2015

Looking

normanmaurer commented Sep 3, 2015

@vargarob thanks a lot!

Cherry-picked into 4.0 (e29ba29), 4.1 (30a7701) and master (f1eddd6)
