From 73367b0a16db54dd65d9dbe204469b418053f38a Mon Sep 17 00:00:00 2001 From: Jason McIntyre Date: Thu, 7 Sep 2006 12:38:10 +0000 Subject: improve the tcpmd5 section; ok claudio hshoexer --- sbin/ipsecctl/ipsec.conf.5 | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'sbin') diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index a9def68c2ce..1eb447b966a 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.86 2006/09/07 09:57:02 jmc Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.87 2006/09/07 12:38:09 jmc Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" @@ -585,6 +585,17 @@ The encryption key is defined similarly to .Ic spi Ar number .Ic authkey Ar keyspec .Xc +TCP MD5 signatures are generally used between BGP daemons, such as +.Xr bgpd 8 . +Since +.Xr bgpd 8 +itself already provides this functionality, +this option is generally not needed. +More information on TCP MD5 signatures can be found in +.Xr tcp 4 , +.Xr bgpd.conf 5 , +and RFC 2385. +.Pp This rule applies for packets with source address .Ar src and destination address @@ -594,12 +605,6 @@ The parameter is a 32-bit value defining the Security Parameter Index (SPI) for this SA. The encryption key is defined similarly to .Ic authkey . -.Pp -For details on how to enable TCP MD5 signatures see -.Xr tcp 4 . -The mechanism of protecting -.Xr tcp 4 -sessions using MD5 is described in RFC 2385. .El .Sh CRYPTO TRANSFORMS It is very important that keys are not guessable. -- cgit v1.2.3
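Review bot: in the hunk at -585,6 +585,17, the added paragraph lands before "This rule applies for packets with source address", so the reader is told "this option is generally not needed" before being told what the rule does. Consider putting the description of the rule first and the bgpd note after it. The two added sentences both lean on "generally", and "this option" sits directly above "This rule" for the same construct; pick one term. The text names only the case where the rule is not needed (bgpd already provides the functionality); a short clause saying when a manually configured TCP MD5 SA is still the right choice would make the advice actionable.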
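Review bot: in the hunk at -594,12 +605,6, the unchanged line "The encryption key is defined similarly to .Ic authkey ." is now the closing sentence of the tcpmd5 item, yet the syntax shown for this rule takes only .Ic spi and .Ic authkey, and TCP MD5 signatures authenticate segments rather than encrypt them. As written, the sentence defines the key by reference to itself and mentions an encryption key the rule does not have. Since this commit reworks the section, suggest rewording it to describe the authentication key directly, for example by pointing at the place where keyspec is defined.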