lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <8CB45EFE0258939-2F30-B18@webmail-stg-d07.sysops.aol.com>
Date:	Fri, 16 Jan 2009 07:48:33 -0500
From:	jpo234@...scape.net
To:	andi@...stfloor.org
Cc:	netdev@...r.kernel.org
Subject: Re: Sending complete IPv6 packets without bypassing netfilter/IPsec

Andi,
I read the rationale in RFC 3542. Unfortunately this makes the 
following assumptions:
1) You know the IP protocol value when you open the socket. This is not 
true in my case because I get packets from a tun device.
2) Packet injection using packet sockets/libpcap provides the same 
functionality. Bad luck that this completely bypasses IPsec and 
netfilter.

To overcome 1) I would have to strip off the IPv6 header and then have 
a separate socket for every next-header value I might encounter. Not 
very appealing.

I know I'm partial right now, but at least the suggestion in the RFC 
that "some other technique, such as the datalink interfaces BPF or 
DLPI, must be used" is misguided.

Regards
  Joerg


-----Original Message-----
From: Andi Kleen <andi@...stfloor.org>
To: jpo234@...scape.net
Cc: netdev@...r.kernel.org
Sent: Fri, 16 Jan 2009 1:18 pm
Subject: Re: Sending complete IPv6 packets without bypassing 
netfilter/IPsec

jpo234@...scape.net writes:

> Hello all,
> the IPv4 socket interface had the nifty IP_HDRINCL option. It seems
> that an IPv6 version of this option is not available. The proposed
> solution for this seems to be to use libpcap to inject the
> packet. Unfortunately this completely bypasses both, netfilter and
> IPsec. So, am I lost or is there a way to do what I want/need?

The theory is (the same on IPv4) is that the socket options should
allow you to specify everything legal you could put into a IPv6 header
by hand.

-Andi

--
ak@...ux.intel.com -- Speaking for myself only.





--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists