lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CABjs8yU_+7asT+=FS5CSsZrmkwADUjpVr7+kP2WGcPtsCdFWag@mail.gmail.com>
Date:	Fri, 19 Aug 2011 12:13:01 +0530
From:	krbmit siso <krbmit@...il.com>
To:	Timo Teräs <timo.teras@....fi>
Cc:	netdev@...r.kernel.org, ipsec-tools-users@...ts.sourceforge.net,
	ipsec-tools-devel@...ts.sourceforge.net,
	ikev2-devel@...ts.sourceforge.net
Subject: Re: protect raw sockets

Hi Timo ,
You are absolutely right, I am using it for traffic generator but,
i want it with ESP , so i want to make the best use of underlying kernel
XFRM functionality . It can be provided has an option
in the kernel like eg ..CONFIG_SECURE_RAW for applying IPsec
policy .

Regards
Naveen

2011/8/19 Timo Teräs <timo.teras@....fi>:
> On 08/18/2011 06:01 PM, krbmit siso wrote:
>> After adding the below code in net/ipv4/raw.c in function raw_send_hdrinc()
>> I am able to see packet sent using RAW_SOCKET getting protected .
>>
>> Please  let me know how can it be done better and provide it has a feature
>> , so that others can also use it  if  packet sent using RAW_SOCKET
>> needs to be protected.
>
> Raw sockets are raw sockets. They are used to send out network traffic
> that was captured earlier, or to generate test traffic. I don't think
> it makes any sense to apply XFRM policies to them: it might break the
> usage this API was intended for. The whole purpose of raw sockets is to
> bypass kernel side extra handling.
>
> To generate IPsec protected stuff use the normal APIs: regular UDP/TCP
> sockets.
>
> The same applies for sending/receiving IKE packets. You need regular UDP
> socket with IPsec bypass policy.
>
> What's your point in trying to use raw sockets? You should not need to
> use them unless you are implementing a packet capturer or a network
> traffic generator.
>
> - Timo
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ