Open Source and information security mailing list archives
Date:   Tue, 14 Dec 2021 16:55:27 -0600
From:   Alex Elder <elder@...aro.org>
To:     Andrew Lunn <andrew@...n.ch>
Cc:     Network Development <netdev@...r.kernel.org>,
        "bjorn.andersson@...aro.org" <bjorn.andersson@...aro.org>
Subject: Re: Port mirroring (RFC)

On 12/14/21 12:27 PM, Andrew Lunn wrote:
> On Tue, Dec 14, 2021 at 08:47:12AM -0600, Alex Elder wrote:
>> I am implementing what amounts to port mirroring functionality
>> for the IPA driver.
>>
>> The IPA hardware isn't exactly a network switch (it's sort of
>> more than that), but it has the ability to supply replicas of
>> packets transferred within it to a special (read only) interface.
> 
> I think you need to explain "within it" in a bit more detail. Where
> are these packets coming from/going to?

Sorry, I didn't want to dive into too much detail up front.

IPA is a device that sits between the main CPU and a modem,
carrying WWAN network data between them.

In addition, there is a small number of other entities that
could be reachable through the IPA hardware, such as a WiFi
device providing access to a WLAN.

Packets can travel "within IPA" between any of these
"connected entities."  So far only the path between the
AP and the modem is supported upstream, but I'm working
on enabling more capability.

Technically, the replicated packets aren't visible on
any one port; the only way to see that traffic is in
using this special port.  To me this seemed like port
mirroring, which is why I suggested that.  I want to
use the proper model though, so I appreciate your
response.

>> My plan is to implement this using a new "ipa_mirror" network
>> device, so it could be used with a raw socket to capture the
>> arriving packets.  There currently exists one other netdev,
>> which represents access through a modem to a WWAN network.
>>
>> I would like some advice on how to proceed with this.  I want
>> the result to match "best practice" upstream, and would like
>> this to be as well integrated as possible with existing network
>> tools.
>>
>> A few details about the stream of packets that arrive on
>> this hardware interface:
>> - Packet data is truncated if it's larger than a certain size
>> - Each packet is preceded by a fixed-size header describing it
>> - Packets (and their headers) are aggregated into a buffer; i.e.
>>    a single receive might carry a dozen (truncated) packets
> 
> So this sounds something more like what you would attach pcap/tcpdump
> to.  I'm not sure port mirroring is the correct model here. Maybe take
> a look at wifi adaptors and their monitor mode? See if that fits
> better?

Yes, pcap and tcpdump are exactly the model I envisioned.  I had
heard of monitoring but hadn't looked at it closely, so I will.

Thanks a lot for the suggestion.

					-Alex
>   
> 	Andrew
> 
