* protect raw sockets
From: Naveen B N (nbn) @ 2011-08-18  8:15 UTC (permalink / raw)
  To: netdev

Hi All,
Is there a way to enforce IPsec protection for packets sent from an
application using RAW_SOCKET?

My analysis is to add code at raw_sendmsg() & raw_v4_input() to
call xfrm_policy_check().
Is it a good method to proceed, or is there a better and smarter way to
achieve this?

Hoping for some guidelines.

Thanks in advance.

Thanks and Regards
Naveen


* Re: protect raw sockets
From: krbmit siso @ 2011-08-18  8:28 UTC (permalink / raw)
  To: netdev, ipsec-tools-users, ipsec-tools-devel, ikev2-devel,
	Timo Teräs

Hi Timo,

Thanks for your reply.
Yes, I did explore this yesterday and I was successful in sending the IKE
messages unprotected after using the code below, only for UDP sockets.

/* Headers needed to build this stand-alone: struct sadb_x_policy and
 * SADB_X_EXT_POLICY come from <linux/pfkeyv2.h>, the IPSEC_POLICY_* and
 * IPSEC_DIR_* values from <linux/ipsec.h>, and IP_IPSEC_POLICY /
 * IPV6_IPSEC_POLICY from <netinet/in.h>. */
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/pfkeyv2.h>
#include <linux/ipsec.h>

/* PFKEY_UNIT64() is libipsec's (ipsec-tools) bytes -> 64-bit-units macro;
 * defined here only if that header is not available. */
#ifndef PFKEY_UNIT64
#define PFKEY_UNIT64(a) ((a) >> 3)
#endif

/* Attach an IPSEC_POLICY_BYPASS per-socket policy in both directions so
 * this socket's traffic (e.g. IKE on UDP/500) skips the SPD entirely.
 * Setting a per-socket policy requires CAP_NET_ADMIN.
 * Returns 0 on success, -1 on failure. */
int setsockopt_bypass(int fd, int family)
{
        struct sadb_x_policy policy;
        int level, optname;

        switch (family) {
                case AF_INET:
                        level = IPPROTO_IP;
                        optname = IP_IPSEC_POLICY;
                        break;
                case AF_INET6:
                        level = IPPROTO_IPV6;
                        optname = IPV6_IPSEC_POLICY;
                        break;
                default:
                        return -1;
        }

        memset(&policy, 0, sizeof(policy));
        policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(policy)); /* 8-byte units */
        policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
        policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
        if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
                return -1;
        }
        policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
        if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
                return -1;
        }
        return 0;
}

But I did try the same on a RAW socket by setting the policy as
policy.sadb_x_policy_type = IPSEC_POLICY_ENTRUST|IPSEC_POLICY_IPSEC;
but the packet is going out unprotected.
Please shed some light on how to protect RAW packets if there is a policy
match in the SPD saying they need to be protected.
I have checked the postings; there is no help on this issue. Could
you please give some options, if it is possible from the application?


Thanks and Regards
Naveen



* Re: protect raw sockets
From: krbmit siso @ 2011-08-18 15:01 UTC (permalink / raw)
  To: netdev, ipsec-tools-users, ipsec-tools-devel, ikev2-devel,
	Timo Teräs

Hi All,
After adding the code below in net/ipv4/raw.c in function raw_send_hdrinc(),
I am able to see packets sent using RAW_SOCKET getting protected.

Please let me know how it can be done better and provided as a feature,
so that others can also use it if a packet sent using RAW_SOCKET
needs to be protected.

/**************  net/ipv4/raw.c, in raw_send_hdrinc() *************/
        struct flowi fl;
        struct dst_entry *dst;
        int res;

        /* Rebuild the flow (addresses, protocol, ports) from the header the
         * application supplied so it can be matched against the SPD. */
        if (xfrm_decode_session(skb, &fl, AF_INET) < 0) {
                printk(KERN_DEBUG "xfrm_decode_session FAILED\n");
                XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
                kfree_skb(skb);        /* drop the packet; do not report success */
                return -EINVAL;
        }

        /* xfrm_lookup() consumes one reference on *dst, so hold one for it
         * rather than handing over the reference the skb already owns. */
        dst = skb_dst(skb);
        dst_hold(dst);

        printk(KERN_DEBUG "xfrm_lookup called\n");
        res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
        if (!res) {
                /* No usable SA or a discard policy: drop the packet instead
                 * of letting it leave unprotected. */
                kfree_skb(skb);
                return -EPERM;
        }
        skb_dst_drop(skb);
        skb_dst_set(skb, dst);

        err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
                      dst_output);
/*************************************************/

Thanks and Regards
Naveen



* Re: protect raw sockets
From: Timo Teräs @ 2011-08-19  5:49 UTC (permalink / raw)
  To: krbmit siso; +Cc: netdev, ipsec-tools-users, ipsec-tools-devel, ikev2-devel

On 08/18/2011 06:01 PM, krbmit siso wrote:
> After adding the code below in net/ipv4/raw.c in function raw_send_hdrinc(),
> I am able to see packets sent using RAW_SOCKET getting protected.
>
> Please let me know how it can be done better and provided as a feature,
> so that others can also use it if a packet sent using RAW_SOCKET
> needs to be protected.

Raw sockets are raw sockets. They are used to send out network traffic
that was captured earlier, or to generate test traffic. I don't think
it makes any sense to apply XFRM policies to them: it might break the
usage this API was intended for. The whole purpose of raw sockets is to
bypass kernel side extra handling.

To generate IPsec protected stuff use the normal APIs: regular UDP/TCP
sockets.

The same applies for sending/receiving IKE packets. You need regular UDP
socket with IPsec bypass policy.

What's your point in trying to use raw sockets? You should not need to
use them unless you are implementing a packet capturer or a network
traffic generator.

- Timo
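
Added example, not code from this thread: the per-socket counterpart of the bypass policy posted above, for the regular UDP/TCP socket route Timo recommends. It builds an IPSEC_POLICY_IPSEC policy carrying one sadb_x_ipsecrequest (ESP, transport mode, level REQUIRE, so traffic without a matching SA is never passed in the clear) and applies it inbound and outbound through IP_IPSEC_POLICY / IPV6_IPSEC_POLICY. The esp_policy wrapper and both function names are this example's own; it assumes Linux UAPI headers, CAP_NET_ADMIN, and SAs already negotiated by IKE or installed with setkey.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/pfkeyv2.h>
#include <linux/ipsec.h>

/* One PF_KEY policy extension followed by one ipsecrequest: the layout the
 * kernel parses for IP_IPSEC_POLICY. (Wrapper struct is this example's.) */
struct esp_policy {
	struct sadb_x_policy pol;
	struct sadb_x_ipsecrequest req;
} __attribute__((packed));

/* Fill a one-direction policy: action IPSEC, one request for ESP in
 * transport mode at level REQUIRE. Returns the byte length for setsockopt(). */
size_t build_require_esp(struct esp_policy *p, unsigned char dir)
{
	memset(p, 0, sizeof(*p));
	p->pol.sadb_x_policy_len = sizeof(*p) / 8;      /* in 64-bit units */
	p->pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
	p->pol.sadb_x_policy_type = IPSEC_POLICY_IPSEC;
	p->pol.sadb_x_policy_dir = dir;
	p->req.sadb_x_ipsecrequest_len = sizeof(p->req); /* in bytes */
	p->req.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
	p->req.sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
	p->req.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
	return sizeof(*p);
}

/* Apply it inbound and outbound on a UDP/TCP socket (needs CAP_NET_ADMIN).
 * Returns 0, or -1 with errno set. */
int setsockopt_require_esp(int fd, int family)
{
	struct esp_policy p;
	unsigned char dirs[] = { IPSEC_DIR_INBOUND, IPSEC_DIR_OUTBOUND };
	int level = family == AF_INET ? IPPROTO_IP : IPPROTO_IPV6;
	int optname = family == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY;
	size_t i;
	if (family != AF_INET && family != AF_INET6) {
		errno = EAFNOSUPPORT;
		return -1;
	}
	for (i = 0; i < 2; i++) {
		size_t len = build_require_esp(&p, dirs[i]);
		if (setsockopt(fd, level, optname, &p, len) == -1)
			return -1;
	}
	return 0;
}
```

Call setsockopt_require_esp() on the socket before connect()/bind(); without CAP_NET_ADMIN the setsockopt() fails with EPERM, which is the check that tells you the policy was not installed.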


* Re: protect raw sockets
From: krbmit siso @ 2011-08-19  6:43 UTC (permalink / raw)
  To: Timo Teräs; +Cc: netdev, ipsec-tools-users, ipsec-tools-devel, ikev2-devel

Hi Timo,
You are absolutely right, I am using it for a traffic generator, but
I want it with ESP, so I want to make the best use of the underlying kernel
XFRM functionality. It can be provided as an option
in the kernel, e.g. CONFIG_SECURE_RAW, for applying IPsec
policy.

Regards
Naveen


