All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Andrew Hall" <temp02@bluereef.com.au>
To: <netfilter-devel@lists.netfilter.org>
Subject: Re: [new filter] simple packet authentication
Date: Fri, 23 Jan 2004 11:25:24 +1100	[thread overview]
Message-ID: <0de101c3e147$648fa910$2601010a@bluereef.local> (raw)
In-Reply-To: 200401222204.04861.alexandre.becoulet@epita.fr

This is a neat idea although I'd probably be a bit wary to use the IP ID
field when considering it's use with fragments. Perhaps a better solution
would be to use part of the options field which apparently DoD originally
planned to use for this type of IP partitioning. Also it would be good if it
was payload agnostic (could be used for UDP as well as TCP).

Kind regards,

Andrew.

----- Original Message -----
From: "Alexandre Becoulet" <alexandre.becoulet@epita.fr>
To: <netfilter-devel@lists.netfilter.org>
Sent: Friday, January 23, 2004 8:04 AM
Subject: [new filter] simple packet authentication


>
> Hi,
>
> I have written a new extension to the netfilter project and i would
> like to contribute.
>
> My extension provides both, a new target to mangle packets and a new
> match rule.
>
> The idea is to have a non obvious relationship between the IP id field
> and the TCP header informations. This relationship may then be used to
> authenticate packets sender.
>
> The mangle part of the module is used to recalculate a new value for
> the id field of IP packet header. This new value is based on a hash
> value computed from the TCP sequence numbers and an optional
> passphrase. Of course we have to take care not to mangle already
> fragmented packets to keep all IP fragments with the same id.
>
> The match part of the module is able to check the IP id field against
> the locally recomputed hash value, so we may reject packets without
> correct id field value.
>
> This simple authentication system may be a good mean to avoid TCP ports
> scanning and to prevent non authorized people from connecting to ports
that
> still have to remain open for admin access.
>
> This method should be safer than matching host IP address to allow
> connection, it will allow connections from any host IP having the good
> passphrase and should prevent connections from spoofed/stolen IP
> addresses. It aims to be more simple than heavy packets authentication
> methods and leave TCP/IP packet format untouched.
>
> My implementation use a trivial hash function to remain simple and
> fast. The hash function could be replaced with a stronger digest
> algorithm like those provided in the kernel crypto API.
>
> Here is an example to show how to do simple authentication for
> incoming connections on tcp port 22:
>
>  # Server side
>  iptables -A INPUT -p tcp --syn -m hashseq --key testkey -j ACCEPT
>  iptables -A INPUT -p tcp --syn --dport 22 -j REJECT
>
>  # Client side
>  iptables -t mangle -A OUTPUT -p tcp --syn --dport 22 -j HASHSEQ \
>           --key testkey
>
> I hope my work will be of some interest. :)
>
> I just followed instructions given in the patch-o-matic README file for
the
> netfilter part. Where should i send/post my full netfilter and iptables
> extentions patchs ?
>
> Regards,
>
> --
> Alexandre Becoulet
>
>

  reply	other threads:[~2004-01-23  0:25 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-01-22 21:04 [new filter] simple packet authentication Alexandre Becoulet
2004-01-23  0:25 ` Andrew Hall [this message]
2004-01-23  1:16   ` Alexandre Becoulet
2004-01-27 10:43     ` Harald Welte
2004-01-23 12:27   ` Henrik Nordstrom

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='0de101c3e147$648fa910$2601010a@bluereef.local' \
    --to=temp02@bluereef.com.au \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.