All of lore.kernel.org
 help / color / mirror / Atom feed
From: Alexandre Becoulet <alexandre.becoulet@epita.fr>
To: netfilter-devel@lists.netfilter.org
Subject: Re: [new filter] simple packet authentication
Date: Fri, 23 Jan 2004 02:16:08 +0100	[thread overview]
Message-ID: <200401230216.08607.alexandre.becoulet@epita.fr> (raw)
In-Reply-To: <0de101c3e147$648fa910$2601010a@bluereef.local>

On Friday 23 January 2004 01:25, Andrew Hall wrote:

> This is a neat idea although I'd probably be a bit wary to use the IP ID
> field when considering it's use with fragments.

Sure, using the IP ID field could be an issue. The module will not mangle 
fragmented packets (offset > 0 or MF flag set). That's why packets have to be 
mangled before being routed. At least, it should work for locally-generated 
packets, and for packets reaching the first gateway. It should not be usefull 
to mangle the packet later.

There is no more problem once the packet has already been mangled because 
fragmentation will duplicate the new IP ID value.

I don't know if a Linux box can locally generate already fragmented IP packets 
when used with a TCP payload and a short MTU.

> Perhaps a better solution
> would be to use part of the options field which apparently DoD originally
> planned to use for this type of IP partitioning.

It could be solution to use the options field but the packet will not appear 
as being a common packet on the wire anymore. I find it nice to have a 
"normal" packet with an hidden authentication information inside ;).

> Also it would be good if
> it was payload agnostic (could be used for UDP as well as TCP).

Yes, it would be great to had support for UDP packets as well. UDP header 
doesn't contain enough varying fields to compute a good hash value for each 
sent packets. I may consider using a part of UDP data to compute the hash 
value...

Regards,

-- 
Alexandre Becoulet

  reply	other threads:[~2004-01-23  1:16 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-01-22 21:04 [new filter] simple packet authentication Alexandre Becoulet
2004-01-23  0:25 ` Andrew Hall
2004-01-23  1:16   ` Alexandre Becoulet [this message]
2004-01-27 10:43     ` Harald Welte
2004-01-23 12:27   ` Henrik Nordstrom

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200401230216.08607.alexandre.becoulet@epita.fr \
    --to=alexandre.becoulet@epita.fr \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.