* [new filter] simple packet authentication
@ 2004-01-22 21:04 Alexandre Becoulet
2004-01-23 0:25 ` Andrew Hall
0 siblings, 1 reply; 5+ messages in thread
From: Alexandre Becoulet @ 2004-01-22 21:04 UTC (permalink / raw)
To: netfilter-devel
Hi,
I have written a new extension to the netfilter project and i would
like to contribute.
My extension provides both, a new target to mangle packets and a new
match rule.
The idea is to have a non obvious relationship between the IP id field
and the TCP header informations. This relationship may then be used to
authenticate packets sender.
The mangle part of the module is used to recalculate a new value for
the id field of IP packet header. This new value is based on a hash
value computed from the TCP sequence numbers and an optional
passphrase. Of course we have to take care not to mangle already
fragmented packets to keep all IP fragments with the same id.
The match part of the module is able to check the IP id field against
the locally recomputed hash value, so we may reject packets without
correct id field value.
This simple authentication system may be a good mean to avoid TCP ports
scanning and to prevent non authorized people from connecting to ports that
still have to remain open for admin access.
This method should be safer than matching host IP address to allow
connection, it will allow connections from any host IP having the good
passphrase and should prevent connections from spoofed/stolen IP
addresses. It aims to be more simple than heavy packets authentication
methods and leave TCP/IP packet format untouched.
My implementation use a trivial hash function to remain simple and
fast. The hash function could be replaced with a stronger digest
algorithm like those provided in the kernel crypto API.
Here is an example to show how to do simple authentication for
incoming connections on tcp port 22:
# Server side
iptables -A INPUT -p tcp --syn -m hashseq --key testkey -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -j REJECT
# Client side
iptables -t mangle -A OUTPUT -p tcp --syn --dport 22 -j HASHSEQ \
--key testkey
I hope my work will be of some interest. :)
I just followed instructions given in the patch-o-matic README file for the
netfilter part. Where should i send/post my full netfilter and iptables
extentions patchs ?
Regards,
--
Alexandre Becoulet
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [new filter] simple packet authentication
2004-01-22 21:04 [new filter] simple packet authentication Alexandre Becoulet
@ 2004-01-23 0:25 ` Andrew Hall
2004-01-23 1:16 ` Alexandre Becoulet
2004-01-23 12:27 ` Henrik Nordstrom
0 siblings, 2 replies; 5+ messages in thread
From: Andrew Hall @ 2004-01-23 0:25 UTC (permalink / raw)
To: netfilter-devel
This is a neat idea although I'd probably be a bit wary to use the IP ID
field when considering it's use with fragments. Perhaps a better solution
would be to use part of the options field which apparently DoD originally
planned to use for this type of IP partitioning. Also it would be good if it
was payload agnostic (could be used for UDP as well as TCP).
Kind regards,
Andrew.
----- Original Message -----
From: "Alexandre Becoulet" <alexandre.becoulet@epita.fr>
To: <netfilter-devel@lists.netfilter.org>
Sent: Friday, January 23, 2004 8:04 AM
Subject: [new filter] simple packet authentication
>
> Hi,
>
> I have written a new extension to the netfilter project and i would
> like to contribute.
>
> My extension provides both, a new target to mangle packets and a new
> match rule.
>
> The idea is to have a non obvious relationship between the IP id field
> and the TCP header informations. This relationship may then be used to
> authenticate packets sender.
>
> The mangle part of the module is used to recalculate a new value for
> the id field of IP packet header. This new value is based on a hash
> value computed from the TCP sequence numbers and an optional
> passphrase. Of course we have to take care not to mangle already
> fragmented packets to keep all IP fragments with the same id.
>
> The match part of the module is able to check the IP id field against
> the locally recomputed hash value, so we may reject packets without
> correct id field value.
>
> This simple authentication system may be a good mean to avoid TCP ports
> scanning and to prevent non authorized people from connecting to ports
that
> still have to remain open for admin access.
>
> This method should be safer than matching host IP address to allow
> connection, it will allow connections from any host IP having the good
> passphrase and should prevent connections from spoofed/stolen IP
> addresses. It aims to be more simple than heavy packets authentication
> methods and leave TCP/IP packet format untouched.
>
> My implementation use a trivial hash function to remain simple and
> fast. The hash function could be replaced with a stronger digest
> algorithm like those provided in the kernel crypto API.
>
> Here is an example to show how to do simple authentication for
> incoming connections on tcp port 22:
>
> # Server side
> iptables -A INPUT -p tcp --syn -m hashseq --key testkey -j ACCEPT
> iptables -A INPUT -p tcp --syn --dport 22 -j REJECT
>
> # Client side
> iptables -t mangle -A OUTPUT -p tcp --syn --dport 22 -j HASHSEQ \
> --key testkey
>
> I hope my work will be of some interest. :)
>
> I just followed instructions given in the patch-o-matic README file for
the
> netfilter part. Where should i send/post my full netfilter and iptables
> extentions patchs ?
>
> Regards,
>
> --
> Alexandre Becoulet
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [new filter] simple packet authentication
2004-01-23 0:25 ` Andrew Hall
@ 2004-01-23 1:16 ` Alexandre Becoulet
2004-01-27 10:43 ` Harald Welte
2004-01-23 12:27 ` Henrik Nordstrom
1 sibling, 1 reply; 5+ messages in thread
From: Alexandre Becoulet @ 2004-01-23 1:16 UTC (permalink / raw)
To: netfilter-devel
On Friday 23 January 2004 01:25, Andrew Hall wrote:
> This is a neat idea although I'd probably be a bit wary to use the IP ID
> field when considering it's use with fragments.
Sure, using the IP ID field could be an issue. The module will not mangle
fragmented packets (offset > 0 or MF flag set). That's why packets have to be
mangled before being routed. At least, it should work for locally-generated
packets, and for packets reaching the first gateway. It should not be usefull
to mangle the packet later.
There is no more problem once the packet has already been mangled because
fragmentation will duplicate the new IP ID value.
I don't know if a Linux box can locally generate already fragmented IP packets
when used with a TCP payload and a short MTU.
> Perhaps a better solution
> would be to use part of the options field which apparently DoD originally
> planned to use for this type of IP partitioning.
It could be solution to use the options field but the packet will not appear
as being a common packet on the wire anymore. I find it nice to have a
"normal" packet with an hidden authentication information inside ;).
> Also it would be good if
> it was payload agnostic (could be used for UDP as well as TCP).
Yes, it would be great to had support for UDP packets as well. UDP header
doesn't contain enough varying fields to compute a good hash value for each
sent packets. I may consider using a part of UDP data to compute the hash
value...
Regards,
--
Alexandre Becoulet
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [new filter] simple packet authentication
2004-01-23 1:16 ` Alexandre Becoulet
@ 2004-01-27 10:43 ` Harald Welte
0 siblings, 0 replies; 5+ messages in thread
From: Harald Welte @ 2004-01-27 10:43 UTC (permalink / raw)
To: Alexandre Becoulet; +Cc: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 1354 bytes --]
On Fri, Jan 23, 2004 at 02:16:08AM +0100, Alexandre Becoulet wrote:
> On Friday 23 January 2004 01:25, Andrew Hall wrote:
>
> > This is a neat idea although I'd probably be a bit wary to use the IP ID
> > field when considering it's use with fragments.
>
> Sure, using the IP ID field could be an issue. The module will not mangle
> fragmented packets (offset > 0 or MF flag set). That's why packets have to be
> mangled before being routed. At least, it should work for locally-generated
> packets, and for packets reaching the first gateway. It should not be usefull
> to mangle the packet later.
well, there is one problem... once you have IP_DF set, the Fragment ID
is believed to be ueseless. Linux in fact is setting it to zero, at
least in some cases, for performance reasons (contention on the id
counter). So I could imagine some weird implementations that would
then discard the IPid at some later point in the forwarding path of your
packet.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [new filter] simple packet authentication
2004-01-23 0:25 ` Andrew Hall
2004-01-23 1:16 ` Alexandre Becoulet
@ 2004-01-23 12:27 ` Henrik Nordstrom
1 sibling, 0 replies; 5+ messages in thread
From: Henrik Nordstrom @ 2004-01-23 12:27 UTC (permalink / raw)
To: Andrew Hall; +Cc: netfilter-devel
On Fri, 23 Jan 2004, Andrew Hall wrote:
> This is a neat idea although I'd probably be a bit wary to use the IP ID
> field when considering it's use with fragments. Perhaps a better solution
> would be to use part of the options field which apparently DoD originally
> planned to use for this type of IP partitioning. Also it would be good if it
> was payload agnostic (could be used for UDP as well as TCP).
AH comes in mind if you want to support any payload..
Regards
Henrik
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2004-01-27 10:43 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-01-22 21:04 [new filter] simple packet authentication Alexandre Becoulet
2004-01-23 0:25 ` Andrew Hall
2004-01-23 1:16 ` Alexandre Becoulet
2004-01-27 10:43 ` Harald Welte
2004-01-23 12:27 ` Henrik Nordstrom
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.