* protect raw sockets
From: Naveen B N (nbn) @ 2011-08-18 8:15 UTC
To: netdev

Hi All,

Is there a way to enforce IPsec protection for packets sent from an application using a RAW_SOCKET?

My analysis is to add code at raw_sendmsg() & raw_v4_input() to call xfrm_policy_check(). Is it a good method to proceed, or is there a better and smarter way to achieve this?

Hoping for some guidelines.

Thanks in advance.

Thanks and Regards,
Naveen
* Re: protect raw sockets
From: krbmit siso @ 2011-08-18 8:28 UTC
To: netdev, ipsec-tools-users, ipsec-tools-devel, ikev2-devel, Timo Teräs

Hi Timo,

Thanks for your reply.

Yes, I did explore this yesterday, and I was successful in sending the IKE messages unprotected after using the code below, only for UDP sockets.

    #include <string.h>
    #include <sys/socket.h>
    #include <netinet/in.h>      /* IP_IPSEC_POLICY, IPV6_IPSEC_POLICY */
    #include <linux/pfkeyv2.h>   /* struct sadb_x_policy, SADB_X_EXT_POLICY */
    #include <linux/ipsec.h>     /* IPSEC_POLICY_BYPASS, IPSEC_DIR_* */

    /* PFKEY_UNIT64 comes from libipsec's libpfkey.h (ipsec-tools);
     * PF_KEY lengths are expressed in 64-bit units. */
    #ifndef PFKEY_UNIT64
    #define PFKEY_UNIT64(a) ((a) >> 3)
    #endif

    /* Attach an IPsec BYPASS policy to fd for both directions, exempting
     * the socket's traffic from the SPD (used here for the IKE UDP socket). */
    int setsockopt_bypass(int fd, int family)
    {
        struct sadb_x_policy policy;
        int level, optname;

        switch (family) {
        case AF_INET:
            level = IPPROTO_IP;
            optname = IP_IPSEC_POLICY;
            break;
        case AF_INET6:
            level = IPPROTO_IPV6;
            optname = IPV6_IPSEC_POLICY;
            break;
        default:
            return -1;
        }

        memset(&policy, 0, sizeof(policy));
        policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(policy));
        policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
        policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
        policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
        if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
            return -1;
        }
        policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
        if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
            return -1;
        }
        return 0;
    }

But I did try the same on a RAW socket by setting the policy as

    policy.sadb_x_policy_type = IPSEC_POLICY_ENTRUST|IPSEC_POLICY_IPSEC;

but the packet is going unprotected. Please shed some light on how to protect RAW packets if there is a policy matching in the SPD saying it needs to be protected. I have checked the postings; there is no help on this issue. Could you please give some options, if it is possible from the application?

Thanks and Regards,
Naveen
* Re: protect raw sockets
From: krbmit siso @ 2011-08-18 15:01 UTC
To: netdev, ipsec-tools-users, ipsec-tools-devel, ikev2-devel, Timo Teräs

Hi All,

After adding the code below in net/ipv4/raw.c in function raw_send_hdrinc(), I am able to see packets sent using a RAW_SOCKET getting protected.

Please let me know how it can be done better and provided as a feature, so that others can also use it if packets sent using a RAW_SOCKET need to be protected.

    /************** net/ipv4/raw.c, in raw_send_hdrinc() *************/
    struct flowi fl;
    struct dst_entry *dst;
    int res;

    /* Build the flow from the caller-supplied IP header so the SPD can be
     * consulted for this packet. */
    if (xfrm_decode_session(skb, &fl, AF_INET) < 0) {
        printk("\n xfrm_decode_session FAILED \n");
        XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
        return 0;
    }

    /* Look up the outbound policy; on a match xfrm_lookup() replaces dst
     * with an xfrm dst chain so dst_output() runs the ESP/AH transform.
     * The lookup result in res is recorded but not acted on. */
    dst = skb_dst(skb);
    printk("\n xfrm_lookup called \n");
    res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
    skb_dst_set(skb, dst);

    err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
                  dst_output);
    /*************************************************/

Thanks and Regards,
Naveen
* Re: protect raw sockets
From: Timo Teräs @ 2011-08-19 5:49 UTC
To: krbmit siso; Cc: netdev, ipsec-tools-users, ipsec-tools-devel, ikev2-devel

On 08/18/2011 06:01 PM, krbmit siso wrote:
> After adding the below code in net/ipv4/raw.c in function raw_send_hdrinc()
> I am able to see packet sent using RAW_SOCKET getting protected .
>
> Please let me know how can it be done better and provide it has a feature
> , so that others can also use it if packet sent using RAW_SOCKET
> needs to be protected.

Raw sockets are raw sockets. They are used to send out network traffic that was captured earlier, or to generate test traffic. I don't think it makes any sense to apply XFRM policies to them: it might break the usage this API was intended for. The whole purpose of raw sockets is to bypass kernel side extra handling.

To generate IPsec protected stuff use the normal APIs: regular UDP/TCP sockets.

The same applies for sending/receiving IKE packets. You need regular UDP socket with IPsec bypass policy.

What's your point in trying to use raw sockets? You should not need to use them unless you are implementing a packet capturer or a network traffic generator.

- Timo
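The setsockopt_bypass() posted earlier in the thread and Timo's advice (IKE on a plain UDP socket with a bypass policy, IPsec-protected traffic on a plain UDP/TCP socket) both go through the same IP_IPSEC_POLICY socket option, which takes a PF_KEY-encoded struct sadb_x_policy. Two details of that encoding matter for the raw-socket attempt described above: the policy type is an enumeration (DISCARD=0, NONE=1, IPSEC=2, ENTRUST=3, BYPASS=4), not a set of flags that can be OR-ed together, and the kernel only parses transform requests when the type is IPSEC_POLICY_IPSEC, in which case the 16-byte policy header must be followed by at least one struct sadb_x_ipsecrequest naming the protocol, mode and level (the bare header cannot express "require ESP"). The following is an added example, not code from the thread or from ipsec-tools, that builds both kinds of policy and installs them. The struct and constant definitions are copied from linux/pfkeyv2.h and linux/ipsec.h so the file compiles where kernel headers are absent; validate_policy() is my own approximation of the kernel's PF_KEY checks (the exact set is an assumption), the reqid argument is an assumption (0 leaves allocation to the kernel), and tunnel-mode requests, which need two sockaddrs after the request, are deliberately left out.

```c
/* Added example, not code from the thread or from ipsec-tools: encode and
 * install a per-socket IPsec policy through IP_IPSEC_POLICY.  The struct and
 * constant definitions mirror <linux/pfkeyv2.h> and <linux/ipsec.h>. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef IP_IPSEC_POLICY                 /* glibc <netinet/in.h> values */
#define IP_IPSEC_POLICY   16
#define IPV6_IPSEC_POLICY 34
#endif
#define SADB_X_EXT_POLICY     18
#define IPSEC_POLICY_IPSEC     2        /* type is an enum 0..4, not a bit mask */
#define IPSEC_POLICY_BYPASS    4
#define IPSEC_DIR_INBOUND      1
#define IPSEC_DIR_OUTBOUND     2
#define IPSEC_MODE_TRANSPORT   1
#define IPSEC_LEVEL_REQUIRE    2

struct sadb_x_policy {                  /* 16 bytes */
    uint16_t sadb_x_policy_len;         /* whole policy length in 64-bit units */
    uint16_t sadb_x_policy_exttype;     /* SADB_X_EXT_POLICY */
    uint16_t sadb_x_policy_type;
    uint8_t  sadb_x_policy_dir;
    uint8_t  sadb_x_policy_reserved;
    uint32_t sadb_x_policy_id;
    uint32_t sadb_x_policy_priority;
} __attribute__((packed));

struct sadb_x_ipsecrequest {            /* 16 bytes, follows an IPSEC-type policy */
    uint16_t sadb_x_ipsecrequest_len;   /* this request's length in bytes */
    uint16_t sadb_x_ipsecrequest_proto; /* IPPROTO_ESP or IPPROTO_AH */
    uint8_t  sadb_x_ipsecrequest_mode;
    uint8_t  sadb_x_ipsecrequest_level;
    uint16_t sadb_x_ipsecrequest_reserved1;
    uint32_t sadb_x_ipsecrequest_reqid;
    uint32_t sadb_x_ipsecrequest_reserved2;
} __attribute__((packed));

/* Encode a policy.  BYPASS/NONE/DISCARD carry no request; IPSEC gets one
 * transport-mode REQUIRE request for proto (tunnel mode would also need
 * src/dst sockaddrs after it).  Returns byte length, 0 on bad type or buffer. */
size_t build_policy(unsigned char *buf, size_t buflen, uint16_t type, uint8_t dir,
                    uint16_t proto, uint32_t reqid)
{
    size_t total = sizeof(struct sadb_x_policy)
                 + (type == IPSEC_POLICY_IPSEC ? sizeof(struct sadb_x_ipsecrequest) : 0);
    struct sadb_x_policy p = { .sadb_x_policy_len = (uint16_t)(total / 8),
                               .sadb_x_policy_exttype = SADB_X_EXT_POLICY,
                               .sadb_x_policy_type = type, .sadb_x_policy_dir = dir };
    struct sadb_x_ipsecrequest rq = { .sadb_x_ipsecrequest_len = sizeof(struct sadb_x_ipsecrequest),
                                      .sadb_x_ipsecrequest_proto = proto,
                                      .sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT,
                                      .sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE,
                                      .sadb_x_ipsecrequest_reqid = reqid };
    if (type > IPSEC_POLICY_BYPASS || buflen < total)
        return 0;
    memcpy(buf, &p, sizeof p);
    if (type == IPSEC_POLICY_IPSEC)
        memcpy(buf + sizeof p, &rq, sizeof rq);
    return total;
}

/* Checks modelled on what the kernel's PF_KEY policy compiler rejects (the
 * exact set is an assumption): length must match, type must be known, and an
 * IPSEC policy must carry a request with a non-zero mode.  Returns 1 if ok. */
int validate_policy(const unsigned char *buf, size_t n)
{
    struct sadb_x_policy p;
    struct sadb_x_ipsecrequest rq;
    if (n < sizeof p)
        return 0;
    memcpy(&p, buf, sizeof p);
    if ((size_t)p.sadb_x_policy_len * 8 != n || p.sadb_x_policy_exttype != SADB_X_EXT_POLICY
        || p.sadb_x_policy_type > IPSEC_POLICY_BYPASS)
        return 0;
    if (p.sadb_x_policy_type != IPSEC_POLICY_IPSEC)
        return n == sizeof p;
    if (n < sizeof p + sizeof rq)       /* IPSEC type with no transform request */
        return 0;
    memcpy(&rq, buf + sizeof p, sizeof rq);
    return rq.sadb_x_ipsecrequest_len == n - sizeof p && rq.sadb_x_ipsecrequest_mode != 0;
}

/* Install the policy on fd for both directions (needs CAP_NET_ADMIN).
 * Returns 0 on success, -1 with errno set. */
int apply_socket_policy(int fd, int family, unsigned char *buf, size_t n)
{
    int level, optname;
    switch (family) {
    case AF_INET:  level = IPPROTO_IP;   optname = IP_IPSEC_POLICY;   break;
    case AF_INET6: level = IPPROTO_IPV6; optname = IPV6_IPSEC_POLICY; break;
    default:       return -1;
    }
    if (!validate_policy(buf, n))
        return -1;
    buf[offsetof(struct sadb_x_policy, sadb_x_policy_dir)] = IPSEC_DIR_INBOUND;
    if (setsockopt(fd, level, optname, buf, (socklen_t)n) == -1)
        return -1;
    buf[offsetof(struct sadb_x_policy, sadb_x_policy_dir)] = IPSEC_DIR_OUTBOUND;
    return setsockopt(fd, level, optname, buf, (socklen_t)n);
}
```

Calling build_policy() with IPSEC_POLICY_BYPASS and apply_socket_policy() on the UDP/500 socket reproduces the IKE case from the thread; calling it with IPSEC_POLICY_IPSEC and IPPROTO_ESP on an ordinary UDP or TCP socket is the supported way to have the kernel apply ESP, which is the route Timo recommends instead of patching raw_send_hdrinc(). Installing either policy requires CAP_NET_ADMIN, and the ESP one only takes effect once matching SAs exist in the SAD (setkey or ip xfrm state).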
* Re: protect raw sockets
From: krbmit siso @ 2011-08-19 6:43 UTC
To: Timo Teräs; Cc: netdev, ipsec-tools-users, ipsec-tools-devel, ikev2-devel

Hi Timo,

You are absolutely right. I am using it for a traffic generator, but I want it with ESP, so I want to make the best use of the underlying kernel XFRM functionality. It can be provided as an option in the kernel, e.g. CONFIG_SECURE_RAW, for applying IPsec policy.

Regards,
Naveen