Re: net/ipv6/exthdrs.c

[Andras Kis-Szabo <kisza@securityaudit.hu>]

Pekka Savola ........................................ (2002. június 18.)

 Hi!

> > Is there any plan to add the ESP header to the ipv6_ext_hdr() function (as a
> > known header)?
> > (It requires changes in this file and in the icmp.c at the first round.)
> Quickly looking at it, I don't know if adding it would help any (on the 
> countrary).
At the firewall side the ESP is a known extension header. The ESP contains
some field which can be parsed in a strict firewall rule.
When the extension headers and the main header parsed by the Netfilter, the
upper level protocol should be passed to the next level for future parsing.
The implementation follows the standard where the ESP is one of the extension
headers.
BTW, the Netfilter code can be changed to this behaviour. (Minor changes in
some file and a major change in the ESP match.)

The ipv6_ext_hdr() could be exported? It would be usefull at the Netfilter
side.
(And when we are there: the ipv6_skip_exthdr() should be exported, too.)

> The code seems to be used mainly to skip over extension headers
> (forbidden, strictly speaking) when generating ICMP messages; in the case 
> of ESP, the rest of the payload should be encrypted so adding it to the 
> list would probably not change anything?
At first look in the ipv6_skip_exthdr() in the parser loop:
-                if (nexthdr == NEXTHDR_NONE)
+                if ( (nexthdr == NEXTHDR_NONE) || (nexthdr == NEXTHDR_ESP) )
But after this change the ICMPv6 reply won't contain the ESP ...

Regards,

	kisza

-- 
    Andras Kis-Szabo       Security Development, Design and Audit
-------------------------/        Zorp, NetFilter and IPv6
 kisza@SecurityAudit.hu /-----Member of the BUTE-MIS-SEARCHlab---------->