[Top] [All Lists]

Re: skb->security and friends

To: Andi Kleen <ak@xxxxxxx>
Subject: Re: skb->security and friends
From: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 27 Oct 2001 00:23:02 -0400
Cc: design@xxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: Your message of "Fri, 26 Oct 2001 21:42:35 +0200." <20011026214235.A5375@xxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx

>>>>> "Andi" == Andi Kleen <ak@xxxxxxx> writes:
    >> We are seeking opinions.

    Andi> nfmark has the advantage that the routing code knows about it and
    Andi> can manage the destination cache based on it (very useful for pmtu
    Andi> management)

    Andi> security is basically on its way out; it was for a never completely
    Andi> merged ipsec implementation from the fi/sinus firewalls guys and is
    Andi> largely bitrotted now (e.g. a lot of stack modules won't maintain
    Andi> it correctly anymore and probably never have) If you wanted to use
    Andi> it you would need to fix it first.

  I see.
  What maintenance does it need?
  skb_copy() seems to copy it, and it seems to get initialized to zero.
I think that is sufficient for our use.

    -> cb is free for your use as long as you have the skb queued privately,

    Andi> but it'll be destroyed as soon as you give it away.

1) We wish to set something in netfilter and/or advanced routing and examine
   it in dev xmit.          (for entering the tunnel)

2) We wish to set something in dev recv, and examine it in netfilter.
      (for checking that the packet that exited the tunnel complied to policy)

    Andi> I don't
    Andi> understand your 64k comment.

  We need at least 16 bits of value to set/examine. This is the security
policy identifier :-)

    Andi> I would recommend to use nfmark. as far as I can see you'll need
    Andi> destination cache support anyways, and it gets you that for free.

  Thanks.  We'll use nfmark.

  What will you guys use? We'll need between 16 and 32 bits of nfmark :-)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys


<Prev in Thread] Current Thread [Next in Thread>