>>>>> "James" == James R Leu <jleu@xxxxxxxxxxxxxx> writes:
James> I've added a field to skbs called aux_protodata. It's an array of
James> void*.
James> Auxiliary protocols (ones that don't fit the normal Linux network stack
James> model) can mark interest in a particular protocol and store data here
James> for later use. For example, MPLS uses this by copying data from
James> fib_nodes into this field in the skb, at the same time it creates a
James> dst_entry that redirects the skb to an mpls_output function. There the
James> aux_protodata is used to find the next hop label forwarding entry needed
James> to transmit this packet on a label switched path.
This sounds precisely like what IPsec wants.
We need to attach some auxiliary data to the skb based upon a packet
classifier, and then redirect the packet to our custom xmit routine.
It sounds to me like we could very easily use the same, or similar mechanisms.
(One concern is that we do not use precisely the same mechanism. After all,
people will want to encrypt packets for a VPN, and then push a label on them
to get them there with low latency, etc...)
James> The shortcoming of this model so far is that it should use a
James> netfilter-like scheme for redirecting packets at certain points in the
James> network stack.
James> Why not use netfilter? The places that auxiliary protocols need to
James> modify skbs or dst_entries are different than those provided by
James> netfilter.
I would argue that you should put netfilter calls into those places instead.
James> Plus there should be a clear difference between what is being
James> accomplished via netfilter (IPvX packet redirecting/mangling) and
James> aux_protodata (protocol
I don't think of netfilter as limited to "redirecting/mangling" --- it does
classification.
I'm also not clear that netfilter is limited to IPvX -- it (or rather
iptables) has rather general facilities. You are, presumably, making
classification decisions on the packets in some way and sending them to MPLS
processing routines.
When can I expect to see your code in mainstream?
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
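The skb/dst redirection model the thread describes, as an added user-space C sketch (not James Leu's patch or Linux kernel code): each auxiliary protocol owns one slot in the skb's void* array, a dst_entry's output hook redirects the packet to that protocol's xmit routine, and an IPsec stage can hand the packet on to an MPLS stage so that "encrypt, then label" works without the two protocols sharing a slot. Slot numbers, struct layouts and the chaining via dst_entry->next are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Added user-space model of the aux_protodata design (not James Leu's kernel
 * patch). Each auxiliary protocol owns one slot in the skb's void* array; a
 * dst_entry's output hook runs that protocol's xmit routine, which reads only
 * its own slot and then passes the skb down the dst chain. */
#define AUX_SLOTS 4
enum { AUX_MPLS = 0, AUX_IPSEC = 1 };       /* hypothetical slot numbers */
struct sk_buff;
struct dst_entry { int (*output)(struct sk_buff *); struct dst_entry *next; };
struct sk_buff { struct dst_entry *dst; void *aux_protodata[AUX_SLOTS];
                 char path[64]; };          /* path: trace of xmit stages run */
struct mpls_nhlfe { unsigned label; };      /* copied from a fib_node */
struct ipsec_sa   { unsigned spi; };        /* chosen by IPsec policy */
/* Append a stage to the trace, then hand the skb to the next dst, if any. */
static int trace_and_next(struct sk_buff *skb, const char *s) {
    if (skb->path[0]) strncat(skb->path, "->", sizeof skb->path - strlen(skb->path) - 1);
    strncat(skb->path, s, sizeof skb->path - strlen(skb->path) - 1);
    skb->dst = skb->dst->next;
    return skb->dst ? skb->dst->output(skb) : 0;
}
static int mpls_output(struct sk_buff *skb) {
    struct mpls_nhlfe *n = skb->aux_protodata[AUX_MPLS];
    char buf[32];
    if (!n) return -1;                      /* no NHLFE attached: drop */
    snprintf(buf, sizeof buf, "mpls(label=%u)", n->label);
    return trace_and_next(skb, buf);
}
static int ipsec_output(struct sk_buff *skb) {
    struct ipsec_sa *sa = skb->aux_protodata[AUX_IPSEC];
    char buf[32];
    if (!sa) return -1;                     /* no SA attached: drop */
    snprintf(buf, sizeof buf, "ipsec(spi=%u)", sa->spi);
    return trace_and_next(skb, buf);        /* encrypted; maybe push a label */
}
/* Classifier: attach per-protocol data, build the dst chain, transmit.
 * Returns the trace of stages run, or NULL if the packet was dropped. */
static const char *classify_and_xmit(int encrypt, int labelled) {
    static struct mpls_nhlfe nh = { 17 };   /* constructed sample values */
    static struct ipsec_sa   sa = { 256 };
    static struct dst_entry  d_mpls  = { mpls_output, NULL };
    static struct dst_entry  d_ipsec = { ipsec_output, NULL };
    static struct sk_buff skb;
    memset(&skb, 0, sizeof skb);
    if (labelled) skb.aux_protodata[AUX_MPLS]  = &nh;
    if (encrypt)  skb.aux_protodata[AUX_IPSEC] = &sa;
    d_ipsec.next = labelled ? &d_mpls : NULL;   /* encrypt first, then label */
    skb.dst = encrypt ? &d_ipsec : labelled ? &d_mpls : NULL;
    if (!skb.dst || skb.dst->output(&skb) != 0) return NULL;
    return skb.path;
}
```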