On Tue, 10 Aug 2004 10:32:29 +0900 (JST)
YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@xxxxxxxxxxxxxx> wrote:
> Does it make sense to exclude IPPROTO_RAW sockets and/or hdrincl sockets,
> which would be 100% truly raw socket?
> Or, do we add some socket option for this?
>
> Mip6 is required to exchange ipsec'ed datagrams (!= IPPROTO_RAW).
> (as I told you at Networking Summit if I remember correctly),
> so we need some sort of the patch, anyway.
This is what Alexey told me when I last spoke with him
about this:
Return-Path: <kuznet@xxxxxxxxxxxxx>
From: kuznet@xxxxxxxxxxxxx
Message-Id: <200305172328.DAA10631@xxxxxxxxxxxxx>
Subject: Re: dst_pmtu() check in ip_output()
To: davem@xxxxxxxxxx (David S. Miller)
Date: Sun, 18 May 2003 03:28:45 +0400 (MSD)
In-Reply-To: <20030514.184139.55739273.davem@xxxxxxxxxx> from "David S. Miller"
at May 14, 2003 06:41:39 PM
Hello!
> Let's ask the following question: What is difference between adding
> transformation locally, and adding it at some hop on the way to
> destination?
>
> I can already hear answers of the form "It is same difference as
> that between tunnel and transport mode." :-)
Exactly.
Plus one more thing: when you noticed pathology with raw socket
you referred to "What does user expect?".
Use of raw socket is pathological itself, f.e. IPv6 does not even
have such a concept. It is used by (and invented by VJ for) traceroute.
And beyond this it is used by various testing and attacker's software.
Shortly, the packets which it generates are _tricky_ by user desire,
when user wants to test (or attack) someone.
So, I would expect the packet is not transformed locally at all.
Remember f.e. that it can be an _IPsec_ packet already.
Alexey
PS. This is the first mail which I send from new account. Please,
tell me if it looks unusual.