provide packet header details to a user program for authentication
Is it possible to use ipfw to provide packet header details to a user program for authentication? Any clue will be greatly appreciated.

Henry Su
NTT MCL

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
Re: m_reclaim and a protocol drain
Mike Silbersack wrote:
>
> On Wed, 26 Dec 2001, Randall Stewart wrote:
>
> > This comment fascinates me. The reason we made SACK's in SCTP
> > revokeable is due to the potential DOS attack that someone
> > can supposedly launch if you don't allow the stack to revoke.
> >
> > I can actually see the reason that Sally made the comments
> > and had us change it so that SACK's are revokeable. However
> > you argue to the contrary and I wonder which is correct.
> >
> > If you do not allow revoking it is the same as if a protocol
> > does not hold a drain() function. An attacker could easily
> > stuff a lot of out-of-order segments at you and thus
> > fill up all your mbuf's or clusters (in my current testing
> > case). This would then yield a DOS since you could no longer
> > receive any segments and leave you high and dry
>
> Heh, you nailed the reverse of the problem we've seen: Right now the easy
> way to cause exhaustion is to fill up _send_ buffers, via netkill. I
> guess if we solve that problem, out of order segments could be used for an
> attack too.
>

Mike:

Interesting problem.. but I was thinking in terms of
an outside attacker.. not someone who has a login id on
your machine. That leads down another path... i.e. local
machine security.

R

> Just FWIW,
>
> Mike "Silby" Silbersack
>

--
Randall R. Stewart
[EMAIL PROTECTED] 815-342-5222 (cell phone)
Re: m_reclaim and a protocol drain
On Sun, 30 Dec 2001, Randall Stewart wrote:

> > Heh, you nailed the reverse of the problem we've seen: Right now the easy
> > way to cause exhaustion is to fill up _send_ buffers, via netkill. I
> > guess if we solve that problem, out of order segments could be used for an
> > attack too.
> >
>
> Mike:
>
> Interesting problem.. but I was thinking in terms of
> an outside attacker.. not someone who has a login id on
> your machine. That leads down another path... i.e. local
> machine security.
>
> R

Heh, you don't have to be local to cause a machine to send you something.
Just find a service which exists to send data (http, pop3, ftp, irc), and
you're in business.

Mike "Silby" Silbersack
Re: provide packet header details to a user program for authentication
but of course divert doesn't work with bridging (which you are doing)

On Sun, 30 Dec 2001, Henry Su wrote:

>
> Is it possible to use ipfw to provide packet header details to a user program
> for authentication? Any clue will be greatly appreciated.
>
> Henry Su
> NTT MCL
Re: provide packet header details to a user program for authentication
Hi, Julian:

Do you know this code in ip_fw.c?

    #define BRIDGED (cookie == &bridgeCookie)
    hlen = ip->ip_hl << 2;

Does this cause the bridging fwd or divert problem? If so, how can we change it for bridging ipfw fwd or divert?

Thanks.

Henry Su
NTT MCL

On Sun, 30 Dec 2001, Julian Elischer wrote:

>
> but of course divert doesn't work with bridging (which you are doing)
>
> On Sun, 30 Dec 2001, Henry Su wrote:
>
> >
> > Is it possible to use ipfw to provide packet header details to a user program
> > for authentication? Any clue will be greatly appreciated.
> >
> > Henry Su
> > NTT MCL