Date:      Tue, 6 Apr 2004 19:02:34 +0200
From:      Eric AUGE <e.auge@moon-system.com>
To:        "JINMEI Tatuya / 神明達哉" <jinmei@isl.rdc.toshiba.co.jp>
Cc:        freebsd-net@freebsd.org
Subject:   Re: SOCK_RAW sockets and IPPROTO_AH
Message-ID:  <20040406170234.GB23125@flufme.sequences-infos.ch>
Resent-Message-ID: <200404080915.i389FtA9097933@stalingrad.moon-sytem.com>
In-Reply-To: <y7v7jwt6skc.wl@ocean.jinmei.org>
References:  <003b01c41b0f$b1e4fc90$bc0a270a@bum.sub.fr.hsbc> <y7v8yh9al0x.wl@ocean.jinmei.org> <003001c41baf$5316dad0$6400a8c0@a91821794s3ti7g> <y7v7jwt6skc.wl@ocean.jinmei.org>

On Wed, Apr 07, 2004 at 12:21:07AM +0900, JINMEI Tatuya / 神明達哉 wrote:
> >>>>> On Tue, 6 Apr 2004 10:15:29 +0200,
> >>>>> "Sebastien Petit" <spe@selectbourse.net> said:
>
> > Unfortunately, I can't use bpf/pcap solution because I must do some
> > setsockopts (like IP_MULTICAST_IF, IP_MULTICAST_TTL, IP_MULTICAST_ADD_MEMBER
> > etc.) and this can't be done on bpf/pcap.
> > When I'm using IPPROTO_VRRP (ip proto 112), all works fine (and other ip
> > proto type I think). What is the reason that SOCK_RAW doesn't work with
> > IPPROTO_AH (ip proto 51)?
> > For me, it's an IP packet in two cases.
>
> Let me check, why do you have to include AH by the application in the
> first place?  Is that related to the question you made the other day
> (attached below)?

The question made the other day related to the fact that we wanted
to send AH authenticated packets for VRRP (multicast) traffic, so
at first we decided to use the PF_KEY API (RFC 2367) implementation of
FreeBSD KAME IPSEC to "protect" outgoing VRRP advertisement packets generated
by our application (freevrrpd).

After some tests, we decided to implement VRRP/AH the same way as keepalived did,
that allows portability and could be implemented pretty fast without having
to deal with the PF_KEY API and problems we faced with it for multicast
traffic, etc... (the old post you mention speaks about this)

So the fact is we build our "AH enabled" VRRP header and wish to send/recv using
SOCK_RAW sockets for IPPROTO_AH (51), we can send out packets without any trouble
using this socket but receiving on the same socket is impossible, the question is
why? Why can we receive SOCK_RAW and IPPROTO_VRRP and not IPPROTO_AH?
(socket() returns EPROTONOSUPPORT).

Best Regards,
Eric.

>
> 					JINMEI, Tatuya
> 					Communication Platform Lab.
> 					Corporate R&D Center, Toshiba Corp.
> 					jinmei@isl.rdc.toshiba.co.jp

> Date: Sun, 21 Mar 2004 12:26:13 +0100
> From: Sebastien Petit <spe@selectbourse.net>
> Subject: IPSec and setsockopt MULTICAST_IF interaction
> To: freebsd-net@freebsd.org
>
> Hi Team,
>
> I want to use IPsec engine with AH Security Association and SPD on multicast
> destination address. When I comment the setsockopt MULTICAST_IF option, all
> works fine and destination packets to the multicast address have AH added
> before IP Header. But when I use the setsockopt MULTICAST_IF, no packets are
> sent from the interface (packet seems to be destroyed silently by kernel).
> Is there an issue about using MULTICAST_IF option and IPsec ?
>
> Any help will be greatly appreciated.
>
> Regards,
> spe.
> --
> spe@selectbourse.net
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
