From: Ping Pan
Organization: Bell Labs, Lucent
Date: Sun, 30 Jul 2000 21:44:48 -0400
To: Kris Kennaway
Cc: Jeroen Ruigrok/Asmodai, freebsd-net@freebsd.org
Subject: Re: Fwd: A new kernel extension to deal with IP option packets
Message-ID: <3984DA10.636ACA1A@research.bell-labs.com>

Kris Kennaway wrote:
>
> On Sun, 30 Jul 2000, Jeroen Ruigrok/Asmodai wrote:
>
> > We have designed and developed a new socket protocol family to support
> > IP option packets in BSD. It allows the users to intercept any IP option
> > packet (source routing, router-alert...) from socket interface. So users
> > can play fancy tricks with packets.
>
> Can't we do this already with ipfw and divert sockets? ipfw can already
> match IP packets containing options.
>

Yes, except that to have a security system, we need to put the IP option
filters to be the *last* ones to check. That could be somewhat tricky
during the filter configuration. Also since filter lookup (for divert)
is quite extensive on several packet fields, I am not sure using the
divert mechanism would give the best performance results.

Regards,

- Ping

> Kris
>
> --
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
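
The thread turns on matching packets that carry IP options (source routing, router alert). The following is an added example, not code from this thread or from FreeBSD: a user-space C sketch of the option walk any such filter or interceptor has to perform on an IPv4 header, including the malformed-length cases. The function name `classify_ip_options`, the result flags and the sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* IPv4 option type octets (RFC 791; Router Alert is RFC 2113). */
enum { OPT_EOL = 0x00, OPT_NOP = 0x01, OPT_LSRR = 0x83, OPT_SSRR = 0x89, OPT_RA = 0x94 };
/* Result bits returned by classify_ip_options(); names are hypothetical. */
enum { HAS_SRCROUTE = 1, HAS_RTRALERT = 2, HAS_OTHER = 4, MALFORMED = 0x80 };

/* Walk the options area of one IPv4 header and report which option classes it carries. */
unsigned classify_ip_options(const uint8_t *pkt, size_t len)
{
    unsigned found = 0;
    size_t hlen, i;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return MALFORMED;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL is counted in 32-bit words */
    if (hlen < 20 || hlen > len)
        return MALFORMED;
    for (i = 20; i < hlen; ) {
        uint8_t type = pkt[i], olen;
        if (type == OPT_EOL)               /* end of list: the rest is padding */
            break;
        if (type == OPT_NOP) {             /* single-octet option, no length field */
            i++;
            continue;
        }
        if (i + 1 >= hlen)                 /* length octet would lie outside the header */
            return found | MALFORMED;
        olen = pkt[i + 1];
        if (olen < 2 || i + olen > hlen)   /* no forward progress, or overruns the header */
            return found | MALFORMED;
        if (type == OPT_LSRR || type == OPT_SSRR)
            found |= HAS_SRCROUTE;
        else if (type == OPT_RA)
            found |= HAS_RTRALERT;
        else
            found |= HAS_OTHER;
        i += olen;
    }
    return found;
}

/* Constructed sample headers (checksums left zero, addresses from 192.0.2.0/24). */
const uint8_t pkt_ra[24] = { 0x46,0,0,24, 0,0,0,0, 64,46,0,0, 192,0,2,1, 192,0,2,2,
                             0x94,4,0,0 };                 /* Router Alert */
const uint8_t pkt_lsrr[28] = { 0x47,0,0,28, 0,0,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,
                               0x83,7,4, 192,0,2,3, 0 };   /* LSRR, then EOL padding */
const uint8_t pkt_bad[24] = { 0x46,0,0,24, 0,0,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,
                              0x83,7,4,192 };              /* LSRR length overruns header */
```

A header whose option lengths do not add up is reported as malformed rather than skipped, so a filter built on this check can drop it instead of passing it along unclassified.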