From: Eric AUGE
Date: Tue, 6 Apr 2004 19:02:34 +0200
To: JINMEI Tatuya / 神明達哉
Cc: Sebastien Petit, freebsd-hackers@freebsd.org, freebsd-net@freebsd.org
Subject: Re: SOCK_RAW sockets and IPPROTO_AH
Message-ID: <20040406170234.GB23125@flufme.sequences-infos.ch>
(Resent to freebsd-net@freebsd.org and freebsd-hackers@freebsd.org by rival@phear.org, Thu, 8 Apr 2004 11:16:28 +0200)

On Wed, Apr 07, 2004 at 12:21:07AM +0900, JINMEI Tatuya / 神明達哉 wrote:
> >>>>> On Tue, 6 Apr 2004 10:15:29 +0200,
> >>>>> "Sebastien Petit" said:
>
> > Unfortunately, I can't use the bpf/pcap solution because I must do some
> > setsockopts (like IP_MULTICAST_IF, IP_MULTICAST_TTL, IP_MULTICAST_ADD_MEMBER
> > etc.) and this can't be done on bpf/pcap.
> > When I'm using IPPROTO_VRRP (ip proto 112), all works fine (and other ip
> > proto types I think). What is the reason that SOCK_RAW doesn't work with
> > IPPROTO_AH (ip proto 51)?
> > For me, it's an IP packet in both cases.
>
> Let me check, why do you have to include AH by the application in the
> first place? Is that related to the question you made the other day
> (attached below)?

The question made the other day was related to the fact that we wanted to
send AH-authenticated packets for VRRP (multicast) traffic, so at first we
decided to use the PF_KEY API (RFC 2367) implementation of FreeBSD KAME IPSEC
to "protect" outgoing VRRP advertisement packets generated by our application
(freevrrpd).

After some tests, we decided to implement VRRP/AH the same way keepalived did,
which allows portability and could be implemented pretty fast without having
to deal with the PF_KEY API and the problems we faced with it for multicast
traffic, etc. (the old post you mention speaks about this).

So the fact is we build our "AH enabled" VRRP header and wish to send/recv
using SOCK_RAW sockets for IPPROTO_AH (51). We can send out packets without
any trouble using this socket, but receiving on the same socket is impossible.
The question is why? Why can we receive with SOCK_RAW and IPPROTO_VRRP and not
IPPROTO_AH? (socket() returns EPROTONOSUPPORT.)

Best Regards,
Eric.

>
> JINMEI, Tatuya
> Communication Platform Lab.
> Corporate R&D Center, Toshiba Corp.
> jinmei@isl.rdc.toshiba.co.jp
>
> Date: Sun, 21 Mar 2004 12:26:13 +0100
> From: Sebastien Petit
> Subject: IPSec and setsockopt MULTICAST_IF interaction
> To: freebsd-net@freebsd.org
>
> Hi Team,
>
> I want to use the IPsec engine with an AH Security Association and SPD on a
> multicast destination address. When I comment out the setsockopt MULTICAST_IF
> option, all works fine and packets destined to the multicast address have AH
> added before the IP header. But when I use the setsockopt MULTICAST_IF, no
> packets are sent from the interface (packets seem to be destroyed silently
> by the kernel).
> Is there an issue with using the MULTICAST_IF option and IPsec?
>
> Any help will be greatly appreciated.
>
> Regards,
> spe.
> --
> spe@selectbourse.net