Date: Sun, 25 Jul 1999 12:41:47 -0400 (EDT)
From: wpaul@comet.columbia.edu (Bill Paul)
To: jflowers@ezo.net (Jim Flowers)
Cc: skip-info@skip-vpn.org, security@freebsd.org
Subject: Re: wi driver with SKIP
Message-ID: <199907251641.MAA08658@comet.columbia.edu>
In-Reply-To: <Pine.BSI.3.91.990725113208.4553B-100000@lily.ezo.net> from Jim Flowers at "Jul 25, 1999 12:12:34 pm"

Of all the gin joints in all the towns in all the world, Jim Flowers had to
walk into mine and say:

> Comments below.
>
> Jim Flowers <jflowers@ezo.net>
> #4 ISP on C|NET, #1 in Ohio
>
> On Fri, 23 Jul 1999, Bill Paul wrote:
>
> >
> > Ideally what you ought to do is run tcpdump -n -e -p -x -s1514 -i wi0
> > on both sides. This will avoid putting the interface into promiscuous
> > mode (changes the operation of the NIC slightly) and will dump out the
> > packet contents. At this point, you show me the packet contents so I can
> > see for myself the difference between how the frame should look and how
> > it ultimately does look.
>
> OK the results are at the end of this email. Tests with SKIP turned off
> show identical packets are copied to bpf at each end. These are
> unencrypted so you can see the packet within the packet starting in the
> sixth line.

Grrrrr! You've changed the test conditions again! In your last mail, you
said the two hosts both had WaveLAN/IEEE ISA cards in them! Now you're
telling me that one side has a WaveLAN/EC and a PNIC-based ethernet card
instead! These two concepts are *not* interchangeable, do you understand?
An ethernet card + WaveLAN/EC is *not* the same as an ISA WaveLAN/IEEE card!

Now look: take the WaveLAN/EC thing and put it away. Don't touch it again
before this exchange is through or I'm going to hurt you. I mean it. You
can not switch back and forth between two different hardware configurations
and expect to obtain any useful data! Now try the test *again* with actual,
honest to gosh WaveLAN/IEEE cards this time.

> From these tests, it seems conclusive that sometime after the outbound
> packets are copied to bpf in the wi driver but before they are copied to
> bpf in the pn driver, they are truncated to 64 bytes following the IP
> header. Beyond that, the packet before it is truncated looks pretty
> normal so I'm at a dead end. Maybe something will leap out at you.

No! That's not the conclusion to draw at all! Look closely at the second
host! It receives 306 bytes, but it sends back only 202 bytes! Now, in
theory the ICMP echo request and ICMP echo reply packets should be exactly
the same size, but clearly the other side is only sending 202 bytes:
tcpdump shows us this. I don't understand why SKIP would be causing the
ICMP echo reply packet to be so much smaller than the received request
packet.

> >
> > Furthermore, what happens when you ping W2 from W1?
>
> Same thing, only there is no turnaround as the initial ping-request
> cannot be de-encapsulated.

Grrr. But again, you're not really using two WaveLAN/IEEE ISA cards like
you said you were.

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Department of Electrical Engineering
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "Mulder, toads just fell from the sky!" "I guess their parachutes didn't open."
=============================================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message