I'm sorry, I forgot to mention that the rest of the code is the
simple_switch.py example.

Gabriele

2013/10/19, Gabriele Gerbino <[email protected]>:
> Hi,
> I'm trying to implement an RA Guard-like solution, extended with the
> ability to detect an RA header inside an extension header chain. I can
> detect it, but there seems to be a problem with the forwarding step: if
> the RA header is the first in the chain, I can filter the packet based on
> the announced prefix (dropped if it carries an untrusted prefix, delivered
> otherwise), but this does not work when the RA header is not the first
> one. In that case I can still drop the packet based on the prefix, but I
> cannot deliver it, even though the code takes the right "if" branch and
> the packet should therefore be flooded, as the LOG below shows.
>
> Code:
>   def _packet_in_handler(self, ev):
>         msg = ev.msg
>         datapath = msg.datapath
>         ofproto = datapath.ofproto
>         suspicious = 0
>
>         pkt = packet.Packet(msg.data)
>         eth = pkt.get_protocol(ethernet.ethernet)
>
>         dst = eth.dst
>         src = eth.src
>
>         try:
>                 ippiv6 = pkt.get_protocol(ipv6.ipv6)
>                 ipv6s = ippiv6.src
>         except:
>                 ipv6s = "not assigned yet"
>
>         print "PACCHETTO ", ippiv6
>         try:
>                 icimpv6 = pkt.get_protocol(icmpv6.icmpv6)
>                 icmpv6type = icimpv6.type_
>         except:
>                 print "non e' un ICMPv6"
>                 icmpv6type = ""
>         if (icmpv6type == 134):
>                 icidata = icimpv6.data
>                 #self.logger.info("[DATA ND_OPTION] %s: ", icidata)
>                 print("EXTENSION HEADER: ", ippiv6)
>                 print("GNE GNE: ", ippiv6.ext_hdrs)
>                 try:
>                         dict1 = icidata.data[1]
>                         self.logger.info("[PREFIX] %s ", dict1.prefix)
>                 except:
>                         try:
>                                 dict1 = icidata.data[0]
>                                 self.logger.info("[PREFIX] %s ",
> dict1.prefix)
>                                 suspicious = 0
>                         except:
>                                 self.logger.info("[ALERT] ND_OPTION_PI not
> found, irregular structure. Packet Dropped.")
>                                 dict1=0 #se i due sopra falliscono, gli
> diamo un intero per l'if sotto.
>                                 suspicious = 1
>                                 self.logger.info("[SUSPECT] SUSPICIOUS
> state has changed!")
>
>                 '''if isinstance(dict1, icmpv6.nd_option_pi):
>                         self.logger.info("[ALERT] I'm IN! :)")
>                 else:
>                         self.logger.info("[ALERT] I'm OUT! :(")'''
>
>                 if isinstance(icidata, icmpv6.nd_router_advert):
>                         self.logger.info("Router Advert Instance
> Detected!")
>                         suspicious = 0
>
>                 self.logger.info("[ALERT] packet contains a Router
> Advertisement!")
>
>                 if (dict1.prefix not in prefixtrusted):
>                         self.logger.info("[WARNING] Intrusion Detection
> System detected a Rogue Router Advertisement!\n %s != %s \n", dict1.prefix,
> prefixtrusted)
>                         suspicious = 1
>                         self.logger.info("[SUSPECT] SUSPICIOUS state has
> changed!")
>
>         dpid = datapath.id
>         self.mac_to_port.setdefault(dpid, {})
>         self.logger.info("packet in %s ipv6:%s %s %s %s", dpid, ipv6s, src,
> dst, msg.in_port)
>
>         # learn a mac address to avoid FLOOD next time.
>         self.mac_to_port[dpid][src] = msg.in_port
>
>         if suspicious:
>                 self.logger.info("\n[DROP] SUSPICIOUS packet was dropped!")
>                 out_port = ofproto.OFPP_NONE
>         elif (dst in self.mac_to_port[dpid]):
>                 out_port = self.mac_to_port[dpid][dst]
>                 print "OUT_PORT = MAC_TO_PORT"
>         else:
>                 out_port = ofproto.OFPP_FLOOD
>                 print "FLOOD---------------"
>         self.logger.info (" %s", out_port)
>         actions = [datapath.ofproto_parser.OFPActionOutput(out_port)]
>
>
>
> LOG:
>
> PACCHETTO
> ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6)
> ('EXTENSION HEADER: ',
> ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6))
> ('GNE GNE: ', [fragment(id_=0,more=0,nxt=58,offset=0)])
> [PREFIX] 2001::
> Router Advert Instance Detected!
> [ALERT] packet contains a Router Advertisement!
> packet in 1 ipv6:fe80::200:ff:fe00:1 00:00:00:00:00:01 33:33:00:00:00:01 1
> FLOOD---------------
>  65531
>
> Scapy:
> packet =
> IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen
> = 64, prefix = "2001::")
> send(packet)
>
