Hi,
don't worry, your English is good enough :)
IPv6 is designed so that you can add multiple headers into a single packet
(basically, that's a different way to implement the old "options" IPv4
header field) and I called this configuration a "chain". What I want to do is
to find a solution for the problem highlighted in this IETF Draft
http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-05#section-2.1
2013/10/21 Yuichi Ito <[email protected]>
> Hi, if it is alright, please tell me.
>
>
> On Sat, 19 Oct 2013 18:53:53 +0200
> Gabriele Gerbino <[email protected]> wrote:
>
>> Hi,
>> I'm trying to implement an RA Guard-like solution, improving it with the
>> possibility of detecting the presence of an RA header in an extension header
>> chain.
>>
>
> Do you mean that 'RA Header' is 'Router Advertisement message'?
> If so, it is not related to 'extension headers' in the IPv6 header.
> It is one of the types of ICMPv6 messages.
>
>
>
>> I can detect it, but it seems like there is some problem with the
>> forwarding procedure: if the RA header is the first of the chain I can filter
>> it based on the prefix announced (packet dropped if it carries an untrusted
>> prefix, delivered otherwise), but it doesn't work if the RA header is not
>> the first one.
>>
>
> What does 'chain' mean?
> ICMPv6 messages are not chain structures.
> Do you suggest that operations differ by the existence of 'extension
> headers'?
>
> I hope that my bad English is understood.
>
>
>> I can still drop it based on the prefix, but I cannot deliver it even if
>> the code "goes" into the right "if" branch and, according to that, the
>> packet should be flooded, as shown by the LOG
>>
>> Code:
>> def _packet_in_handler(self, ev):
>>     msg = ev.msg
>>     datapath = msg.datapath
>>     ofproto = datapath.ofproto
>>     suspicious = 0
>>
>>     pkt = packet.Packet(msg.data)
>>     eth = pkt.get_protocol(ethernet.ethernet)
>>
>>     dst = eth.dst
>>     src = eth.src
>>
>>     try:
>>         ippiv6 = pkt.get_protocol(ipv6.ipv6)
>>         ipv6s = ippiv6.src
>>     except:
>>         ipv6s = "not assigned yet"
>>
>>     print "PACCHETTO ", ippiv6
>>     try:
>>         icimpv6 = pkt.get_protocol(icmpv6.icmpv6)
>>         icmpv6type = icimpv6.type_
>>     except:
>>         print "non e' un ICMPv6"
>>         icmpv6type = ""
>>     if (icmpv6type == 134):
>>         icidata = icimpv6.data
>>         #self.logger.info("[DATA ND_OPTION] %s: ", icidata)
>>
>>         print("EXTENSION HEADER: ", ippiv6)
>>         print("GNE GNE: ", ippiv6.ext_hdrs)
>>         try:
>>             dict1 = icidata.data[1]
>>             self.logger.info("[PREFIX] %s ", dict1.prefix)
>>
>>         except:
>>             try:
>>                 dict1 = icidata.data[0]
>>                 self.logger.info("[PREFIX] %s ", dict1.prefix)
>>                 suspicious = 0
>>             except:
>>                 self.logger.info("[ALERT] ND_OPTION_PI not found, irregular structure. Packet Dropped.")
>>
>>                 dict1 = 0  # if both attempts above fail, give it an integer for the if below.
>>                 suspicious = 1
>>                 self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
>>
>>         '''if isinstance(dict1, icmpv6.nd_option_pi):
>>             self.logger.info("[ALERT] I'm IN! :)")
>>         else:
>>             self.logger.info("[ALERT] I'm OUT! :(")'''
>>
>>         if isinstance(icidata, icmpv6.nd_router_advert):
>>             self.logger.info("Router Advert Instance Detected!")
>>             suspicious = 0
>>
>>             self.logger.info("[ALERT] packet contains a Router Advertisement!")
>>
>>             if (dict1.prefix not in prefixtrusted):
>>                 self.logger.info("[WARNING] Intrusion Detection System detected a Rogue Router Advertisement!\n %s != %s \n", dict1.prefix, prefixtrusted)
>>                 suspicious = 1
>>                 self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
>>
>>     dpid = datapath.id
>>     self.mac_to_port.setdefault(dpid, {})
>>     self.logger.info("packet in %s ipv6:%s %s %s %s", dpid, ipv6s, src, dst, msg.in_port)
>>
>>     # learn a mac address to avoid FLOOD next time.
>>     self.mac_to_port[dpid][src] = msg.in_port
>>
>>     if suspicious:
>>         self.logger.info("\n[DROP] SUSPICIOUS packet was dropped!")
>>
>>         out_port = ofproto.OFPP_NONE
>>     elif (dst in self.mac_to_port[dpid]):
>>         out_port = self.mac_to_port[dpid][dst]
>>         print "OUT_PORT = MAC_TO_PORT"
>>     else:
>>         out_port = ofproto.OFPP_FLOOD
>>         print "FLOOD---------------"
>>     self.logger.info(" %s", out_port)
>>
>>     actions = [datapath.ofproto_parser.OFPActionOutput(out_port)]
>>
>>
>>
>> LOG:
>>
>> PACCHETTO ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6)
>> ('EXTENSION HEADER: ', ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6))
>> ('GNE GNE: ', [fragment(id_=0,more=0,nxt=58,offset=0)])
>> [PREFIX] 2001::
>> Router Advert Instance Detected!
>> [ALERT] packet contains a Router Advertisement!
>> packet in 1 ipv6:fe80::200:ff:fe00:1 00:00:00:00:00:01 33:33:00:00:00:01 1
>> FLOOD---------------
>> 65531
>>
>> Scapy:
>> packet = IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen = 64, prefix = "2001::")
>> send(packet)
>>
>>
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
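A stand-alone illustration of the header-chain walk that section 2.1 of the draft asks an RA Guard to perform, added here as an example; it is not code from this thread, from Ryu or from Scapy, and it uses only the Python standard library so it runs offline. `classify_ipv6` steps through hop-by-hop, routing, destination-options, AH and fragment headers until it reaches the upper layer (the work Ryu's `pkt.get_protocol(icmpv6.icmpv6)` does internally), decodes the Prefix Information options of a Router Advertisement, and refuses to classify what it cannot see: a non-first fragment, a chain that runs past the end of the packet, or more than a fixed number of headers all get a `drop` verdict, which is the conservative reading of the draft. `ra_guard_decision` applies the policy stated in the thread: deliver an RA only when every announced prefix is trusted, drop otherwise. `build_test_ra` produces constructed test packets equivalent to the Scapy line above (IPv6 / fragment header / RA / prefix option) with a zero ICMPv6 checksum that the walker does not verify. The `2001:db8::` prefixes, the function names and the `MAX_CHAIN` bound are assumptions of this example.

```python
import ipaddress
import struct

# IPv6 next-header values used by the chain walker (RFC 8200 numbering).
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_ICMPV6, NH_NONE, NH_DSTOPTS = 0, 43, 44, 51, 58, 59, 60
EXT_HEADER_NAMES = {NH_HOPOPTS: "hop-by-hop", NH_ROUTING: "routing", NH_AH: "ah", NH_DSTOPTS: "dstopts"}
ICMPV6_ROUTER_ADVERT = 134   # ND Router Advertisement
ND_OPT_PREFIX_INFO = 3       # ND Prefix Information option
MAX_CHAIN = 16               # assumed bound on headers walked, so a hostile chain cannot stall the walker


def _result(verdict, reason, chain=(), prefixes=()):
    return {"verdict": verdict, "reason": reason, "chain": list(chain), "prefixes": list(prefixes)}


def classify_ipv6(packet: bytes) -> dict:
    """Walk the header chain; verdict is 'ra' (RA found, prefixes listed),
    'pass' (upper layer is not an RA) or 'drop' (chain cannot be classified)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return _result("drop", "not an IPv6 packet")
    end = min(len(packet), 40 + struct.unpack("!H", packet[4:6])[0])   # 40-byte header + payload length
    nxt, offset, chain = packet[6], 40, []
    for _ in range(MAX_CHAIN):
        if nxt == NH_ICMPV6:
            return _classify_icmpv6(packet[offset:end], chain)
        if nxt == NH_FRAGMENT:
            if end - offset < 8:
                return _result("drop", "truncated fragment header", chain)
            nxt_after, _res, frag_field, _ident = struct.unpack("!BBHI", packet[offset:offset + 8])
            chain.append("fragment")
            if frag_field >> 3 != 0:   # non-zero offset: not the first fragment, upper layer is not here
                return _result("drop", "non-first fragment: upper-layer header not visible", chain)
            nxt, offset = nxt_after, offset + 8
        elif nxt in EXT_HEADER_NAMES:
            if end - offset < 2:
                return _result("drop", "truncated extension header", chain)
            nxt_after, ext_len = packet[offset], packet[offset + 1]
            # AH counts its length in 32-bit words minus 2, the others in 8-octet units minus 1
            hdr_len = (ext_len + 2) * 4 if nxt == NH_AH else (ext_len + 1) * 8
            chain.append(EXT_HEADER_NAMES[nxt])
            if offset + hdr_len > end:
                return _result("drop", "header chain runs past the end of the packet", chain)
            nxt, offset = nxt_after, offset + hdr_len
        elif nxt == NH_NONE:
            return _result("pass", "no upper-layer header", chain)
        else:
            return _result("pass", "upper-layer protocol %d is not ICMPv6" % nxt, chain)
    return _result("drop", "more than %d headers in the chain" % MAX_CHAIN, chain)


def _classify_icmpv6(data: bytes, chain: list) -> dict:
    if len(data) < 4:
        return _result("drop", "truncated ICMPv6 header", chain)
    if data[0] != ICMPV6_ROUTER_ADVERT:
        return _result("pass", "ICMPv6 type %d is not a Router Advertisement" % data[0], chain)
    if len(data) < 16:   # RA fixed part: 4-byte ICMPv6 header + 12 bytes of RA fields
        return _result("drop", "truncated Router Advertisement", chain)
    prefixes, pos = [], 16
    while pos + 2 <= len(data):   # ND options: type, length in 8-octet units, option body
        opt_type, opt_len = data[pos], data[pos + 1]
        if opt_len == 0 or pos + opt_len * 8 > len(data):
            return _result("drop", "malformed ND option", chain)
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 4:   # prefix length at +2, prefix at +16
            prefixes.append("%s/%d" % (ipaddress.IPv6Address(data[pos + 16:pos + 32]), data[pos + 2]))
        pos += opt_len * 8
    return _result("ra", "Router Advertisement found", chain, prefixes)


def ra_guard_decision(packet: bytes, trusted_prefixes) -> tuple:
    """Policy from the thread: deliver an RA only if every announced prefix is trusted."""
    info = classify_ipv6(packet)
    if info["verdict"] != "ra":
        return info["verdict"], info["reason"]
    trusted = {ipaddress.ip_network(p) for p in trusted_prefixes}
    announced = [ipaddress.ip_network(p, strict=False) for p in info["prefixes"]]
    rogue = [str(p) for p in announced if p not in trusted]
    if not announced or rogue:
        return "drop", "RA behind %s announces %s" % (info["chain"] or "no extension headers", rogue or "no prefix")
    return "pass", "RA announces only trusted prefixes"


def build_test_ra(prefix: str, prefix_len: int = 64, ext_headers=()) -> bytes:
    """Constructed test input (like the thread's scapy packet): minimal RA with one Prefix
    Information option, optionally behind 'dstopts' / 'fragment' headers. Checksum left at 0."""
    src = ipaddress.IPv6Address("fe80::200:ff:fe00:1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    ra = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    pi = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, prefix_len, 0xC0, 2592000, 604800, 0)
    payload, nxt = ra + pi + ipaddress.IPv6Address(prefix).packed, NH_ICMPV6
    for name in reversed(ext_headers):   # innermost header is built first
        if name == "fragment":
            payload, nxt = struct.pack("!BBHI", nxt, 0, 0, 0x1234) + payload, NH_FRAGMENT   # offset 0, M=0
        elif name == "dstopts":
            payload, nxt = bytes([nxt, 0, 1, 4, 0, 0, 0, 0]) + payload, NH_DSTOPTS   # 8 bytes: one PadN option
        else:
            raise ValueError("unsupported extension header %r" % name)
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + src + dst + payload
```

Calling `ra_guard_decision(build_test_ra("2001:db8:1::", ext_headers=("dstopts", "fragment")), ["2001:db8:1::/64"])` returns a `pass` verdict with the chain `['dstopts', 'fragment']` recorded, while the same packet with an untrusted prefix, or with a non-zero fragment offset, is dropped. For reading the LOG above: the `65531` printed as out_port is `OFPP_FLOOD` (0xfffb) in OpenFlow 1.0, so the excerpt does reach the flood branch; it stops at building `actions` and does not show the packet-out message being sent.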