Hi, thank you for your reply.

On Mon, 21 Oct 2013 08:15:15 +0200
Gabriele Gerbino <[email protected]> wrote:

> Hi,
> don't worry, your English is good enough :)
>
> IPv6 is designed so that you can add multiple headers into a single packet 
> (basically, that's a different way to implement the old "options" IPv4 header 
> field), and I called this configuration a "chain". What I want to do is to find 
> a solution for the problem highlighted in this IETF Draft
>
> http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-05#section-2.1

Yes, I know about extension headers.
In that figure, the Destination Options header is an extension header.
I understood your following remark as referring to the ICMPv6 RA header which 
appears after an IPv6 header with some extension headers:

 > the RA header is not the first one.

like this:

 >         Scapy:
 >         packet = IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen = 64, prefix = "2001::")
 >         send(packet)



> 2013/10/21 Yuichi Ito <[email protected]>
>
>     Hi, if it is alright, please tell me.
>
>
>     On Sat, 19 Oct 2013 18:53:53 +0200
>     Gabriele Gerbino <[email protected]> wrote:
>
>         Hi,
>         I'm trying to implement an RA Guard-like solution, improving it with 
> the possibility of detecting the presence of an RA Header inside an extension 
> header chain.
>
>
>     Do you mean that 'RA Header' is 'Router Advertisement message'?
>     If so, it is not related to 'extension headers' in the IPv6 header.
>     It is one of the types of ICMPv6 message.
>
>
>
>         I can detect it, but it seems like there is some problem with the 
> forwarding procedure: if the RA header is the first of the chain I can filter it 
> based on the prefix announced (packet dropped if it carries an untrusted 
> prefix, delivered otherwise), but it doesn't work if the RA header is not the 
> first one.
>
>
>     What does 'chain' mean?
>     ICMPv6 messages are not chain structures.
>     Do you suggest that operations differ by the existence of 'extension 
> headers'?
>
>     I hope that my bad English is understood.
>
>
>         I can still drop it based on the prefix, but I cannot deliver it even 
> if the code "goes" into the right "if ramification" and according to that the 
> packet should be flooded, as shown by the LOG
>
>         Code:
>             # Ryu OpenFlow 1.0 packet-in handler (Python 2, as Ryu ran at the time)
>             def _packet_in_handler(self, ev):
>                 msg = ev.msg
>                 datapath = msg.datapath
>                 ofproto = datapath.ofproto
>                 suspicious = 0
>
>                 pkt = packet.Packet(msg.data)
>                 eth = pkt.get_protocol(ethernet.ethernet)
>
>                 dst = eth.dst
>                 src = eth.src
>
>                 # get_protocol() returns None when the header is absent
>                 ippiv6 = pkt.get_protocol(ipv6.ipv6)
>                 ipv6s = ippiv6.src if ippiv6 is not None else "not assigned yet"
>
>                 print "PACCHETTO ", ippiv6
>                 icimpv6 = pkt.get_protocol(icmpv6.icmpv6)
>                 if icimpv6 is not None:
>                     icmpv6type = icimpv6.type_
>                 else:
>                     print "non e' un ICMPv6"
>                     icmpv6type = ""
>
>                 dict1 = None
>                 if icmpv6type == 134:
>                     icidata = icimpv6.data
>                     #self.logger.info("[DATA ND_OPTION] %s: ", icidata)
>
>                     print("EXTENSION HEADER: ", ippiv6)
>                     print("GNE GNE: ", ippiv6.ext_hdrs)
>                     # look for the Prefix Information option: second ND option
>                     # first, then the first one
>                     try:
>                         dict1 = icidata.data[1]
>                         self.logger.info("[PREFIX] %s ", dict1.prefix)
>                     except (IndexError, TypeError, AttributeError):
>                         try:
>                             dict1 = icidata.data[0]
>                             self.logger.info("[PREFIX] %s ", dict1.prefix)
>                             suspicious = 0
>                         except (IndexError, TypeError, AttributeError):
>                             self.logger.info("[ALERT] ND_OPTION_PI not found, irregular "
>                                              "structure. Packet Dropped.")
>                             # if both lookups above fail, dict1 stays None so the
>                             # prefix check below is skipped instead of raising
>                             dict1 = None
>                             suspicious = 1
>                             self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
>
>                     if isinstance(icidata, icmpv6.nd_router_advert):
>                         self.logger.info("Router Advert Instance Detected!")
>                         # do not reset 'suspicious' here: an RA without a
>                         # Prefix Information option must stay flagged
>                         self.logger.info("[ALERT] packet contains a Router Advertisement!")
>
>                     # prefixtrusted: list of trusted prefixes, defined elsewhere in the app
>                     if dict1 is not None and dict1.prefix not in prefixtrusted:
>                         self.logger.info("[WARNING] Intrusion Detection System detected a "
>                                          "Rogue Router Advertisement!\n %s != %s \n",
>                                          dict1.prefix, prefixtrusted)
>                         suspicious = 1
>                         self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
>
>                 dpid = datapath.id
>                 self.mac_to_port.setdefault(dpid, {})
>                 self.logger.info("packet in %s ipv6:%s %s %s %s", dpid, ipv6s,
>                                  src, dst, msg.in_port)
>
>                 # learn a mac address to avoid FLOOD next time.
>                 self.mac_to_port[dpid][src] = msg.in_port
>
>                 if suspicious:
>                     self.logger.info("\n[DROP] SUSPICIOUS packet was dropped!")
>                     out_port = ofproto.OFPP_NONE
>                 elif dst in self.mac_to_port[dpid]:
>                     out_port = self.mac_to_port[dpid][dst]
>                     print "OUT_PORT = MAC_TO_PORT"
>                 else:
>                     out_port = ofproto.OFPP_FLOOD
>                     print "FLOOD---------------"
>                 self.logger.info(" %s", out_port)
>
>                 actions = [datapath.ofproto_parser.OFPActionOutput(out_port)]
>
>
>
>         LOG:
>
>         PACCHETTO  ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6)
>         ('EXTENSION HEADER: ', ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6))
>         ('GNE GNE: ', [fragment(id_=0,more=0,nxt=58,offset=0)])
>         [PREFIX] 2001::
>         Router Advert Instance Detected!
>         [ALERT] packet contains a Router Advertisement!
>         packet in 1 ipv6:fe80::200:ff:fe00:1 00:00:00:00:00:01 33:33:00:00:00:01 1
>         FLOOD---------------
>            65531
>
>         Scapy:
>         packet = IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen = 64, prefix = "2001::")
>         send(packet)
>
>
>
>
>
>         _______________________________________________
>         Ryu-devel mailing list
>         [email protected]
>         https://lists.sourceforge.net/lists/listinfo/ryu-devel
>
>
>
>
>





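The issue under discussion, an RA that sits behind one or more extension headers and so is missed by a guard that only looks at the first header, comes down to walking the IPv6 Next Header chain to wherever the ICMPv6 message actually starts. The following is an added example written for this thread; it is not code from the thread, from Ryu or from Scapy. It parses raw IPv6 bytes with the standard library only (no Ryu packet classes, which is an assumption made so it runs anywhere), locates a Router Advertisement behind any number of Hop-by-Hop, Routing, Destination Options, Fragment or AH headers, extracts the Prefix Information options, and applies an RA-Guard-style verdict: drop ND messages carrying a Fragment Header (the RFC 6980 rule), drop an RA whose hop limit is not 255 (RFC 4861), and otherwise drop when an announced prefix is outside the trusted set. `build_ra` constructs test packets; its default addresses and the 2001::/64 prefix are taken from the thread's log, and its ICMPv6 checksum is left at zero because the parser does not verify it. Note that the thread's own log shows `hop_limit=64`, which a conforming host would already reject on receipt.

```python
# Added example, not code from the thread, from Ryu or from Scapy.
# Walks the IPv6 extension-header chain of a raw packet to find an ICMPv6
# Router Advertisement wherever it sits, reads the announced prefixes and
# applies an RA-Guard-style verdict. Standard library only.
import ipaddress
import struct

ICMPV6 = 58
ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
HOPOPTS, ROUTING, FRAGMENT, AUTH, DSTOPTS = 0, 43, 44, 51, 60
EXT_8OCTET = {HOPOPTS, ROUTING, DSTOPTS}  # length field in 8-octet units, excluding the first 8


def walk_ipv6(pkt):
    """Follow the Next Header chain. Returns (chain, icmp): chain is the list of
    extension-header numbers crossed; icmp is the ICMPv6 message bytes, or None
    when the upper layer is not ICMPv6 or this is a non-first fragment."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt != ICMPV6:
        if nxt not in EXT_8OCTET and nxt not in (FRAGMENT, AUTH):
            return chain, None  # TCP, UDP, ...: no ND message to inspect
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        if nxt == FRAGMENT:
            hlen = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return chain, None  # only the first fragment carries the ICMPv6 header
        elif nxt == AUTH:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        nxt, off = pkt[off], off + hlen
    return chain, bytes(pkt[off:])


def parse_ra_prefixes(icmp):
    """Return the prefixes ('2001::/64' style) announced by a Router Advertisement,
    or None if the ICMPv6 message is not an RA."""
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERT:
        return None
    prefixes, off = [], 16  # ND options start after the 16-byte RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: must be discarded
        end = off + olen * 8
        if end > len(icmp):
            raise ValueError("truncated ND option")
        if otype == ND_OPT_PREFIX_INFO and olen == 4:
            plen = icmp[off + 2]
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append("%s/%d" % (prefix, plen))
        off = end
    return prefixes


def classify(pkt, trusted):
    """RA-Guard-style verdict: (action, reason, chain, prefixes)."""
    try:
        chain, icmp = walk_ipv6(pkt)
        prefixes = parse_ra_prefixes(icmp) if icmp is not None else None
    except ValueError as exc:
        return "drop", "malformed: %s" % exc, [], []
    if prefixes is None:
        return "forward", "no Router Advertisement", chain, []
    if FRAGMENT in chain:
        # RFC 6980: Neighbor Discovery messages carrying a Fragment Header are dropped
        return "drop", "RA behind a Fragment Header", chain, prefixes
    if pkt[7] != 255:
        return "drop", "RA hop limit != 255", chain, prefixes  # RFC 4861 validity check
    rogue = [p for p in prefixes if p not in trusted]
    if rogue:
        return "drop", "untrusted prefix %s" % rogue, chain, prefixes
    return "forward", "RA with trusted prefixes", chain, prefixes


def build_ra(prefix, plen, ext_chain=(), src="fe80::200:ff:fe00:1", dst="ff02::1", hop_limit=255):
    """Constructed test packet: IPv6 / [ext headers] / RA / Prefix Information option.
    Checksum is left at zero (not verified by this parser)."""
    opt = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    payload = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + opt
    nxt = ICMPV6
    for hdr in reversed(ext_chain):  # prepend headers from the inside out
        if hdr == FRAGMENT:
            payload = struct.pack("!BBHI", nxt, 0, 0, 0x1234) + payload
        elif hdr == DSTOPTS:  # one PadN option fills the 8-octet header
            payload = struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00" + payload
        else:
            raise ValueError("builder only knows Fragment and Destination Options")
        nxt = hdr
    ip = struct.pack("!IHBB", 0x60000000, len(payload), nxt, hop_limit)
    return ip + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


if __name__ == "__main__":
    trusted = {"2001::/64"}
    for name, pkt in (
        ("plain RA", build_ra("2001::", 64)),
        ("RA behind Fragment (the thread's Scapy packet)", build_ra("2001::", 64, (FRAGMENT,))),
        ("RA behind DstOpts, rogue prefix", build_ra("2001:db8:bad::", 64, (DSTOPTS,))),
    ):
        print(name, "->", classify(pkt, trusted))
```

The chain walker is what a controller-side guard needs instead of checking only the first Next Header: the RA is found whether it is the first header or the last in the chain, and the chain itself is returned so policy can act on it (here, any Fragment Header in front of an ND message is grounds for dropping regardless of the prefix).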