> Hi,
> don't worry, your english is good enough :)
> 
> IPv6 is designed so that you can add multiple headers into a single packet
> (basically, that's a different way to implement the old "options" IPv4
> header field) and I called "chain" this configuration. What I want to do is
> to find a solution for the problem highlighted in this IETF Draft
> 
> http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-05#section-2.1

you should not need to worry about the specific attack vector
as long as you use get_protocol to look up the icmpv6 header.
the packet library is expected to follow and skip ext headers.

the following example is with the latest master.
(commit 97aff06df429d7067e481a52bbf1e6ee63a43a80)

>>> p=IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen=64, prefix="2001::")
>>> x=packet.Packet(str(p), parse_cls=ipv6.ipv6)
>>> x
ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80:1::a60:6eff:fe7f:74e7',traffic_class=0,version=6),
icmpv6(code=0,csum=9331,data=nd_router_advert(ch_l=0,data=[nd_option_pi(pl=64,pre_l=4294967295,prefix='2001::',res1=192,res2=0,val_l=4294967295)],length=[4],rea_t=0,res=0,ret_t=0,rou_l=1800,type_=[3]),type_=134)
>>> x.get_protocol(icmpv6.icmpv6).data.data[0].prefix
'2001::'
>>> 

>>> I can still drop it based on the prefix, but I cannot deliver it even if
>>> the code "goes" into the right "if branch" and according to that the
>>> packet should be flooded, as shown by the LOG

can you tell us the exact symptom of "cannot deliver"?

YAMAMOTO Takashi

> 
> 
> 2013/10/21 Yuichi Ito <[email protected]>
> 
>> Hi, if it is alright, please tell me.
>>
>>
>> On Sat, 19 Oct 2013 18:53:53 +0200
>> Gabriele Gerbino <[email protected]> wrote:
>>
>>> Hi,
>>> I'm trying to implement an RA Guard-like solution, improving it with the
>>> possibility of detecting the presence of an RA header in an extension header
>>> chain.
>>>
>>
>> Do you mean that 'RA Header' is 'Router Advertisement message' ?
>> If so, it is not related to 'extension headers' in IPv6 header.
>> It is one of the types of ICMPv6 messages.
>>
>>
>>
>>> I can detect it, but it seems like there is some problem with the
>>> forwarding procedure: if the RA header is the first of the chain I can filter
>>> it based on the prefix announced (packet dropped if it carries an untrusted
>>> prefix, delivered otherwise), but it doesn't work if the RA header is not
>>> the first one.
>>>
>>
>> What does 'chain' mean ?
>> ICMPv6 messages are not chain structures.
>> Do you suggest that operations differ by the existence of 'extension
>> headers' ?
>>
>> I hope that my bad English is understood.
>>
>>
>>> I can still drop it based on the prefix, but I cannot deliver it even if
>>> the code "goes" into the right "if branch" and according to that the
>>> packet should be flooded, as shown by the LOG
>>>
>>> Code:
>>>     from ryu.lib.packet import packet, ethernet, ipv6, icmpv6
>>>
>>>     def _packet_in_handler(self, ev):
>>>         msg = ev.msg
>>>         datapath = msg.datapath
>>>         ofproto = datapath.ofproto
>>>         suspicious = 0
>>>
>>>         pkt = packet.Packet(msg.data)
>>>         eth = pkt.get_protocol(ethernet.ethernet)
>>>
>>>         dst = eth.dst
>>>         src = eth.src
>>>
>>>         try:
>>>             ippiv6 = pkt.get_protocol(ipv6.ipv6)
>>>             ipv6s = ippiv6.src
>>>         except:
>>>             ippiv6 = None
>>>             ipv6s = "not assigned yet"
>>>
>>>         print "PACKET ", ippiv6
>>>         try:
>>>             # get_protocol walks the ext header chain, so this finds
>>>             # the icmpv6 header even behind a fragment header
>>>             icimpv6 = pkt.get_protocol(icmpv6.icmpv6)
>>>             icmpv6type = icimpv6.type_
>>>         except:
>>>             print "not an ICMPv6"
>>>             icmpv6type = ""
>>>         if (icmpv6type == 134):
>>>             icidata = icimpv6.data
>>>             #self.logger.info("[DATA ND_OPTION] %s: ", icidata)
>>>
>>>             print("EXTENSION HEADER: ", ippiv6)
>>>             print("GNE GNE: ", ippiv6.ext_hdrs)
>>>             try:
>>>                 dict1 = icidata.data[1]
>>>                 self.logger.info("[PREFIX] %s ", dict1.prefix)
>>>
>>>             except:
>>>                 try:
>>>                     dict1 = icidata.data[0]
>>>                     self.logger.info("[PREFIX] %s ", dict1.prefix)
>>>                     suspicious = 0
>>>                 except:
>>>                     self.logger.info("[ALERT] ND_OPTION_PI not found, irregular structure. Packet Dropped.")
>>>
>>>                     dict1 = 0  # if both of the above fail, give it an integer for the if below.
>>>                     suspicious = 1
>>>                     self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
>>>
>>>             '''if isinstance(dict1, icmpv6.nd_option_pi):
>>>                 self.logger.info("[ALERT] I'm IN! :)")
>>>             else:
>>>                 self.logger.info("[ALERT] I'm OUT! :(")'''
>>>
>>>             if isinstance(icidata, icmpv6.nd_router_advert):
>>>                 self.logger.info("Router Advert Instance Detected!")
>>>                 suspicious = 0
>>>
>>>                 self.logger.info("[ALERT] packet contains a Router Advertisement!")
>>>
>>>             # dict1 is the integer 0 when no Prefix Information option was found
>>>             if (isinstance(dict1, icmpv6.nd_option_pi) and dict1.prefix not in prefixtrusted):
>>>                 self.logger.info("[WARNING] Intrusion Detection System detected a Rogue Router Advertisement!\n %s != %s \n", dict1.prefix, prefixtrusted)
>>>                 suspicious = 1
>>>                 self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
>>>
>>>         dpid = datapath.id
>>>         self.mac_to_port.setdefault(dpid, {})
>>>         self.logger.info("packet in %s ipv6:%s %s %s %s", dpid, ipv6s, src, dst, msg.in_port)
>>>
>>>         # learn a mac address to avoid FLOOD next time.
>>>         self.mac_to_port[dpid][src] = msg.in_port
>>>
>>>         if suspicious:
>>>             self.logger.info("\n[DROP] SUSPICIOUS packet was dropped!")
>>>
>>>             out_port = ofproto.OFPP_NONE
>>>         elif (dst in self.mac_to_port[dpid]):
>>>             out_port = self.mac_to_port[dpid][dst]
>>>             print "OUT_PORT = MAC_TO_PORT"
>>>         else:
>>>             out_port = ofproto.OFPP_FLOOD
>>>             print "FLOOD---------------"
>>>         self.logger.info(" %s", out_port)
>>>
>>>         actions = [datapath.ofproto_parser.OFPActionOutput(out_port)]
>>>
>>>
>>>
>>> LOG:
>>>
>>> PACKET  ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6)
>>> ('EXTENSION HEADER: ', ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6))
>>> ('GNE GNE: ', [fragment(id_=0,more=0,nxt=58,offset=0)])
>>> [PREFIX] 2001::
>>> Router Advert Instance Detected!
>>> [ALERT] packet contains a Router Advertisement!
>>> packet in 1 ipv6:fe80::200:ff:fe00:1 00:00:00:00:00:01 33:33:00:00:00:01 1
>>> FLOOD---------------
>>>   65531
>>>
>>> Scapy:
>>> packet = IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen = 64, prefix = "2001::")
>>> send(packet)
>>>
>>>

_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
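The header walk that the reply above relies on, written out as an added example (it is neither Ryu's packet library nor the poster's handler; stdlib-only Python): `walk_ext_headers` steps over Hop-by-Hop, Routing, Fragment and Destination Options headers to reach the ICMPv6 header, `ra_prefixes` pulls the Prefix Information options out of a Router Advertisement, and `ra_guard_verdict` compares them with a trusted-prefix set. `naive_is_ra` is the check an RA Guard that reads only the IPv6 Next Header field performs, which any extension header in front of the RA defeats. `build_ra` constructs the sample packets inline with the same layout as the Scapy packet in the thread (IPv6 / Fragment / ICMPv6 RA / Prefix Information 2001::/64, payload length 56). All function names, the `strict` switch and the trusted-prefix set are this example's own assumptions.

```python
# Added example (not Ryu's or the poster's code): stdlib-only walk of the IPv6
# extension-header chain to find and vet a Router Advertisement.
import ipaddress
import struct

HOPBYHOP, ROUTING, FRAGMENT, DSTOPTS, ICMPV6 = 0, 43, 44, 60, 58
RA_TYPE, ND_OPT_PREFIX_INFO = 134, 3
EXT_HDRS = {HOPBYHOP, ROUTING, FRAGMENT, DSTOPTS}  # headers the walker steps over


def naive_is_ra(pkt):
    """What an RA Guard that reads only IPv6 Next Header sees: any extension
    header in front of ICMPv6 hides the RA from it."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] == RA_TYPE


def walk_ext_headers(pkt):
    """Return (next_header, upper_layer_offset, has_fragment_header); the offset
    is None for a non-initial fragment, which carries no ICMPv6 header at all."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, fragmented = pkt[6], 40, False
    while nxt in EXT_HDRS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:  # fixed 8 octets; offset is the top 13 bits of octets 2-3
            fragmented = True
            frag_offset = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            nxt, off = pkt[off], off + 8
            if frag_offset != 0:
                return nxt, None, fragmented
        else:  # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nxt, off, fragmented


def ra_prefixes(pkt):
    """[(prefix, length), ...] from an RA's Prefix Information options; None if
    the packet is not an RA; ValueError if it cannot be classified."""
    nxt, off, _ = walk_ext_headers(pkt)
    if off is None:
        raise ValueError("non-initial fragment: ICMPv6 header not visible")
    if nxt != ICMPV6 or off + 4 > len(pkt) or pkt[off] != RA_TYPE:
        return None
    if off + 16 > len(pkt):  # fixed RA body: type/code/csum + hop limit/flags/lifetimes
        raise ValueError("truncated Router Advertisement")
    prefixes, opt = [], off + 16
    while opt + 2 <= len(pkt):
        otype, olen = pkt[opt], pkt[opt + 1] * 8  # ND option length in 8-octet units
        if olen == 0 or opt + olen > len(pkt):
            raise ValueError("malformed ND option")
        if otype == ND_OPT_PREFIX_INFO and olen == 32:
            prefix = ipaddress.IPv6Address(pkt[opt + 16:opt + 32])
            prefixes.append((str(prefix), pkt[opt + 2]))
        opt += olen
    return prefixes


def ra_guard_verdict(pkt, trusted, strict=True):
    """'forward' or 'drop'. strict=True drops any RA that has a Fragment header in
    its chain regardless of prefix (the RFC 6980 receiver rule). Anything that
    cannot be classified, and an RA with no prefix to vet, is dropped: fail closed."""
    try:
        _, _, fragmented = walk_ext_headers(pkt)
        prefixes = ra_prefixes(pkt)
    except ValueError:
        return "drop"
    if prefixes is None:
        return "forward"  # not an RA: RA Guard has no say
    if (strict and fragmented) or not prefixes:
        return "drop"
    return "drop" if any(p not in trusted for p in prefixes) else "forward"


def build_ra(prefix="2001::", prefix_len=64, chain=(), frag_offset=0):
    """Constructed sample: IPv6 / headers in `chain` (outermost first) / RA with
    router lifetime 1800 / Prefix Information (L|A flags, infinite lifetimes).
    The ICMPv6 checksum is left 0; nothing above verifies it."""
    upper = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 0, 0, 1800, 0, 0)
    upper += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, prefix_len, 0xC0,
                         0xFFFFFFFF, 0xFFFFFFFF, 0)
    upper += ipaddress.IPv6Address(prefix).packed
    nxt = ICMPV6
    for hdr in reversed(chain):  # wrap from the inside out
        if hdr == FRAGMENT:
            upper = struct.pack("!BBHI", nxt, 0, frag_offset << 3, 0) + upper
        else:  # Hop-by-Hop / Destination Options: 8 octets holding one PadN option
            upper = struct.pack("!BB", nxt, 0) + bytes([1, 4, 0, 0, 0, 0]) + upper
        nxt = hdr
    return (struct.pack("!IHBB", 6 << 28, len(upper), nxt, 64)
            + ipaddress.IPv6Address("fe80::200:ff:fe00:1").packed
            + ipaddress.IPv6Address("ff02::1").packed + upper)


if __name__ == "__main__":
    trusted = {("2001::", 64)}
    for name, pkt in [("plain RA", build_ra()),
                      ("DstOpts/Fragment/RA", build_ra(chain=(DSTOPTS, FRAGMENT))),
                      ("Fragment/RA, rogue prefix", build_ra("2001:db8:bad::", chain=(FRAGMENT,))),
                      ("non-initial fragment", build_ra(chain=(FRAGMENT,), frag_offset=1))]:
        print("%-26s naive=%-5s lax=%-7s strict=%s" % (name, naive_is_ra(pkt),
              ra_guard_verdict(pkt, trusted, strict=False), ra_guard_verdict(pkt, trusted)))
```

Two points the handler in the thread does not cover: a non-initial fragment carries no ICMPv6 header, so nothing can be classified from it and the only safe answer is to drop it; and with `strict=True` an RA whose chain contains a Fragment header is dropped whatever prefix it announces, which is what RFC 6980 requires of ND receivers and what RFC 7113 (the published form of the draft cited above) builds its RA Guard advice on. Only the lax mode reproduces the "deliver it if the prefix is trusted" behaviour the poster is after.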
