>can you tell us the exact symptom of "cannot deliver"?
I have code like this in the __init__ class:
input = open('/home/user/ryu/ryu/app/prtr','r')
global prefixtrusted
prefixtrusted = (input.readline())
input.close()
When I extract the prefix from the packet_in, it is compared to the prefix
contained in the "prtr" file and then ryu should decide to drop or
deliver (send out/flood) it based on the results of that comparison.
Everything looks fine (it prints the "FLOOD" word, meaning it goes to the
right method), except for the fact that the packet is not sent out.
The correct output should be something like:
packet in 1 ipv6:fe80::200:ff:fe00:1 00:00:00:00:00:01 33:33:00:00:00:01 1
FLOOD---------------
65531
packet in 1 ipv6::: 00:00:00:00:00:03 33:33:ff:00:00:03 3
packet in 1 ipv6::: 00:00:00:00:00:02 33:33:ff:00:00:02 2
instead of this:
packet in 1 ipv6:fe80::200:ff:fe00:1 00:00:00:00:00:01 33:33:00:00:00:01 1
FLOOD---------------
65531
2013/10/21 YAMAMOTO Takashi <[email protected]>
> > Hi,
> > don't worry, your English is good enough :)
> >
> > IPv6 is designed so that you can add multiple headers into a single packet
> > (basically, that's a different way to implement the old "options" IPv4
> > header field) and I called "chain" this configuration. What I want to do is
> > to find a solution for the problem highlighted in this IETF Draft
> >
> > http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-05#section-2.1
>
> you should not need to worry about the specific attack vector
> as far as you use get_protocol to look up the icmpv6 header.
> the packet library is expected to follow and skip ext headers.
>
> the following example is with the latest master.
> (commit 97aff06df429d7067e481a52bbf1e6ee63a43a80)
>
> >>> p=IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen=64, prefix = "2001::")
> >>> x=packet.Packet(str(p), parse_cls=ipv6.ipv6)
> >>> x
> ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80:1::a60:6eff:fe7f:74e7',traffic_class=0,version=6),
> icmpv6(code=0,csum=9331,data=nd_router_advert(ch_l=0,data=[nd_option_pi(pl=64,pre_l=4294967295,prefix='2001::',res1=192,res2=0,val_l=4294967295)],length=[4],rea_t=0,res=0,ret_t=0,rou_l=1800,type_=[3]),type_=134)
> >>> x.get_protocol(icmpv6.icmpv6).data.data[0].prefix
> '2001::'
> >>>
>
> >> I can still drop it based on the prefix, but I cannot deliver it even if
> >>> the code "goes" into the right "if ramification" and according to that the
> >>> packet should be flooded, like shown by the LOG
>
> can you tell us the exact symptom of "cannot deliver"?
>
> YAMAMOTO Takashi
>
> >
> >
> > 2013/10/21 Yuichi Ito <[email protected]>
> >
> >> Hi, if it is alright, please tell me.
> >>
> >>
> >> On Sat, 19 Oct 2013 18:53:53 +0200
> >> Gabriele Gerbino <[email protected]> wrote:
> >>
> >> Hi,
> >>> I'm trying to implement a RA Guard-like solution, improving it with the
> >>> possibility of detecting the presence of a RA Header into an extension header
> >>> chain.
> >>>
> >>
> >> Do you mean that 'RA Header' is 'Router Advertisement message' ?
> >> If so, it is not related to 'extension headers' in IPv6 header.
> >> It is one of the type of ICMPv6 messages.
> >>
> >>
> >>
> >> I can detect it, but seems like there is some problem about the
> >>> forwarding procedure: if the RA header is the first of chain I can filter
> >>> it based on the prefix announced (packet dropped if it carries an untrusted
> >>> prefix, delivered otherwise), but it doesn't work if the RA header is not
> >>> the first one.
> >>>
> >>
> >> What does 'chain' mean ?
> >> ICMPv6 messages are not chain structures.
> >> Do you suggest that operations differ by the existence of 'extension
> >> headers' ?
> >>
> >> I hope that my bad English is understood.
> >>
> >>
> >> I can still drop it based on the prefix, but I cannot deliver it even if
> >>> the code "goes" into the right "if ramification" and according to that the
> >>> packet should be flooded, like shown by the LOG
> >>>
> >>> Code:
> >>> def _packet_in_handler(self, ev):
> >>>     msg = ev.msg
> >>>     datapath = msg.datapath
> >>>     ofproto = datapath.ofproto
> >>>     suspicious = 0
> >>>
> >>>     pkt = packet.Packet(msg.data)
> >>>     eth = pkt.get_protocol(ethernet.ethernet)
> >>>
> >>>     dst = eth.dst
> >>>     src = eth.src
> >>>
> >>>     try:
> >>>         ippiv6 = pkt.get_protocol(ipv6.ipv6)
> >>>         ipv6s = ippiv6.src
> >>>     except:
> >>>         ipv6s = "not assigned yet"
> >>>
> >>>     print "PACCHETTO ", ippiv6
> >>>     try:
> >>>         icimpv6 = pkt.get_protocol(icmpv6.icmpv6)
> >>>         icmpv6type = icimpv6.type_
> >>>     except:
> >>>         print "non e' un ICMPv6"
> >>>         icmpv6type = ""
> >>>     if (icmpv6type == 134):
> >>>         icidata = icimpv6.data
> >>>         #self.logger.info("[DATA ND_OPTION] %s: ", icidata)
> >>>
> >>>         print("EXTENSION HEADER: ", ippiv6)
> >>>         print("GNE GNE: ", ippiv6.ext_hdrs)
> >>>         try:
> >>>             dict1 = icidata.data[1]
> >>>             self.logger.info("[PREFIX] %s ", dict1.prefix)
> >>>
> >>>         except:
> >>>             try:
> >>>                 dict1 = icidata.data[0]
> >>>                 self.logger.info("[PREFIX] %s ", dict1.prefix)
> >>>                 suspicious = 0
> >>>             except:
> >>>                 self.logger.info("[ALERT] ND_OPTION_PI not found, irregular structure. Packet Dropped.")
> >>>
> >>>                 dict1=0 # if the two above fail, we give it an integer for the if below.
> >>>                 suspicious = 1
> >>>                 self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
> >>>
> >>>         '''if isinstance(dict1, icmpv6.nd_option_pi):
> >>>             self.logger.info("[ALERT] I'm IN! :)")
> >>>         else:
> >>>             self.logger.info("[ALERT] I'm OUT! :(")'''
> >>>
> >>>         if isinstance(icidata, icmpv6.nd_router_advert):
> >>>             self.logger.info("Router Advert Instance Detected!")
> >>>             suspicious = 0
> >>>
> >>>             self.logger.info("[ALERT] packet contains a Router Advertisement!")
> >>>
> >>>
> >>>         if (dict1.prefix not in prefixtrusted):
> >>>             self.logger.info("[WARNING] Intrusion Detection System detected a Rogue Router Advertisement!\n %s != %s \n", dict1.prefix, prefixtrusted)
> >>>             suspicious = 1
> >>>             self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
> >>>
> >>>     dpid = datapath.id
> >>>     self.mac_to_port.setdefault(dpid, {})
> >>>     self.logger.info("packet in %s ipv6:%s %s %s %s", dpid, ipv6s, src, dst, msg.in_port)
> >>>
> >>>     # learn a mac address to avoid FLOOD next time.
> >>>     self.mac_to_port[dpid][src] = msg.in_port
> >>>
> >>>     if suspicious:
> >>>         self.logger.info("\n[DROP] SUSPICIOUS packet was dropped!")
> >>>
> >>>         out_port = ofproto.OFPP_NONE
> >>>     elif (dst in self.mac_to_port[dpid]):
> >>>         out_port = self.mac_to_port[dpid][dst]
> >>>         print "OUT_PORT = MAC_TO_PORT"
> >>>     else:
> >>>         out_port = ofproto.OFPP_FLOOD
> >>>         print "FLOOD---------------"
> >>>     self.logger.info (" %s", out_port)
> >>>
> >>>     actions = [datapath.ofproto_parser.OFPActionOutput(out_port)]
> >>>
> >>>
> >>>
> >>> LOG:
> >>>
> >>> PACCHETTO ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6)
> >>> ('EXTENSION HEADER: ', ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6))
> >>> ('GNE GNE: ', [fragment(id_=0,more=0,nxt=58,offset=0)])
> >>> [PREFIX] 2001::
> >>> Router Advert Instance Detected!
> >>> [ALERT] packet contains a Router Advertisement!
> >>> packet in 1 ipv6:fe80::200:ff:fe00:1 00:00:00:00:00:01 33:33:00:00:00:01 1
> >>> FLOOD---------------
> >>> 65531
> >>>
> >>> Scapy:
> >>> packet = IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen = 64, prefix = "2001::")
> >>> send(packet)
> >>>
>
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel
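
The check discussed in this thread (follow the IPv6 extension header chain to the ICMPv6 header, then compare the advertised prefix with the trusted one) written against raw bytes without Ryu or Scapy, as an added example that is not part of the original messages. The names `ra_prefixes`, `ra_guard_verdict` and `sample_ra`, the fail-closed policy, and comparing parsed networks instead of strings are assumptions of this example; the sample packet is constructed to mirror the one sent in the thread.

```python
import ipaddress
import struct
EXT_HDRS = {0, 43, 60}  # hop-by-hop, routing, destination options (AH/ESP not walked here)
FRAGMENT, ICMPV6, ND_RA, OPT_PREFIX_INFO = 44, 58, 134, 3

def ra_prefixes(pkt):
    """Prefixes announced by a Router Advertisement, or None if pkt is not an RA."""
    nxt, off = pkt[6], 40                      # Next Header field, end of fixed header
    while nxt in EXT_HDRS or nxt == FRAGMENT:  # follow the chain to the upper layer
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        if nxt == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return None                        # non-first fragment: no upper layer here
        hdr_len = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    if nxt != ICMPV6:
        return None
    if off >= len(pkt):
        raise ValueError("upper-layer header missing")
    if pkt[off] != ND_RA:
        return None
    prefixes, off = [], off + 16               # skip the 16-byte fixed RA part
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed ND option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefixes.append(ipaddress.IPv6Network(
                (pkt[off + 16:off + 32], pkt[off + 2]), strict=False))
        off += opt_len
    return prefixes

def ra_guard_verdict(pkt, trusted):
    """'drop' unparsable RAs and RAs with no or untrusted prefixes, else 'forward'."""
    try:
        prefixes = ra_prefixes(pkt)
    except ValueError:
        return "drop"                          # fail closed on anything unparsable
    ok = prefixes is None or (prefixes and all(p in trusted for p in prefixes))
    return "forward" if ok else "drop"

def sample_ra(prefix, frag=True):
    """Constructed packet: IPv6 / [Fragment] / RA / Prefix Information (/64)."""
    addr = lambda a: ipaddress.IPv6Address(a).packed
    opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2**32 - 1, 2**32 - 1, 0) + addr(prefix)
    frag_hdr = struct.pack("!BBHI", ICMPV6, 0, 0, 0) if frag else b""
    body = frag_hdr + struct.pack("!BBHBBHII", ND_RA, 0, 0, 64, 0, 1800, 0, 0) + opt
    hdr = struct.pack("!IHBB", 6 << 28, len(body), FRAGMENT if frag else ICMPV6, 255)
    return hdr + addr("fe80::200:ff:fe00:1") + addr("ff02::1") + body
```

With `trusted = {ipaddress.IPv6Network("2001::/64")}`, the verdict for `sample_ra("2001::")` is the same with and without the Fragment header, which is the property the thread is about.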