SOCK_RAW sockets and IPPROTO_AH
Eric AUGE
e.auge at moon-system.com
Thu Apr 8 02:16:31 PDT 2004
On Wed, Apr 07, 2004 at 12:21:07AM +0900, JINMEI Tatuya wrote:
> >>>>> On Tue, 6 Apr 2004 10:15:29 +0200,
> >>>>> "Sebastien Petit" <spe at selectbourse.net> said:
>
> > Unfortunately, I can't use the bpf/pcap solution because I must do some
> > setsockopts (like IP_MULTICAST_IF, IP_MULTICAST_TTL, IP_MULTICAST_ADD_MEMBER
> > etc.) and this can't be done on bpf/pcap.
> > When I'm using IPPROTO_VRRP (ip proto 112), all works fine (and other ip
> > proto types too, I think). What is the reason that SOCK_RAW doesn't work with
> > IPPROTO_AH (ip proto 51)?
> > For me, it's an IP packet in both cases.
>
> Let me check: why do you have to include AH in the application in the
> first place? Is that related to the question you asked the other day
> (attached below)?
The question asked the other day relates to the fact that we wanted
to send AH-authenticated packets for VRRP (multicast) traffic, so
at first we decided to use the PF_KEY API (RFC 2367) implementation of
the FreeBSD KAME IPsec stack to "protect" outgoing VRRP advertisement packets generated
by our application (freevrrpd).
After some tests, we decided to implement VRRP/AH the same way keepalived did,
which allows portability and could be implemented pretty fast without having
to deal with the PF_KEY API and the problems we faced with it for multicast
traffic, etc. (the old post you mention speaks about this).
So the fact is we build our "AH enabled" VRRP header and wish to send/receive using
SOCK_RAW sockets for IPPROTO_AH (51). We can send out packets without any trouble
using this socket, but receiving on the same socket is impossible. The question is
why? Why can we receive with SOCK_RAW and IPPROTO_VRRP and not IPPROTO_AH?
(socket() returns EPROTONOSUPPORT.)
Best Regards,
Eric.
>
> JINMEI, Tatuya
> Communication Platform Lab.
> Corporate R&D Center, Toshiba Corp.
> jinmei at isl.rdc.toshiba.co.jp
> Date: Sun, 21 Mar 2004 12:26:13 +0100
> From: Sebastien Petit <spe at selectbourse.net>
> Subject: IPSec and setsockopt MULTICAST_IF interaction
> To: freebsd-net at freebsd.org
>
> Hi Team,
>
> I want to use the IPsec engine with an AH Security Association and SPD on a multicast
> destination address. When I comment out the setsockopt MULTICAST_IF option, all
> works fine and packets to the multicast destination address have AH added
> before the IP header. But when I use the setsockopt MULTICAST_IF, no packets are
> sent from the interface (the packets seem to be silently destroyed by the kernel).
> Is there an issue with using the MULTICAST_IF option and IPsec?
>
> Any help will be greatly appreciated.
>
> Regards,
> spe.
> --
> spe at selectbourse.net
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
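The thread is about receiving AH-wrapped VRRP advertisements on a raw socket. The parser below is an added example (not code from freevrrpd, keepalived or anyone in this thread) that walks a datagram the way a SOCK_RAW socket would deliver it, IP header included, through the AH header (RFC 2402) to the VRRPv2 advertisement (RFC 3768) and validates the VRRP checksum. The packet bytes, SPI, sequence number and ICV are constructed for the example, and the ICV is only measured, not verified, since that needs the SA key.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct ah_vrrp_info { uint32_t spi, seq; size_t icv_len; uint8_t version, type, vrid, priority; };

/* RFC 1071 one's-complement checksum; yields 0 over a message whose checksum is valid. */
static uint16_t inet_csum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (; n > 1; n -= 2, p += 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (n) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Walk IPv4 -> AH (proto 51) -> VRRPv2 (proto 112) as a SOCK_RAW socket delivers it,
 * IP header included. Returns 0 on success, a distinct negative code per bad layer.
 * The ICV is measured but not verified: that needs the SA key (HMAC), not shown here. */
int parse_ah_vrrp(const uint8_t *pkt, size_t len, struct ah_vrrp_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl || pkt[9] != 51) return -2;
    const uint8_t *ah = pkt + ihl;
    size_t rem = len - ihl;
    if (rem < 12) return -3;
    size_t ah_len = ((size_t)ah[1] + 2) * 4;        /* RFC 2402: 32-bit words minus 2 */
    if (rem < ah_len || ah[0] != 112) return -4;    /* next header must be VRRP */
    out->icv_len = ah_len - 12;
    out->spi = (uint32_t)ah[4] << 24 | (uint32_t)ah[5] << 16 | (uint32_t)ah[6] << 8 | ah[7];
    out->seq = (uint32_t)ah[8] << 24 | (uint32_t)ah[9] << 16 | (uint32_t)ah[10] << 8 | ah[11];
    const uint8_t *v = ah + ah_len;
    size_t vlen = rem - ah_len;
    if (vlen < 8 || inet_csum(v, vlen) != 0) return -5;  /* RFC 3768 checksum over VRRP msg */
    out->version = v[0] >> 4; out->type = v[0] & 0x0f;
    out->vrid = v[1]; out->priority = v[2];
    return 0;
}

/* Constructed sample (not a capture): 192.168.1.10 -> 224.0.0.18, TTL 255, AH with
 * SPI 256, seq 1, 96-bit placeholder ICV, wrapping a VRRPv2 advertisement for VRID 1,
 * priority 100, one VIP 192.168.1.1. The IP header checksum is left zero: not checked here. */
const uint8_t sample_pkt[64] = {
    0x45,0x00,0x00,0x40, 0x00,0x00,0x00,0x00, 0xff,0x33,0x00,0x00,   /* IPv4 */
    0xc0,0xa8,0x01,0x0a, 0xe0,0x00,0x00,0x12,
    0x70,0x04,0x00,0x00, 0x00,0x00,0x01,0x00, 0x00,0x00,0x00,0x01,   /* AH fixed part */
    0x11,0x22,0x33,0x44, 0x55,0x66,0x77,0x88, 0x99,0xaa,0xbb,0xcc,   /* ICV */
    0x21,0x01,0x64,0x01, 0x00,0x01,0xb9,0x52, 0xc0,0xa8,0x01,0x01,   /* VRRPv2 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};
```

Feed the buffer returned by recvfrom() on the raw socket to parse_ah_vrrp(); a non-zero result tells you which layer was malformed before any HMAC check is attempted.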