
List:       linux-net
Subject:    Re: IP Masquerading (checksums)
From:       Matthias Urlichs <smurf () smurf ! noris ! de>
Date:       1996-09-28 7:46:48

In linux.dev.net, article <m0v6eC8-000BFeC@dingo.theplanet.co.uk>,
  Nigel Metheringham <Nigel.Metheringham@theplanet.net> writes:
> 
>   That is the right way to go on - and will stop these 
> messages since you will never know if the data is corrupt (but the 
> end point should detect it).
> 
This requires passivity, i.e. you don't depend on the correctness of the
packet itself. For instance, this works when decrementing a packet's TTL
because you don't actually do anything with the packet and your local state
does not change.

On the other hand, I'd recommend _always_ checking the checksum of incoming
packets whenever you need to work with a packet's data, even if you only
look at them.

Whether to recalculate or to fudge the checksum of modified packets should
depend only on the extent of modifications made to the data.

IMHO, an application helper will usually do something more than just look
at and modify packets. It's probably easier for an application to just pass
the data to another socket. I don't think we need a "look at that packet,
possibly modify it, and tell the kernel what to do with it, all in one
or two rather complex system calls" interface.

Again IMHO, helper applications should be done with the masquerading code
in the incoming firewall which we have now, and kernel helpers should be
done with the masquerading code which we also have now. The only problem is
that the kernel code has access to internals, such as being able to
correctly set up a reverse connection for FTP. We currently can't do that
with a helper application, and piping gigabyte data streams through a
helper application is just plain stupid. 

However, adding an appropriate interface should not be too difficult.

-- 
I'll speak to it though hell itself should gape, and bid me hold my
peace.
                                        -- Shakespeare
-- 
Matthias Urlichs         \  noris network GmbH  /  Xlink-POP Nürnberg 
Schleiermacherstraße 12   \   Linux+Internet   /   EMail: urlichs@noris.de
90491 Nürnberg (Germany)   \    Consulting+Programming+Networking+etc'ing
   PGP: 1024/4F578875   1B 89 E2 1C 43 EA 80 44  15 D2 29 CF C6 C7 E0 DE
       Click <A HREF="http://info.noris.de/~smurf/finger">here</A>.    42
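The two checksum points made above (verify an incoming packet before working with its data, and "fudge" rather than recalculate the checksum of a lightly modified packet), as an added C example that is not from this thread or from the Linux masquerading code. The 20-byte IPv4 header is a constructed sample, the incremental update follows RFC 1624, and the new source address is an RFC 5737 test address.

```c
#include <stdint.h>
#include <string.h>
/* Constructed sample: IPv4/UDP header 192.168.0.1 -> 192.168.0.199, checksum 0xb861 in place. */
const uint8_t SAMPLE_HDR[20] = { 0x45,0x00,0x00,0x73, 0x00,0x00,0x40,0x00,
    0x40,0x11,0xb8,0x61, 0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7 };
uint8_t work_hdr[20];   /* scratch copy that masquerade_demo() rewrites in place */

/* RFC 1071 checksum (complemented one's-complement sum); a header whose checksum
 * field is already filled in verifies if this returns 0. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; data += 2, len -= 2)
        sum += (uint32_t)(data[0] << 8 | data[1]);
    if (len == 1)                          /* odd trailing byte, zero-padded */
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)                      /* fold end-around carries */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fudge a stored checksum for one changed word, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). */
uint16_t checksum_update16(uint16_t hc, uint16_t m_old, uint16_t m_new)
{
    uint32_t sum = (uint32_t)(uint16_t)~hc + (uint16_t)~m_old + m_new;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Masquerade: rewrite the source address (bytes 12..15), fudging the header
 * checksum (bytes 10..11) one word at a time. Returns the new checksum. */
uint16_t masquerade_source(uint8_t hdr[20], const uint8_t new_src[4])
{
    uint16_t hc = (uint16_t)(hdr[10] << 8 | hdr[11]);
    for (int i = 0; i < 4; i += 2)
        hc = checksum_update16(hc, (uint16_t)(hdr[12 + i] << 8 | hdr[13 + i]),
                                   (uint16_t)(new_src[i] << 8 | new_src[i + 1]));
    memcpy(hdr + 12, new_src, 4);
    hdr[10] = (uint8_t)(hc >> 8); hdr[11] = (uint8_t)hc;
    return hc;
}

/* Verify the incoming header before touching it, then masquerade it as
 * 203.0.113.5 (RFC 5737 test address). Returns -1 if the checksum is bad. */
int masquerade_demo(void)
{
    static const uint8_t new_src[4] = { 203, 0, 113, 5 };
    memcpy(work_hdr, SAMPLE_HDR, 20);
    if ((work_hdr[0] >> 4) != 4 || inet_checksum(work_hdr, 20) != 0)
        return -1;
    return masquerade_source(work_hdr, new_src);
}
```

After the rewrite a full recalculation over work_hdr still yields 0, which is the check that the fudged value agrees with recomputing from scratch.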
