On Tue, May 09, 2006 at 11:43:38AM -0700, Erik Nordmark wrote:
> Nicolas Williams wrote:
> >>Isn't "observability" a bit too broad here? I would assume observability
> >>includes packet counters (e.g., netstat -i) in addition to being able to
> >>look at the packet content.
> >
> >Looking at counters does not typically require privilege, but maybe it
> >should require some basic privilege, as counters might leak useful data.
>
> My comment was merely that the name for the privilege seems a bit too broad.

Ah.

> >Well, if you mean ICMP ECHO REQUEST/REPLY, having a syscall (socket?)
> >interface to do that would save us the bother with privileges for
> >distinguishing those types of packets from other uses of raw networking,
> >no?
>
> For sending "raw" I can see many different degrees of raw. A
> non-exhaustive list:
> - being able to send packets with different IPPROTO than TCP, UDP, ICMP

Yup, this one I expect to be useful in loopback situations.

> - being able to send IP packets with an arbitrary IP source address,
>   with an arbitrary IP ident field (IPPROTO_RAW allows this)

This too, particularly given Crossbow.

(Hmmm, the ability to simulate large networks using Zones is appealing,
isn't it?)

> - being able to send datalink packets with arbitrary Ethernet type,
>   arbitrary Ethernet source address
> - being able to send Ethernet packets with bad CRC

Not useful in loopback situations ever, I think, or am I missing something?

> >Sending and receiving are different things. And for loopback, does
> >anyone ever want to be able to send packets using a rawip socket? Why?
> >Because of missing non-raw interfaces or for fault injection?
>
> SOCK_RAW is used by ping, and I'm sure some people ping another zone.

Yes, but I'm still mystified as to why there is not a better API for ping
all these years later.

> I agree that two separate privileges for packet capture make sense.

Cool.

_______________________________________________
networking-discuss mailing list
[email protected]
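The "arbitrary IP source address / arbitrary IP ident field" degree of raw that the list above attributes to IPPROTO_RAW, shown as an added example that is not part of this thread and not OpenSolaris code. It hand-builds an IPv4 header plus ICMP echo request with a caller-chosen source address and ident, then tries to push it through an IPPROTO_RAW socket with IP_HDRINCL. The privilege check the thread is discussing shows up in user space as socket() or sendto() failing with EPERM or EACCES for an unprivileged caller (the net_rawaccess privilege on Solaris, CAP_NET_RAW on Linux). The function names, the 10.0.0.x addresses, the ident values and the payload are constructed for illustration and are not from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* RFC 1071 one's-complement checksum over len bytes (used for both the
 * IPv4 header and the ICMP message). */
uint16_t inet_csum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len)                       /* odd trailing byte, padded with zero */
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)              /* fold carries back into 16 bits */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build IPv4 header + ICMP echo request into buf with an arbitrary source
 * address and IP ident (exactly what a plain SOCK_DGRAM/SOCK_STREAM socket
 * never lets a caller choose). Returns packet length, or -1 on bad input.
 * Fields are written in network byte order; note that BSD-derived stacks
 * expect ip_len/ip_off in host order under IP_HDRINCL, Linux in network order. */
int build_spoofed_echo(uint8_t *buf, size_t bufsz,
                       const char *src, const char *dst,
                       uint16_t ip_id, uint16_t icmp_id, uint16_t seq,
                       const uint8_t *payload, size_t plen)
{
    size_t total = 20 + 8 + plen;
    struct in_addr s, d;
    uint16_t csum;
    uint8_t *ic;

    if (total > bufsz || total > 65535)
        return -1;
    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return -1;

    memset(buf, 0, total);
    buf[0] = 0x45;                            /* version 4, IHL 5 (20 bytes) */
    buf[2] = (uint8_t)(total >> 8);           /* total length */
    buf[3] = (uint8_t)(total & 0xFF);
    buf[4] = (uint8_t)(ip_id >> 8);           /* caller-chosen identification */
    buf[5] = (uint8_t)(ip_id & 0xFF);
    buf[8] = 64;                              /* TTL */
    buf[9] = IPPROTO_ICMP;
    memcpy(buf + 12, &s, 4);                  /* caller-chosen source address */
    memcpy(buf + 16, &d, 4);
    csum = inet_csum(buf, 20);
    buf[10] = (uint8_t)(csum >> 8);
    buf[11] = (uint8_t)(csum & 0xFF);

    ic = buf + 20;
    ic[0] = 8;                                /* ICMP type: echo request */
    ic[1] = 0;                                /* code */
    ic[4] = (uint8_t)(icmp_id >> 8);
    ic[5] = (uint8_t)(icmp_id & 0xFF);
    ic[6] = (uint8_t)(seq >> 8);
    ic[7] = (uint8_t)(seq & 0xFF);
    if (plen)
        memcpy(ic + 8, payload, plen);
    csum = inet_csum(ic, 8 + plen);
    ic[2] = (uint8_t)(csum >> 8);
    ic[3] = (uint8_t)(csum & 0xFF);
    return (int)total;
}

/* Send a prepared packet through an IPPROTO_RAW socket. Returns 0 on success,
 * -1 with errno set otherwise; EPERM/EACCES is the raw-networking privilege
 * being enforced against an unprivileged caller. */
int send_raw(const uint8_t *pkt, size_t len)
{
    int fd, one = 1, saved;
    ssize_t n;
    struct sockaddr_in to;

    fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0) {
        saved = errno; close(fd); errno = saved;
        return -1;
    }
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    memcpy(&to.sin_addr, pkt + 16, 4);        /* destination from the header we built */
    n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    saved = errno; close(fd); errno = saved;
    return n == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    uint8_t pkt[128];
    const uint8_t payload[] = "constructed-sample";   /* constructed payload */
    int n = build_spoofed_echo(pkt, sizeof pkt, "10.0.0.1", "10.0.0.2",
                               0xBEEF, 0x1234, 1, payload, sizeof payload);
    if (n < 0) {
        fputs("build failed\n", stderr);
        return 1;
    }
    if (send_raw(pkt, (size_t)n) == 0)
        puts("sent: caller holds the raw-IP privilege");
    else if (errno == EPERM || errno == EACCES)
        puts("refused: caller lacks the raw-IP privilege");
    else
        perror("send_raw");
    return 0;
}
```

Run it once as an ordinary user and once with the raw-networking privilege to see the two outcomes; the packet builder itself needs no privilege, which is the point of the thread's distinction between choosing header fields (an API question) and being allowed to emit them (a privilege question).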
