Hi, if it is alright, please tell me.

On Sat, 19 Oct 2013 18:53:53 +0200 Gabriele Gerbino <[email protected]> wrote:
> Hi,
> I'm trying to implement an RA Guard-like solution, improving it with the
> possibility of detecting the presence of an RA Header in an extension header
> chain.

Do you mean that 'RA Header' is 'Router Advertisement message'? If so, it is not related to 'extension headers' in the IPv6 header. It is one of the types of ICMPv6 messages.

> I can detect it, but it seems like there is some problem with the forwarding
> procedure: if the RA header is the first of the chain I can filter it based on
> the prefix announced (packet dropped if it carries an untrusted prefix,
> delivered otherwise), but it doesn't work if the RA header is not the first
> one.

What does 'chain' mean? ICMPv6 messages are not chain structures. Do you suggest that operations differ by the existence of 'extension headers'? I hope that my bad English is understood.

> I can still drop it based on the prefix, but I cannot deliver it even if the
> code "goes" into the right "if" branch, and according to that the packet
> should be flooded, as shown by the LOG
>
> Code:
> def _packet_in_handler(self, ev):
>     msg = ev.msg
>     datapath = msg.datapath
>     ofproto = datapath.ofproto
>     suspicious = 0
>
>     pkt = packet.Packet(msg.data)
>     eth = pkt.get_protocol(ethernet.ethernet)
>
>     dst = eth.dst
>     src = eth.src
>
>     try:
>         ippiv6 = pkt.get_protocol(ipv6.ipv6)
>         ipv6s = ippiv6.src
>     except:
>         ipv6s = "not assigned yet"
>
>     print "PACCHETTO ", ippiv6
>     try:
>         icimpv6 = pkt.get_protocol(icmpv6.icmpv6)
>         icmpv6type = icimpv6.type_
>     except:
>         print "non e' un ICMPv6"
>         icmpv6type = ""
>     if (icmpv6type == 134):
>         icidata = icimpv6.data
>         #self.logger.info("[DATA ND_OPTION] %s: ", icidata)
>         print("EXTENSION HEADER: ", ippiv6)
>         print("GNE GNE: ", ippiv6.ext_hdrs)
>         try:
>             dict1 = icidata.data[1]
>             self.logger.info("[PREFIX] %s ", dict1.prefix)
>         except:
>             try:
>                 dict1 = icidata.data[0]
>                 self.logger.info("[PREFIX] %s ", dict1.prefix)
>                 suspicious = 0
>             except:
>                 self.logger.info("[ALERT] ND_OPTION_PI not found, irregular structure. Packet Dropped.")
>                 dict1 = 0  # if the two above fail, give it an integer for the if below.
>                 suspicious = 1
>                 self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
>
>         '''if isinstance(dict1, icmpv6.nd_option_pi):
>             self.logger.info("[ALERT] I'm IN! :)")
>         else:
>             self.logger.info("[ALERT] I'm OUT! :(")'''
>
>         if isinstance(icidata, icmpv6.nd_router_advert):
>             self.logger.info("Router Advert Instance Detected!")
>             suspicious = 0
>
>         self.logger.info("[ALERT] packet contains a Router Advertisement!")
>
>         if (dict1.prefix not in prefixtrusted):
>             self.logger.info("[WARNING] Intrusion Detection System detected a Rogue Router Advertisement!\n %s != %s \n", dict1.prefix, prefixtrusted)
>             suspicious = 1
>             self.logger.info("[SUSPECT] SUSPICIOUS state has changed!")
>
>     dpid = datapath.id
>     self.mac_to_port.setdefault(dpid, {})
>     self.logger.info("packet in %s ipv6:%s %s %s %s", dpid, ipv6s, src, dst, msg.in_port)
>     # learn a mac address to avoid FLOOD next time.
>     self.mac_to_port[dpid][src] = msg.in_port
>
>     if suspicious:
>         self.logger.info("\n[DROP] SUSPICIOUS packet was dropped!")
>         out_port = ofproto.OFPP_NONE
>     elif (dst in self.mac_to_port[dpid]):
>         out_port = self.mac_to_port[dpid][dst]
>         print "OUT_PORT = MAC_TO_PORT"
>     else:
>         out_port = ofproto.OFPP_FLOOD
>         print "FLOOD---------------"
>     self.logger.info(" %s", out_port)
>     actions = [datapath.ofproto_parser.OFPActionOutput(out_port)]
>
>
> LOG:
>
> PACCHETTO  ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6)
> ('EXTENSION HEADER: ', ipv6(dst='ff02::1',ext_hdrs=[fragment(id_=0,more=0,nxt=58,offset=0)],flow_label=0,hop_limit=64,nxt=44,payload_length=56,src='fe80::200:ff:fe00:1',traffic_class=0,version=6))
> ('GNE GNE: ', [fragment(id_=0,more=0,nxt=58,offset=0)])
> [PREFIX] 2001::
> Router Advert Instance Detected!
> [ALERT] packet contains a Router Advertisement!
> packet in 1 ipv6:fe80::200:ff:fe00:1 00:00:00:00:00:01 33:33:00:00:00:01 1
> FLOOD---------------
>  65531
>
> Scapy:
> packet = IPv6(dst="ff02::1")/IPv6ExtHdrFragment()/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefixlen = 64, prefix = "2001::")
> send(packet)
>
> _______________________________________________
> Ryu-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ryu-devel
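Added example, not code from the thread or from Ryu: a Ryu-independent parser over raw IPv6 bytes that walks the extension-header chain, locates an ICMPv6 Router Advertisement even when a Fragment Header precedes it, and applies the trusted-prefix check from the quoted handler to every Prefix Information option instead of only `data[0]` / `data[1]`. It also reports the fragmented case separately, because RFC 6980 requires receivers to ignore ND messages that carry a Fragment Header; the sample packet builder and the `TRUSTED_PREFIXES` set are constructed here to mirror the thread's Scapy packet.

```python
import struct
import ipaddress
# Hop-by-Hop (0), Routing (43), Destination Options (60) carry a length field;
# Fragment (44) is always 8 bytes. Example code for this thread, not part of Ryu.
VARIABLE_EXT, FRAGMENT, ICMPV6, RA_TYPE, OPT_PREFIX_INFO = {0, 43, 60}, 44, 58, 134, 3
TRUSTED_PREFIXES = {ipaddress.IPv6Network("2001::/64")}   # constructed, like prefixtrusted

def walk_ext_hdrs(pkt):
    """Follow the Next Header chain; return (last_nxt, payload_offset, saw_fragment)."""
    nxt, off, saw_fragment = pkt[6], 40, False
    while nxt in VARIABLE_EXT or nxt == FRAGMENT:
        if nxt == FRAGMENT:
            saw_fragment = True
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] & 0xfff8:
                return None, off, True   # non-first fragment: no ICMPv6 header in it
            nxt, hdr_len = pkt[off], 8
        else:
            nxt, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8
        off += hdr_len
    return nxt, off, saw_fragment

def ra_verdict(pkt, trusted):
    """RA Guard decision for one raw IPv6 packet; trusted is a set of IPv6Network."""
    nxt, off, fragmented = walk_ext_hdrs(pkt)
    if nxt != ICMPV6 or pkt[off] != RA_TYPE:
        return "not-ra"
    if fragmented:   # RFC 6980: receivers must ignore ND messages carrying a Fragment Header
        return "drop-fragmented-nd"
    opts, prefixes = pkt[off + 16:], []   # ND options follow the 16-byte RA body
    while len(opts) >= 8:
        otype, olen = opts[0], opts[1] * 8
        if olen == 0 or olen > len(opts):
            return "drop-malformed-option"
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefixes.append(ipaddress.IPv6Network((opts[16:32], opts[2]), strict=False))
        opts = opts[olen:]
    if not prefixes:
        return "drop-no-prefix-option"
    return "allow" if all(p in trusted for p in prefixes) else "drop-untrusted-prefix"

def build_ra(prefix="2001::/64", fragment=False):
    """Constructed sample like the thread's Scapy packet: IPv6/[Fragment]/RA/PrefixInfo."""
    net = ipaddress.IPv6Network(prefix)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xc0, 2592000, 604800, 0) + net.network_address.packed
    payload, nxt = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + option, ICMPV6
    if fragment:   # atomic fragment (offset 0, M=0) in front of the RA; checksum left 0
        payload, nxt = struct.pack("!BBHI", ICMPV6, 0, 0, 0) + payload, FRAGMENT
    return (struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64)
            + ipaddress.IPv6Address("fe80::200:ff:fe00:1").packed
            + ipaddress.IPv6Address("ff02::1").packed + payload)
```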
