Re: Is ndo_do_ioctl still acceptable?

2015-11-12 Thread Austin S Hemmelgarn 

On 2015-11-12 11:58, Jason A. Donenfeld wrote:

Hi Stephen,

Thanks for your response.

On Thu, Nov 12, 2015 at 5:34 PM, Stephen Hemminger
 wrote:

The problem is ioctl's are device specific, and therefore create dependency
on the unique features supported by your device.
The question always comes up, why is this new API not something general?


In this case, it really is for unique features of my device. My device
has its own unique notion of a "peer" based on a particular elliptic
curve point and some other interesting things. It's not something
generalizable to other devices. The thing that makes my particular
device special is these attributes that I need to make configurable. I
think then, by your criteria, ioctl would actually be perfect. In
other words, I interpret what you wrote to mean "generalizable:
netlink. device-specific: ioctl." If that's a decent summary, then
ioctl is certainly good for me.

On the other hand, based on what you are saying about your device, it 
sounds like you are working on some kind of cryptographically secured 
(either authenticated or encrypted or both) tunnel, in which case the 
fact that security is easier to handle with netlink than ioctls becomes 
important.  If you can't ensure security of the endpoint configuration, 
you can't ensure security of the tunnel itself.





smime.p7s
Description: S/MIME Cryptographic Signature

Re: [PATCH v2] add stealth mode

2015-07-13 Thread Austin S Hemmelgarn 

On 2015-07-12 19:13, Matteo Croce wrote:

2015-07-08 15:32 GMT+02:00 Austin S Hemmelgarn ahferro...@gmail.com:

On 2015-07-06 15:44, Matteo Croce wrote:
Just to name a few that I know of off the top of my head:
1. IP packets with any protocol number not supported by your current kernel
(these return a special ICMP message).


Right, I'll handle them


2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the
kernel.


Well, I've never played with SCTP before
It should still be checked, as should DCCP and RDS (those are the only 
other Layer 3 protocols that I have ever actually seen people try to 
scan hosts with besides TCP/UDP/SCTP).  SCTP itself is not hugely 
prevalent outside of some clustering uses, but it is still seen on the 
internet sometimes (for example, Gentoo has optional patches for OpenSSH 
to use SCTP).



3. Theoretically, some IGMP messages.
4. NDP messages.
5. ARP queries looking for the machine's IP addresses.


Yes I know, but it's unlikely to receive this packets from WAN, right?
My flag is intended to be used mostly on WAN interfaces,
machines in LAN should be easily discoverable IMHO.
In theory it's unlikely, but if you use any kind of IPv4 multicast on 
the WAN you will get IGMP (and MLD for IPv6 multicast).  You may also 
get some NDP queries also if you are using IPv6 and your WAN is itself 
behind a NAT router (and yes, there are ISP's who do that).



6. Certain odd flag combinations on single TCP packets (check the
documentation for Nmap for more info regarding these), which I believe
(although I may be reading the code wrong) you aren't accounting for.


I've tried many TCP flags combination with hping3, NUL, SYN/ACK, ACK,
SYN/FIN, etc.
They doesn't get any response when the flag is set

How about FIN/ACK and FIN/PSH/URG?



7. DAD queries.


Never looked at this packets, are a subset of NDP?
Kind of, it's an ICMPv6 extension for detecting if SLACC configured 
address is already in use.  Most distro's have support for it enabled by 
default.

8. ICMP address mask queries (which you also don't appear to account for).


It's deprecated and actually it doesn't get any response already
Just because it's deprecated doesn't mean you shouldn't account for it, 
although it does appear to get dropped by default by the kernel.


You should also test how different combinations of sysctls under 
/proc/sys/net affect this (there are for example already sysctls for 
ignoring certain types of ICMP packets).




smime.p7s
Description: S/MIME Cryptographic Signature

Re: [PATCH v2] add stealth mode

2015-07-08 Thread Austin S Hemmelgarn 

On 2015-07-06 15:44, Matteo Croce wrote:

2015-07-06 12:49 GMT+02:00  valdis.kletni...@vt.edu:

On Thu, 02 Jul 2015 10:56:01 +0200, Matteo Croce said:

Add option to disable any reply not related to a listening socket,
like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
Also disables ICMP replies to echo request and timestamp.
The stealth mode can be enabled selectively for a single interface.


A few notes.

2) You *do* realize that this isn't anywhere near sufficient in order
to actually make your machine invisible, right?  (Hint: What *other*
packets can be sent to a machine to provoke a response?)


Other than ICMP, UDP and TCP excluding open TCP/UDP ports?


Just to name a few that I know of off the top of my head:
1. IP packets with any protocol number not supported by your current 
kernel (these return a special ICMP message).
2. SCTP INIT and COOKIE_ECHO chunks when you have SCTP enabled in the 
kernel.

3. Theoretically, some IGMP messages.
4. NDP messages.
5. ARP queries looking for the machine's IP addresses.
6. Certain odd flag combinations on single TCP packets (check the 
documentation for Nmap for more info regarding these), which I believe 
(although I may be reading the code wrong) you aren't accounting for.

7. DAD queries.
8. ICMP address mask queries (which you also don't appear to account for).

This is by no means an exhaustive list, but all of them really should be 
addressed if you want to do this properly.





smime.p7s
Description: S/MIME Cryptographic Signature