From: George Hadjichristofi (ghadjich_at_vt.edu)
Date: Fri Nov 15 2002 - 21:12:09 CET
Hi Stephen,
Do I need to do the change in coding even when I just want to preserve
the options field in the inner IP header? I am no longer interested in
copying it to the outer IP header.
What is the reasoning behind dropping outbound packets with the options
field enabled in the IP header? Is it strictly for security or was it
just not implemented by freeswan?
Thank you,
George
-----Original Message-----
From: users-admin_at_lists.freeswan.org
[mailto:users-admin_at_lists.freeswan.org] On Behalf Of Stephen J. Bevan
Sent: Tuesday, October 29, 2002 4:01 PM
To: ghadjich_at_adelphia.net
Cc: Freeswan; Users_at_lists.freeswan.org
Subject: [Users] options field in inner ip header
George Hadjichristofi writes:
> I want to use the Options field in the IP header of a packet. However, I
> am wondering whether an IPSec tunnel will "hide" the options field. Is the
> inner IP header's options field copied to the outer's in the current
> implementation of freeswan ipsec?
The following is from near the start of
klips/net/ipsec/ipsec_tunnel.c:ipsec_tunnel_start_xmit
    if ((iph->ihl << 2) != sizeof (struct iphdr)) {
        KLIPS_PRINT(debug_tunnel,
                    "klips_debug:ipsec_tunnel_start_xmit: "
                    "cannot process IP header options yet. May be mal-formed packet.\n"); /* XXX */
        stats->tx_dropped++;
        goto cleanup;
    }
As you can see, any outbound packet with IP options is dropped.
> If not, will it be complicated to implement that?
At a minimum you'd need to remove the above check and modify other parts
of ipsec_tunnel_start_xmit to allocate enough space for the IP header
and options (i.e. not just sizeof(struct iphdr) as is there now) and
copy over the options when the new header is created rather than just
filling in selected fields as is done now. That's a pretty small
change. I have no idea if that is all that is required.
> Also, can the options field be added/modified on the outer IP header of
> a packet after it enters the IPSec tunnel?
Assuming you make the above changes so that IP options are allowed at
all, then you are free to alter/modify the options as you see fit.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Sat Nov 16 2002 - 05:20:41 CET
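The check quoted in the thread drops every header whose length differs from sizeof(struct iphdr), so well-formed options and malformed headers take the same path. The following is an added example, not FreeS/WAN code and not written by either poster: a stand-alone C function that separates the three cases, where classify_ipv4_header, the enum and the sample headers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20 /* assumption: equals sizeof(struct iphdr) */

enum hdr_class { HDR_PLAIN, HDR_HAS_OPTIONS, HDR_MALFORMED };

/* Hypothetical helper: classify the IPv4 header at the start of pkt. */
enum hdr_class classify_ipv4_header(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HDR || (pkt[0] >> 4) != 4)
        return HDR_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0f) << 2; /* iph->ihl << 2 */
    if (hlen < IPV4_MIN_HDR || hlen > len)
        return HDR_MALFORMED; /* IHL too small or past end of buffer */
    if (hlen == IPV4_MIN_HDR)
        return HDR_PLAIN; /* the only case the quoted check lets through */
    /* Walk the options: EOL (0) ends the list, NOP (1) is a single byte,
     * every other option is type, length, data. */
    for (size_t i = IPV4_MIN_HDR; i < hlen; ) {
        uint8_t type = pkt[i];
        if (type == 0)
            break;
        if (type == 1) { i++; continue; }
        if (i + 1 >= hlen || pkt[i + 1] < 2 || i + pkt[i + 1] > hlen)
            return HDR_MALFORMED; /* option length runs off the header */
        i += pkt[i + 1];
    }
    return HDR_HAS_OPTIONS;
}

/* Constructed sample headers (documentation addresses, checksum left 0). */
static const uint8_t plain_hdr[20] = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17,
    0, 0, 192, 0, 2, 1, 198, 51, 100, 1 };
static const uint8_t router_alert_hdr[24] = { 0x46, 0, 0, 24, 0, 0, 0, 0, 64, 17,
    0, 0, 192, 0, 2, 1, 198, 51, 100, 1, 0x94, 4, 0, 0 };
static const uint8_t bad_optlen_hdr[24] = { 0x46, 0, 0, 24, 0, 0, 0, 0, 64, 17,
    0, 0, 192, 0, 2, 1, 198, 51, 100, 1, 0x94, 8, 0, 0 };

int main(void)
{
    printf("plain=%d options=%d bad=%d\n",
           (int)classify_ipv4_header(plain_hdr, sizeof plain_hdr),
           (int)classify_ipv4_header(router_alert_hdr, sizeof router_alert_hdr),
           (int)classify_ipv4_header(bad_optlen_hdr, sizeof bad_optlen_hdr));
    return 0;
}
```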