Re: Intercepting IPv6 ND packets
- Subject: Re: Intercepting IPv6 ND packets
- From: Josh Graessley <email@hidden>
- Date: Tue, 1 Nov 2005 17:51:27 -0800
On MacOSX, the way to do this would be an in-kernel IP filter (yeah,
it works for IPv6 too). You get full packets after fragments have
been reassembled. Since ND works over IPv6 instead of as its own
protocol (like ARP), you can just implement a simple IP filter. See
kpi_ipfilter.h somewhere in the kernel framework. Once you've got the
packets, you can pass them to your user space piece using a kernel
control socket. See kern_control.h in the kernel framework. The same
kernel control can be used to send the packets back to your kext and
your kext can inject those packets into the stack at the IP layer.
For one example of an IP filter, you can check out the SharedIP
sources from Darwin. It's a slightly elaborate example since it has
to do a bunch of other stuff.
-josh
On Nov 1, 2005, at 5:41 PM, Jonathan Wood wrote:
On Nov 1, 2005, at 1:22 PM, Peter Lovell wrote:
The reason the packets need to be processed in user space is because
the processing involves asymmetric crypto, X509 certificate chain
processing, and lots of ASN.1.
What's wrong with doing all this in-kernel ?? (duck)
:-)
Putting aside the issues of architectural cleanliness and porting
complexity...
I in fact already have the implementation complete for Linux and FreeBSD,
and I am now looking at getting it working on OSX. (For the curious - I am
implementing RFC3971, Secure Neighbor Discovery). The packet interception
mechanism is the only missing piece; the rest of the code is portable and
works fine on OSX.
What about a kext that sits between the network device and IP stack, and
exchanges packets with a user space process via a character device?
Would this work? Is there some cleaner way?
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
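The selection step an IP filter like the one described above needs before handing packets to user space, as an added example that is not part of the original thread or of the SharedIP sources: plain C that decides whether a reassembled IPv6 packet is a Neighbor Discovery message (ICMPv6 types 133 to 137, code 0, hop limit 255 per RFC 4861). It uses no kernel APIs; `nd_message_type` and `build_sample` are hypothetical names, and the sample packet is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IP6_HDR_LEN = 40, NH_HOPOPTS = 0, NH_ROUTING = 43, NH_ICMPV6 = 58, NH_DSTOPTS = 60 };

/* Return the ICMPv6 type (133..137) if pkt is an ND message, else 0. Checksum is not verified. */
int nd_message_type(const uint8_t *pkt, size_t len)
{
    /* Version must be 6 and hop limit 255 (RFC 4861), so router-forwarded packets are rejected. */
    if (pkt == NULL || len < IP6_HDR_LEN || (pkt[0] >> 4) != 6 || pkt[7] != 255)
        return 0;
    size_t payload = ((size_t)pkt[4] << 8) | pkt[5];
    if (payload > len - IP6_HDR_LEN)
        return 0;                                /* buffer shorter than the header claims */
    size_t off = IP6_HDR_LEN, end = IP6_HDR_LEN + payload;
    uint8_t nh = pkt[6];
    /* Skip hop-by-hop, routing and destination-options headers, bounds-checking each one. */
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
        if (end - off < 8)
            return 0;
        size_t ext_len = ((size_t)pkt[off + 1] + 1) * 8;
        if (ext_len > end - off)
            return 0;
        nh = pkt[off];
        off += ext_len;
    }
    if (nh != NH_ICMPV6 || end - off < 8)
        return 0;
    return (pkt[off] >= 133 && pkt[off] <= 137 && pkt[off + 1] == 0) ? pkt[off] : 0;
}

/* Constructed sample: 40-byte IPv6 header plus 24-byte ICMPv6 body, addresses and checksum zero. */
size_t build_sample(uint8_t *buf, uint8_t hop_limit, uint8_t icmp_type)
{
    memset(buf, 0, 64);
    buf[0] = 0x60; buf[5] = 24;              /* version 6, payload length 24 */
    buf[6] = NH_ICMPV6; buf[7] = hop_limit;  /* next header, hop limit */
    buf[40] = icmp_type;                     /* ICMPv6 type; code stays 0 */
    return 64;
}

int main(void)
{
    uint8_t p[64];
    printf("on-link NS   -> %d\n", nd_message_type(p, build_sample(p, 255, 135)));
    printf("forwarded NS -> %d\n", nd_message_type(p, build_sample(p, 64, 135)));
    return 0;
}
```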