NKE stacking order
  • Subject: NKE stacking order
  • From: "Peter Sichel" <email@hidden>
  • Date: Wed, 30 Nov 2005 11:14:58 -0500

I'm trying to help a potential customer use Internet sharing with the
Cisco VPN client which illuminates a gap in the Tiger NKE mechanism.
Specifically, there is no way to examine or specify the required network
stack order when inserting NKEs.

To use Internet sharing (NAT) with a VPN, the VPN needs to sit below NAT
in the network stack so the NAT can examine and modify the unencrypted
packets.  As I understand it, the Cisco VPN client is implemented as an
NKE, presumably an Interface Filter as opposed to a Protocol Filter so
it applies to both native and Classic network applications (protocol
filters sit above SharedIP so do not apply to Classic applications).

Apple's built-in Internet Sharing is based on UNIX natd which uses an
ipfw divert socket.  As I understand it, divert sockets use a BPF tap
which is applied at the IOKit layer below any interface filter NKEs.
This precludes using an NKE based VPN with UNIX natd.

Another possibility is to use Mac OS X's built-in VPN tools, but I'm not
sure where these reside in the network stack order.  If they use a BPF
tap, I need a way to ensure this tap is below the divert socket used by
natd.  Performance might also be crippled by shuffling packets between
address spaces (kernel, VPN, kernel, natd, kernel).

Finally, I've implemented an NKE based NAT engine in IPNetRouterX which
could stack above the Cisco VPN client but there's no way to examine or
specify this explicitly.  In my own testing, it appears that interface
filter NKEs are executed in the order they were inserted in both the
inbound and outbound directions, which is not a valid network stack
order.  If I insert the VPN first, followed by NAT, I get this:

    IP layer of BSD stack

    outbound
     |       ^
     V       |
    VPN     NAT
     |       ^
     V       |
    NAT     VPN
     |       ^
     V       |
           inbound

    IOKit layer

If this is indeed the current implementation, how do we get this fixed?

Notice this problem was solved ages ago in Open Transport (STREAMS)
since you could walk any stream up or down to see the stacking order,
and explicitly request where your own module was to be inserted.

Help me Obi-Wan,

- Peter Sichel
  Sustainable Softworks
  www.sustworks.com


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
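As an added illustration (not part of Peter's message, and not Apple or Cisco code): a small C model of two interface filters, a NAT and a VPN, run as a chain in user space. The hook shapes, the addresses and the pass/drop rules are assumptions made for the demo. It compares the behaviour the message reports (both directions walk the filters in insertion order) against a proper stack walk where the inbound path traverses the chain in reverse, and shows that with insertion order in both directions no insertion order of the two filters yields a working round trip.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy packet: the addresses NAT rewrites plus a flag that says whether
 * the payload is currently encrypted (i.e. the packet is "below" the VPN). */
typedef struct {
    uint32_t src, dst;
    bool encrypted;
} packet_t;

/* Hypothetical filter hooks, loosely shaped like an interface filter's
 * output/input callbacks: return 0 to pass the packet, -1 to drop it. */
typedef int (*hook_fn)(packet_t *p);
typedef struct {
    const char *name;
    hook_fn output;   /* stack -> interface */
    hook_fn input;    /* interface -> stack */
} filter_t;

/* Constructed addresses for the demo. */
#define LAN_HOST    0x0A000002u   /* 10.0.0.2: client behind Internet Sharing */
#define PUBLIC_ADDR 0xC0A80164u   /* 192.168.1.100: the sharing gateway */
#define REMOTE      0x08080808u   /* 8.8.8.8: a host reached across the VPN */

/* NAT cannot read the headers of an encrypted packet, so it drops them. */
static int nat_output(packet_t *p) {
    if (p->encrypted) return -1;
    if (p->src == LAN_HOST) p->src = PUBLIC_ADDR;
    return 0;
}
static int nat_input(packet_t *p) {
    if (p->encrypted) return -1;
    if (p->dst == PUBLIC_ADDR) p->dst = LAN_HOST;
    return 0;
}

/* VPN encrypts outbound and decrypts inbound; seeing the wrong state
 * means it was run at the wrong point in the stack. */
static int vpn_output(packet_t *p) {
    if (p->encrypted) return -1;
    p->encrypted = true;
    return 0;
}
static int vpn_input(packet_t *p) {
    if (!p->encrypted) return -1;
    p->encrypted = false;
    return 0;
}

/* Two chains in insertion order (first inserted = nearest the IP layer). */
const filter_t chain_nat_then_vpn[2] = {
    { "NAT", nat_output, nat_input },
    { "VPN", vpn_output, vpn_input },
};
const filter_t chain_vpn_then_nat[2] = {
    { "VPN", vpn_output, vpn_input },
    { "NAT", nat_output, nat_input },
};

/* Outbound always walks the chain in insertion order. */
static int run_outbound(const filter_t *chain, int n, packet_t *p) {
    for (int i = 0; i < n; i++)
        if (chain[i].output(p) != 0) return -1;
    return 0;
}

/* Inbound: either insertion order as well (the behaviour the post
 * reports), or reversed, which is what a real stack does. */
static int run_inbound(const filter_t *chain, int n, packet_t *p, bool insertion_order) {
    for (int k = 0; k < n; k++) {
        int i = insertion_order ? k : n - 1 - k;
        if (chain[i].input(p) != 0) return -1;
    }
    return 0;
}

/* Send a LAN client's packet out and bring the (still encrypted) reply
 * back in. True only if both passes succeed and NAT did its job. */
bool round_trip(const filter_t *chain, int n, bool inbound_insertion_order) {
    packet_t p = { LAN_HOST, REMOTE, false };
    if (run_outbound(chain, n, &p) != 0) return false;
    if (p.src != PUBLIC_ADDR || !p.encrypted) return false;

    /* The remote host answers; the VPN peer encrypts the reply on the way back. */
    packet_t r = { REMOTE, PUBLIC_ADDR, true };
    if (run_inbound(chain, n, &r, inbound_insertion_order) != 0) return false;
    return r.dst == LAN_HOST && !r.encrypted;
}

int main(void) {
    printf("NAT,VPN proper stack (inbound reversed): %s\n",
           round_trip(chain_nat_then_vpn, 2, false) ? "ok" : "FAIL");
    printf("NAT,VPN insertion order both ways:       %s\n",
           round_trip(chain_nat_then_vpn, 2, true) ? "ok" : "FAIL");
    printf("VPN,NAT insertion order both ways:       %s\n",
           round_trip(chain_vpn_then_nat, 2, true) ? "ok" : "FAIL");
    return 0;
}
```

Only the first case succeeds: with NAT inserted first the outbound path is right but inbound hits NAT before the VPN has decrypted; with VPN inserted first the inbound path is right but outbound encrypts before NAT can translate. That is exactly why a filter mechanism needs a stack position that applies in both directions rather than a single insertion order.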

  • Follow-Ups:
    • Re: NKE stacking order
      • From: Josh Graessley <email@hidden>
    • Re: NKE stacking order
      • From: "Peter Lovell" <email@hidden>
References: 
 >Socket problem using linux as server (From: Per Jespersen <email@hidden>)
 >Re: Socket problem using linux as server (From: "Justin C. Walker" <email@hidden>)
