tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Thought on IPv6 support for NPF.
Hello, all.
I am going to apply for this project and i would like to discuss it
with the community.
"Add support for IPv6 filtering criteria (userland + kernel)."
This will be the part where the most options for filtering will be
enabled for end users.
The problems here are to implement the ipv6 addressing scheme as
it is more complex
than the ipv4's one. It will be basicly the same, just applying
the "math" for the newer
version of the ip protocol.
"Adjust components where needed and make sure that stateful filtering
works with IPv6 (kernel)."
This is will be the most interesting part i guess. Escaping
malicious packets, and defense against
the known attacks. I think that this can be done using the ipv6
reassembly code in the
network stack, this will help to examine the packet in depths.
Also this should be
highly optimized because this feature will most slow down the traffic.
"Handle IPv6 addresses in the NPF tables - a container for a fast
lookup (userland + kernel)."
I think that /src/sys/net/npf/npf_tableset.c can be modified and
used for this hash table, a separate
table for ipv6 only will be good.
"IPv6 reassembly support, re-using NetBSD's network stack code (kernel)."
This is the code that does the reassembly /src/sys/netinet6/ip6_input.c so
following it and using it reassembly can be built in npf.
This is how i understand the project. I've gone trough most of the
codes and the documentation.
I am asking the community for ideas and suggestions, what problems might have
with this project. Also if you have hints and recommendations.
Regards, Stanislav.
Home |
Main Index |
Thread Index |
Old Index