[nzlug] Uncommon Transport Protocols + Linux

Daniel Pittman daniel at rimspace.net
Sat Jan 6 01:59:03 NZDT 2007


Raimund Eimann <raimund at cs.auckland.ac.nz> writes:

>> No -- they should have an ICMP error generated informing the sender
>> that the protocol in question is not supported.
>
> Ok... but the data in the original packet is dropped, I suppose.

Oh.  Essentially, yes.  I believe that is one of the ICMP errors that
contains a few bytes of the original packet -- so you can track down
which connection more easily -- but otherwise the data is discarded.

[...]

>>   * grab the IP packet
>>   * decrement the TTL and reject dead packets
>>   * find the outbound route for the packet
>>   * deliver the packet to the outbound queue
>
> I must admit the code is not easy to read for me... I was expecting
> something along the lines of a switch(protocol) {case TCP:... case
> UDP:... case SCTP...} statement with a default: stanza handling unknown
> protocols.

Like many of these things it is done with performance and scalability in
mind; the lookup retrieves a set of function pointers from a hash and
uses those to dispatch the data.

The effect is similar to your switch except it can be extended at
runtime, and can theoretically handle as many protocols as IP supports.
A switch would likely be much less efficient even without the dynamic
stuff.


>> It seems likely you have a question behind these specific technical
>> details; if you state that perhaps it can be explained?
>
> It is part of a project that investigates the suitability of various
> protocol header fields for entropy measurement. In particular, I am
> examining the value distributions of such fields in various
> scenarios. I was looking for a reference to say that even in a network
> attack scenario, filling the IP protocol field with garbage is not
> sensible, because target hosts simply drop packets, so this situation
> does not really need to be considered. In other words: independent of
> the scenario, one may expect the values of the IP protocol field to be
> limited to a very small subset of its 8-bit spectrum.

That is reasonable and correct, I think.  Linux, like every other
platform I am familiar with, has around half a dozen IP level protocol
handlers at any one time.  Everything else gets dumped.

I can't give you anything more authoritative than that though.  Try
asking on the Linux network developers mailing list.  An intelligent
question identifying what you did in that paragraph should get a good
response.

Regards,
        Daniel
-- 
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707        email: contact at digital-infrastructure.com.au
                 http://digital-infrastructure.com.au/
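An added illustration of the two points made in this thread, written for this page and not taken from the Linux kernel or from either poster: a handler table stands in for the kernel's per-protocol hash of function pointers, an unknown protocol number yields an ICMP Destination Unreachable with code 2 (Protocol Unreachable) quoting the offending IP header plus the first 8 payload bytes as RFC 792 specifies, and a small entropy function shows how a handful of live protocol numbers keeps the measured entropy of the protocol field far below its 8-bit maximum. The packets are constructed in-line, not captured traffic.

```python
import struct
from collections import Counter
from math import log2

def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(proto, payload=b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"):
    """Constructed 20-byte IPv4 header (no options) + payload; 10.0.0.1 -> 10.0.0.2."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

# Stand-in for the kernel's hash of per-protocol handlers (ICMP, TCP, UDP).
def handle_icmp(pkt): return ("icmp", pkt[20:])
def handle_tcp(pkt):  return ("tcp", pkt[20:])
def handle_udp(pkt):  return ("udp", pkt[20:])
HANDLERS = {1: handle_icmp, 6: handle_tcp, 17: handle_udp}

def icmp_protocol_unreachable(pkt):
    """Type 3, code 2, quoting the original header and first 8 payload bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    body = struct.pack("!BBHI", 3, 2, 0, 0) + pkt[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def dispatch(pkt):
    """Look the protocol byte up; unknown numbers get an ICMP error, data dropped."""
    handler = HANDLERS.get(pkt[9])
    if handler is None:
        return ("protocol-unreachable", icmp_protocol_unreachable(pkt))
    return handler(pkt)

def protocol_field_entropy(pkts):
    """Shannon entropy (bits) of the IP protocol field across a packet sample."""
    counts = Counter(p[9] for p in pkts)
    n = len(pkts)
    return -sum(c / n * log2(c / n) for c in counts.values())
```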