[Sis-SCPS-INTEREST] Question about SCPS with Linux Integration

Snyder, Brian bsnyder at idirect.net
Wed Aug 23 11:06:50 EDT 2006


Thank you for the history.  I'm curious, as I've searched around on the
web for tun/tap information.
 
I've seen a couple of mailing list posts (to various and distinct groups)
about the tun/tap interface.  It seems like the tun/tap work hasn't been
touched for over 3 years, and there were varying opinions on some of
these lists as to whether or not it would even work with a 2.6 kernel...
Has anyone had any experience getting the SCPS reference implementation
to work on a 2.6 Linux kernel... and did you use the tun/tap interface
to do so?
 
I guess a little bit of my own architecture here: I am interested in
working on an SCPS PEP running on Linux that is configured to behave like
a bridge, i.e. I want to be able to drop a PC into an existing network
and not have to require any routing changes.  So I believe all of that
should be possible with tun/tap, though I am new to that.  If I
understand correctly, I would want to use the tun module (I only care
about IP) and then set up routing table entries to send packets to the
tun interface for any LANs or traffic type I might care about (I can do
fancy routing with iproute2 and netfilter).  This would essentially allow
me to still create iptables rules to only "route" traffic I want the PEP
to process into said interface.
 
Is this understanding correct and doable?
 
 
Thanks,
brian
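An added illustration of the tun-based design sketched in the message above (example code written for this page; it is not code from the SCPS reference implementation or from either poster). It shows the user-space side of the arrangement: the tun device is opened as a layer-3 (IFF_TUN) interface, every frame read from it carries the kernel's 4-byte packet-information header unless IFF_NO_PI was set, and a classifier decides per packet whether it is intact IPv4/TCP the PEP may take over or something (UDP, ICMP, fragments, non-IPv4, corrupt headers) that must go back to the normal path or be dropped. The device name pep0, the sample addresses and the packets are assumptions constructed for the demo; the TUNSETIFF and IFF_* values are the standard ones from <linux/if_tun.h> on x86. Steering traffic into the device with ip route/ip rule and iptables, as proposed above, happens outside this script.

```python
"""User-space side of a tun-based PEP: open the device, strip the packet-info
header, and pick out the IPv4/TCP packets the PEP is allowed to take over.
Added example for this page; not part of the SCPS RI."""
import fcntl
import os
import socket
import struct

# Standard values from <linux/if_tun.h>; TUNSETIFF is the x86/x86_64 encoding.
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001
IFF_NO_PI = 0x1000
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
PI_HDR = struct.Struct("!HH")  # u16 flags, u16 ethertype, network byte order


def open_tun(name="pep0", no_pi=False):
    """Attach to a layer-3 tun device ("pep0" is an assumed name). Needs
    CAP_NET_ADMIN and a real /dev/net/tun; the offline demo never calls it."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    flags = IFF_TUN | (IFF_NO_PI if no_pi else 0)
    # struct ifreq is 40 bytes: 16-byte ifr_name, then ifr_flags (u16) plus padding.
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH22x", name.encode(), flags))
    return fd


def split_pi(frame):
    """Frames read from a tun opened without IFF_NO_PI start with a 4-byte
    packet-information header; return (flags, ethertype, ip_packet)."""
    if len(frame) < PI_HDR.size:
        raise ValueError("short tun frame")
    flags, proto = PI_HDR.unpack_from(frame)
    return flags, proto, frame[PI_HDR.size:]


def ip_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify(pkt):
    """("pep", src, sport, dst, dport) for an intact, unfragmented IPv4/TCP packet,
    "passthrough" for traffic the PEP must leave to the normal stack,
    "drop" for packets too malformed to forward safely."""
    if len(pkt) < 20:
        return "drop"
    if pkt[0] >> 4 != 4:
        return "passthrough"          # IPv6 or junk: not this PEP's business
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ip_checksum(pkt[:ihl]) != 0:
        return "drop"                 # bad header length or checksum
    total_len, = struct.unpack_from("!H", pkt, 2)
    if total_len < ihl or total_len > len(pkt):
        return "drop"                 # length field disagrees with what we read
    if pkt[9] != IPPROTO_TCP:
        return "passthrough"          # UDP, ICMP, ...: forward as normal
    frag, = struct.unpack_from("!H", pkt, 6)
    if frag & 0x3FFF:                 # MF set or non-zero fragment offset
        return "passthrough"          # let the kernel reassemble fragments
    if total_len - ihl < 20:
        return "drop"                 # truncated TCP header
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return ("pep", src, sport, dst, dport)


def serve(fd, on_pep, on_passthrough, mtu=1500):
    """Dispatch loop for a tun fd opened without IFF_NO_PI (never returns)."""
    while True:
        _, proto, pkt = split_pi(os.read(fd, mtu + PI_HDR.size))
        verdict = classify(pkt) if proto == ETH_P_IP else "passthrough"
        if verdict == "drop":
            continue
        if verdict == "passthrough":
            on_passthrough(pkt)
        else:
            on_pep(pkt, verdict)


# --- constructed test traffic (not captured data) ---------------------------

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum, for the demo only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_header(sport, dport, flags=0x02):
    """20-byte TCP header (SYN by default); TCP checksum left zero, classify() ignores it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def demo():
    """Run the classifier over constructed tun frames; returns the verdicts."""
    syn = build_ipv4("192.0.2.10", "198.51.100.20", IPPROTO_TCP, tcp_header(40000, 80))
    udp = build_ipv4("192.0.2.10", "198.51.100.53", 17, b"\x00" * 8)
    corrupt = bytearray(syn)
    corrupt[10] ^= 0xFF               # damage the header checksum
    frames = [PI_HDR.pack(0, ETH_P_IP) + p for p in (syn, udp, bytes(corrupt))]
    verdicts = []
    for frame in frames:
        _, proto, pkt = split_pi(frame)
        verdicts.append(classify(pkt) if proto == ETH_P_IP else "passthrough")
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

demo() runs offline on the constructed frames; open_tun() and serve() need CAP_NET_ADMIN and a real /dev/net/tun. One caveat for the bridge-style deployment: a packet the application wants to forward unchanged cannot simply be written back into the same tun device, because it then re-enters the routing table that sent it there and may be routed straight back in. The ip rule/iptables selection in front of the device should therefore be tight enough that the passthrough path is rarely taken, and whatever does take it needs a distinct way out (a raw socket or a route that bypasses the tun).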


________________________________

	From: Feighery, Patrick D. [mailto:feighery at mitre.org] 
	Sent: Wednesday, August 23, 2006 10:28 AM
	To: Snyder, Brian; sis-scps-interest at mailman.ccsds.org
	Subject: RE: [Sis-SCPS-INTEREST] Question about SCPS with Linux
Integration
	
	
	Well,  I guess some history is needed to explain the steps that
were taken....
	 
	The SCPS gateway started its development at least 7 years ago.
My background was in BSD and kernel programming.  When I started looking
into developing the SCPS gateway from the SCPS RI (single stack
implementations), FreeBSD 2.2 (yes, that's right, FreeBSD 2.2) had just
come out and it had something called divert sockets...  This fit the bill
for getting data between kernel and application space, so the first
implementation of the gateway was with FreeBSD and divert sockets.
	 
	A few years later I was looking for a way to port this to Linux
and found someone had ported divert to the 2.2.12 Linux kernel, so that
became the first instantiation with Linux.  Granted, it was not as
elegant as FreeBSD divert.  (It took time and effort to get the kernel
to compile correctly :-(
	 
	A few years later Eric Vailt contributed the tun implementation
for Linux, for which I am extremely grateful; being a BSD person I had
no idea what mechanisms Linux really had.
	 
	About that same time folks at CTI implemented divert for the
2.4-based kernel to support SCPS.  My apologies to Stu Cards and company
at CTI for not recalling the actual names of the folks that did the
Linux hacking. ;-(
	 
	Then a few years later I needed a way to capture all traffic,
not just the IP traffic, so I started looking into the tap method.  This
also allows SCPS to be more easily inserted into an existing topology.
	 
	A few years later, when *BSD OS implemented the tun/tap
interface, Marcin Jessa contributed the initial port of tun/tap...
	 
	I know that Linux also has a technique called netfilter (which I
believe is related to the QUEUE) to perform similar functionality, but
with the tun/tap methods already implemented, I never pursued it.
	 
	Hope this helps
	 
	Best Regards    
	 
	    Pat
	 


________________________________

		From: sis-scps-interest-bounces at mailman.ccsds.org
[mailto:sis-scps-interest-bounces at mailman.ccsds.org] On Behalf Of
Snyder, Brian
		Sent: Tuesday, August 22, 2006 5:13 PM
		To: sis-scps-interest at mailman.ccsds.org
		Subject: [Sis-SCPS-INTEREST] Question about SCPS with
Linux Integration
		
		
		Hello all,
		 
		 
		I've been a bit of a Linux hacker for a while now, but I
am new to SCPS.  As such I have some questions about design/integration
between the two.
		 
		It seems like the SCPS software is designed to use the
tun/tap drivers on Linux to get packets 'routed' into the application.
I'm curious why, with iptables being able to queue packets into userspace,
the designers did not decide to just utilize that functionality
of Linux.  It seems pretty nice to me to be able to set up iptables
rules to just pass the type of traffic you're interested in accelerating
into the userspace app, and other data, like local traffic or UDP, can
just be forwarded through the system as normal.  Also that seems pretty
analogous to how FreeBSD uses the divert sockets.
		 
		Anyway, I'm sure there are good reasons for the
decisions made; I guess I am just curious about the reasons behind that
decision so I can maybe better understand the project.
		 
		Thanks,
		 brian
