[Sis-SCPS-INTEREST] Question about SCPS with Linux Integration
Feighery, Patrick D.
feighery at mitre.org
Thu Aug 24 14:20:45 EDT 2006
I've used the SCPS RI on both FC2 and FC4, both of which run a 2.6
kernel.
As for the differences between tun/tap:
The real difference involves transparency.
If you are configuring the tun mode, the traffic needs to be explicitly
routed __to__ and __from__ the SCPS PEP box. There with tap, the SCPS
PEP is a transparent bridge, thus neither its IP nor MAC addresses are
present on the wire (except to log in to the box for mgnt reasons.)
The tap mode however does not understand vlans...
Remember that since the SCPS PEP uses rate control it must account for
all traffic that consumes the bandwidth of the satellite.
To answer your question directly... "Yes, it is doable"
Pat
________________________________
From: Snyder, Brian [mailto:bsnyder at idirect.net]
Sent: Wednesday, August 23, 2006 11:07 AM
To: Feighery, Patrick D.; sis-scps-interest at mailman.ccsds.org
Subject: RE: [Sis-SCPS-INTEREST] Question about SCPS with Linux
Integration
Thank you for the history. I'm curious as I've searched around
on the web for tun/tap information.
I've seen a couple of mail list posts (to various and distinct
groups) about the tun/tap interface. It seems like the tun/tap work
hasn't been touched for over 3 years, and there were varying opinions on
some of these lists as to whether or not it would even work w/ a 2.6
kernel..... Has anyone had any experience getting the scps reference
implementation to work on a 2.6 linux kernel... and did you use the
tun/tap interface to do so?
I guess a little bit of my own architecture here, is I am
interested in working on a scps pep running on linux that is configured
to behave like a bridge. IE: I want to be able to drop in a pc to an
existing network and not have to require any routing changes. So I
believe all of that should be possible with the tun/tap, though I am
new to that. If I understand correctly, I would want to use the tun
module (I only care about IP) and then set up routing table entries to
send packets to the tun interface for any LANs or traffic type I might
care about (I can do fancy routing w/ iproute2 and netfilter). This
would essentially allow me to still create iptable rules to only
"Route" traffic I want the PEP to process into said interface.
Is this understanding correct and doable?
Thanks,
brian
________________________________
From: Feighery, Patrick D. [mailto:feighery at mitre.org]
Sent: Wednesday, August 23, 2006 10:28 AM
To: Snyder, Brian; sis-scps-interest at mailman.ccsds.org
Subject: RE: [Sis-SCPS-INTEREST] Question about SCPS
with Linux Integration
Well, I guess some history is needed to explain the
steps that were taken....
The SCPS gateway started its development at least 7
years ago. My background was in BSD and kernel programming. When I
started looking into developing the SCPS gateway from the SCPS RI
(single stack implementations), FreeBSD 2.2 (Yes that's right FreeBSD
2.2) just came out and it had something called divert sockets... This
fit the bill for getting data between kernel and application space, so
the first implementation of the gateway was with FreeBSD and divert
sockets.
A few years later I was looking for a way to port this
to linux and found someone ported divert to the 2.2.12 linux kernel, so
that became the first instantiation with linux. Granted it was not as
elegant as FreeBSD divert. (It took time and effort to get the kernel
to compile correctly :-(
A few years later Eric Vailt contributed the tun
implementation for Linux - of which I am extremely grateful, being a
BSD person I had no idea what mechanisms linux really had.
About that same time folks at CTI implemented divert
for the 2.4 based kernel to support SCPS. My apologies to Stu Cards
and company at CTI for not recalling the actual names of the folks that
did the linux hacking. ;-(
Then a few years later I needed a way to capture all
traffic, not just the IP traffic, so I started looking into the tap
method. This also allows SCPS to be more easily inserted into an
existing topology..
A few years later when *BSD OS implemented the tun/tap
interface, Marcin Jessa contributed the initial port of tun/tap...
I know that linux also has a technique called netfilter
(which I believe is related to the QUEUE) to perform similar
functionality, but with the tun/tap methods already implemented, I
never pursued it.
Hope this helps
Best Regards
Pat
________________________________
From:
sis-scps-interest-bounces at mailman.ccsds.org
[mailto:sis-scps-interest-bounces at mailman.ccsds.org] On Behalf Of
Snyder, Brian
Sent: Tuesday, August 22, 2006 5:13 PM
To: sis-scps-interest at mailman.ccsds.org
Subject: [Sis-SCPS-INTEREST] Question about
SCPS with Linux Integration
Hello all,
I've been a bit of a linux hacker for a while
now, but I am new to SCPS. As such I have some questions about
design/integration between the two.
It seems like the scps software is designed to
use the tun/tap drivers on linux to get packets 'routed' into the
application. I'm curious why with iptables being able to queue packets
into userspace - that the designers did not decide to just utilize
that functionality of linux. It seems pretty nice to me to be able to
set up iptables rules to just pass the type of traffic you're interested
in accelerating into the userspace app and other data, like local
traffic or udp can just be forwarded through the system as normal.
Also that seems pretty analogous to how freebsd uses the divert
sockets.
Anyway, I'm sure there are good reasons for the
decisions made, I guess I am just curious for the reasons behind that
decision so I can maybe better understand the project.
Thanks,
brian
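
Added example, not part of the thread and not code from the SCPS RI: the tun/tap distinction discussed above, seen from a user-space program reading the device. It assumes Linux devices opened with IFF_TUN or IFF_TAP plus IFF_NO_PI (no packet-info prefix); all function names and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum dev_mode { MODE_TUN, MODE_TAP };   /* layer-3 packets vs layer-2 frames */
enum pkt_kind { PKT_TRUNCATED, PKT_IPV4, PKT_IPV6, PKT_NON_IP, PKT_VLAN_TAGGED, PKT_KINDS };

struct usage { uint64_t bytes[PKT_KINDS]; uint64_t total; };

static enum pkt_kind classify_ip(const uint8_t *p, size_t len)
{
    if (len < 1) return PKT_TRUNCATED;
    if ((p[0] >> 4) == 4) return len >= 20 ? PKT_IPV4 : PKT_TRUNCATED;
    if ((p[0] >> 4) == 6) return len >= 40 ? PKT_IPV6 : PKT_TRUNCATED;
    return PKT_NON_IP;
}

/* Classify the data returned by one read() on the device. */
enum pkt_kind classify(enum dev_mode mode, const uint8_t *buf, size_t len)
{
    if (mode == MODE_TUN) return classify_ip(buf, len);  /* tun: no Ethernet header */
    if (len < 14) return PKT_TRUNCATED;                  /* dst(6) src(6) type(2) */
    unsigned ethertype = (unsigned)buf[12] << 8 | buf[13];
    if (ethertype == 0x8100) return PKT_VLAN_TAGGED;     /* 802.1Q tag precedes the real type */
    if (ethertype == 0x0800 || ethertype == 0x86DD)
        return classify_ip(buf + 14, len - 14);
    return PKT_NON_IP;                                   /* e.g. ARP, which tun never delivers */
}

/* Rate control has to charge every byte to the link, whatever its kind. */
enum pkt_kind account(struct usage *u, enum dev_mode mode, const uint8_t *buf, size_t len)
{
    enum pkt_kind k = classify(mode, buf, len);
    u->bytes[k] += len;
    u->total += len;
    return k;
}

/* Constructed, zero-padded sample data: not captured traffic. */
static const uint8_t sample_ipv4[20] = { 0x45 };                      /* bare IPv4 header */
static const uint8_t sample_arp[42]  = { [12] = 0x08, [13] = 0x06 };  /* Ethernet + ARP */
static const uint8_t sample_vlan[38] = { [12] = 0x81, [13] = 0x00,    /* 802.1Q tag */
                                         [16] = 0x08, [17] = 0x00, [18] = 0x45 };

struct usage account_samples(void)
{
    struct usage u = {0};
    account(&u, MODE_TUN, sample_ipv4, sizeof sample_ipv4);
    account(&u, MODE_TAP, sample_arp, sizeof sample_arp);
    account(&u, MODE_TAP, sample_vlan, sizeof sample_vlan);
    return u;
}
```

Only the tap path ever reports non-IP or VLAN-tagged frames; a classifier that skips the 802.1Q check would treat the tagged IPv4 frame as unknown traffic while it still consumes link bandwidth.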