From: dpreed@reed.com
To: "Michael Richardson"
Cc: cerowrt-users@lists.bufferbloat.net, cerowrt-devel@lists.bufferbloat.net
Date: Mon, 26 Nov 2012 17:26:13 -0500 (EST)
Subject: Re: [Cerowrt-devel] [Cerowrt-users] QOS settings vs speedboost and random bandwidth
Message-ID: <1353968773.342829944@apps.rackspace.com>
In-Reply-To: <13332.1353965267@obiwan.sandelman.ca>
I think you can intercept and drop the ICMP packet from userspace as well, if you have the right modules installed in iptables/Xtables. But I haven't looked closely lately (I just patched the kernel code in a kernel that probably predated iptables itself). Probably need "root", but on the router itself, you have root.

This CMTS-queue-management is a router function anyway, for the router adjacent to the cable modem/CMTS. Using it from ordinary clients and servers probably just generates randomness.

The only difference from tcptraceroute (note the tcp in front) is that you sneak into an active TCP connection selected for active full size packet transfer.

I'll have to trace the logic in the current Internet stack in the latest kernels, but I'm pretty sure that iptables processes packets very low in the stack. It ought to - one of the things you might want to do is reject forged ICMP packets, or not forward them.

-----Original Message-----
From: "Michael Richardson" <mcr@sandelman.ca>
Sent: Monday, November 26, 2012 4:27pm
To: dpreed@reed.com
Cc: cerowrt-users@lists.bufferbloat.net, cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] [Cerowrt-users] QOS settings vs speedboost and random bandwidth

>>>>> "dpreed" == dpreed <dpreed@reed.com> writes:
 dpreed> It observed the IPv4 headers of *large* TCP/IP datagrams
 dpreed> going upstream, so that it could construct "no-op"
 dpreed> "content-free" datagrams that would certainly pass muster
 dpreed> through all the filters and be routed exactly the same as
 dpreed> the TCP/IP datagrams that were carrying large flows. It
 dpreed> would remember only the most recent one.

I don't know that you need to be so precise in creating the packet, but
I guess the point is not just the ACLs, but also any traffic shapers?

 dpreed> The TTL expiration causes an ICMP packet to be sent back.
 dpreed> My code intercepts that packet based on its contents, and
 dpreed> removes it as "handled" before it gets processed by the
 dpreed> TCP/IP state machines.

This is perhaps the biggest problem with this method... having to remove
the magic ICMP so that it does no harm. Without this requirement, it
could be done entirely in userspace I think.

--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
 Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
 then sign the petition.
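The "intercept based on its contents" step above, and the "reject forged ICMP packets" filter mentioned in the same message, both come down to one check: parse the ICMP Time Exceeded, pull the quoted original IPv4/TCP header out of it, and compare that 4-tuple against known connection state. This is an added example, not code from the thread; the `active_flows` set is a constructed stand-in for conntrack state and the packet builder fabricates sample datagrams (checksums left zero) so it runs offline.

```python
import struct
from ipaddress import IPv4Address

ICMP_TIME_EXCEEDED = 11
IPPROTO_ICMP, IPPROTO_TCP = 1, 6

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) from a raw IPv4 header."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, (vihl & 0x0F) * 4

def icmp_error_flow(packet):
    """If packet is an ICMP Time Exceeded quoting a TCP segment, return the
    quoted (src, sport, dst, dport); otherwise None (not our business)."""
    _, _, proto, ihl = parse_ipv4(packet)
    if proto != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    inner = icmp[8:]                      # type, code, csum, unused, then original datagram
    isrc, idst, iproto, iihl = parse_ipv4(inner)
    if iproto != IPPROTO_TCP:
        return None
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])  # first 8 bytes of TCP are quoted
    return (isrc, sport, idst, dport)

def classify(packet, active_flows):
    """'accept' if the ICMP error refers to a flow we actually have, 'drop' if it
    refers to a flow we never opened (forged or stale), 'pass' if not an ICMP error."""
    flow = icmp_error_flow(packet)
    if flow is None:
        return "pass"
    return "accept" if flow in active_flows else "drop"

# --- constructed sample packets (hypothetical addresses, zero checksums) ---
def ipv4_header(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def time_exceeded(router, host, inner_src, inner_dst, sport, dport):
    """ICMP type 11 code 0 from `router` to `host`, quoting the expired TCP segment."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, 8) + struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner
    return ipv4_header(router, host, IPPROTO_ICMP, len(icmp)) + icmp

if __name__ == "__main__":
    flows = {("10.0.0.2", 40000, "93.184.216.34", 443)}
    print(classify(time_exceeded("198.51.100.1", "10.0.0.2", "10.0.0.2", "93.184.216.34", 40000, 443), flows))
    print(classify(time_exceeded("198.51.100.1", "10.0.0.2", "10.0.0.2", "93.184.216.34", 40001, 443), flows))
```

A router would additionally check that the quoted sequence number falls inside the flow's window before trusting the error; the 4-tuple match alone is what the message describes.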