IP Packet Encryption Callout

  • Question

  • Hello,

    I'm developing an IP packet encryption callout (similar to IPsec, but instead of encapsulating the whole packet it simply encrypts/decrypts the payload). My driver has two callouts: one for encryption (at FWPM_LAYER_OUTBOUND_IPPACKET_V4), one for decryption (at FWPM_LAYER_INBOUND_IPPACKET_V4).

    The driver works perfectly with the ping command, but when I use some higher-level applications (a web server, for example), data never reaches them. It seems that when I modify MDLs from the NDIS_BUFFER, packets never get sent from the host (although breakpoints in my driver indicate they do). I've tried two different approaches: one is just modifying the MDLs in my classifyFn, the second is the reference/copy/drop/reinject mechanism as in the Packet Modification Example on MSDN (and packets get injected successfully), but the result is the same.

    I think ping works because internally it uses raw sockets (doesn't it?), but when packets traverse the TCP/IP stack, something happens to them.

    I've placed my encryption filter with the lowest weight (so that it is called last) and my decryption filter with the highest weight (so that it is called first).

    Any help would be appreciated.

    Sunday, October 2, 2011 6:11 AM
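The design in the question, as an added example rather than code from the thread or from the poster's driver: a user-mode C program that does to one IPv4 packet what a payload-only encryption callout would do to the data of the cloned NBL, which is to transform every byte after the IP header and nothing else. It assumes the packet is contiguous in memory (in a callout you would first obtain a contiguous view of the clone's data, for example with NdisGetDataBuffer), that both ends already share a key and a per-packet nonce, and it uses ChaCha20 as the cipher; the key, nonce and packet are constructed test values. Two things it makes visible that matter for this design: the IP header and its checksum are untouched, but the transport checksum covers the payload, so a UDP or TCP datagram only verifies at a peer that decrypts before its transport layer checks it, and if the checksum is offloaded to the NIC it is computed after the callout has run, over the ciphertext. The example carries no integrity tag and no way to deliver the nonce to the peer; the ESP header and trailer exist to carry exactly that (SPI, sequence number and authentication data), so a non-encapsulating design has to provide it some other way.

```c
/* Added example, not code from the thread: what a payload-only IPv4 encryption callout does to the
 * bytes of one packet, in user mode on a contiguous buffer. Key, nonce and packet are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* ChaCha20 (RFC 7539) as the payload cipher. */
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do { a += b; d ^= a; d = ROTL32(d, 16); c += d; b ^= c; b = ROTL32(b, 12); \
                            a += b; d ^= a; d = ROTL32(d, 8);  c += d; b ^= c; b = ROTL32(b, 7); } while (0)
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

static void chacha20_block(uint8_t out[64], const uint8_t key[32], const uint8_t nonce[12], uint32_t ctr) {
    uint32_t s[16] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}, x[16], v; int i;
    for (i = 0; i < 8; i++) s[4 + i] = le32(key + 4 * i);
    s[12] = ctr;
    for (i = 0; i < 3; i++) s[13 + i] = le32(nonce + 4 * i);
    memcpy(x, s, sizeof x);
    for (i = 0; i < 10; i++) {                      /* 20 rounds: a column round, then a diagonal round */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);  QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]); QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (i = 0; i < 16; i++) {                      /* add the input state, serialize little-endian */
        v = x[i] + s[i];
        out[4 * i] = (uint8_t)v; out[4 * i + 1] = (uint8_t)(v >> 8); out[4 * i + 2] = (uint8_t)(v >> 16); out[4 * i + 3] = (uint8_t)(v >> 24);
    }
}

/* XOR buf with the keystream from block counter 1; encrypt and decrypt are the same call. */
static void chacha20_xor(uint8_t *buf, size_t len, const uint8_t key[32], const uint8_t nonce[12]) {
    uint8_t ks[64]; uint32_t ctr = 1; size_t off, i;
    for (off = 0; off < len; off += 64) {
        chacha20_block(ks, key, nonce, ctr++);
        for (i = 0; i < 64 && off + i < len; i++) buf[off + i] ^= ks[i];
    }
}

/* Known-answer check against the RFC 7539 section 2.3.2 block: 1 if the cipher is correct. */
int chacha20_selfcheck(void) {
    const uint8_t nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0};
    const uint8_t expect[8] = {0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15};
    uint8_t key[32], out[64]; int i;
    for (i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(out, key, nonce, 1);
    return memcmp(out, expect, sizeof expect) == 0;
}

/* RFC 1071 checksum over n bytes seeded with acc; a span holding a correct checksum field yields 0. */
static uint16_t inet_csum(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; n -= 2, p += 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)(p[0] << 8);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* IPv4 header length in bytes, or 0 if the buffer is not a sane IPv4 packet. */
static size_t ipv4_hdr_len(const uint8_t *pkt, size_t len) {
    size_t ihl = (len < 20 || (pkt[0] >> 4) != 4) ? 0 : (size_t)(pkt[0] & 0x0f) * 4;
    return (ihl < 20 || ihl > len || (size_t)(pkt[2] << 8 | pkt[3]) != len) ? 0 : ihl;
}

/* 1 if the UDP checksum over pseudo-header (addresses, protocol, UDP length), UDP header and data verifies. */
int udp_checksum_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = ipv4_hdr_len(pkt, len); uint32_t pseudo;
    if (ihl == 0 || pkt[9] != 17 || len - ihl < 8) return 0;
    pseudo = (uint32_t)(pkt[12] << 8 | pkt[13]) + (uint32_t)(pkt[14] << 8 | pkt[15]) + (uint32_t)(pkt[16] << 8 | pkt[17])
           + (uint32_t)(pkt[18] << 8 | pkt[19]) + 17u + (uint32_t)(len - ihl);
    return inet_csum(pkt + ihl, len - ihl, pseudo) == 0;
}

/* The callout's transform: encrypt or decrypt only the bytes after the IP header, in place; returns the
 * number of payload bytes transformed, or 0 if the packet was rejected untouched. */
size_t transform_ipv4_payload(uint8_t *pkt, size_t len, const uint8_t key[32], const uint8_t nonce[12]) {
    size_t ihl = ipv4_hdr_len(pkt, len);
    if (ihl == 0) return 0;
    chacha20_xor(pkt + ihl, len - ihl, key, nonce);
    return len - ihl;
}

/* Constructed test packet: IPv4 10.0.0.1 -> 10.0.0.2, UDP 40000 -> 53, "hello, world", both checksums set. */
static const uint8_t kTestPacket[40] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x00, 0x00, 0x40, 0x11, 0x54, 0x8f, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x9c, 0x40, 0x00, 0x35, 0x00, 0x14, 0x0f, 0x02, 'h', 'e', 'l', 'l', 'o', ',', ' ', 'w', 'o', 'r', 'l', 'd' };

/* One packet through the outbound callout and the peer's inbound callout. Returns 1 only if the IP header
 * stays byte-identical, the UDP checksum (computed over plaintext) fails while the payload is ciphertext,
 * and the peer's decrypt restores the original bytes and a verifying checksum. */
int demo_round_trip(void) {
    uint8_t key[32], nonce[12], pkt[sizeof kTestPacket];
    size_t len = sizeof kTestPacket, i;
    for (i = 0; i < 32; i++) { key[i] = (uint8_t)(0xa0 + i); if (i < 12) nonce[i] = (uint8_t)i; }  /* constructed key/nonce */
    memcpy(pkt, kTestPacket, len);
    if (!udp_checksum_ok(pkt, len)) return 0;
    if (transform_ipv4_payload(pkt, len, key, nonce) != len - 20 || memcmp(pkt, kTestPacket, 20) != 0) return 0;
    if (memcmp(pkt + 20, kTestPacket + 20, len - 20) == 0 || udp_checksum_ok(pkt, len)) return 0;
    transform_ipv4_payload(pkt, len, key, nonce);
    return memcmp(pkt, kTestPacket, len) == 0 && udp_checksum_ok(pkt, len);
}

int main(void) {
    printf("chacha20 known answer: %s\npayload round trip: %s\n",
           chacha20_selfcheck() ? "ok" : "FAIL", demo_round_trip() ? "ok" : "FAIL");
    return 0;
}
```

Compile with `cc -Wall payload_callout_demo.c` (the file name is arbitrary); it prints `ok` twice. To push a different datagram through the same path, replace `kTestPacket` with any IPv4/UDP packet whose checksums are set; `udp_checksum_ok` must accept it before the transform and reject it afterwards, which is exactly the behaviour a receiver's transport layer would show if the inbound callout did not run first.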

All replies

  • Are you cloning the original NBL(s), dropping the original, modifying the clone to meet your needs, and then injecting the clone? You can't directly modify the original NBLs. When using this method, does the injection succeed? What is the NBL status in the CompletionFn?

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Monday, October 3, 2011 7:08 PM
    Moderator
  • I've tried both inline modification and dropping and cloning the NDIS_BUFFER using the FwpsAllocateCloneNetBufferList0 function. As I've stated, injection succeeds, but I never checked the status in the CompletionFn. I'll try and see what happens.
    Wednesday, October 5, 2011 5:54 PM
  • The injection function's return value just indicates that we were able to attempt the injection. The NBL's status, as indicated in the completion function, will indicate whether the NBL was actually injected.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Thursday, October 6, 2011 4:03 PM
    Moderator