
Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite



Ben Hutchings, on Tue, 19 Dec 2017 03:37:03 +0000, wrote:
> On Mon, 2017-12-18 at 01:44 +0100, Samuel Thibault wrote:
> > Ben Hutchings, on Mon, 18 Dec 2017 00:37:48 +0000, wrote:
> > > On Mon, 2017-12-18 at 00:12 +0100, Samuel Thibault wrote:
> > > > It can be used as a maintained user-land TCP/IP stack.
> > > 
> > > Why would this be useful for Debian systems, which already have a much
> > > better performing TCP/IP stack?
> > 
> > But the kernel-provided stack can't be manipulated by userland for
> > e.g. VPNs, ppp, etc. without having to be root.
> [...]
> 
> Not quite.  On Linux you need CAP_NET_ADMIN in some user namespace.

Which is not so much more available.

> (In Debian this feature is guarded by a sysctl that's off by default,
> as a security mitigation.)

And thus is not generally available in installed systems.

> Even if that's disabled, a privileged container manager can create a
> new user namespace and start a container within that namespace with the
> CAP_NET_ADMIN capability.

Which doesn't usually happen on installed systems.  I won't even try,
I'm sure admins of my work clusters will refuse to enable this, for fear
of the security consequences.

> To use lwip you would presumably need raw access to a network device,
> which also requires a privileged capability.

Not if it's a vpn or ppp over USB, etc., precisely.


It is exactly the kind of reason why qemu's user-land TCP/IP stack is
the default.

Samuel
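The two preconditions argued over above (the Debian sysctl guarding unprivileged user namespaces, and whether a process actually holds CAP_NET_ADMIN) can be checked rather than guessed at. The script below is an added example for this thread, not code from the bug report or from lwip; it assumes the Debian-specific sysctl path /proc/sys/kernel/unprivileged_userns_clone (absent on kernels without that patch) and relies on CAP_NET_ADMIN being capability number 12 in the CapEff mask of /proc/<pid>/status.

```shell
#!/bin/sh
# Added example: report whether an unprivileged user on this host could get
# the CAP_NET_ADMIN-in-a-user-namespace path that the thread discusses.

# classify_userns_sysctl VALUE
#   Map the raw value of kernel.unprivileged_userns_clone to a word.
classify_userns_sysctl() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# userns_clone_status
#   Read the Debian sysctl if the kernel has it. "not-present" means a kernel
#   without the Debian patch, where mainline behaviour applies (allowed unless
#   user.max_user_namespaces is 0).
userns_clone_status() {
    f=/proc/sys/kernel/unprivileged_userns_clone   # assumed Debian path
    if [ ! -r "$f" ]; then
        echo not-present
        return 0
    fi
    classify_userns_sysctl "$(cat "$f")"
}

# cap_net_admin_in_mask MASK
#   MASK is the CapEff hex string from /proc/<pid>/status.
#   Returns 0 (true) when CAP_NET_ADMIN (capability number 12, i.e. bit
#   value 0x1000) is set. Only the low 16 bits matter, so the mask is
#   zero-padded and the last four hex digits are examined.
cap_net_admin_in_mask() {
    padded=$(printf '%16s' "$1" | tr ' ' '0' | tr 'A-F' 'a-f')
    low=$(printf '%s' "$padded" | tail -c 4)
    [ $(( 0x$low & 4096 )) -ne 0 ]
}

# report
#   Print the three observations an admin would want: sysctl state, the
#   calling process's own CAP_NET_ADMIN status, and a live unshare probe.
report() {
    printf 'unprivileged_userns_clone sysctl: %s\n' "$(userns_clone_status)"

    eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
    if [ -n "$eff" ]; then
        if cap_net_admin_in_mask "$eff"; then
            printf 'CapEff %s: CAP_NET_ADMIN present\n' "$eff"
        else
            printf 'CapEff %s: CAP_NET_ADMIN absent\n' "$eff"
        fi
    fi

    # util-linux unshare: try to create a user + network namespace pair.
    if command -v unshare >/dev/null 2>&1; then
        if unshare -Un true 2>/dev/null; then
            echo 'unshare -Un: unprivileged user+net namespace can be created here'
        else
            echo 'unshare -Un: refused (sysctl off, kernel without userns, or seccomp)'
        fi
    fi
}

report
```

On a default Debian install of the era discussed, the expected reading is "disabled" for the sysctl and a refused unshare probe, which is the situation Samuel describes; a process that already shows CAP_NET_ADMIN in CapEff is the privileged case Ben refers to.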

