Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite

To: Ben Hutchings <ben@decadent.org.uk>
Cc: 884641@bugs.debian.org
Subject: Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
From: Samuel Thibault <sthibault@debian.org>
Date: Tue, 19 Dec 2017 23:14:53 +0100
Message-id: <[🔎] 20171219221453.e7g4hoy2qdnlbn6p@var.youpi.perso.aquilenet.fr>
Reply-to: Samuel Thibault <sthibault@debian.org>, 884641@bugs.debian.org
In-reply-to: <[🔎] 1513721476.2805.51.camel@decadent.org.uk>
References: <[🔎] 20171217231236.ydmyrfx7d7xi6bt4@var.youpi.perso.aquilenet.fr> <[🔎] 1513557468.2805.20.camel@decadent.org.uk> <[🔎] 20171218004404.h2nc7wtqhucenkln@var.youpi.perso.aquilenet.fr> <[🔎] 1513654623.2805.35.camel@decadent.org.uk> <[🔎] 20171219111144.que3ovvccfb6v6gh@var.youpi.perso.aquilenet.fr> <[🔎] 1513721476.2805.51.camel@decadent.org.uk> <[🔎] 20171217231236.ydmyrfx7d7xi6bt4@var.youpi.perso.aquilenet.fr>

Ben Hutchings, on mar. 19 déc. 2017 22:11:16 +0000, wrote:
> On Tue, 2017-12-19 at 12:11 +0100, Samuel Thibault wrote:
> > Ben Hutchings, on mar. 19 déc. 2017 03:37:03 +0000, wrote:
> > > Even if that's disabled, a privileged container manager can create a
> > > new user namespace and start a container within that namespace with the
> > > CAP_NET_ADMIN capability.
> > 
> > Which doesn't usually happen on installed systems.  I won't event try,
> > I'm sure admins of my work clusters will refuse to enable this, for fear
> > of the security consequences.
> 
> But they would be happy to let you run an alternate TCP/IP stack that
> is invisible to standard administrative tools?

Yes, because that stack will only be able to tinker with whatever
resource is used to push packets (vpn, serial port, etc.)

> > > To use lwip you would presumably need raw access to a network device,
> > > which also requires a privileged capability.
> > 
> > Not if it's a vpn or ppp over USB, etc., precisely.
> 
> Direct access to USB serial devices is privileged,

An admin can be fine with giving access to /dev/ttyUSB0. Giving
namespace capabilities is much more involved.

> > It is exactly the kind of reason why qemu's user-land TCP/IP stack is
> > the default.
> 
> But it doesn't work very well (slow, and only forwards TCP and UDP).

Which is not an argument, on the contrary :)

Ideally qemu would precisely use lwip to avoid continuing to have to
maintain its own stack.

Samuel

Reply to:

References:
- Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
  - From: Samuel Thibault <sthibault@debian.org>
- Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
  - From: Ben Hutchings <ben@decadent.org.uk>
- Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
  - From: Samuel Thibault <sthibault@debian.org>
- Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
  - From: Ben Hutchings <ben@decadent.org.uk>
- Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
  - From: Samuel Thibault <sthibault@debian.org>
- Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
Next by Date: Bug#838537: [ITA] Dia
Previous by thread: Bug#884641: ITP: lwip -- small implementation of the TCP/IP protocol suite
Next by thread: Processed: retitle to RFP: cube -- generic tool for displaying a multi-dimensional performance space
Index(es):
- Date
- Thread