NDIS intermediate driver to TDI question

 
 
Pawan Singh
      08-03-2003
Hi,

We are trying to write an NDIS intermediate driver which intercepts certain
packets before hitting miniport driver and changes IP address and other
stuff and we want to send it over another interface on the machine. In order
to do this, we probably have to send the packet up the stack through the TDI
interface so that it is properly routed through the NDIS stack once again.

My question is:
1. Is it even possible to do this? I am assuming it is because certain IPsec
VPN drivers do similar stuff.
2. Is it possible to do this in reverse direction - i.e. once the reply
packets are at the top of TCP stack, I want to process them and re-insert
them at the low level intermediate driver?

Thanks
Pawan Singh



 
Stephan Wolf
      08-04-2003
NDIS intermediate drivers operate below the TDI level. Thus, in your
case, you can think of an IM as if it was a router outside the
machine. The router can manipulate and forward any packets to any port
as required. The router will of course not return a manipulated packet
back to the host's TCP/IP stack.

If you can manage to implement your IM such that it can operate as if
it was running in an independent router (gateway) then the answer to
1) is yes.

host <--> router <===> other IP segments

Same for 2). No way I can (currently) think of to "filter" packets
above the TCP/IP (WinSock) level.

Stephan
---
On Sun, 3 Aug 2003 11:35:31 -0700, "Pawan Singh" <>
wrote:

>Hi,
>
>We are trying to write an NDIS intermediate driver which intercepts certain
>packets before hitting miniport driver and changes IP address and other
>stuff and we want to send it over another interface on the machine. In order
>to do this, we probably have to send the packet up the stack through the TDI
>interface so that it is properly routed through the NDIS stack once again.
>
>My question is:
>1. Is it even possible to do this? I am assuming it is because certain IPsec
>VPN drivers do similar stuff.
>2. Is it possible to do this in reverse direction - i.e. once the reply
>packets are at the top of TCP stack, I want to process them and re-insert
>them at the low level intermediate driver?
>
>Thanks
>Pawan Singh
>

 
 
Steve Jackowski
      08-04-2003
Hi Pawan,

Our DNE product is a generic NDIS shim that allows you to
develop plugin drivers that run under our WHQL digital
signature. DNE allows you to inspect, modify, redirect,
insert and delete packets. A plugin written for one OS
runs on all Windows platforms (95, 98, ME, NT, 2K, XP,
2003), and on Linux, Solaris, HP-UX, CE/PocketPC, etc.
You can change addresses and redirect over LAN or WAN
connections. Most IPSEC drivers are DNE plugins.

From what you've described, you don't need to go up
through the stack. You can query the route table if you
need to do routing. Or, if you know the interface you
want to send over, you can do that directly.

Wrt using TDI, first, keep in mind that TDI is different
on each Windows platform. Next, TDI uses an IOCTL
interface from user space to access the stack. While it
is possible to provide an IOCTL to IOCTL interface to
facilitate driver to TDI interaction (we have done this),
it's not easy. You could conceivably use an IOCTL
interface to an application and then have the app use
TDI, but I think performance would be a problem. Plus,
IOCTLs are application driven, meaning you need to
request the driver data explicitly.

If you can tell me more about exactly what you're trying
to do, I may be able to give more detailed answers. If
you're thinking DNE might be worth exploring, feel free
to email me directly.


Steve

Pawan Singh
      08-05-2003
Hi Steve,

This is what I am trying to do:

Assume that the PC has a physical adapter with a public IP address:
64.64.64.64 and all its routing tables are properly set for proper IP
communication. I want to create a private tunnel over a UDP port or TCP port
over this public network. But I want to create a virtual adapter with an
internal IP address e.g. 10.10.10.10. So now to all the user applications it
looks like that the PC has two interfaces - one connecting it to public IP
network and the other one connecting it to a private IP network. When an
application sends packet to private 10 network, my intermediate driver will
receive this packet from TCP and modify this packet to correct source public
IP address and correct pre-configured public destination IP address. (sort
of like VPN tunnels). Similarly when the packet is received by the
intermediate driver from lower layer, I need to undo the IP address
translation based on certain characteristics of the packet e.g. certain UDP
or TCP port.

My questions are:
1. Is it possible to do this without touching TDI? Is it possible to do this
completely inside a single intermediate driver which creates a virtual
adapter and handles both inbound and outbound traffic seamlessly?

2. My lack of knowledge of NT TCP stack raises another question: when a top
layer application wants to send packets to the private network, who handles
"ARP". E.g. if my virtual address is 10.10.10.10 and other end of the tunnel
is 10.10.10.9 and I go to a command window and type "ping 10.10.10.9" - how
are the ARP packet and ICMP Echo packets going to be handled since my driver
is only going to intercept packets for certain TCP or UDP ports. Are these
handled by Windows TCP/IP stack automatically? I think my IM driver would
need special case code so that these packets are sent over the public
network in the tunnel.

3. How does the virtual adapter get its virtual "MAC address"? I guess
another way of asking #2 is who handles layer two and ICMP stuff?

I would be interested in using your DNE product if you think your product
can help me achieve some of these goals.

Thanks in advance,
Pawan Singh







"Steve Jackowski" <> wrote in message
news:04da01c35acc$f1063550$...
> Hi Pawan,
>
> Our DNE product is a generic NDIS shim that allows you to
> develop plugin drivers that run under our WHQL digital
> signature. DNE allows you to inspect, modify, redirect,
> insert and delete packets. A plugin written for one OS
> runs on all Windows platforms (95, 98, ME, NT, 2K, XP,
> 2003), and on Linux, Solaris, HP-UX, CE/PocketPC, etc.
> You can change addresses and redirect over LAN or WAN
> connections. Most IPSEC drivers are DNE plugins.
>
> From what you've described, you don't need to go up
> through the stack. You can query the route table if you
> need to do routing. Or, if you know the interface you
> want to send over, you can do that directly.
>
> Wrt using TDI, first, keep in mind that TDI is different
> on each Windows platform. Next, TDI uses an IOCTL
> interface from user space to access the stack. While it
> is possible to provide an IOCTL to IOCTL interface to
> facilitate driver to TDI interaction (we have done this),
> it's not easy. You could conceivably use an IOCTL
> interface to an application and then have the app use
> TDI, but I think performance would be a problem. Plus,
> IOCTLs are application driven, meaning you need to
> request the driver data explicitly.
>
> If you can tell me more about exactly what you're trying
> to do, I may be able to give more detailed answers. If
> you're thinking DNE might be worth exploring, feel free
> to email me directly.
>
>
> Steve
>
Maxim S. Shatskih
      08-06-2003
> 2. My lack of knowledge of NT TCP stack raises another question: when a top
> layer application wants to send packets to the private network, who handles
> "ARP". E.g. if my virtual address is 10.10.10.10 and other end of the tunnel
> is 10.10.10.9 and I go to a command window and type "ping 10.10.10.9" - how
> are the ARP packet and ICMP Echo packets going to be handled since my driver
> is only going to intercept packets for certain TCP or UDP ports. Are these
> handled by Windows TCP/IP stack automatically? I think my IM driver would
> need special case code so that these packets are sent over the public
> network in the tunnel.


ARP packets are sent by TCPIP to the same underlying adapter as the IP packets.
So, your virtual adapter or IM code must be ready for this.

Max
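
The send-path decision implied by the tunnel design described earlier in the thread and by the ARP answer above, as an added example that is not code from any poster or product in this thread: ARP and ICMP never match a port filter, and a rewritten packet needs both its IPv4 header checksum and its TCP/UDP checksum (which covers the addresses through the pseudo-header) patched. It is portable C on a byte buffer rather than NDIS calls, and it assumes Ethernet II framing, checksum offload disabled so checksums are already filled in, and a hypothetical tunnel port; all function and enum names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>

enum verdict { V_BAD, V_ARP, V_UNMATCHED, V_TRANSLATED };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* One's-complement sum; a region that contains its valid checksum sums to 0xffff. */
static uint16_t inet_sum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += (i & 1) ? p[i] : (uint32_t)p[i] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* RFC 1624 incremental update for one changed 16-bit word: HC' = ~(~HC + ~m + m'). */
static uint16_t csum_fix(uint16_t hc, uint16_t old, uint16_t neu)
{
    uint32_t s = (uint32_t)(uint16_t)~hc + (uint16_t)~old + neu;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Send-path decision for one Ethernet II frame. TCP/UDP packets to or from `port`
 * (hypothetical) get source/destination replaced by addr[0..3]/addr[4..7]. */
enum verdict translate_frame(uint8_t *f, size_t len, uint16_t port, const uint8_t addr[8])
{
    if (len < 14) return V_BAD;
    if (rd16(f + 12) == 0x0806) return V_ARP;      /* ARP has no ports: separate path */
    if (rd16(f + 12) != 0x0800) return V_UNMATCHED;
    uint8_t *ip = f + 14;
    size_t n = len - 14, ihl = n ? (size_t)(ip[0] & 0x0f) * 4 : 0;
    if (n < 20 || (ip[0] >> 4) != 4 || ihl < 20 || ihl > n) return V_BAD;
    if (inet_sum(ip, ihl) != 0xffff) return V_BAD; /* patching needs a valid start */
    size_t ck = ip[9] == 6 ? ihl + 16 : ip[9] == 17 ? ihl + 6 : 0; /* L4 checksum */
    if (!ck || (rd16(ip + 6) & 0x1fff)) return V_UNMATCHED; /* ICMP, later fragments */
    if (n < ck + 2) return V_BAD;
    if (rd16(ip + ihl) != port && rd16(ip + ihl + 2) != port) return V_UNMATCHED;
    int l4 = !(ip[9] == 17 && rd16(ip + ck) == 0);  /* UDP checksum 0 means unused */
    for (size_t i = 0; i < 8; i += 2) {             /* ip[12..19] = source, destination */
        uint16_t old = rd16(ip + 12 + i), neu = rd16(addr + i);
        wr16(ip + 10, csum_fix(rd16(ip + 10), old, neu));
        if (l4) wr16(ip + ck, csum_fix(rd16(ip + ck), old, neu)); /* pseudo-header */
        wr16(ip + 12 + i, neu);
    }
    if (l4 && ip[9] == 17 && rd16(ip + ck) == 0) wr16(ip + ck, 0xffff);
    return V_TRANSLATED;
}
```

A V_ARP or V_UNMATCHED result is exactly the traffic (ARP requests, ICMP echo) that a port-only filter leaves for a separate handling path in the virtual adapter.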


 