Packet Mangling for Fun & Profit A Brief Intro to Netfilter, User Mode Linux, and the Linux TCP/IP Stack.


Topics SplitTCP Summary (Context) Netfilter Introduction One buffer to rule them all: sk_buffs User Mode Linux Current Status

SplitTCP In a Nutshell Work started by Michalis, Srikanth, and Swastik. The idea is to add transport layer proxies to long (in terms of hop count) TCP connections. If a link fails (due to mobility, etc.) the packet can be re-transmitted by the proxy closest to the failure. A “demo-quality” implementation was done which made many simplifying assumptions.

So What? My current task is to take that demo implementation and turn it into a general implementation. This presentation discusses the lessons learned up to this point in that process.

Design Goals Any and all modifications made to the behavior of TCP should be backwards compatible, i.e. nodes should interoperate regardless of whether or not they’re “split tcp enabled”. If possible, no changes should be made to the kernel proper. It’s just better for everyone that way…

Enter Netfilter Fortunately, Linux has a plugin API, called Netfilter, which allows kernel modules to hook into strategic spots in the networking stack. Unfortunately, in the grand tradition of open source, documentation takes a back seat to implementation – so there’s a non-trivial learning curve.

Sideline: Plugin APIs An example of the Delegation design pattern (GoF) – a work unit is passed through a series of cooperating steps to produce the final result. A well-designed plugin architecture can facilitate otherwise impossible tasks and simplify possible ones.

Sideline: Kernel Modules Most of the Linux kernel can be built as a module – a bit of code that’s loaded into (and unloaded from) the kernel dynamically. Device drivers, file systems, even networking protocols (IPX, Appletalk) are candidates for modularization.

Writing a Module Just define a few preprocessor macros (__KERNEL__, MODULE) Include a few header files (linux/module.h, linux/version.h, linux/config.h) And honor a small interface (module_init(), module_exit()) You’ll have a no-op module.

Netfilter Overview Initial design by Paul “Rusty” Russell. Netfilter is a series of callback functions within the network stack. The API is non-portable and appeared in Linux 2.3.x. Each protocol has its own set of callback points. We care about IPv4.

Netfilter Concepts A module expresses interest in being invoked at an arbitrary subset of the available callback points – specifying the function and the (global) priority in which it should be called. That function is passed (among other things) a pointer to a pointer to a packet buffer ( sk_buff ** ).

Return Values The netfilter function has five possible return values:
NF_ACCEPT: continue the callback chain
NF_DROP: drop the packet and stop the chain
NF_STOLEN: stop the chain
NF_QUEUE: send the packet to userspace
NF_REPEAT: call the hook again

Netfilter Hooks in IPv4 [diagram: Routing Engine and Local Sockets between the In and Out paths, with hook point 1 marked on the In side]

Say that Again?
1: NF_IP_PRE_ROUTING any received packet which checksums OK.
2: NF_IP_LOCAL_IN packets destined for local sockets
3: NF_IP_FORWARD foreign packets being forwarded
4: NF_IP_POST_ROUTING any outbound packet
5: NF_IP_LOCAL_OUT packets originating from local sockets
[diagram: Routing Engine and Local Sockets between the In and Out paths, with hook points 1 to 5 marked]
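The two slides above describe how a module registers a function at a hook point with a priority and what each verdict does to the rest of the callback chain. The following is an added userspace model of that dispatch, not code from the talk or from the kernel: the registration and dispatch functions (nf_register_hook_sim, nf_run_hook, demo_local_out), the toy struct pkt standing in for an sk_buff, and the sample hooks are all hypothetical names; only the NF_* verdict values and NF_IP_* hook numbers follow the kernel headers.

```c
/* Added example (not from the talk): a userspace model of how netfilter walks
 * the callbacks registered at one hook point. All names below are hypothetical
 * except the NF_* verdicts and NF_IP_* hook numbers, which follow
 * linux/netfilter.h and linux/netfilter_ipv4.h. */
#include <stdio.h>
#include <string.h>

/* Verdicts a hook function returns, numbered as in linux/netfilter.h. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3, NF_REPEAT = 4 };
/* IPv4 hook points, in the order of linux/netfilter_ipv4.h. */
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT,
       NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };

/* Toy packet standing in for an sk_buff; hooks receive a pointer to the
 * pointer (like sk_buff **) so they could swap in a grown copy. */
struct pkt { int dport; int proxy_opt_added; int repeat_budget; };

typedef unsigned (*nf_hookfn)(unsigned hooknum, struct pkt **pp);
struct nf_hook { nf_hookfn fn; unsigned hooknum; int priority; int used; };

#define MAX_HOOKS 8
static struct nf_hook hooks[MAX_HOOKS];
int call_log[16]; int call_count;   /* which hook ran, in order (for inspection) */

/* Register a function at a hook point with a (global) priority. */
int nf_register_hook_sim(nf_hookfn fn, unsigned hooknum, int priority) {
    for (int i = 0; i < MAX_HOOKS; i++)
        if (!hooks[i].used) {
            hooks[i].fn = fn; hooks[i].hooknum = hooknum;
            hooks[i].priority = priority; hooks[i].used = 1;
            return 0;
        }
    return -1;
}
void nf_reset_sim(void) { memset(hooks, 0, sizeof hooks); call_count = 0; }

/* Run every hook registered at hooknum, lowest priority value first, and
 * apply the verdict semantics from the slide. */
unsigned nf_run_hook(unsigned hooknum, struct pkt **pp) {
    int order[MAX_HOOKS], n = 0;
    for (int i = 0; i < MAX_HOOKS; i++)
        if (hooks[i].used && hooks[i].hooknum == hooknum) order[n++] = i;
    for (int i = 1; i < n; i++)                    /* insertion sort by priority */
        for (int j = i; j > 0 && hooks[order[j-1]].priority > hooks[order[j]].priority; j--) {
            int t = order[j]; order[j] = order[j-1]; order[j-1] = t;
        }
    for (int k = 0; k < n; k++) {
        int repeats = 0;
        unsigned v;
        do {
            v = hooks[order[k]].fn(hooknum, pp);   /* NF_REPEAT: call the hook again */
        } while (v == NF_REPEAT && ++repeats < 3); /* bounded so a buggy hook cannot spin */
        if (v == NF_REPEAT) return NF_DROP;        /* model's choice for a runaway hook */
        if (v != NF_ACCEPT) return v;              /* DROP, STOLEN, QUEUE end the chain */
    }
    return NF_ACCEPT;                              /* every hook accepted: continue */
}

/* Sample hooks, in the spirit of the talk's tcpproxy module. */
static unsigned hook_add_proxy_opt(unsigned h, struct pkt **pp) {
    (void)h; call_log[call_count++] = 1;
    (*pp)->proxy_opt_added = 1;   /* the real module would grow the buffer and insert the option */
    return NF_ACCEPT;
}
static unsigned hook_block_telnet(unsigned h, struct pkt **pp) {
    (void)h; call_log[call_count++] = 2;
    return (*pp)->dport == 23 ? NF_DROP : NF_ACCEPT;   /* a plain egress filter rule */
}
static unsigned hook_repeat_once(unsigned h, struct pkt **pp) {
    (void)h; call_log[call_count++] = 3;
    return (*pp)->repeat_budget-- > 0 ? NF_REPEAT : NF_ACCEPT;
}

/* Wire the three hooks at NF_IP_LOCAL_OUT and return the verdict for a
 * locally generated packet to dport. */
unsigned demo_local_out(int dport) {
    nf_reset_sim();
    nf_register_hook_sim(hook_block_telnet, NF_IP_LOCAL_OUT, 0);
    nf_register_hook_sim(hook_add_proxy_opt, NF_IP_LOCAL_OUT, -100);
    nf_register_hook_sim(hook_repeat_once, NF_IP_LOCAL_OUT, 50);
    struct pkt p = { dport, 0, 1 }, *pp = &p;
    unsigned v = nf_run_hook(NF_IP_LOCAL_OUT, &pp);
    printf("dport %d: verdict %u, proxy option %s, %d hook calls\n",
           dport, v, p.proxy_opt_added ? "added" : "absent", call_count);
    return v;
}

int main(void) { demo_local_out(80); demo_local_out(23); return 0; }
```

Running it shows the priority ordering (the -100 hook runs before the 0 hook even though it was registered second), that NF_REPEAT re-invokes the same hook before the chain moves on, and that an NF_DROP verdict ends the chain without the later hooks ever seeing the packet.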

An sk_what?? Linux uses a structure called an sk_buff to store packet data internally. It contains a handful of pointers to other structures as well as a packet data region. [diagram: data pointers into a data area laid out as headroom, packet data, tailroom]

sk_buffs and you The data area is like a stack, only you can insert at the head and the tail (deque?). The kernel provides a handful of helper functions to manage sk_buffs and their data areas. The various header pointers point into the data area – which can be thought of as a serialized packet.

Why do We Care? An sk_buff is built as a packet travels down the stack – each layer (TCP, IP, Ethernet) adds its own special sauce. This means that each header is “squashed” in against the next – so while modifying existing data is relatively easy, adding new header data is a bit trickier.

Don’t leave me in suspense… Basically, you make a copy of the sk_buff, and ask it to “grow” a bit during the copy. Once you have the copy – you “slide” the IP and TCP headers backwards a bit, insert the new option bytes, and re-checksum the packet.

A tale of “n” checksums Sounds easy, right? Remember that these sk_buffs are built one layer at a time? There is no nice friendly function which will take a TCP sk_buff and compute all the needed checksums. Funny thing about checksums – almost isn’t good enough.
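The two slides above give the recipe (grow, slide the headers back, insert the option bytes, re-checksum) and then warn that every checksum the option touches must be redone by hand. The following is an added userspace walk-through of exactly that, not code from the talk or from the kernel: struct pbuf is a hypothetical stand-in for an sk_buff with head/data/tail pointers and headroom, insert_tcp_option, recompute_checksums, checksums_valid and build_sample_packet are hypothetical names, the packet bytes are constructed, and the option kind 253 is an experimental kind standing in for the talk's PROXY option, whose number the slides do not give.

```c
/* Added example (not from the talk): inserting a TCP option into a packet
 * held in an sk_buff-like buffer and recomputing the IP and TCP checksums.
 * All names are hypothetical; the packet bytes are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PBUF_SIZE 256
#define PROTO_TCP 6

struct pbuf {
    uint8_t  buf[PBUF_SIZE];
    uint8_t *head;  /* start of the data area (like skb->head) */
    uint8_t *data;  /* first byte of the IP header (like skb->data) */
    uint8_t *tail;  /* one past the last payload byte (like skb->tail) */
};

/* RFC 1071 one's-complement accumulation over a byte range. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    while (len > 1) { sum += (uint32_t)((p[0] << 8) | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)(p[0] << 8);
    return sum;
}
/* Fold the carries and complement; a correctly checksummed range folds to 0. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static size_t ip_hlen(const uint8_t *ip)   { return (size_t)(ip[0] & 0x0f) * 4; }
static size_t ip_tlen(const uint8_t *ip)   { return (size_t)((ip[2] << 8) | ip[3]); }
static size_t tcp_hlen(const uint8_t *tcp) { return (size_t)(tcp[12] >> 4) * 4; }

/* Checksum 1: the IP checksum covers only the IP header. */
static uint16_t ip_csum(const uint8_t *ip) {
    return csum_fold(csum_add(0, ip, ip_hlen(ip)));
}
/* Checksum 2: the TCP checksum covers a pseudo-header (src, dst, zero, proto,
 * TCP length) plus the whole segment: header, options and payload. */
static uint16_t tcp_csum(const uint8_t *ip) {
    size_t ihl = ip_hlen(ip), tlen = ip_tlen(ip) - ihl;
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);                       /* source and destination address */
    pseudo[8] = 0; pseudo[9] = ip[9];                 /* zero, protocol */
    pseudo[10] = (uint8_t)(tlen >> 8); pseudo[11] = (uint8_t)tlen;
    return csum_fold(csum_add(csum_add(0, pseudo, sizeof pseudo), ip + ihl, tlen));
}

/* Zero both checksum fields and recompute them: the "re-checksum" step from
 * the slide, done by hand because no single helper does it for you. */
static void recompute_checksums(struct pbuf *pb) {
    uint8_t *ip = pb->data, *tcp = ip + ip_hlen(ip);
    ip[10] = ip[11] = 0;
    uint16_t c = ip_csum(ip);
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
    tcp[16] = tcp[17] = 0;
    c = tcp_csum(ip);
    tcp[16] = (uint8_t)(c >> 8); tcp[17] = (uint8_t)c;
}
/* With the stored fields included, both sums must fold to zero. */
int checksums_valid(const struct pbuf *pb) {
    return ip_csum(pb->data) == 0 && tcp_csum(pb->data) == 0;
}

/* Slide the IP and TCP headers back into the headroom by optlen bytes, drop
 * the new option into the gap, fix the lengths and recompute the checksums.
 * optlen must be a multiple of 4 (pad with NOP/EOL). Returns -1 when the
 * buffer lacks headroom, which is the case where the kernel code has to
 * copy the sk_buff with extra room first. */
int insert_tcp_option(struct pbuf *pb, const uint8_t *opt, size_t optlen) {
    uint8_t *ip = pb->data;
    size_t ihl = ip_hlen(ip), thl = tcp_hlen(ip + ihl);
    if (optlen == 0 || optlen % 4 || ip[9] != PROTO_TCP) return -1;
    if ((size_t)(pb->data - pb->head) < optlen) return -1;
    if (thl + optlen > 60) return -1;                 /* data offset is only 4 bits */
    memmove(ip - optlen, ip, ihl + thl);              /* slide both headers back */
    pb->data = ip = ip - optlen;
    uint8_t *tcp = ip + ihl;
    memcpy(tcp + thl, opt, optlen);                   /* option bytes fill the gap */
    tcp[12] = (uint8_t)((((thl + optlen) / 4) << 4) | (tcp[12] & 0x0f));
    size_t tlen = ip_tlen(ip) + optlen;
    ip[2] = (uint8_t)(tlen >> 8); ip[3] = (uint8_t)tlen;
    recompute_checksums(pb);
    return 0;
}

/* Constructed packet: 10.0.0.1:1234 -> 10.0.0.2:80, PSH|ACK, payload "hello",
 * with 64 bytes of headroom as a kernel would reserve for lower-layer headers. */
void build_sample_packet(struct pbuf *pb) {
    static const uint8_t ip_hdr[20] = { 0x45, 0x00, 0x00, 0x2d, 0x00, 0x01, 0x40, 0x00,
        0x40, PROTO_TCP, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2 };
    static const uint8_t tcp_hdr[20] = { 0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01,
        0x00, 0x00, 0x00, 0x01, 0x50, 0x18, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00 };
    memset(pb->buf, 0, sizeof pb->buf);
    pb->head = pb->buf;
    pb->data = pb->buf + 64;
    memcpy(pb->data, ip_hdr, 20);
    memcpy(pb->data + 20, tcp_hdr, 20);
    memcpy(pb->data + 40, "hello", 5);
    pb->tail = pb->data + 45;
    recompute_checksums(pb);
}
size_t packet_ip_total_len(const struct pbuf *pb) { return ip_tlen(pb->data); }
size_t packet_tcp_hdr_len(const struct pbuf *pb) { return tcp_hlen(pb->data + ip_hlen(pb->data)); }
const uint8_t *packet_payload(const struct pbuf *pb) {
    return pb->data + ip_hlen(pb->data) + packet_tcp_hdr_len(pb);
}

int main(void) {
    struct pbuf pb;
    build_sample_packet(&pb);
    /* Placeholder option: experimental kind 253 (RFC 4727), length 4, two data bytes. */
    const uint8_t opt[4] = { 253, 4, 0xab, 0xcd };
    printf("before: total_len=%zu tcp_hdr=%zu valid=%d\n", packet_ip_total_len(&pb),
           packet_tcp_hdr_len(&pb), checksums_valid(&pb));
    int rc = insert_tcp_option(&pb, opt, sizeof opt);
    printf("after:  rc=%d total_len=%zu tcp_hdr=%zu valid=%d\n", rc, packet_ip_total_len(&pb),
           packet_tcp_hdr_len(&pb), checksums_valid(&pb));
    return 0;
}
```

The point the slide makes is visible in the code: adding four option bytes changes the IP total length, the TCP data offset, the IP header checksum and the TCP checksum (through both the pseudo-header length and the new bytes), and a receiver silently discards the segment if any one of them is stale.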

Ok, insmod and Remember developing on a system without memory protection and having to reboot? Kernel modules execute in kernel space – so no one’s watching your back. If you goof, it’s time to reboot. User Mode Linux to the rescue.

User Mode Linux (UML) A kernel patch that allows running the Linux kernel as a user-mode process on a Linux machine. If you crash the user-mode kernel, you just restart the process, no reboot required.

Where do I sign up? Setup is (in principle) fairly easy – only it turns out that the standard distribution doesn’t have netfilter enabled. So I re-built with the appropriate options and placed the binaries in ~swift/user-mode-linux/bin. There’s a README there – some support executables must be installed as root on your workstation.

That’s It? Not quite – you also need a file system to boot this kernel off. Good News: you can download a file system image – you don’t have to make one. Bad News: it’s really big. (up to 700MB) Good News: you can share one among many people Bad News: you have to read the HOWTO.

Building Modules Under UML Building a kernel module is the same under UML as under “KML” – it is important that you build it against the source used to build the target kernel. For “our” UML build – that source is in ~swift/user-mode-linux/src

Current Status A skeleton of a splittcp module (tcpproxy.c) exists. It can inspect locally generated packets and add our newly defined PROXY option, rechecksum the packet, and send it on its way. It can inspect arriving packets, check for the option, and decide if that packet should be proxied.

So What’s Left? It doesn’t (yet) actually proxy the packet. Nor does it send an acknowledgement of receipt to the upstream proxy. There are also issues around ICMP error messages, and what should be done about them.

Conclusion Once the code is “alpha” quality, I’ll commit it to the swift CVS repository for your collective viewing pleasure. Until then, if you have questions or suggestions, see me.