Advanced topics: Neighboring and IPsec

Rami Rosen
ramirose@gmail.com

Haifux, January 2008
www.haifux.org
Contents

- Short rehearsal (4 slides)
- Neighboring Subsystem
  - struct neighbour
  - arp
  - arp_bind_neighbour() method
  - Duplicate Address Detection (DAD)
  - LVS (Linux Virtual Server)
  - ARPD: arp user space daemon
  - Neighbour states
  - Change of IP address / MAC address
- IPsec
Scope

We will not deal with multicast, with IPv6 or with wireless.
The L3 network protocol we deal with is IPv4, and the L2 link layer protocol is Ethernet.
Neighboring Subsystem

All code in this lecture is taken from linux-2.6.24-rc4 (04 Dec 2007).
It can be obtained from http://www.kernel.org/pub/linux/kernel/v2.6/testing/ (and mirrors).
Short rehearsal (4 slides)

The layers that we will deal with (based on the 7-layer model) are:
- Transport Layer (L4): udp, tcp, ...
- Network Layer (L3): ip
- Link Layer (L2): ethernet
Short rehearsal (4 slides)

The two most important data structures: sk_buff and net_device.

sk_buff:
- dst is an instance of dst_entry; sk_buff holds a pointer to it (the dst member).
- The lookup in the routing subsystem constructs dst. It decides how the packet will continue its traversal; this is done by assigning methods to its input()/output() function pointers.
- Each dst_entry has a neighbour member (with IPsec it is NULL, see below).
- When working with IPsec, dst in fact represents a linked list of dst_entries. Only the last one is for routing; all previous dst_entries are for IPsec transformers.
Short rehearsal (4 slides)

net_device:
- net_device represents a network interface card.
- net_device has members like mtu, dev_addr (the device MAC address), promiscuity, the name of the device (eth0, eth1, lo, etc.), and more.
- An important member of net_device is flags. You can disable ARP on a NIC (the kernel then neither sends nor answers ARP on it) by setting the IFF_NOARP flag:
      ifconfig eth0 -arp
  ifconfig eth0 will then show:
      UP BROADCAST RUNNING NOARP MULTICAST ...
  Enabling ARP again is done by: ifconfig eth0 arp
Short rehearsal (4 slides)

ip_route_input(): performs a lookup in the routing subsystem for each incoming packet. It looks first in the routing cache; on a cache miss it looks into the routing table and inserts an entry into the routing cache. arp_bind_neighbour() is called for unicast routes only. Returns 0 upon success.

dev_queue_xmit(struct sk_buff *skb) (net/core/dev.c) is called to transmit the packet when it is ready, i.e. when it has an L2 destination address. dev_queue_xmit() passes the packet to the NIC device driver for transmission using the driver's hard_start_xmit() method.
Neighboring Subsystem

Goals: what is the neighboring subsystem for?
"The world is a jungle in general, and the networking game contributes many animals." (from RFC 826, ARP, 1982)
It maps L3 addresses to L2 addresses. In IPv4 it is implemented by ARP; in IPv6 by ND, neighbour discovery.

The Ethernet header is 14 bytes long:
- Source MAC address and destination MAC address, 6 bytes each.
- Type (2 bytes). For example (include/linux/if_ether.h):
  0x0800 is the type for an IP packet (ETH_P_IP)
  0x0806 is the type for an ARP packet (ETH_P_ARP)
  0x8035 is the type for a RARP packet (ETH_P_RARP)
Neighboring Subsystem: struct neighbour

A neighbour (an instance of struct neighbour) is reached from the dst of a packet: sk_buff points to a dst_entry, and dst_entry points to the neighbour:

  sk_buff -> dst -> neighbour { ha, primary_key, ... }
Neighboring Subsystem: struct neighbour

Implementation: important data structures.
struct neighbour (include/net/neighbour.h):
- ha: the hardware address (the MAC address when dealing with Ethernet) of the neighbour. This field is filled when an ARP response arrives.
- primary_key: the IP address (L3) of the neighbour. Lookup in the arp table is done with the primary_key.
- nud_state: represents the Neighbour Unreachability Detection (NUD) state of the neighbour (for example, NUD_REACHABLE).
Neighboring Subsystem: struct neighbour (contd.)

A neighbour can change its state to NUD_REACHABLE in one of three ways:
- L4 confirmation.
- Receiving an ARP reply for the first time, or receiving an ARP reply in response to an ARP request sent while in NUD_PROBE state.
- Confirmation by a sysadmin command (ip neigh ... nud reachable), which is rare.
Neighboring Subsystem: struct neighbour (contd.)

int (*output)(struct sk_buff *skb);
output() can be assigned different methods according to the state of the neighbour, for example neigh_resolve_output() and neigh_connected_output(). Initially it is neigh_blackhole(). When the state changes, the output function may also be assigned a different function.

refcnt: incremented by neigh_hold(), decremented by neigh_release(). We don't free a neighbour while its refcnt is higher than 1; instead, we set dead (a member of neighbour) to 1, and the last neigh_release() frees it.
Neighboring Subsystem: struct neighbour (contd.)

timer: the callback method is neigh_timer_handler().
struct hh_cache *hh (defined in include/linux/netdevice.h): a cached, ready-to-copy L2 header for this neighbour.
confirmed: confirmation timestamp. Confirmation can be done from L4 (the transport layer). For example, dst_confirm() calls neigh_confirm(); dst_confirm() is called from tcp_ack() (net/ipv4/tcp_input.c), from udp_sendmsg() (net/ipv4/udp.c) and more. neigh_confirm() does NOT change the state; that is the job of neigh_timer_handler().
Neighboring Subsystem: struct neighbour (contd.)

dev: the net_device from which we send packets to the neighbour.
struct neigh_parms *parms: parms holds mostly timer tunables, the net structure (network namespace), etc.
Network namespaces enable multiple instances of the network stack towards user space. A network device belongs to exactly one network namespace. Enabled with CONFIG_NET_NS when building the kernel.
Neighboring Subsystem: struct neighbour (contd.)

arp_queue: every neighbour has a small arp queue of its own, holding packets that wait for the address to be resolved. By default there can be only 3 elements in an arp_queue; when the queue is full the oldest packet is dropped. This is configurable: /proc/sys/net/ipv4/neigh/default/unres_qlen
struct neigh_table

struct neigh_table represents a neighboring table (include/net/neighbour.h).
The arp table (arp_tbl) is a neigh_table (include/net/arp.h).
In IPv6, nd_tbl (the Neighbor Discovery table) is also a neigh_table (include/net/ndisc.h).
There are also dn_neigh_table (DECnet, net/decnet/dn_neigh.c) and clip_tbl (for ATM, net/atm/clip.c).
gc_timer: neigh_periodic_timer() is the callback for garbage collection. neigh_periodic_timer() deletes FAILED entries from the ARP table.
Neighboring Subsystem: arp

When there is no entry in the ARP cache for the destination IP address of a packet, a broadcast is sent (an ARP request, ARPOP_REQUEST: "who has IP address x.y.z.w?"). This is done by a method called arp_solicit() (net/ipv4/arp.c).
In IPv6, the parallel mechanism is called ND (Neighbor Discovery) and is implemented as part of ICMPv6. A multicast is sent in IPv6 (and not a broadcast).
If there is no answer in time to this ARP request, then we end up sending back an ICMP error (Destination Host Unreachable) for the queued packets. This is done by arp_error_report(), which indirectly calls ipv4_link_failure(); see net/ipv4/route.c.
[Figure: the ARP table as a chain of neighbour entries. Each neighbour holds ha (the hardware address), a next pointer and hh, which points to an hh_cache whose hh_data caches the ready-made Ethernet header: destination address (DA), source address (SA) and TYPE.]
Neighboring Subsystem: arp

You can see the contents of the arp table by running cat /proc/net/arp, or by running arp from the command line.
ip neigh show is the newer method to show the arp table (from iproute2).
You can delete and add entries in the arp table; see man arp / man ip.
When using ip neigh add you can specify the state of the entry which you are adding (like permanent, stale, reachable, etc.).
Neighboring Subsystem: arp table

The arp command does not show reachability states, except for the incomplete state and the permanent state. Complete entries are marked with C in Flags, permanent entries with M.

Example: arp output

Address      HWtype  HWaddress          Flags Mask  Iface
10.0.0.2             (incomplete)                   eth0
10.0.0.3     ether   00:01:02:03:04:05  CM          eth0
10.0.0.138   ether   00:20:8F:0C:68:03  C           eth0
Neighboring Subsystem: ip neigh show

We can see the current neighbour states. Example:

ip neigh show
192.168.0.254 dev eth0 lladdr 00:03:27:f1:a1:31 REACHABLE
192.168.0.152 dev eth0 lladdr 00:00:00:cc:bb:aa STALE
192.168.0.121 dev eth0 lladdr 00:10:18:1b:1c:14 PERMANENT
192.168.0.54 dev eth0 lladdr aa:ab:ac:ad:ae:af STALE
192.168.0.98 dev eth0 INCOMPLETE
Neighboring Subsystem: arp

arp_process() (net/ipv4/arp.c) handles both ARP requests and ARP responses.
If the target IP address (tip) in the arp header is a loopback or multicast address, arp_process() drops the packet, since loopback does not need ARP and multicast addresses are never resolved by ARP:

    ...
    if (LOOPBACK(tip) || MULTICAST(tip))
        goto out;
    ...
out:
    ...
    kfree_skb(skb);
    return 0;
Neighboring Subsystem: arp

(see: #define LOOPBACK(x) (((x) & htonl(0xff000000)) == htonl(0x7f000000)) in linux/in.h)

If it is an ARP request (ARPOP_REQUEST), we call ip_route_input(). Why? Because the routing lookup tells us whether the target address is ours: in case it is (RTN_LOCAL), we send an ARP reply:

    arp_send(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip, sha, dev->dev_addr, sha);

We also update our arp table with the sender entry (ip/mac).
Special case: ARP proxy server (proxy_arp), where we answer for a target address that is not ours but is routed through us.
Neighboring Subsystem: arp

In case we receive an ARP reply (ARPOP_REPLY): we perform a lookup in the arp table (by calling __neigh_lookup()). If we find an entry, we update the arp table by neigh_update().
Neighboring Subsystem: arp

If there is no entry and there is NO support for unsolicited ARP, we don't create an entry in the arp table. Support for unsolicited ARP is enabled by setting /proc/sys/net/ipv4/conf/all/arp_accept to 1; the corresponding macro is IPV4_DEVCONF_ALL(ARP_ACCEPT). In older kernels, support for unsolicited ARP was enabled by CONFIG_IP_ACCEPT_UNSOLICITED_ARP.
Leaving arp_accept at 0 (the default) means a gratuitous ARP from an unknown host cannot plant a new entry in the table; it can still overwrite an existing entry once locktime (1 second by default) has passed since the last update, which is what ARP cache poisoning relies on.
Neighboring Subsystem: lookup

Lookup in the neighboring subsystem is done via neigh_lookup().
Parameters:
- neigh_table (arp_tbl)
- pkey (the IP address, i.e. the primary_key of the neighbour struct)
- dev (net_device)
There are two wrappers:
- __neigh_lookup(): just one more parameter, creat (a flag: whether to create a neighbour by neigh_create() if none is found, or not).
- __neigh_lookup_errno(): like __neigh_lookup() with creat set, but it returns an ERR_PTR when the neighbour cannot be created.
Neighboring Subsystem: static entries

Adding a static entry is done by: arp -s ipAddress MacAddress
Alternatively, this can be done by: ip neigh add ipAddress dev eth0 lladdr MacAddress nud permanent
The state (nud_state) of this entry will be NUD_PERMANENT; ip neigh show will show it as PERMANENT.
Why do we need PERMANENT entries? For hosts that do not answer ARP, and because a PERMANENT entry is never modified by a received ARP packet (only by an administrative command), which makes it a simple way to pin the MAC address of a gateway against ARP spoofing.
arp_bind_neighbour() method

Suppose we are sending a packet to a host for the first time. A dst_entry is added to the routing cache by rt_intern_hash(). We should know the L2 address of that host, so rt_intern_hash() calls arp_bind_neighbour(), but only for RTN_UNICAST routes (not for multicast/broadcast).
arp_bind_neighbour() (net/ipv4/arp.c): dst->neighbour is NULL, so it calls __neigh_lookup_errno(). There is no such entry in the arp table, so we create a neighbour with neigh_create() and add it to the arp table.
neigh_create() creates a neighbour in NUD_NONE state; setting nud_state to NUD_NONE is done in neigh_alloc().
Neighboring Subsystem: IFF_NOARP flag

Disabling and enabling arp:
    ifconfig eth1 -arp
You will now see the NOARP flag in ifconfig -a.
    ifconfig eth1 arp      (to enable arp on the device again)
In fact, this sets/clears the IFF_NOARP flag of net_device.
There are cases where the interface has the IFF_NOARP flag by default, for example a ppp interface; see ppp_setup() (drivers/net/ppp_generic.c).
Changing IP address

Suppose we try to set eth1 to an IP address of a different machine on the LAN.
First, we set an IP for eth1 (in FC8, for example) in /etc/sysconfig/network-scripts/ifcfg-eth1:
    ...
    IPADDR=192.168.0.122
    ...
and then run:
    ifup eth1

Changing IP address (contd.)

ifup refuses: it reports that another host already uses the address, and eth1 is not configured. But:
    ifconfig eth0 192.168.0.122
works OK! Why is it so?
ifup is from the initscripts package, and before assigning the address it runs arping in duplicate address detection mode (next slide); ifconfig just issues the SIOCSIFADDR ioctl, and the kernel itself performs no such check.
Duplicate Address Detection (DAD)

Duplicate Address Detection mode (DAD):
    arping -I eth0 -D 192.168.0.10
sends a broadcast ARP request whose sender IP address is 0.0.0.0. 0.0.0.0 is not a usable address (it means "this host", before it has an address), so the probe cannot disturb any existing arp table entry on the LAN. The MAC address of the sender is the real one. The -D flag selects Duplicate Address Detection mode; arping exits with 0 if no reply was received (the address is free) and with 1 if some host answered.
Duplicate Address Detection (contd.)

Code (from arp_process(); see net/ipv4/arp.c):

    /* Special case: IPv4 duplicate address detection packet (RFC2131) */
    if (sip == 0) {
        if (arp->ar_op == htons(ARPOP_REQUEST) &&
            inet_addr_type(tip) == RTN_LOCAL &&
            !arp_ignore(in_dev, dev, sip, tip))
            arp_send(ARPOP_REPLY, ETH_P_ARP, tip, dev, tip, sha,
                     dev->dev_addr, dev->dev_addr);
        goto out;
    }

A probe for one of our own addresses is answered (so the prober learns the address is taken); any other probe is dropped and never creates or updates a neighbour entry.
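As an added example that is not from the slides or from the kernel source, the following user-space model reproduces the decisions arp_process() makes on an incoming frame: the loopback/multicast target check, the request and reply paths, the DAD special case shown above, and the arp_ignore and arp_accept tunables discussed in the arp and LVS/DR slides. The Ethernet and ARP layouts are the real ones (14-byte Ethernet header, 28-byte Ethernet/IPv4 ARP body); struct iface, the verdict names and every address and MAC are assumptions constructed for this example.

```c
/* Added example, not kernel code: a user-space model of the decisions
 * arp_process() makes on one Ethernet/ARP frame: the loopback/multicast
 * target check, the DAD probe special case (sender IP 0.0.0.0), the
 * arp_ignore=1 policy used in the LVS/DR section and the arp_accept rule
 * for unsolicited replies. All frames, MACs and IPs are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ETH_ALEN = 6, ETH_HLEN = 14, ARP_LEN = 28, ETH_P_ARP = 0x0806,
       ARPOP_REQUEST = 1, ARPOP_REPLY = 2 };
enum arp_verdict {
    ARP_DROP_BAD_FRAME, ARP_DROP_BAD_TARGET,    /* malformed; tip is loopback/multicast */
    ARP_DROP_NOT_FOR_US, ARP_DROP_IGNORED,      /* not our address; arp_ignore=1 says no */
    ARP_DROP_UNSOLICITED, ARP_REPLY,            /* unknown sender, arp_accept=0; reply built */
    ARP_REPLY_DAD, ARP_UPDATE_NEIGH, ARP_CREATE_NEIGH  /* defend; neigh_update(); arp_accept=1 */
};
struct arp_pkt { uint16_t op; uint8_t sha[ETH_ALEN], tha[ETH_ALEN]; uint32_t sip, tip; };

/* The receiving interface plus the host-wide facts the decision needs (assumed layout). */
struct iface {
    uint8_t  mac[ETH_ALEN];
    uint32_t own[4];   int nown;    /* addresses configured on THIS interface */
    uint32_t other[4]; int nother;  /* addresses on the host's other interfaces */
    uint32_t neigh[8]; int nneigh;  /* primary_keys already in the arp table */
    int arp_ignore, arp_accept;     /* /proc/sys/net/ipv4/conf/... tunables */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }
static void put_be32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i));
}
static int in_list(const uint32_t *l, int n, uint32_t ip) {
    for (int i = 0; i < n; i++) if (l[i] == ip) return 1;
    return 0;
}
/* arp_ignore=0: answer for any local address; =1: only if tip is on this interface */
static int arp_ignored(const struct iface *d, uint32_t tip) {
    return d->arp_ignore != 0 && !in_list(d->own, d->nown, tip);
}

/* Build a complete frame; for a request pass the broadcast dst and a zero tha. */
size_t arp_build(uint16_t op, const uint8_t *dst, const uint8_t *src, uint32_t sip,
                 const uint8_t *tha, uint32_t tip, uint8_t *out) {
    uint8_t *a = out + ETH_HLEN;
    memcpy(out, dst, ETH_ALEN); memcpy(out + 6, src, ETH_ALEN);
    out[12] = 0x08; out[13] = 0x06;                        /* ETH_P_ARP */
    a[0] = 0; a[1] = 1; a[2] = 0x08; a[3] = 0x00;          /* htype Ethernet, ptype IPv4 */
    a[4] = ETH_ALEN; a[5] = 4; a[6] = (uint8_t)(op >> 8); a[7] = (uint8_t)op;
    memcpy(a + 8, src, ETH_ALEN);  put_be32(a + 14, sip);
    memcpy(a + 18, tha, ETH_ALEN); put_be32(a + 24, tip);
    return ETH_HLEN + ARP_LEN;
}

int arp_parse(const uint8_t *f, size_t len, struct arp_pkt *p) {
    if (len < ETH_HLEN + ARP_LEN || be16(f + 12) != ETH_P_ARP) return -1;
    const uint8_t *a = f + ETH_HLEN;
    if (be16(a) != 1 || be16(a + 2) != 0x0800 || a[4] != ETH_ALEN || a[5] != 4) return -1;
    p->op = be16(a + 6);
    memcpy(p->sha, a + 8, ETH_ALEN);  p->sip = be32(a + 14);
    memcpy(p->tha, a + 18, ETH_ALEN); p->tip = be32(a + 24);
    return 0;
}

/* On ARP_REPLY / ARP_REPLY_DAD the reply frame is left in `reply`. */
enum arp_verdict arp_decide(const struct iface *d, const uint8_t *frame, size_t len,
                            uint8_t reply[ETH_HLEN + ARP_LEN]) {
    struct arp_pkt p;
    if (arp_parse(frame, len, &p)) return ARP_DROP_BAD_FRAME;
    if ((p.tip & 0xff000000u) == 0x7f000000u ||         /* LOOPBACK(tip)  */
        (p.tip & 0xf0000000u) == 0xe0000000u)           /* MULTICAST(tip) */
        return ARP_DROP_BAD_TARGET;
    int local = in_list(d->own, d->nown, p.tip) || in_list(d->other, d->nother, p.tip);
    if (p.sip == 0) {                 /* RFC 2131 duplicate address detection probe */
        if (p.op != ARPOP_REQUEST || !local) return ARP_DROP_NOT_FOR_US;
        if (arp_ignored(d, p.tip)) return ARP_DROP_IGNORED;
        /* arp_send(ARPOP_REPLY, ETH_P_ARP, tip, dev, tip, sha, dev->dev_addr, dev->dev_addr) */
        arp_build(ARPOP_REPLY, p.sha, d->mac, p.tip, d->mac, p.tip, reply);
        return ARP_REPLY_DAD;
    }
    if (p.op == ARPOP_REQUEST) {
        if (!local) return ARP_DROP_NOT_FOR_US;
        if (arp_ignored(d, p.tip)) return ARP_DROP_IGNORED;
        /* arp_send(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip, sha, dev->dev_addr, sha) */
        arp_build(ARPOP_REPLY, p.sha, d->mac, p.tip, p.sha, p.sip, reply);
        return ARP_REPLY;
    }
    if (p.op != ARPOP_REPLY) return ARP_DROP_BAD_FRAME;
    /* reply: __neigh_lookup() the sender, then neigh_update() it or drop the packet */
    if (in_list(d->neigh, d->nneigh, p.sip)) return ARP_UPDATE_NEIGH;
    return d->arp_accept ? ARP_CREATE_NEIGH : ARP_DROP_UNSOLICITED;
}

int main(void) {  /* constructed LVS-style host: eth0 owns 192.168.0.151, eth1 owns .152 */
    struct iface eth0 = { {0,1,2,3,4,5}, {0xC0A80097u}, 1, {0xC0A80098u}, 1, {0}, 0, 0, 0 };
    const uint8_t bc[ETH_ALEN] = {0xff,0xff,0xff,0xff,0xff,0xff}, z[ETH_ALEN] = {0};
    const uint8_t peer[ETH_ALEN] = {0x00,0x20,0x8f,0x0c,0x68,0x03};
    uint8_t f[ETH_HLEN + ARP_LEN], r[ETH_HLEN + ARP_LEN];
    size_t n = arp_build(ARPOP_REQUEST, bc, peer, 0xC0A80001u, z, 0xC0A80098u, f);
    printf("ask eth0 for eth1's address, arp_ignore=0: verdict %d\n", arp_decide(&eth0, f, n, r));
    eth0.arp_ignore = 1;
    printf("same request with arp_ignore=1:            verdict %d\n", arp_decide(&eth0, f, n, r));
    return 0;
}
```

The two printf lines in main reproduce the LVS two-NIC problem: with arp_ignore=0 the request for eth1's address arriving on eth0 is answered (ARP_REPLY), with arp_ignore=1 it is dropped (ARP_DROP_IGNORED). The reply frames mirror the two arp_send() calls quoted above, so the DAD reply carries our own address as both sender and target.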
Neighboring Subsystem: Garbage Collection

Garbage collection is done by neigh_periodic_timer() (periodic, table-wide) and, for a single entry, by neigh_timer_handler().
neigh_periodic_timer() removes entries which are in NUD_FAILED state. This is done by setting dead to 1 and calling neigh_release(). The refcnt must be 1, to ensure nobody else uses this neighbour. Entries that are not PERMANENT and have not been used for gc_staletime are removed as well. NUD_FAILED entries don't have a MAC address (like the INCOMPLETE entry in the ip neigh show example above, they appear without lladdr).
Neighboring Subsystem: Synchronous (forced) Garbage Collection

neigh_forced_gc() performs synchronous garbage collection. It is called from neigh_alloc() when the number of entries in the arp table exceeds a configurable limit (gc_thresh2, gc_thresh3):
    /proc/sys/net/ipv4/neigh/default/gc_thresh2
    /proc/sys/net/ipv4/neigh/default/gc_thresh3
The default for gc_thresh3 is 1024. Above gc_thresh2 (default 512) forced gc runs if the last flush was more than 5 seconds ago; above gc_thresh3 it runs on every allocation, and the allocation fails if nothing could be freed.
Candidates for cleanup: entries whose reference count is 1 AND whose state is NOT permanent.
Neighboring Subsystem: Garbage Collection

Timer-driven state changes (REACHABLE -> STALE, DELAY -> PROBE, PROBE/INCOMPLETE -> FAILED) are done only in neigh_timer_handler(); packet-driven changes are done by neigh_update() and __neigh_event_send().
LVS (Linux Virtual Server)

http://www.linuxvirtualserver.org/
Integrated into the Linux kernel (in the 2.4 kernel it was a patch). Located in net/ipv4/ipvs in the kernel tree. No IPv6 support (it came later, in 2.6.28).
LVS has eight scheduling algorithms.
LVS/DR is LVS with direct routing (a load balancing solution).
ipvsadm is the user space management tool (available in most distros).
Direct Routing is the packet forwarding method: -g, --gatewaying => use gatewaying (direct routing); see man ipvsadm.
LVS/DR

Example: 3 Real Servers and the Director all have the same Virtual IP (VIP).

[Figure: clients -> Linux Director (VIP) -> Real Server 1, Real Server 2, Real Server 3; each real server also carries the VIP.]
LVS and ARP

There is an ARP problem in this configuration. By default Linux answers an ARP request for any address configured on the host, on whichever interface the request arrived: when you send an ARP broadcast and the receiving machine has two or more NICs on that LAN, each of them responds to this ARP request. In LVS/DR every real server carries the VIP, so without further configuration the real servers answer ARP for the VIP too, and clients may reach a real server directly instead of the director.
Example: a machine with two NICs; eth0 is 192.168.0.151 and eth1 is 192.168.0.152.

[Figure: LVS and ARP example; not recoverable from the slide.]
LVS and ARP

Solutions:
1) Set arp_ignore to 1 (reply only if the target IP address is configured on the interface the request arrived on):
    echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
    echo 1 > /proc/sys/net/ipv4/conf/eth1/arp_ignore
2) Use arptables. There are 3 hook points in the arp walkthrough (include/linux/netfilter_arp.h):
    NF_ARP_IN (in arp_rcv(), net/ipv4/arp.c)
    NF_ARP_OUT (in arp_xmit(), net/ipv4/arp.c)
    NF_ARP_FORWARD (in br_nf_forward_arp(), net/bridge/br_netfilter.c)
LVS and ARP

http://ebtables.sourceforge.net/download.html
ebtables is in fact the parallel of netfilter/iptables, but at L2 (for bridges).
LVS example (ipvsadm)

An example for setting LVS/DR on TCP port 80 with three real servers:
    ipvsadm -C                                      // clear the LVS table
    ipvsadm -A -t DirectorIPAddress:80
    ipvsadm -a -t DirectorIPAddress:80 -r RealServer1 -g
    ipvsadm -a -t DirectorIPAddress:80 -r RealServer2 -g
    ipvsadm -a -t DirectorIPAddress:80 -r RealServer3 -g
    ipvsadm -L -n                                   // list the LVS table
This example deals with TCP connections (for UDP we should use -u instead of -t in the -A and -a lines).
/proc/sys/net/ipv4/ip_forward should be set to 1.

In this example, packets sent to the VIP reach the load balancer (the director); it delegates them to a real server according to its scheduler. The destination MAC address in the L2 header will be the MAC address of the real server to which the packet is sent, while the destination IP in the IP header stays the VIP. This is done from the NF_IP_LOCAL_IN netfilter hook, where IPVS intercepts packets destined to the VIP.
ARPD: arp user space daemon

ARPD is a user space daemon; it can be used if we want to move some work out of the kernel. The daemon is part of iproute2 (misc/arpd.c).
ARPD has support for negative entries and for dead hosts. The kernel arp code does NOT support these types of entries!
The kernel by default is not compiled with ARPD support; we should set CONFIG_ARPD to use it: Networking Support -> Networking Options -> IP: ARP daemon support (it is considered experimental).
See /usr/share/doc/iproute-2.6.22/arpd.ps (Alexey Kuznetsov).
ARPD

We should also set app_solicit to a value greater than 0 by writing to /proc/sys/net/ipv4/neigh/eth0/app_solicit; this makes the kernel ask the daemon (over netlink) before it broadcasts on its own.
The -a (active probes) parameter of arpd tells how many ARP requests arpd sends before that neighbour is considered dead.
The -k parameter tells the kernel not to send ARP broadcasts; in this case the arpd daemon is not only listening to ARP traffic, but also sends the ARP broadcasts itself.
We can tune the kernel parameters as we like; in fact, we can tune them so that ARP requests are sent only from the daemon and not from the kernel at all.
ARPD

Activation:
    arpd -a 1 -k eth0 &
On some distros you will get the error "db_open: No such file or directory" unless you first run mkdir /var/lib/arpd/ (for the arpd.db file).
Pay attention: you can start the arpd daemon when there is no support in the kernel (CONFIG_ARPD is not set). In this case ARP packets are still captured by the arpd daemon (get_arp_pkt() in misc/arpd.c), but the kernel sends it no netlink messages, so the daemon is never asked to resolve anything.
ARPD

Tip: to check whether CONFIG_ARPD is set, simply see if there are any results from:
    cat /proc/kallsyms | grep neigh_app
MAC addresses

MAC address (Media Access Control).
According to the specs, a MAC address should be unique. The first 3 bytes (the OUI) specify the hardware manufacturer of the card; OUIs are allocated by the IEEE Registration Authority.
There are exceptions to this rule, for example locally administered addresses and the addresses of virtual NICs:
    Ethernet HWaddr 00:16:3E:3F:6E:5D
(the OUI 00:16:3E is registered to XenSource and is used for Xen virtual machines, not by a NIC vendor)
ARPwatch (detecting ARP cache poisoning)

Arpwatch is an open source tool that helps to detect such attacks.
Activation: arpwatch -d -i eth0 (output to stderr)
A changing MAC address can be the result of a security attack (ARP cache poisoning, ARP spoofing). Arpwatch keeps a table of ip/mac addresses and senses when there is a change.
-d is for redirecting the log to stderr (no syslog, no mail).
In case someone changed the MAC address of a host on the same network, you will get a message like this:
ARPwatch example

From: root (Arpwatch)
To: root
Subject: changed ethernet address (jupiter)

    hostname: jupiter
    ip address: 192.168.0.54
    ethernet address: aa:bb:cc:dd:ee:ff
    ethernet vendor: <unknown>
    old ethernet address: 0:20:18:61:e5:e0
    old ethernet vendor: ...
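As an added example that is not arpwatch's own code, the following program implements the detection logic arpwatch applies and runs it over a constructed sequence of (ip, mac) observations: a new station, a changed ethernet address (producing a report in the format of the message above), and a "flip flop", where an address keeps alternating between two MACs, which is the footprint an ARP cache poisoning tool leaves. The table size, the flip-flop window and all addresses are assumptions made for this example.

```c
/* Added example, not arpwatch's code: the detection logic arpwatch applies,
 * run over a constructed sequence of (ip, mac) observations as they would be
 * learnt from ARP traffic. It reports new stations, changed ethernet
 * addresses and "flip flops" (an address that keeps alternating between two
 * MACs, the pattern an ARP cache poisoning attack produces). The flip-flop
 * window and the table size are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STATIONS 32

enum arp_event { EV_NEW_STATION, EV_UNCHANGED, EV_CHANGED_ADDRESS, EV_FLIP_FLOP, EV_TABLE_FULL };

struct station {
    uint32_t ip;                /* host byte order */
    uint8_t mac[6], old_mac[6];
    int have_old;
    long last_change;           /* seconds */
};

struct arpwatch {
    struct station st[MAX_STATIONS];
    int n, changes, flipflops;
    long flipflop_window;       /* seconds within which a revert counts as a flip flop */
};

void arpwatch_init(struct arpwatch *w, long flipflop_window) {
    memset(w, 0, sizeof(*w));
    w->flipflop_window = flipflop_window;
}

struct station *arpwatch_find(struct arpwatch *w, uint32_t ip) {
    for (int i = 0; i < w->n; i++) if (w->st[i].ip == ip) return &w->st[i];
    return NULL;
}

/* Feed one (ip, mac) pair seen on the wire at time `now`. */
enum arp_event arpwatch_observe(struct arpwatch *w, uint32_t ip, const uint8_t mac[6], long now) {
    struct station *s = arpwatch_find(w, ip);
    if (s == NULL) {
        if (w->n == MAX_STATIONS) return EV_TABLE_FULL;
        s = &w->st[w->n++];
        s->ip = ip; memcpy(s->mac, mac, 6); s->have_old = 0; s->last_change = now;
        return EV_NEW_STATION;
    }
    if (memcmp(s->mac, mac, 6) == 0) return EV_UNCHANGED;
    /* a flip flop is a return to the previous MAC shortly after the last change */
    int flip = s->have_old && memcmp(s->old_mac, mac, 6) == 0 &&
               now - s->last_change <= w->flipflop_window;
    memcpy(s->old_mac, s->mac, 6); memcpy(s->mac, mac, 6);
    s->have_old = 1; s->last_change = now;
    if (flip) { w->flipflops++; return EV_FLIP_FLOP; }
    w->changes++;
    return EV_CHANGED_ADDRESS;
}

/* Format the body of the "changed ethernet address" report in arpwatch's style
 * (MAC bytes without zero padding, as in the slide). Returns bytes written. */
int arpwatch_report(const struct station *s, char *buf, size_t len) {
    const uint8_t *m = s->mac, *o = s->old_mac;
    return snprintf(buf, len,
        "ip address: %u.%u.%u.%u\nethernet address: %x:%x:%x:%x:%x:%x\n"
        "old ethernet address: %x:%x:%x:%x:%x:%x\n",
        s->ip >> 24, (s->ip >> 16) & 0xff, (s->ip >> 8) & 0xff, s->ip & 0xff,
        m[0], m[1], m[2], m[3], m[4], m[5], o[0], o[1], o[2], o[3], o[4], o[5]);
}

int main(void) {
    /* constructed traffic: a gateway, host jupiter, then jupiter's MAC flapping */
    static const uint8_t gw[6]  = {0x00,0x04,0x27,0xfd,0xad,0x30};
    static const uint8_t jup[6] = {0x00,0x20,0x18,0x61,0xe5,0xe0};
    static const uint8_t bad[6] = {0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    static const char *names[] = {"new station", "unchanged", "changed ethernet address",
                                  "flip flop", "table full"};
    struct arpwatch w; char buf[256];
    arpwatch_init(&w, 600);
    printf("%s\n", names[arpwatch_observe(&w, 0xC0A800FEu, gw, 0)]);
    printf("%s\n", names[arpwatch_observe(&w, 0xC0A80036u, jup, 0)]);
    printf("%s\n", names[arpwatch_observe(&w, 0xC0A80036u, bad, 100)]);
    arpwatch_report(arpwatch_find(&w, 0xC0A80036u), buf, sizeof buf);
    fputs(buf, stdout);
    printf("%s\n", names[arpwatch_observe(&w, 0xC0A80036u, jup, 103)]);
    return 0;
}
```

A real deployment would feed arpwatch_observe() from the sender fields of captured ARP packets (libpcap on the monitoring interface) and forward EV_CHANGED_ADDRESS and EV_FLIP_FLOP to syslog or mail, as arpwatch does; repeated flip flops on a gateway address within a short window are the signal worth alerting on.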
Change of IP address / MAC address

A change of IP address does not trigger notifying the neighbours.
A change of MAC address (NETDEV_CHANGEADDR) also does not trigger notifying the neighbours; it does update the local arp table by neigh_changeaddr(). An exception to this is irlan_eth: irlan_eth_send_gratuitous_arp() (net/irda/irlan/irlan_eth.c).
Some NICs don't permit changing the MAC address while the interface is up; you get:
    SIOCSIFHWADDR: Device or resource busy
Sometimes you only need to bring the NIC down first.
Flushing the arp table

Flushing the arp table:
    ip -statistics neigh flush dev eth0
    *** Round 1, deleting 7 entries ***
    *** Flush is complete after 1 round ***

Flushing the arp table (contd.)

Specifying -statistics twice will also show which entries were deleted, their MAC addresses, etc.:
    ip -statistics -statistics neigh flush dev eth0
    192.168.0.254 lladdr 00:04:27:fd:ad:30 ref 17 used 0/0/0 REACHABLE
    *** Round 1, deleting 1 entries ***
    *** Flush is complete after 1 round ***
Flushing calls neigh_delete() in net/core/neighbour.c, which changes the state of each entry to NUD_FAILED; the entries are then reaped by garbage collection.
Neighbour states

[Figure: state diagram. neigh_alloc() creates an entry in None; from there: None -> Incomplete -> Reachable -> Stale -> Delay -> Probe, back to Reachable on confirmation, or to Failed after the probes are exhausted.]
Neighboring Subsystem: states

NUD states:
- NUD_NONE
- NUD_INCOMPLETE
- NUD_REACHABLE
- NUD_STALE
- NUD_DELAY
- NUD_PROBE
- NUD_FAILED
Neighboring Subsystem: states

From neigh_timer_handler() in net/core/neighbour.c. Is it a (latent) bug? The check itself is right, but the warning is compiled only on non-SMP kernels, so on SMP a timer firing for an entry that is not in a timer state goes unreported:

    if (!(state & NUD_IN_TIMER)) {
#ifndef CONFIG_SMP
        printk(KERN_WARNING "neigh: timer & !nud_in_timer\n");
#endif
        goto out;
    }
Neighboring Subsystem: states

Special states:
- NUD_NOARP
- NUD_PERMANENT
No state transitions are allowed from these states to another state.

NUD state combinations:
    NUD_IN_TIMER  = NUD_INCOMPLETE | NUD_REACHABLE | NUD_DELAY | NUD_PROBE
    NUD_VALID     = NUD_PERMANENT | NUD_NOARP | NUD_REACHABLE | NUD_PROBE | NUD_STALE | NUD_DELAY
    NUD_CONNECTED = NUD_PERMANENT | NUD_NOARP | NUD_REACHABLE
When removing a neighbour, we stop the timer (call del_timer()) only if the state is in NUD_IN_TIMER.
Neighbour states

A neighbour in INCOMPLETE state does not have its MAC address set yet (the ha member of neighbour). So when neigh_resolve_output() (net/core/neighbour.c) is called for a neighbour in NONE state, the state is changed to INCOMPLETE, the packet is queued on arp_queue and an ARP request is sent; if no reply arrives after the configured number of probes, the state changes to FAILED and the queued packets are dropped with an ICMP error.
When a neighbour is in STALE state it will remain in this state until one of two things occurs: a packet is sent to it, which moves it to DELAY (and then to PROBE unless an L4 confirmation arrives within delay_probe_time), or it is removed by garbage collection after gc_staletime.
When neigh_connected_output() is called, the MAC address of the neighbour is known, so we end up calling dev_queue_xmit(), which calls the hard_start_xmit() method of the NIC device driver. The hard_start_xmit() method actually puts the frame on the wire.
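As an added example, not code from the slides or from net/core/neighbour.c, the following user-space model walks one neighbour entry through the states listed above. It shows the interaction the slides describe in prose: neigh->output() queues packets (bounded by unres_qlen) and starts resolution, neigh_timer_handler() is where REACHABLE decays to STALE, DELAY turns into PROBE or back into REACHABLE, and INCOMPLETE/PROBE end in FAILED with an ICMP error per queued packet; neigh_update() on an ARP reply flushes the queue, and neigh_confirm() only stamps the entry. The tunables carry the names from /proc/sys/net/ipv4/neigh/<dev>/, but the values, the counters and the integer clock are assumptions made for this example.

```c
/* Added example, not kernel code: a user-space model of one neighbour's NUD
 * state machine, showing how neigh->output(), neigh_timer_handler(),
 * neigh_update() and neigh_confirm() interact. Time is an integer clock in
 * seconds; the tunables carry the /proc/sys/net/ipv4/neigh/<dev>/ names but
 * every value used here is an assumption made for the demonstration. */
#include <stdio.h>

enum { NUD_NONE = 0x00, NUD_INCOMPLETE = 0x01, NUD_REACHABLE = 0x02, NUD_STALE = 0x04,
       NUD_DELAY = 0x08, NUD_PROBE = 0x10, NUD_FAILED = 0x20, NUD_NOARP = 0x40,
       NUD_PERMANENT = 0x80 };
#define NUD_IN_TIMER  (NUD_INCOMPLETE | NUD_REACHABLE | NUD_DELAY | NUD_PROBE)
#define NUD_CONNECTED (NUD_PERMANENT | NUD_NOARP | NUD_REACHABLE)

struct neigh_parms {
    int unres_qlen, mcast_probes, ucast_probes;             /* counts */
    long retrans_time, delay_probe_time, reachable_time;    /* seconds */
};

struct neighbour {
    int nud_state, probes, arp_queue_len;
    long confirmed, used, timer;        /* timer < 0: not armed */
    int solicits, frames_sent, frames_dropped, host_unreachable;  /* counters instead of I/O */
    const struct neigh_parms *parms;
};

void neigh_init(struct neighbour *n, const struct neigh_parms *p) {
    *n = (struct neighbour){0};
    n->nud_state = NUD_NONE;            /* neigh_alloc() starts every entry here */
    n->timer = -1; n->parms = p;
}
static void neigh_probe(struct neighbour *n) { n->solicits++; n->probes++; }

/* Going FAILED purges arp_queue; each queued packet gets an ICMP host unreachable. */
static void neigh_fail(struct neighbour *n) {
    n->nud_state = NUD_FAILED; n->timer = -1;
    n->frames_dropped += n->arp_queue_len; n->host_unreachable += n->arp_queue_len;
    n->arp_queue_len = 0;
}

/* neigh->output(): 1 if the frame goes out now, 0 if it was queued or dropped. */
int neigh_output(struct neighbour *n, long now) {
    const struct neigh_parms *p = n->parms;
    n->used = now;
    if (n->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE)) {  /* ha is known */
        n->frames_sent++; return 1;
    }
    if (n->nud_state & NUD_STALE) {          /* send, but start verifying the address */
        n->nud_state = NUD_DELAY; n->timer = now + p->delay_probe_time;
        n->frames_sent++; return 1;
    }
    if (n->nud_state != NUD_INCOMPLETE) {    /* NUD_NONE or NUD_FAILED: start resolving */
        if (p->mcast_probes == 0) { n->frames_dropped++; neigh_fail(n); return 0; }
        n->nud_state = NUD_INCOMPLETE; n->probes = p->ucast_probes; n->timer = now;
    }
    if (n->arp_queue_len >= p->unres_qlen) n->frames_dropped++;  /* oldest queued frame is dropped */
    else n->arp_queue_len++;
    return 0;
}

/* neigh_timer_handler(): the only place a state changes without a packet. */
int neigh_timer_handler(struct neighbour *n, long now) {
    const struct neigh_parms *p = n->parms;
    long next = 0;
    if (n->timer < 0 || now < n->timer) return n->nud_state;
    if (!(n->nud_state & NUD_IN_TIMER)) { n->timer = -1; return n->nud_state; }  /* "timer & !nud_in_timer" */
    if (n->nud_state == NUD_REACHABLE) {
        if (now < n->confirmed + p->reachable_time) next = n->confirmed + p->reachable_time;
        else if (now < n->used + p->delay_probe_time) { n->nud_state = NUD_DELAY; next = n->used + p->delay_probe_time; }
        else n->nud_state = NUD_STALE;
    } else if (n->nud_state == NUD_DELAY) {
        if (now < n->confirmed + p->delay_probe_time) { n->nud_state = NUD_REACHABLE; next = n->confirmed + p->reachable_time; }
        else { n->nud_state = NUD_PROBE; n->probes = 0; next = now + p->retrans_time; }
    } else next = now + p->retrans_time;     /* INCOMPLETE or PROBE: keep soliciting */
    if ((n->nud_state & (NUD_INCOMPLETE | NUD_PROBE)) && n->probes >= p->ucast_probes + p->mcast_probes) {
        neigh_fail(n); return NUD_FAILED;
    }
    n->timer = (n->nud_state & NUD_IN_TIMER) ? next : -1;
    if (n->nud_state & (NUD_INCOMPLETE | NUD_PROBE)) neigh_probe(n);
    return n->nud_state;
}

/* neigh_update() for an ARP reply: ha learned, REACHABLE, queued frames flushed. */
void neigh_update_from_reply(struct neighbour *n, long now) {
    n->nud_state = NUD_REACHABLE; n->confirmed = now;
    n->timer = now + n->parms->reachable_time;
    n->frames_sent += n->arp_queue_len; n->arp_queue_len = 0;
}
/* neigh_confirm(), e.g. via dst_confirm() from tcp_ack(): timestamp only, no state change. */
void neigh_confirm(struct neighbour *n, long now) { n->confirmed = now; }

int main(void) {
    const struct neigh_parms parms = { 3, 3, 3, 1, 5, 30 };   /* assumed values */
    struct neighbour n; long t;
    neigh_init(&n, &parms);
    for (int i = 0; i < 5; i++) neigh_output(&n, 0);       /* 5 frames, unres_qlen=3 */
    for (t = 0; n.nud_state != NUD_FAILED; t++) neigh_timer_handler(&n, t);
    printf("no ARP reply: %d broadcasts, FAILED at t=%ld, %d dropped, %d ICMP errors\n",
           n.solicits, t - 1, n.frames_dropped, n.host_unreachable);
    return 0;
}
```

Two points the model makes visible: with unres_qlen=3, five packets sent to an unresolved host lose two immediately and the remaining three only when resolution fails, and an L4 confirmation inside delay_probe_time takes a DELAY entry straight back to REACHABLE without any ARP traffic, which is why neigh_confirm() matters even though it changes no state itself.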
IPsec

- Works at the network layer (L3).
- Used in many forms of secured networks, like VPNs.
- Mandatory in IPv6 (RFC 4294 at the time of this talk; later relaxed to a SHOULD by RFC 6434), optional in IPv4.
- Implemented in many operating systems: Linux, Solaris, Windows and more.
- In the 2.6 kernel: implemented by Dave Miller and Alexey Kuznetsov.
- Transformation bundles: a chain of dst entries; only the last one is for routing. The dst entries in the chain have a NULL neighbour member (except the last one).
IPsec (cont.)

RFC 2401 (Security Architecture for IP; obsoleted by RFC 4301).
User space tools: http://ipsec-tools.sf.net
Building VPNs: http://www.openswan.org/ (open source).
There are also non-IPsec solutions for VPN: OpenVPN uses SSL/TLS; another example is PPTP.
struct xfrm_policy has the following member: struct dst_entry *bundles.
__xfrm4_bundle_create() creates dst_entries (with the DST_NOHASH flag); see net/ipv4/xfrm4_policy.c.
Transport Mode and Tunnel Mode.
IPsec (contd.)

Show the security policies:
    ip xfrm policy show
Create RSA keys (Openswan):
    ipsec rsasigkey --verbose 2048 > keys.txt
(the generated key goes into /etc/ipsec.secrets; showhostkey reads it from there)
    ipsec showhostkey --left > left.publickey
    ipsec showhostkey --right > right.publickey
IPsec (contd.)

Example: host-to-host VPN (using Openswan), in /etc/ipsec.conf:

    conn linux-to-linux
        left=192.168.0.189
        leftnexthop=%direct
        leftrsasigkey=0sAQPPQ...
        right=192.168.0.45
        rightnexthop=%direct
        rightrsasigkey=0sAQNwb...
        type=tunnel
        auto=start
IPsec (contd.)

    service ipsec start        (to start the service)
    ipsec verify               (check your system to see if IPsec got installed and started correctly)
    ipsec auto --status
If you see "IPsec SA established", this implies success.
Look for errors in /var/log/secure (Fedora) or in the kernel syslog.
Tips for hacking

Documentation/networking/ip-sysctl.txt: networking kernel tunables.
Example of reading a hex address: iph->daddr == 0x0A00A8C0 checks whether the address is 192.168.0.10 (C0=192, A8=168, 00=0, 0A=10). This works only on a little-endian machine, because daddr is a __be32 stored in network byte order; the portable form is iph->daddr == htonl(0xC0A8000A).
A shell script for getting the hex representation of an IP address (ipToHex.sh):

    #!/bin/sh
    # print each dotted-quad component as two uppercase hex digits
    IP_ADDR=$1
    for I in $(echo ${IP_ADDR} | sed -e "s/\./ /g"); do
        printf '%02X' $I
    done
    echo

Usage example: ./ipToHex.sh 192.168.0.1 => C0A80001
Tips for hacking (contd.)

Disable ping reply:
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Disable arp: ip link set eth0 arp off (the NOARP flag will be set). ifconfig eth0 -arp has the same effect.
How can you get the Path MTU to a destination (PMTU)? Use tracepath (see man tracepath). tracepath is from iputils.
Tips for hacking (contd.)

In case you want to send a packet from a user space application through a specified device without altering any routing tables, bind the socket s to the device (SO_BINDTODEVICE requires CAP_NET_RAW):

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <net/if.h>

    struct ifreq interface;
    memset(&interface, 0, sizeof(interface));
    strncpy(interface.ifr_ifrn.ifrn_name, "eth1", IFNAMSIZ - 1);
    if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
                   (char *)&interface, sizeof(interface)) < 0) {
        perror("error setting SO_BINDTODEVICE");
        exit(1);
    }
Tips for hacking (contd.)

Keep the iphdr struct handy (printout from linux/ip.h; the ihl/version bitfield order shown is the little-endian one, the header selects it by __LITTLE_ENDIAN_BITFIELD / __BIG_ENDIAN_BITFIELD):

    struct iphdr {
        __u8    ihl:4,
                version:4;
        __u8    tos;
        __be16  tot_len;
        __be16  id;
        __be16  frag_off;
        __u8    ttl;
        __u8    protocol;
        __sum16 check;
        __be32  saddr;
        __be32  daddr;
        /* The options start here. */
    };
Tips for hacking (contd.)

NIPQUAD(): macro for printing a __be32 address in dotted-decimal form.
Printing a MAC address (from net_device):
    printk("skb->dev = %02x:%02x:%02x:%02x:%02x:%02x\n",
           skb->dev->dev_addr[0], skb->dev->dev_addr[1], skb->dev->dev_addr[2],
           skb->dev->dev_addr[3], skb->dev->dev_addr[4], skb->dev->dev_addr[5]);
Printing the IP address (primary_key) of a neighbour, byte by byte in hex:
    printk("neigh->primary_key = %02x.%02x.%02x.%02x\n",
           neigh->primary_key[0], neigh->primary_key[1],
           neigh->primary_key[2], neigh->primary_key[3]);
Or, in dotted decimal:
    printk("*** neigh->primary_key = %u.%u.%u.%u\n",
           NIPQUAD(*(u32 *)neigh->primary_key));
CONFIG_NET_DMA enables offloading TCP receive copies to a DMA engine (e.g. Intel I/OAT).
When you encounter xfrm / CONFIG_XFRM, this has to do with IPsec (transformers).
Tips for hacking (contd.)

Showing arp statistics:
    cat /proc/net/stat/arp_cache
    entries  allocs destroys hash_grows  lookups hits  res_failed  rcv_probes_mcast rcv_probes_ucast  periodic_gc_runs forced_gc_runs
periodic_gc_runs: how many times neigh_periodic_timer() was called; forced_gc_runs counts neigh_forced_gc() runs; res_failed counts resolutions that ended in the FAILED state.
Links and more info

1) Linux Network Stack Walkthrough (2.4.20):
   http://gicl.cs.drexel.edu/people/sevy/network/Linux_network_stack_walkth
2) Understanding the Linux Kernel, Second Edition, by Daniel P. Bovet and Marco Cesati, December 2002; chapter 18: networking.
   Understanding Linux Network Internals, by Christian Benvenuti, O'Reilly, first edition.
3) Linux Device Drivers, by Jonathan Corbet, Alessandro Rubini and Greg Kroah-Hartman, third edition, February 2005; chapter 17, Network Drivers.
4) Linux networking (a lot of docs about specific networking topics):
   http://linux-net.osdl.org/index.php/Main_Page
5) netdev mailing list: http://www.spinics.net/lists/netdev/
6) Removal of the multipath routing cache from the kernel code:
   http://lists.openwall.net/netdev/2007/03/12/76
   http://lwn.net/Articles/241465/
7) Linux Advanced Routing & Traffic Control: http://lartc.org/
8) ebtables, a filtering tool for bridging: http://ebtables.sourceforge.net/
9) Writing a Network Device Driver for Linux (article):
   http://app.linux.org.mt/article/writing-netdrivers?locale=en
10) Netconf, a yearly networking conference; the first was in 2004.
    http://vger.kernel.org/netconf2004.html
    http://vger.kernel.org/netconf2005.html
    http://vger.kernel.org/netconf2006.html
    Next one: Linux Conf Australia, January 2008, Melbourne.
    Participants: David S. Miller, James Morris, Rusty Russell, Jamal Hadi Salim, Stephen Hemminger, Harald Welte, Hideaki YOSHIFUJI, Herbert Xu, Thomas Graf, Robert Olsson, Arnaldo Carvalho de Melo and others.
11) Policy Routing With Linux, online book edition, by Matthew G. Marsh (Sams).
    http://www.policyrouting.org/PolicyRoutingBook/
12) TRASH: A dynamic LC-trie and hash data structure, by Robert Olsson and Stefan Nilsson, August 2006.
    http://www.csc.kth.se/~snilsson/public/papers/trash/trash.pdf
13) IPsec howto: http://www.ipsec-howto.org/t1.html
14) Openswan: Building and Integrating Virtual Private Networks, by Paul Wouters and Ken Bantoft, Packt Publishing.
    http://www.packtpub.com/book/openswan/mid/061205jqdnh2by
15) A book including chapters about LVS: The Linux Enterprise Cluster: Build a Highly Available Cluster with Commodity Hardware and Free Software, by Karl Kopper, No Starch Press.
    http://www.nostarch.com/frameset.php?startat=cluster
16) http://www.vyatta.com, open source networking.
17) Address Resolution Protocol (ARP): http://linux-ip.net/html/ether-arp.html
18) ARPwatch, a tool for monitoring incoming ARP traffic, Lawrence Berkeley National Laboratory.
    ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
19) arptables: http://ebtables.sourceforge.net/download.html
20) TCP/IP Illustrated, Volume 1: The Protocols, by W. Richard Stevens.
    http://www.informit.com/store/product.aspx?isbn=0201633469
21) Unix Network Programming, Volume 1: The Sockets Networking API (3rd edition), Addison-Wesley Professional Computing Series, by W. Richard Stevens, Bill Fenner and Andrew M. Rudoff.
Questions?

Thank you!