
Linux Kernel Networking

advanced topics:
Neighboring and IPsec
Rami Rosen
ramirose@gmail.com
Haifux, January 2008
www.haifux.org

Contents

Short rehearsal (4 slides)

Neighboring Subsystem

struct neighbour

arp

arp_bind_neighbour() method

Duplicate Address Detection (DAD)

LVS (Linux Virtual Server)

ARPD arp userspace daemon

Neighbour states

Change of IP address / MAC address

IPsec

Scope

We will not deal with multicast, with IPv6 or with wireless.

The L3 network protocol we deal with is IPv4, and the
L2 link layer protocol is Ethernet.

Neighboring Subsystem

All code in this lecture is taken from linux-2.6.24-rc4
(04 Dec 2007).

It can be obtained from
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ (and mirrors)

Short rehearsal (4 slides)

The layers that we will deal with (based on the 7-layer model) are:

Transport Layer (L4) (UDP, TCP, ...)

Network Layer (L3) (IP)

Link Layer (L2) (Ethernet)

Short rehearsal (4 slides)

The two most important data structures: sk_buff and net_device.

sk_buff:

dst is an instance of dst_entry; dst is a member of sk_buff.

The lookup in the routing subsystem constructs dst.

It decides how the packet will continue its traversal.

This is done by assigning methods to its input()/output() function pointers.

Each dst_entry has a neighbour member (with IPsec it is NULL).

When working with IPsec, the dst in fact represents a linked
list of dst_entries. Only the last one is for routing; all previous
dst_entries are for IPsec transformers.

Short rehearsal (4 slides)
net_device

net_device represents a Network Interface Card.
net_device has members like mtu, dev_addr (device MAC
address), promiscuity, name of device (eth0, eth1, lo, etc.), and
more.

An important member of net_device is flags.

You can disable ARP on a NIC by setting the IFF_NOARP flag:

ifconfig eth0 -arp

ifconfig eth0 will then show:

UP BROADCAST RUNNING NOARP MULTICAST ...

Enabling ARP again is done by: ifconfig eth0 arp.

Short rehearsal (4 slides)

ip_route_input() method: performs a lookup in the routing
subsystem for each incoming packet. Looks first in the
routing cache; in case there is a cache miss, looks into the
routing table and inserts an entry into the routing cache. Calls
arp_bind_neighbour() for UNICAST routes only. Returns 0
upon success.

dev_queue_xmit(struct sk_buff *skb) is called to transmit
the packet when it is ready (has an L2 destination address)
(net/core/dev.c).

dev_queue_xmit() passes the packet to the NIC device driver
for transmission using the device driver's hard_start_xmit()
method.

Neighboring Subsystem

Goals: what is the neighboring subsystem for?

"The world is a jungle in general, and the networking game
contributes many animals." (from RFC 826, ARP, 1982)

In IPv4 it is implemented by ARP; in IPv6 by ND, Neighbour Discovery.

The Ethernet header is 14 bytes long:

Source MAC address and destination MAC address, 6 bytes each.

Type (2 bytes). For example (include/linux/if_ether.h):

0x0800 is the type for an IP packet (ETH_P_IP)

0x0806 is the type for an ARP packet (ETH_P_ARP)

0x8035 is the type for a RARP packet (ETH_P_RARP)

Neighboring Subsystem: struct neighbour

neighbour (an instance of struct neighbour) is pointed to by dst,
which is in turn pointed to by sk_buff:

[Figure: sk_buff -> dst -> neighbour (ha, primary_key, ...)]

Neighboring Subsystem: struct neighbour

Implementation: important data structures

struct neighbour (include/net/neighbour.h)

ha: the hardware address (MAC address when dealing with
Ethernet) of the neighbour. This field is filled when an ARP
response arrives.

primary_key: the IP address (L3) of the neighbour.

Lookup in the ARP table is done with the primary_key.

nud_state represents the Neighbour Unreachability Detection (NUD)
state of the neighbour (for example, NUD_REACHABLE).

Neighboring Subsystem: struct neighbour (cont'd)

A neighbour can change its state to NUD_REACHABLE in
one of three ways:
L4 confirmation.
Receiving an ARP reply for the first time, or receiving an ARP reply
in response to an ARP request when in NUD_PROBE state.
Confirmation can also be done by issuing a sysadmin
command (but it is rare).

Neighboring Subsystem: struct neighbour (cont'd)

int (*output)(struct sk_buff *skb);

output() can be assigned different methods according to the
state of the neighbour. For example, neigh_resolve_output()
and neigh_connected_output(). Initially (in neigh_alloc()) it is
neigh_blackhole().

When the state changes, the output function may also be
assigned to a different function.

refcnt: incremented by neigh_hold(); decremented by
neigh_release(). We don't free a neighbour when the refcnt
is higher than 1; instead, we set dead (a member of neighbour)
to 1.

Neighboring Subsystem: struct neighbour (cont'd)

timer (the callback method is neigh_timer_handler()).

struct hh_cache *hh (defined in include/linux/netdevice.h): the cached L2 header.

confirmed: confirmation timestamp.

Confirmation can be done from L4 (transport layer).

For example, dst_confirm() calls neigh_confirm().

dst_confirm() is called from tcp_ack() (net/ipv4/tcp_input.c)
and by udp_sendmsg() (net/ipv4/udp.c) and more.

neigh_confirm() does NOT change the state; that is the job
of neigh_timer_handler().

Neighboring Subsystem: struct neighbour (cont'd)

dev (the net_device from which we send packets to the neighbour).

struct neigh_parms *parms;

parms includes mostly timer tunables, the net structure (network
namespaces), etc.

Network namespaces enable multiple instances of the network
stack towards user space.

A network device belongs to exactly one network namespace.

Set CONFIG_NET_NS when building the kernel.

Neighboring Subsystem: struct neighbour (cont'd)

arp_queue

Every neighbour has a small ARP queue of its own (packets waiting
for the address resolution to complete).

There can be only 3 elements by default in an arp_queue.

This is configurable: /proc/sys/net/ipv4/neigh/default/unres_qlen

struct neigh_table

struct neigh_table represents a neighboring table
(include/net/neighbour.h).

The ARP table (arp_tbl) is a neigh_table (include/net/arp.h).

In IPv6, nd_tbl (the Neighbor Discovery table) is a neigh_table
as well (include/net/ndisc.h).

There are also dn_neigh_table (DECnet)
(net/decnet/dn_neigh.c) and clip_tbl (for ATM) (net/atm/clip.c).

gc_timer: neigh_periodic_timer() is the callback for garbage
collection.

neigh_periodic_timer() deletes FAILED entries from the ARP
table.

Neighboring Subsystem: arp

When there is no entry in the ARP cache for the destination IP
address of a packet, a broadcast is sent (ARP request,
ARPOP_REQUEST: "who has IP address x.y.z..."). This is done by
a method called arp_solicit() (net/ipv4/arp.c).

In IPv6, the parallel mechanism is called ND (Neighbor
Discovery) and is implemented as part of ICMPv6.

A multicast is sent in IPv6 (and not a broadcast).

If there is no answer in time to this ARP request, then we will end up
sending back an ICMP error (Destination Host Unreachable).
This is done by arp_error_report(), which indirectly calls
ipv4_link_failure(); see net/ipv4/route.c.

[Figure: ARP table. The neighbour entries are chained through their next
pointer; each neighbour holds ha (the MAC address) and hh, a pointer to an
hh_cache whose hh_data is a ready-made Ethernet header: SA, DA, TYPE.]

Neighboring Subsystem: arp

You can see the contents of the ARP table by running:

cat /proc/net/arp, or by running arp from the command line.

ip neigh show is the new method to show the ARP table (from iproute2).
You can delete and add entries to the ARP table; see man arp / man ip.
When using ip neigh add you can specify the state of the entry
which you are adding (like permanent, stale, reachable, etc.).

Neighboring Subsystem: arp table

The arp command does not show reachability states except the
incomplete state and the permanent state:
Permanent entries are marked with M in Flags (C = complete):
Example: arp output

Address      HWtype  HWaddress          Flags Mask  Iface
10.0.0.2             (incomplete)                   eth0
10.0.0.3     ether   00:01:02:03:04:05  CM          eth0
10.0.0.138   ether   00:20:8F:0C:68:03  C           eth0

Neighboring Subsystem: ip neigh show

We can see the current neighbour states:

Example:

ip neigh show

192.168.0.254 dev eth0 lladdr 00:03:27:f1:a1:31 REACHABLE
192.168.0.152 dev eth0 lladdr 00:00:00:cc:bb:aa STALE
192.168.0.121 dev eth0 lladdr 00:10:18:1b:1c:14 PERMANENT
192.168.0.54 dev eth0 lladdr aa:ab:ac:ad:ae:af STALE
192.168.0.98 dev eth0 INCOMPLETE

Neighboring Subsystem: arp

arp_process() handles both ARP requests and ARP responses
(net/ipv4/arp.c).

If the target IP (tip) address in the ARP header is a loopback
or multicast address, then arp_process() drops it, since loopback
does not need ARP:

    ...
    if (LOOPBACK(tip) || MULTICAST(tip))
        goto out;
    ...
out:
    ...
    kfree_skb(skb);
    return 0;

Neighboring Subsystem: arp
(see: #define LOOPBACK(x) (((x) & htonl(0xff000000)) == htonl(0x7f000000)) in
linux/in.h)

If it is an ARP request (ARPOP_REQUEST)
we call ip_route_input().

Why?

In case it is for us (RTN_LOCAL) we send an ARP reply:

arp_send(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip, sha, dev->dev_addr, sha);

We also update our ARP table with the sender entry (IP/MAC).

Special case: ARP proxy server.

Neighboring Subsystem: arp

In case we receive an ARP reply (ARPOP_REPLY):

We perform a lookup in the ARP table (by calling
__neigh_lookup()).

If we find an entry, we update the ARP table by
neigh_update().

Neighboring Subsystem: arp

If there is no entry and there is NO support for unsolicited ARP, we
don't create an entry in the ARP table. Leaving it that way is the
safer default: with unsolicited ARP accepted, any host on the LAN can
plant entries in our cache with a reply nobody asked for.

Support for unsolicited ARP is enabled by
setting /proc/sys/net/ipv4/conf/all/arp_accept to 1.

The corresponding macro is:
IPV4_DEVCONF_ALL(ARP_ACCEPT)

In older kernels, support for unsolicited ARP was done by:

CONFIG_IP_ACCEPT_UNSOLICITED_ARP

Neighboring Subsystem: lookup

Lookup in the neighboring subsystem is done via neigh_lookup().

Parameters:

neigh_table (arp_tbl)

pkey (IP address, the primary_key of the neighbour struct)

dev (net_device)

There are 2 wrappers:

__neigh_lookup()

just one more parameter: creat (a flag: whether to create a neighbour
by neigh_create() or not)

and __neigh_lookup_errno()

Neighboring Subsystem: static entries

Adding a static entry is done by: arp -s ipAddress MacAddress

Alternatively, this can be done by:

ip neigh add ipAddress dev eth0 lladdr MacAddress nud permanent

The state (nud_state) of this entry will be NUD_PERMANENT.

ip neigh show will show it as PERMANENT.

Why do we need PERMANENT entries? A permanent entry is never
probed, never expires and is not overwritten by incoming ARP
replies (neigh_update() leaves PERMANENT and NOARP entries alone
unless the change is administrative), so it pins the IP/MAC binding
of a critical host such as the default gateway against ARP spoofing
on the LAN.

arp_bind_neighbour() method

Suppose we are sending a packet to a host for the first time.

A dst_entry is added to the routing cache by rt_intern_hash().

We should know the L2 address of that host.

rt_intern_hash() calls arp_bind_neighbour(),
only for RTN_UNICAST (not for multicast/broadcast).

arp_bind_neighbour(): net/ipv4/arp.c

dst->neighbour == NULL, so it calls __neigh_lookup_errno().

There is no such entry in the ARP table.

So we will create a neighbour with neigh_create() and add
it to the ARP table.

arp_bind_neighbour() method

neigh_create() creates a neighbour in NUD_NONE state.

Setting nud_state to NUD_NONE is done in neigh_alloc().

Neighboring Subsystem: IFF_NOARP flag

Disabling and enabling ARP:

ifconfig eth1 -arp

You will now see the NOARP flag in ifconfig -a.

ifconfig eth1 arp (to enable ARP on the device).

In fact, this sets (or clears) the IFF_NOARP flag of net_device.

There are cases where the interface has the IFF_NOARP flag
by default (for example, the ppp interface;
see ppp_setup() in drivers/net/ppp_generic.c).

Changing IP address

Suppose we try to set eth1 to an IP address of a different
machine on the LAN:

First, we will set an IP for eth1 (in FC8, for example) in

/etc/sysconfig/network-scripts/ifcfg-eth1

...
IPADDR=192.168.0.122
...
and then run:

ifup eth1

Changing IP address (cont'd)

We will get:

Error, some other host already uses address
192.168.0.122.

But:

ifconfig eth0 192.168.0.122

works OK!

Why is it so?

ifup is from the initscripts package; before assigning the address
it runs an ARP-based duplicate address check (arping in DAD mode,
next slide). ifconfig just sets the address, and the kernel itself
does no such check for IPv4.

Duplicate Address Detection (DAD)

Duplicate Address Detection mode (DAD):

arping -I eth0 -D 192.168.0.10

sends a broadcast ARP request whose sender IP address
is 0.0.0.0.

0.0.0.0 is not a valid IP address (for example, you cannot
set an IP address to 0.0.0.0 with ifconfig).

The MAC address of the sender is the real one.

The -D flag is for Duplicate Address Detection mode.

Duplicate Address Detection (cont'd)
Code (from arp_process(); see net/ipv4/arp.c):

    /* Special case: IPv4 duplicate address detection packet (RFC2131) */
    if (sip == 0) {
        if (arp->ar_op == htons(ARPOP_REQUEST) &&
            inet_addr_type(tip) == RTN_LOCAL &&
            !arp_ignore(in_dev, dev, sip, tip))
            arp_send(ARPOP_REPLY, ETH_P_ARP, tip, dev, tip, sha,
                     dev->dev_addr, dev->dev_addr);
        goto out;
    }
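The decisions arp_process() makes on one frame, collected into an added user-space example (this is not kernel code and not from the slides): the loopback/multicast drop, the sip == 0 DAD probe above, replies to requests for local addresses, the "update our ARP tables" step, and the arp_ignore and arp_accept sysctls. The struct arp_pkt, struct host_cfg, arp_parse(), arp_decide() and run_case() names, the ARP_*/LEARN_* verdict codes and the two host addresses (192.168.0.151 on the receiving NIC, 192.168.0.152 on another NIC) are assumptions of this example; the 28-byte Ethernet/IPv4 ARP body it parses is the RFC 826 layout.

```c
/* Added example, not kernel code: a user-space model of the verdicts arp_process()
 * reaches for one ARP frame, as described in the slides: loopback/multicast targets,
 * the sip == 0 DAD probe, requests for local addresses, the table update and the
 * arp_ignore / arp_accept sysctls. struct arp_pkt, struct host_cfg, arp_parse(),
 * arp_decide(), run_case(), the ARP_* / LEARN_* codes and the two addresses are this
 * example's own; the 28-byte Ethernet/IPv4 ARP body layout is RFC 826. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARPOP_REQUEST 1
#define ARPOP_REPLY   2
#define IP4(a, b, c, d) htonl(((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

enum verdict { ARP_DROP = 0, ARP_DAD_REPLY, ARP_REPLY, ARP_NO_REPLY };
enum learn   { LEARN_NONE = 0, LEARN_UPDATE, LEARN_CREATE };

struct arp_pkt { uint16_t op; uint8_t sha[6]; uint32_t sip; uint8_t tha[6]; uint32_t tip; };
struct host_cfg {
    uint32_t dev_ip;     /* address configured on the receiving NIC (network order) */
    uint32_t other_ip;   /* address on another NIC of the same host, 0 if none */
    int arp_ignore;      /* conf/<dev>/arp_ignore: 0 any local address, 1 only dev_ip */
    int arp_accept;      /* conf/all/arp_accept: create entries from unsolicited replies */
    int sender_known;    /* __neigh_lookup(&arp_tbl, &sip, dev, 0) would find an entry */
};

/* Parse the 28-byte Ethernet/IPv4 ARP body; addresses stay in network order. */
int arp_parse(const uint8_t *b, size_t len, struct arp_pkt *p)
{
    if (len < 28 || b[0] != 0 || b[1] != 1 || b[2] != 0x08 || b[3] != 0x00 ||
        b[4] != 6 || b[5] != 4)
        return -1;                            /* not Ethernet/IPv4 ARP */
    p->op = (uint16_t)((b[6] << 8) | b[7]);
    memcpy(p->sha, b + 8, 6);  memcpy(&p->sip, b + 14, 4);
    memcpy(p->tha, b + 18, 6); memcpy(&p->tip, b + 24, 4);
    return 0;
}

static int is_loopback(uint32_t a)  { return (a & htonl(0xff000000)) == htonl(0x7f000000); }
static int is_multicast(uint32_t a) { return (a & htonl(0xf0000000)) == htonl(0xe0000000); }
static int is_local(const struct host_cfg *c, uint32_t a)
{
    return a == c->dev_ip || (c->other_ip != 0 && a == c->other_ip);
}
/* arp_ignore mode 1 (the LVS/DR fix later in the slides): answer only when the
 * target address is configured on the interface the request arrived on. */
static int ignored(const struct host_cfg *c, uint32_t tip)
{
    return c->arp_ignore == 1 && tip != c->dev_ip;
}

enum verdict arp_decide(const struct arp_pkt *p, const struct host_cfg *c, enum learn *learn)
{
    *learn = LEARN_NONE;
    if (is_loopback(p->tip) || is_multicast(p->tip))
        return ARP_DROP;
    if (p->sip == 0) {                        /* RFC 2131 DAD probe: never learned */
        if (p->op == ARPOP_REQUEST && is_local(c, p->tip) && !ignored(c, p->tip))
            return ARP_DAD_REPLY;
        return ARP_DROP;
    }
    if (p->op == ARPOP_REQUEST && is_local(c, p->tip)) {
        /* neigh_event_ns() records the sender (creating it if new) before
         * arp_ignore decides whether a reply goes out */
        *learn = c->sender_known ? LEARN_UPDATE : LEARN_CREATE;
        return ignored(c, p->tip) ? ARP_NO_REPLY : ARP_REPLY;
    }
    /* "Update our ARP tables": an existing entry is refreshed by any request or
     * reply from that sender; a reply from an unknown sender creates an entry
     * only when arp_accept is set (and sip is a unicast address) */
    if (c->sender_known)
        *learn = LEARN_UPDATE;
    else if (p->op == ARPOP_REPLY && c->arp_accept)
        *learn = LEARN_CREATE;
    return ARP_NO_REPLY;
}

/* Build one constructed ARP body, run it through parse + decide and return
 * verdict * 10 + learn so one call summarises the outcome (-1: parse error).
 * The host owns 192.168.0.151 on the receiving NIC and 192.168.0.152 on another. */
int run_case(uint16_t op, uint32_t sip, uint32_t tip, int arp_ignore, int arp_accept, int sender_known)
{
    uint8_t body[28] = { 0, 1, 0x08, 0x00, 6, 4, (uint8_t)(op >> 8), (uint8_t)op };
    const uint8_t sha[6] = { 0x00, 0x16, 0x3e, 0x3f, 0x6e, 0x5d };   /* constructed */
    memcpy(body + 8, sha, 6);  memcpy(body + 14, &sip, 4);
    memset(body + 18, 0, 6);   memcpy(body + 24, &tip, 4);

    struct host_cfg c = { IP4(192, 168, 0, 151), IP4(192, 168, 0, 152),
                          arp_ignore, arp_accept, sender_known };
    struct arp_pkt p;
    enum learn l;
    if (arp_parse(body, sizeof body, &p) != 0)
        return -1;
    return (int)arp_decide(&p, &c, &l) * 10 + (int)l;
}
```

Two things worth noticing when running it: a request for the address on the other NIC is answered unless arp_ignore is 1 (the "ARP flux" the LVS slides fix with that sysctl), and a reply from a sender we never asked about changes nothing unless arp_accept is set.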

Neighboring Subsystem: Garbage Collection

Garbage Collection

neigh_periodic_timer()

neigh_timer_handler()

neigh_periodic_timer() removes entries which are in
NUD_FAILED state. This is done by setting dead to 1 and
calling neigh_release(). The refcnt must be 1 to ensure no one
else uses this neighbour. Expired entries (not used for longer than
gc_staletime) are removed as well.

NUD_FAILED entries don't have a MAC address; see the ip neigh
show example above.

Neighboring Subsystem: Forced Garbage Collection

neigh_forced_gc() performs synchronous garbage collection.
It is called from neigh_alloc() when the number of entries
in the ARP table exceeds a (configurable) limit.
This limit is configurable (gc_thresh2, gc_thresh3):
/proc/sys/net/ipv4/neigh/default/gc_thresh2
/proc/sys/net/ipv4/neigh/default/gc_thresh3

The default for gc_thresh3 is 1024.

Candidates for cleanup: entries whose reference
count is 1 and whose state is NOT permanent.

Neighboring Subsystem: Garbage Collection

Timer-driven changes of the neighbour state are done in
neigh_timer_handler() (neigh_update() changes the state as well,
when an ARP reply arrives).

LVS (Linux Virtual Server)

http://www.linuxvirtualserver.org/

Integrated into the Linux kernel (in the 2.4 kernel it was a patch).

Located in net/ipv4/ipvs in the kernel tree. No IPv6 support.

LVS has ten scheduling algorithms (rr, wrr, lc, wlc, lblc, lblcr,
dh, sh, sed, nq).

LVS/DR is LVS with direct routing (a load balancing solution).

ipvsadm is the userspace management tool (available in
most distros).
Direct Routing is the packet forwarding method:

-g, --gatewaying => Use gatewaying (direct routing);
see man ipvsadm.

LVS/DR
Example: 3 Real Servers and the Director all have the same
Virtual IP (VIP).

[Figure: clients -> Linux Director (VIP) -> Real Server 1, Real Server 2,
Real Server 3, each also configured with the VIP]

LVS and ARP

There is an ARP problem in this configuration.
When you send an ARP broadcast, and the receiving
machine has two or more NICs, each of them responds to
this ARP request: Linux answers for any of its local addresses,
on any interface. In LVS/DR the real servers carry the VIP too,
so they would answer ARP for it instead of the director.

Example: a machine with two NICs;

eth0 is 192.168.0.151 and eth1 is 192.168.0.152.

LVS and ARP example:

LVS and ARP

Solutions

1) Set arp_ignore to 1 (answer only if the target IP address is
configured on the interface the request arrived on):

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

echo 1 > /proc/sys/net/ipv4/conf/eth1/arp_ignore

2) Use arptables.

There are 3 hook points in the ARP walkthrough
(include/linux/netfilter_arp.h):

NF_ARP_IN (in arp_rcv(), net/ipv4/arp.c)

NF_ARP_OUT (in arp_xmit(), net/ipv4/arp.c)

NF_ARP_FORWARD (in br_nf_forward_arp(),
net/bridge/br_netfilter.c)

LVS and ARP

http://ebtables.sourceforge.net/download.html

ebtables is in fact the parallel of netfilter (iptables), but at L2.

LVS example (ipvsadm)

An example for setting up LVS/DR on TCP port 80 with three
real servers:

ipvsadm -C                                      // clear the LVS table

ipvsadm -A -t DirectorIPAddress:80

ipvsadm -a -t DirectorIPAddress:80 -r RealServer1 -g

ipvsadm -a -t DirectorIPAddress:80 -r RealServer2 -g

ipvsadm -a -t DirectorIPAddress:80 -r RealServer3 -g

This example deals with TCP connections (for UDP
connections we should use -u instead of -t in the last 3 lines).

LVS example:

ipvsadm -L -n                                   // list the LVS table

/proc/sys/net/ipv4/ip_forward should be set to 1.

In this example, packets sent to the VIP will be sent to the load
balancer; it will delegate them to the real server according
to its scheduler. The destination MAC address in the L2 header will be
the MAC address of the real server to which the packet will
be sent. The destination IP in the IP header will remain the VIP.

This is done with the NF_IP_LOCAL_IN netfilter hook.

ARPD arp userspace daemon

ARPD is a userspace daemon; it can be used if we want to
remove some work from the kernel.

The userspace daemon is part of iproute2 (misc/arpd.c).

ARPD has support for negative entries and for dead hosts.

The kernel ARP code does NOT support these types of
entries!

The kernel by default is not compiled with ARPD support; we
should set CONFIG_ARPD for using it:
Networking Support -> Networking Options -> IP: ARP daemon
support (it is considered Experimental).

See /usr/share/doc/iproute-2.6.22/arpd.ps (Alexey Kuznetsov).

ARPD

We should also set app_probes to a value greater than 0 by
setting

/proc/sys/net/ipv4/neigh/eth0/app_solicit

This can also be done by the -a (active_probes) parameter of arpd.

The value of this parameter tells how many ARP requests to
send before that neighbour is considered dead.

The -k parameter tells the kernel not to send ARP broadcasts; in
such a case, the arpd daemon is not only listening to ARP requests,
but also sends ARP broadcasts.
We can tune kernel parameters as we like; in fact, we can tune it
so that ARP requests will be sent only from the daemon and not
from the kernel at all.

ARPD

Activation:

arpd -a 1 -k eth0 &

On some distros, you will get the error "db_open: No such file
or directory" unless you first run mkdir /var/lib/arpd/
(for the arpd.db file).
Pay attention: you can start the arpd daemon when there is no
support in the kernel (CONFIG_ARPD is not set).
In this case, ARP packets are still caught by the arpd daemon
(get_arp_pkt(), misc/arpd.c),
but you don't get messages from the kernel: its kernel-message
handler is never called.

ARPD

Tip: to check if CONFIG_ARPD is set, simply see if there are
any results from

cat /proc/kallsyms | grep neigh_app

MAC addresses

MAC address (Media Access Control)

According to the specs, a MAC address should be unique.

The 3 first bytes (the OUI) identify the hardware manufacturer of the card.

Allocated by the IEEE.

There are exceptions to this rule (locally administered addresses,
virtual NICs), and the address can be set by software, so a MAC
address must not be trusted as an identity.

Example ("Technion (?)" in the original; 00:16:3E is the OUI
registered to XenSource and used for Xen virtual interfaces):

Ethernet HWaddr 00:16:3E:3F:6E:5D

ARPwatch (detect ARP cache poisoning)

Arpwatch is an open source tool; it helps to detect such attacks.

Activation: arpwatch -d -i eth0 (output to stderr)

A change of MAC address can be the result of a security
attack (ARP cache poisoning, ARP spoofing).

Arpwatch keeps a table of IP/MAC addresses and senses
when there is a change.
-d is for redirecting the log to stderr (no syslog, no mail).
In case someone changed a MAC address on the same
network, you will get a message like this:

ARPwatch Example
From: root (Arpwatch)
To: root
Subject: changed ethernet address (jupiter)
hostname: jupiter
ip address: 192.168.0.54
ethernet address: aa:bb:cc:dd:ee:ff
ethernet vendor: <unknown>
old ethernet address: 0:20:18:61:e5:e0
old ethernet vendor: ...
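The check behind that message, as an added example (this is not arpwatch's code and not from the slides): a table keyed by IP remembers the last MAC seen for each host, and a later sighting with a different MAC is reported as a changed ethernet address, or as a flip flop when the host returns to its previous one. It is fed constructed "ip neigh show" lines instead of live ARP frames; struct neigh_db, neigh_db_observe(), watch(), the CHANGE_* codes and the sample lines are assumptions of this example.

```c
/* Added example, not arpwatch's code: the check at the heart of arpwatch,
 * run over constructed "ip neigh show" lines instead of live ARP traffic.
 * A table keyed by IP keeps the last MAC seen for each host; a later
 * sighting with a different MAC is reported as a changed ethernet address
 * (a flip flop when it returns to the previous one), the symptom of ARP
 * cache poisoning. struct neigh_db, neigh_db_observe(), watch(), the
 * CHANGE_* codes and the sample lines are this example's own. */
#include <stdio.h>
#include <string.h>

#define DB_MAX 64
enum change { CHANGE_NONE = 0, CHANGE_NEW, CHANGE_MAC, CHANGE_FLIPFLOP, CHANGE_SKIPPED };

struct neigh_rec { char ip[16]; char mac[18]; char old_mac[18]; };
struct neigh_db  { struct neigh_rec rec[DB_MAX]; int n; };

/* Parse "<ip> dev <ifname> lladdr <mac> <STATE>". Lines without an lladdr
 * (INCOMPLETE, FAILED) carry no binding to check and are skipped. */
static int parse_line(const char *line, char ip[16], char mac[18])
{
    char dev[16];
    if (sscanf(line, "%15s dev %15s lladdr %17s", ip, dev, mac) != 3)
        return 0;
    return strlen(mac) == 17;                 /* xx:xx:xx:xx:xx:xx */
}

/* Feed one line into the table; returns what changed for that IP. */
enum change neigh_db_observe(struct neigh_db *db, const char *line)
{
    char ip[16], mac[18];
    if (!parse_line(line, ip, mac))
        return CHANGE_SKIPPED;
    for (int i = 0; i < db->n; i++) {
        struct neigh_rec *r = &db->rec[i];
        if (strcmp(r->ip, ip) != 0)
            continue;
        if (strcmp(r->mac, mac) == 0)
            return CHANGE_NONE;               /* same binding as before */
        enum change c = strcmp(r->old_mac, mac) == 0 ? CHANGE_FLIPFLOP : CHANGE_MAC;
        strcpy(r->old_mac, r->mac);           /* remember what it was */
        strcpy(r->mac, mac);
        return c;
    }
    if (db->n == DB_MAX)
        return CHANGE_SKIPPED;                /* table full: arpwatch would log it */
    struct neigh_rec *r = &db->rec[db->n++];
    strcpy(r->ip, ip);
    strcpy(r->mac, mac);
    r->old_mac[0] = '\0';
    return CHANGE_NEW;
}

static struct neigh_db watch_db;              /* one table for the demo below */
enum change watch(const char *line) { return neigh_db_observe(&watch_db, line); }

/* Constructed snapshots, modelled on the ip neigh show output in the slides;
 * the last line shows 192.168.0.54 answering from a new MAC. */
static const char *const snapshots[] = {
    "192.168.0.254 dev eth0 lladdr 00:03:27:f1:a1:31 REACHABLE",
    "192.168.0.54 dev eth0 lladdr 00:20:18:61:e5:e0 STALE",
    "192.168.0.98 dev eth0 INCOMPLETE",
    "192.168.0.254 dev eth0 lladdr 00:03:27:f1:a1:31 REACHABLE",
    "192.168.0.54 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE",
};

int main(void)
{
    static const char *const names[] = { "none", "new station", "changed ethernet address",
                                         "flip flop", "skipped" };
    for (size_t i = 0; i < sizeof snapshots / sizeof snapshots[0]; i++)
        printf("%-60s %s\n", snapshots[i], names[watch(snapshots[i])]);
    return 0;
}
```

Like arpwatch, the table only tells you that a binding changed, not why: a legitimate NIC swap and a poisoning attack look the same here, which is why the old address is kept and reported.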

Change of IP address / MAC address

A change of IP address does not trigger notifying the
neighbours.
A change of MAC address (NETDEV_CHANGEADDR) also does
not trigger notifying the neighbours.
It does update the local ARP table by neigh_changeaddr().

An exception to this is irlan_eth:
irlan_eth_send_gratuitous_arp()
(net/irda/irlan/irlan_eth.c)

Some NICs don't permit changing the MAC address; you get:
SIOCSIFHWADDR: Device or resource busy

Sometimes you only need to bring the NIC down first.

Flushing the ARP table

Flushing the ARP table:

ip -statistics neigh flush dev eth0

*** Round 1, deleting 7 entries ***

*** Flush is complete after 1 round ***

Flushing the ARP table (cont'd)

Specifying -statistics twice will also show which entries were
deleted, their MAC addresses, etc.:
ip -statistics -statistics neigh flush dev eth0
192.168.0.254 lladdr 00:04:27:fd:ad:30 ref 17 used 0/0/0
REACHABLE

*** Round 1, deleting 1 entries ***

*** Flush is complete after 1 round ***

This calls neigh_delete() in net/core/neighbour.c,
which changes the state to NUD_FAILED.

Neighbour states

[Figure: neighbour state diagram. neigh_alloc() creates the entry in None;
None -> Incomplete -> Reachable -> Stale -> Delay -> Probe]

Neighboring Subsystem: states

NUD states

NUD_NONE

NUD_REACHABLE

NUD_STALE

NUD_DELAY

NUD_PROBE

NUD_FAILED

NUD_INCOMPLETE

Neighboring Subsystem: states

From neigh_timer_handler() in net/core/neighbour.c:

Is it a (latent) bug?

    if (!(state & NUD_IN_TIMER)) {
    #ifndef CONFIG_SMP
        printk(KERN_WARNING "neigh: timer & !nud_in_timer\n");
    #endif
        goto out;
    }

Neighboring Subsystem: states

Special states:

NUD_NOARP

NUD_PERMANENT

No state transitions are allowed from these states to another
state.

Neighboring Subsystem: states

NUD state combinations:
NUD_IN_TIMER (NUD_INCOMPLETE | NUD_REACHABLE | NUD_DELAY | NUD_PROBE)

When removing a neighbour, we stop the timer (call
del_timer()) only if the state is in NUD_IN_TIMER.

NUD_VALID (NUD_PERMANENT | NUD_NOARP | NUD_REACHABLE | NUD_PROBE | NUD_STALE | NUD_DELAY)
NUD_CONNECTED (NUD_PERMANENT | NUD_NOARP | NUD_REACHABLE)

Neighbour states

neigh_resolve_output() and neigh_connected_output()
(net/core/neighbour.c).

When a neighbour is in STALE state it will remain in this
state until one of the two occurs: a packet is sent to this neighbour
(it then moves to DELAY, and the packet goes out with the cached
MAC address), or the entry is garbage collected.

A neighbour in INCOMPLETE state does not have a MAC address
set yet (the ha member of neighbour).
So when neigh_resolve_output() is called for a new neighbour, the
neighbour state is changed to INCOMPLETE and ARP requests are sent;
if they go unanswered, its state changes to FAILED.

Neighbour states

When neigh_connected_output() is called, the MAC address of the
neighbour is known; so we end up calling dev_queue_xmit(),
which calls the hard_start_xmit() method of the NIC device driver.

The hard_start_xmit() method actually puts the frame on the wire.
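The state machine of the last few slides, as an added user-space model (this is not kernel code and not from the slides): __neigh_event_send() deciding what happens to a packet handed to a neighbour in each state, neigh_timer_handler() driving REACHABLE -> DELAY/STALE -> PROBE -> FAILED, the arp_queue limit (unres_qlen), and the neigh_forced_gc() candidate test. The NUD_* values and the NUD_IN_TIMER / NUD_CONNECTED masks are the kernel's; struct nud_parms, struct nud_neigh, nud_send(), nud_timer(), nud_gc_candidate(), the scenario_* helpers and the use of plain seconds instead of jiffies are assumptions of this example.

```c
/* Added example, not kernel code: a user-space model of the NUD state machine
 * the slides describe (net/core/neighbour.c, 2.6.24). The NUD_* values and the
 * NUD_IN_TIMER / NUD_CONNECTED masks are the kernel's (include/linux/neighbour.h);
 * struct nud_parms, struct nud_neigh, nud_send(), nud_timer(), nud_gc_candidate(),
 * the scenario_* helpers and plain seconds instead of jiffies are this example's own. */
enum { NUD_NONE = 0x00, NUD_INCOMPLETE = 0x01, NUD_REACHABLE = 0x02, NUD_STALE = 0x04,
       NUD_DELAY = 0x08, NUD_PROBE = 0x10, NUD_FAILED = 0x20, NUD_NOARP = 0x40, NUD_PERMANENT = 0x80 };
#define NUD_IN_TIMER  (NUD_INCOMPLETE | NUD_REACHABLE | NUD_DELAY | NUD_PROBE)
#define NUD_CONNECTED (NUD_PERMANENT | NUD_NOARP | NUD_REACHABLE)
enum send_rc { SEND_NOW, SEND_QUEUED, SEND_FAILED };

struct nud_parms {  /* the neigh_parms tunables named in the slides, in seconds */
    unsigned reachable_time, delay_probe_time, mcast_probes, ucast_probes, app_probes, queue_len;
};
struct nud_neigh {  /* nud_state, confirmed/used timestamps, probes sent, arp_queue, refcnt */
    unsigned state, confirmed, used, probes, queued, dropped, refcnt;
};
/* kernel defaults: 30s reachable_time, 5s delay_probe_time, 3 mcast, 3 ucast, 0 app, unres_qlen 3 */
static const struct nud_parms defaults = { 30, 5, 3, 3, 0, 3 };

/* __neigh_event_send(): a packet is handed to the neighbour at time now. */
enum send_rc nud_send(struct nud_neigh *n, const struct nud_parms *p, unsigned now)
{
    n->used = now;
    if (n->state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
        return SEND_NOW;                         /* MAC known: transmit directly */
    if (!(n->state & (NUD_STALE | NUD_INCOMPLETE))) {         /* NONE or FAILED */
        if (p->mcast_probes + p->app_probes == 0) {
            n->state = NUD_FAILED;               /* nobody would solicit: fail at once */
            return SEND_FAILED;
        }
        n->state = NUD_INCOMPLETE;               /* the timer will call arp_solicit() */
        n->probes = p->ucast_probes;
    } else if (n->state & NUD_STALE) {
        n->state = NUD_DELAY;                    /* cached MAC is used; L4 gets delay_probe_time to confirm */
    }
    if (n->state != NUD_INCOMPLETE)
        return SEND_NOW;
    if (n->queued >= p->queue_len) n->dropped++; /* arp_queue full (unres_qlen): oldest skb freed */
    else n->queued++;
    return SEND_QUEUED;
}

/* neigh_timer_handler(): one timer expiry at time now. Returns 1 when the entry
 * moves to NUD_FAILED (its queued packets then get arp_error_report()). */
int nud_timer(struct nud_neigh *n, const struct nud_parms *p, unsigned now)
{
    if (!(n->state & NUD_IN_TIMER))
        return 0;                                /* PERMANENT, NOARP, STALE, FAILED, NONE: no timer */
    if (n->state & NUD_REACHABLE) {
        if (now > n->confirmed + p->reachable_time)   /* confirmation expired */
            n->state = (now <= n->used + p->delay_probe_time) ? NUD_DELAY : NUD_STALE;
    } else if (n->state & NUD_DELAY) {
        int confirmed = now <= n->confirmed + p->delay_probe_time;   /* dst_confirm() in time? */
        n->state = confirmed ? NUD_REACHABLE : NUD_PROBE;
        n->probes = 0;                           /* PROBE starts a fresh unicast budget */
    }
    if (n->state & (NUD_INCOMPLETE | NUD_PROBE)) {
        unsigned max = (n->state & NUD_PROBE) ? p->ucast_probes
                     : p->ucast_probes + p->app_probes + p->mcast_probes;
        if (n->probes >= max) {
            n->state = NUD_FAILED;               /* probe budget spent */
            n->queued = 0;
            return 1;
        }
        n->probes++;                             /* neigh_probe() -> arp_solicit() */
    }
    return 0;
}

/* neigh_forced_gc() candidate test: unreferenced and not PERMANENT. */
int nud_gc_candidate(const struct nud_neigh *n)
{
    return n->refcnt == 1 && !(n->state & NUD_PERMANENT);
}

/* Fresh entry, five packets, nobody answers: ticks until NUD_FAILED (negative on error). */
int scenario_unanswered(void)
{
    struct nud_neigh n = { NUD_NONE, 0, 0, 0, 0, 0, 1 };
    for (int i = 0; i < 5; i++)                  /* unres_qlen is 3: two are evicted */
        if (nud_send(&n, &defaults, 0) != SEND_QUEUED) return -1;
    if (n.state != NUD_INCOMPLETE || n.queued != 3 || n.dropped != 2) return -2;
    for (unsigned t = 1; t < 100; t++)
        if (nud_timer(&n, &defaults, t)) return (int)t;
    return -3;
}
/* REACHABLE idle past reachable_time -> STALE; next packet -> DELAY (still sent);
 * no L4 confirmation within delay_probe_time -> PROBE. Returns the final state. */
unsigned scenario_stale_delay_probe(void)
{
    struct nud_neigh n = { NUD_REACHABLE, 0, 0, 0, 0, 0, 1 };
    nud_timer(&n, &defaults, 40);
    if (n.state != NUD_STALE || nud_send(&n, &defaults, 41) != SEND_NOW || n.state != NUD_DELAY)
        return 0;
    nud_timer(&n, &defaults, 47);
    return n.state;
}
/* PERMANENT: sent at once, ignored by the timer, never a gc candidate. */
int scenario_permanent(void)
{
    struct nud_neigh n = { NUD_PERMANENT, 0, 0, 0, 0, 0, 1 };
    return nud_send(&n, &defaults, 0) == SEND_NOW && !nud_timer(&n, &defaults, 1000) &&
           n.state == NUD_PERMANENT && !nud_gc_candidate(&n);
}
```

With the defaults, an unanswered host gets three broadcast solicitations and fails on the fourth timer tick; only the last unres_qlen packets are still queued at that point, and they are the ones reported as unreachable.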

IPsec

Works at the network (IP) layer (L3).

Used in many forms of secured networks, like VPNs.

Mandatory in IPv6 (not in IPv4).

Implemented in many operating systems: Linux, Solaris, Windows,
and more.

In the 2.6 kernel: implemented by Dave Miller and Alexey Kuznetsov.

Transformation bundles.

Chain of dst entries; only the last one is for routing.

The dst entries in the chain have a NULL neighbour as a member
(except the last one).

IPsec (cont'd)

RFC 2401

IPsec (cont'd)

Userspace tools: http://ipsec-tools.sf.net

Building a VPN: http://www.openswan.org/ (Open Source).

There are also non-IPsec solutions for VPN:

OpenVPN uses SSL/TLS.

Another example: PPTP.

struct xfrm_policy has the following member:

struct dst_entry *bundles;

__xfrm4_bundle_create() creates the dst_entries (with the
DST_NOHASH flag); see net/ipv4/xfrm4_policy.c.

Transport Mode and Tunnel Mode.

IPsec (cont'd)

Show the security policies:

ip xfrm policy show

Create RSA keys:

ipsec rsasigkey --verbose 2048 > keys.txt

ipsec showhostkey --left > left.publickey

ipsec showhostkey --right > right.publickey

IPsec (cont'd)
Example: Host to Host VPN (using openswan)
in /etc/ipsec.conf:

conn linux-to-linux
    left=192.168.0.189
    leftnexthop=%direct
    leftrsasigkey=0sAQPPQ...
    right=192.168.0.45
    rightnexthop=%direct
    rightrsasigkey=0sAQNwb...
    type=tunnel
    auto=start

IPsec (cont'd)

service ipsec start (to start the service)
ipsec verify: check your system to see if IPsec got installed and
started correctly.
ipsec auto --status

If you see "IPsec SA established", this implies success.

Look for errors in /var/log/secure (Fedora Core) or in the kernel syslog.

Tips for hacking

Documentation/networking/ip-sysctl.txt: networking kernel tunables.

Example of reading a hex address:

iph->daddr == 0x0A00A8C0

means checking if the address is 192.168.0.10 (C0=192, A8=168, 00=0, 0A=10).
daddr is stored in network byte order, so this literal is the bytes
C0 A8 00 0A read back as a little-endian integer; such a compare is
only right on little-endian hosts, while htonl(0xC0A8000A) is right
everywhere.

A bash script for getting the hex representation of an IP address (ipToHex.sh):

#!/bin/sh
IP_ADDR=$1
for I in $(echo ${IP_ADDR} | sed -e "s/\./ /g"); do
    printf '%02X' $I
done
echo

usage example: ./ipToHex.sh 192.168.0.1 => C0A80001
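The byte-order point behind the two tips above, as an added example (not from the slides): what ipToHex.sh computes, what a raw integer compare against 0x0A00A8C0 actually sees on the running host, and the portable way to write the check. ipv4_parse(), ipv4_hex_be(), daddr_as_host_integer(), daddr_is() and is_little_endian() are names assumed by this example.

```c
/* Added example (not from the slides): why "iph->daddr == 0x0A00A8C0" means
 * 192.168.0.10 only on a little-endian host, what ipToHex.sh computes, and
 * the portable way to write the check. ipv4_parse(), ipv4_hex_be(),
 * daddr_as_host_integer(), daddr_is() and is_little_endian() are this
 * example's own names. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Dotted quad -> 32-bit value in network byte order, i.e. exactly the bytes
 * a __be32 daddr holds in memory. Returns 0 for a malformed address. */
int ipv4_parse(const char *s, uint32_t *be)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *be = htonl((a << 24) | (b << 16) | (c << 8) | d);
    return 1;
}

/* The string ipToHex.sh prints: the four bytes in wire order, so
 * 192.168.0.10 -> "C0A8000A" on every machine. NULL on a bad address. */
const char *ipv4_hex_be(const char *s)
{
    static char out[9];
    uint32_t be;
    unsigned char by[4];
    if (!ipv4_parse(s, &be))
        return NULL;
    memcpy(by, &be, 4);                      /* by[0] is the first byte on the wire */
    snprintf(out, sizeof out, "%02X%02X%02X%02X", by[0], by[1], by[2], by[3]);
    return out;
}

/* What a raw integer compare like the one in the slide actually sees: the
 * same four bytes read as a native integer. */
uint32_t daddr_as_host_integer(const char *s)
{
    uint32_t be = 0;
    ipv4_parse(s, &be);
    return be;           /* 0x0A00A8C0 little-endian, 0xC0A8000A big-endian */
}

int is_little_endian(void)
{
    uint16_t probe = 1;
    return *(unsigned char *)&probe == 1;
}

/* Portable form of the check: compare against htonl() of the host-order
 * literal (or a parsed address), never against a byte-swapped constant. */
int daddr_is(uint32_t daddr_be, const char *s)
{
    uint32_t want;
    return ipv4_parse(s, &want) && daddr_be == want;
}

int main(void)
{
    printf("192.168.0.10 on the wire: %s\n", ipv4_hex_be("192.168.0.10"));
    printf("daddr read as a native integer on this host: 0x%08X (%s-endian)\n",
           daddr_as_host_integer("192.168.0.10"), is_little_endian() ? "little" : "big");
    printf("daddr_is(htonl(0xC0A8000A), \"192.168.0.10\") = %d\n",
           daddr_is(htonl(0xC0A8000A), "192.168.0.10"));
    return 0;
}
```

A filter or hook that hard-codes the byte-swapped literal silently matches the wrong address on a big-endian box, which is the kind of bug that turns an allow-list into a no-op.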

Tips for hacking (cont'd)

Disable ping reply:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Disable ARP: ip link set eth0 arp off (the NOARP flag will be set).

Also ifconfig eth0 -arp has the same effect.

How can you get the Path MTU to a destination (PMTU)?

Use tracepath (see man tracepath).

tracepath is from iputils.

Tips for hacking (cont'd)

inet_addr_type() method: returns the address type; the input to this
method is the IP address. The return value can be RTN_LOCAL,
RTN_UNICAST, RTN_BROADCAST, RTN_MULTICAST, etc.
See net/ipv4/fib_frontend.c.

Tips for hacking (cont'd)

In case you want to send a packet from a userspace application
through a specified device without altering any routing tables
(SO_BINDTODEVICE needs CAP_NET_RAW; s is an already opened socket):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <net/if.h>
struct ifreq interface;
memset(&interface, 0, sizeof(interface));
strncpy(interface.ifr_ifrn.ifrn_name, "eth1", IFNAMSIZ - 1);
if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE,
               (char *)&interface, sizeof(interface)) < 0) {
    perror("error setting SO_BINDTODEVICE");
    exit(1);
}

Tips for hacking (cont'd)

Keep the iphdr struct handy (printout) (from linux/ip.h; the bitfield
order shown is the little-endian layout):

struct iphdr {
    __u8    ihl:4,
            version:4;
    __u8    tos;
    __be16  tot_len;
    __be16  id;
    __be16  frag_off;
    __u8    ttl;
    __u8    protocol;
    __sum16 check;
    __be32  saddr;
    __be32  daddr;
    /* The options start here. */
};

Tips for hacking (cont'd)

NIPQUAD(): macro for printing IP addresses in dotted-quad form.

Printing a MAC address (from net_device):

printk("sk_buff->dev = %02x:%02x:%02x:%02x:%02x:%02x\n",
       ((skb)->dev)->dev_addr[0], ((skb)->dev)->dev_addr[1],
       ((skb)->dev)->dev_addr[2], ((skb)->dev)->dev_addr[3],
       ((skb)->dev)->dev_addr[4], ((skb)->dev)->dev_addr[5]);

Printing the IP address (primary_key) of a neighbour (in hex format):

printk("neigh->primary_key = %02x.%02x.%02x.%02x\n",
       neigh->primary_key[0], neigh->primary_key[1],
       neigh->primary_key[2], neigh->primary_key[3]);

Tips for hacking (cont'd)

Or:
printk("*** neigh->primary_key = %u.%u.%u.%u\n",
       NIPQUAD(*(u32 *)neigh->primary_key));

CONFIG_NET_DMA is TCP receive copy offload (copying received data
with a DMA engine).
When you encounter xfrm / CONFIG_XFRM, this has to do with
IPsec (transformers).

Tips for hacking (cont'd)

Showing ARP statistics:

cat /proc/net/stat/arp_cache

entries allocs destroys hash_grows lookups hits res_failed
rcv_probes_mcast rcv_probes_ucast periodic_gc_runs
forced_gc_runs

periodic_gc_runs: statistics of how many times
neigh_periodic_timer() was called.

Links and more info
1) Linux Network Stack Walkthrough (2.4.20):
http://gicl.cs.drexel.edu/people/sevy/network/Linux_network_stack_walkth
2) Understanding the Linux Kernel, Second Edition,
by Daniel P. Bovet, Marco Cesati,
Second Edition, December 2002,
chapter 18: networking.
Understanding Linux Network Internals, Christian Benvenuti,
O'Reilly, First Edition.

Links and more info
3) Linux Device Drivers, by Jonathan Corbet, Alessandro Rubini, Greg
Kroah-Hartman,
Third Edition, February 2005.
Chapter 17, Network Drivers.
4) Linux networking (a lot of docs about specific networking topics):
http://linux-net.osdl.org/index.php/Main_Page
5) netdev mailing list: http://www.spinics.net/lists/netdev/

Links and more info
6) Removal of the multipath routing cache from kernel code:
http://lists.openwall.net/netdev/2007/03/12/76
http://lwn.net/Articles/241465/
7) Linux Advanced Routing & Traffic Control:
http://lartc.org/
8) ebtables, a filtering tool for bridging:
http://ebtables.sourceforge.net/

Links and more info
9) Writing a Network Device Driver for Linux (article):
http://app.linux.org.mt/article/writingnetdrivers?locale=en

Links and more info
10) Netconf, a yearly networking conference; the first was in 2004.
http://vger.kernel.org/netconf2004.html
http://vger.kernel.org/netconf2005.html
http://vger.kernel.org/netconf2006.html
Next one: Linux Conf Australia, January 2008, Melbourne.
David S. Miller, James Morris, Rusty Russell, Jamal Hadi Salim, Stephen
Hemminger, Harald Welte, Hideaki YOSHIFUJI, Herbert Xu, Thomas Graf, Robert
Olsson, Arnaldo Carvalho de Melo and others.

Links and more info
11) Policy Routing With Linux, Online Book Edition,
by Matthew G. Marsh (Sams).
http://www.policyrouting.org/PolicyRoutingBook/
12) TRASH: A dynamic LC-trie and hash data structure,
Robert Olsson, Stefan Nilsson, August 2006.
http://www.csc.kth.se/~snilsson/public/papers/trash/trash.pdf
13) IPsec howto:
http://www.ipsec-howto.org/t1.html

Links and more info
14) Openswan: Building and Integrating Virtual Private
Networks, by Paul Wouters, Ken Bantoft,
http://www.packtpub.com/book/openswan/mid/061205jqdnh2by
publisher: Packt Publishing.
15) A book including chapters about LVS:
The Linux Enterprise Cluster: Build a Highly Available Cluster
with Commodity Hardware and Free Software, by Karl
Kopper.
http://www.nostarch.com/frameset.php?startat=cluster
16) http://www.vyatta.com Open Source Networking

Links and more info
17) Address Resolution Protocol (ARP):
http://linux-ip.net/html/ether-arp.html
18) ARPwatch, a tool for monitoring incoming ARP traffic,
Lawrence Berkeley National Laboratory:
ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
19) arptables:
http://ebtables.sourceforge.net/download.html
20) TCP/IP Illustrated, Volume 1: The Protocols,
by W. Richard Stevens.
http://www.informit.com/store/product.aspx?isbn=0201633469

Links and more info
21) Unix Network Programming, Volume 1: The Sockets
Networking API (3rd Edition) (Addison-Wesley Professional
Computing Series) (Hardcover),
by W. Richard Stevens, Bill Fenner, Andrew M. Rudoff.

Questions

Questions?
Thank You!
