New Wireless Hacking Talk

Introduction
Walking down the layers

Into kernelspace
That's it!
Wireless Kernel Tweaking

or how B.A.T.M.A.N. learned to y
Marek Lindner, Simon Wunderlich
December 28, 2007
Introduction
Into kernelspace
That's it!
Outline
Introduction
what is a (dynamic) routing protocol?
the B.A.T.M.A.N. approach

layer 3 vs. layer 2
implementation issues
bridging
Into kernelspace
what's dierent
interacting with the kernel
That's it!
Introduction
Into kernelspace
That's it!

Example scenario - 6:00
Introduction
Into kernelspace
That's it!

Example scenario - 23:00
Introduction
Into kernelspace
That's it!

Example scenario (2)
Introduction
Into kernelspace
That's it!

Introduction to B.A.T.M.A.N.
B.A.T.M.A.N. = better approach to mobile adhoc networks

only decide next neighbour, not whole route
topology is not used or known by nodes
routing decisions are distributed by the nodes
designed for lossy networks
routing protocols internal is out of scope, we just assume it
works ;)
Introduction
Into kernelspace
That's it!
layer 3 vs. layer 2

bridging
Layer 3 - isn't that enough?
B.A.T.M.A.N. alters routing tables

kernel manages routing of payload trac
this works only for IP, no IPv6, DHCP, IPX ...
users have to make sure that everyone has an unique IP
routing into/outside other networks is quite complex
Introduction
Into kernelspace
That's it!
layer 3 vs. layer 2

bridging
Let's try layer 2
write userspace proof-of-concept, then go to kernelspace

instead of IPs, use MAC-addresses as identiers (should
be[TM] unique per design)
we provide a virtual switch-port bat0 to the user
virtual Ethernet interface (TAP), all other nodes are just one
(virtual) hop away
IP, IPv6, DHCP, IPX already works on Ethernet, we have
nothing to do
can be used as bridge over multiple interfaces (e.g. WiFi and
Ethernet)
Introduction
Into kernelspace
That's it!
layer 3 vs. layer 2

bridging
Usage
provide a virtual switch-port bat0 to the user
k e r o :/# i f c o n f i g bat0
bat0
L i n k encap : E t h e r n e t HWaddr 0 0 : 1 3 : 3 7 : 9 1 : 4 2 : 3 7
i n e t 6 addr : f e 8 0 : : 2 1 7 : 1 3 f f : f e 3 7 :4237/64 Scope : L i n k
UP BROADCAST RUNNING MULTICAST MTU: 1 4 7 2 M e t r i c : 1
RX p a c k e t s : 0 e r r o r s : 0 dropped : 0 o v e r r u n s : 0 frame : 0
TX p a c k e t s : 4 e r r o r s : 0 dropped : 0 o v e r r u n s : 0 c a r r i e r : 0
c o l l i s i o n s :0 txqueuelen :500
RX b y t e s : 0 ( 0 . 0 B) TX b y t e s : 3 2 8 ( 3 2 8 . 0 B)
participants set IP adresses (etc.) on their bat0 interface
k e r o :/# i f c o n f i g bat0 i n e t 1 9 2 . 1 6 8 . 1 0 . 2 3
k e r o :/# r o u t e add d e f a u l t gw 1 9 2 . 1 6 8 . 1 0 . 2 3
( o r even b e t t e r : )
k e r o :/# d h c l i e n t bat0
Introduction
Into kernelspace
That's it!
layer 3 vs. layer 2

bridging
All the layer 2 belong to us!
B.A.T.M.A.N. transports the Ethernet-Frame to the node with

the destination MAC
it does not care about IP-adresses etc, just as your switch
OGMs and payload are encapsulated in our own
Ethernet-Frames (Ethertype 0x0842)
Introduction
Into kernelspace
That's it!
layer 3 vs. layer 2

bridging
Implementation
TAP-interface bat0 receives/sends Ethernet-Frames from the

user
we decide which neighbour should receive it, based on the
B.A.T.M.A.N. algorithm
Introduction
Into kernelspace
That's it!
layer 3 vs. layer 2

bridging
Bridging support
B.A.T.M.A.N. collects MACs of participants behind the Bridge

These lists are announced via HNA-Messages and ooded to
all B.A.T.M.A.N. nodes
With this, we have a decentralized MAC Translation Table
Introduction
Into kernelspace
That's it!
layer 3 vs. layer 2

bridging
Visualization
Nice side eect: with the HNA information, the whole

topology with the nodes behind the APs becomes visible
Introduction
Into kernelspace
That's it!
layer 3 vs. layer 2

bridging
Great - and now?

proof-of-concept implementation in the userspace works quite
well
the problem is: performance!
it should also run well on minimal embedded systems (Access
Points, Cell Phones)
typical path is:
select(): wait for a packet

read() it
nd next hop, update tables etc. (pretty fast)
write() it
System Calls for read/write take very long time (switch to
kernel mode and back, copy overhead)
becomes a problem with high bandwidth usage, peak
performance of the NICs can't be reached
Introduction
Into kernelspace
That's it!
what's dierent
Put it into kernelspace
No useless message copy (recycle kernel buers)

no Syscalls and no user/kernel mode switch
kernel works asynchronous and preemptive
asynchronous packet handling possible
Introduction
Into kernelspace
That's it!
what's dierent
Living in the kernelspace
the proc lesystem
l s / p r o c / n e t /batmanadv /
gateways
interfaces
log
log_level
originators
orig_interval
activating batman-adv
echo wlan0 > / p r o c / n e t /batmanadv / i n t e r f a c e s
deactivating batman-adv
echo "" > / p r o c / n e t /batmanadv / i n t e r f a c e s
Introduction
Into kernelspace
That's it!
what's dierent
Logging merits special attention

the log level
c a t / p r o c / n e t /batmanadv / l o g _ l e v e l
[ x ] c r i t i c a l (0)
[ ] warnings (1)
[ ] notices (2)
[ ] batman ( 4 )
[ ] routes (8)
setting the log level
#
#
echo 3 > / p r o c / n e t /batmanadv / l o g _ l e v e l

c a t / p r o c / n e t /batmanadv / l o g _ l e v e l
[ x ] c r i t i c a l (0)
[ x ] warnings (1)
[ x ] notices (2)
[ ] batman ( 4 )
[ ] routes (8)
reading the log
#
[
[
c a t / p r o c / n e t /batmanadv / l o g
6 2 6 ] B . A .T.M. A .N. Advanced 0.1 a l p h a ( c o m p a b i l i t y v e r s i o n 1)
9 7 1 ] Changing l o g _ l e v e l from : 0 to : 3
Introduction
Into kernelspace
That's it!
what's dierent
Kernel development
don't be scared
the kernel is a big library for all your hacking needs
debugging techniques:
clean programming - think before you insmod

printk - tells you what's up
kernel oops - gives you the stack trace
UML - safer debugging
again: don't panic! :-)
Introduction
Into kernelspace
That's it!
what's dierent
Battool
there is no ICMP on Layer 2

we still want to ping, traceroute etc to debug the network
implement own ICMP protocol into batman-adv protocol
battool provides ping, traceroute and raw packet dump
injects and receives special packets into unix socket
(userspace) or device (kernelspace)
Introduction
Into kernelspace
That's it!
Links
http://open-mesh.net/
https://dev.open-mesh.net/batman
Introduction
Into kernelspace
That's it!
Thank you!

New Wireless Hacking Talk

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

New Wireless Hacking Talk

Загружено:

Авторское право:

Доступные форматы

Introduction

Walking down the layers

Wireless Kernel Tweaking

Marek Lindner, Simon Wunderlich

December 28, 2007

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

Walking down the layers

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

what is a (dynamic) routing protocol?

Example scenario - 6:00

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

what is a (dynamic) routing protocol?

Example scenario - 23:00

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

what is a (dynamic) routing protocol?

Example scenario (2)

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

what is a (dynamic) routing protocol?

B.A.T.M.A.N. = better approach to mobile adhoc networks

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

layer 3 vs. layer 2

Layer 3 - isn't that enough?

B.A.T.M.A.N. alters routing tables

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

layer 3 vs. layer 2

Let's try layer 2

write userspace proof-of-concept, then go to kernelspace

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

layer 3 vs. layer 2

provide a virtual switch-port bat0 to the user

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

layer 3 vs. layer 2

All the layer 2 belong to us!

B.A.T.M.A.N. transports the Ethernet-Frame to the node with

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

layer 3 vs. layer 2

TAP-interface bat0 receives/sends Ethernet-Frames from the

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

layer 3 vs. layer 2

B.A.T.M.A.N. collects MACs of participants behind the Bridge

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

layer 3 vs. layer 2

Nice side eect: with the HNA information, the whole

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

layer 3 vs. layer 2

Great - and now?

select(): wait for a packet

Marek Lindner, Simon Wunderlich

Wireless Kernel Tweaking

Put it into kernelspace

No useless message copy (recycle kernel buers)

provide a virtual switch-port bat0 to the user

Nice side eect: with the HNA information, the whole

No useless message copy (recycle kernel buers)

the proc lesystem