Small Form Computing A bump in the wire. The questions ● What can we do with an inexpensive small computer? ● Can we make it a part of a seamless wireless.

Slides:



Advertisements
Similar presentations
IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.
Advertisements

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Wireless Audio Conferencing System (WACS) Mehmet Ali Abbasoğlu Furkan Çimen Aylin Deveci Kübra Gümüş.
Introduction To Networking
© Lethbridge/Laganière 2001 Chap. 3: Basing Development on Reusable Technology 1 Let’s get started. Let’s start by selecting an architecture from among.
Embedded Transport Acceleration Intel Xeon Processor as a Packet Processing Engine Abhishek Mitra Professor: Dr. Bhuyan.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Netfilter in Linux Bing Qi Department of Computer Science and Engineering Auburn university.
Computer Networks IGCSE ICT Section 4.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
NetServ Tutorial Quick and easy network service and packet processing using NetServ Jae Woo Lee and Roberto Francescangeli.
Basic Router Configuration Warren Toomey GCIT. Introduction A Cisco router is simply a computer that receives packets and forwards them on based on what.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Wave Relay System and General Project Details. Wave Relay System Provides seamless multi-hop connectivity Operates at layer 2 of networking stack Seamless.
Virtual Private Networking with OpenVPN Wim Kerkhoff Fraser Valley Linux Users Group April 15, 2004.
PA3: Router Junxian (Jim) Huang EECS 489 W11 /
Implementation and Performance Analysis of a Delay Based Packet Scheduling Algorithm for an Embedded Open Source Router Master’s Thesis Presentation June.
LWIP TCP/IP Stack 김백규.
SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in specific network programs  e.g. 1, wu-FTP server support.
LWIP TCP/IP Stack 김백규.
IP Forwarding.
10/12/ Embedded XINU and WRT54GL. 10/12/ Topics Logic and shift operators Data-driven vs function-driven Embedded XINU and WRT54GL.
PORTING A NETWORK CRYPTOGRAPHIC SERVICE TO THE RMC2000 : A CASE STUDY IN EMBEDDED SOFTWARE DEVELOPMENT.
CSP Implementing a network 1 Implementing a network Lecturer: Smilen Dimitrov Cross-sensorial processing – MED7.
1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.
1 實驗九:建置網路安全閘道器 教師: 助教:. 2 Outline  Background  Proxy – Squid  Firewall – IPTables  VPN – OpenVPN  Experiment  Internet gateway  Firewall  VPN.
1 Networking Chapter Distributed Capabilities Communications architectures –Software that supports a group of networked computers Network operating.
Firewalling With Netfilter/Iptables. What Is Netfilter/Iptables? Improved successor to ipchains available in linux kernel 2.4/2.6. Netfilter is a set.
Firewall Tutorial Hyukjae Jang Nc lab, CS dept, Kaist.
Fast NetServ Data Path: OpenFlow integration Emanuele Maccherani Visitor PhD Student DIEI - University of Perugia, Italy IRT - Columbia University, USA.
©Brooks/Cole, 2003 Model and protocol  A model is the specification set by a standards organization as a guideline for designing networks.  A protocol.
802.11n Sniffer Design Overview Vladislav Mordohovich Igor Shtarev Luba Brouk.
An initial study on Multi Path Routing Over Multiple Devices in Linux 2.4.x kernel Towards CS522 term project By Syama Sundar Kosuri.
FreeS/WAN & VPN Cory Petkovsek VPN: Virtual Private Network – a secure tunnel through untrusted networks. IP Security (IPSec): a standardized set of authentication.
Network Sniffer Anuj Shah Advisor: Dr. Chung-E Wang Department of Computer Science.
Lecture 6 Networked Systems Network Operating Systems Introduction to Sockets HTTP – FTP – TCP - UDP Client-Server Model.
Networking Components WILLIAM NELSON LTEC HUB  Device that operated on Layer 1 of the OSI stack.  All I/O flows out all other ports besides the.
 Program Abstractions  Concepts  ACE Structure.
Networking Components William Isakson LTEC 4550 October 7, 2012 Module 3.
1 Kyung Hee University Chapter 11 User Datagram Protocol.
Silberschatz, Galvin and Gagne ©2011 Operating System Concepts Essentials – 8 th Edition Chapter 2: The Linux System Part 5.
Data Communication Networks Lec 13 and 14. Network Core- Packet Switching.
Kernel Modules – Introduction CSC/ECE 573, Sections 001 Fall, 2012.
1 Network Communications A Brief Introduction. 2 Network Communications.
LINUX® Netfilter The Linux Firewall Engine. Overview LINUX® Netfilter is a firewall engine built into the Linux kernel Sometimes called “iptables” for.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Skype.
Cisco Routers Routers collectively provide the main feature of the network layer—the capability to forward packets end-to-end through a network. routers.
An open source user space fast path TCP/IP stack and more…
Firewalls. A Firewall is: a) Device that interconnects two networks b) Network device that regulates the access to an internal network c) Program that.
Software 12/1/2008.
Chapter 11 User Datagram Protocol
Virtual Private Networking with OpenVPN
Programming Assignment
Network Address Translation (NAT)
Chapter 14 User Datagram Protocol (UDP)
Setting Up Firewall using Netfilter and Iptables
Chapter 8 Network Perimeter Security
Chapter 2: The Linux System Part 5
The Router Plugins system architecture
Embedded XINU and WRT54GL
Firewalls.
Presentation transcript:

Small Form Computing A bump in the wire

The questions ● What can we do with an inexpensive small computer? ● Can we make it a part of a seamless wireless mesh network by installing SMesh? ● Can we make it a robot controller by performing computations on it? ● Can it encrypt/decrypt? At what rate?

The answers ● Let’s try and run something on it ● Learn about its target platform o MIPS 32 architecture o Single Core o Little Endian o Memory – 61 MB ● What about its capability? o Need of standard benchmarks

Linux to the rescue - OpenWRT ● A Linux distribution for embedded devices ● Flash the router! ● Bleeding edge version - Chaos Calmer

Now the benchmarking.. ● File Transfer over TCP o Wired: 89 Mpbs Wireless: 44 Mpbs With I/O: 7Mbps ● OpenSSL benchmarks ● Definitely not for Asymmetric Encryption! Test ( for 3 seconds) block size: 16Cloud2 BpsNEXX Bps SHA K K AES 256 CBC K K 2048 bit private RSA for 10s1384 signs/s verify/s 8.1 signs/s verify/s

Let’s write some code… ● Cross compilation – Sourcery codebench Lite, OpenWRT SDK ● mipslinux-gnu-gcc -msoft-float -EL -static -o ● Get USB support - opkg package manager ● Building a simple package using the SDK

What do we do with it? ● What about a Bump-In-The-Wire? ● Set it up as two intermediary hops between two hosts trying to communicate ● Encryption/Decryption on the fly

Topology (LAN: ) NEXX 2 (WAN: ) (LAN: ) NEXX 2 (WAN: ) Host Host Host Host (LAN: ) NEXX 2 (WAN: ) (LAN: ) NEXX 2 (WAN: ) ICMP Sends a ping request XXXX Sends a ping reply Encrypts/ Decrypts Decrypts/ Encrypts ICMP

Step 1 ● Understanding Journey of an IP packet through the network

All that jargon Checksum s Sniffing Netfilter Raw sockets IPTables Packet Capture

Raw Sockets A user level application can open a raw socket to get packets exactly as they would arrive on the network Not suitable for this application - creates a ‘clone’ of each incoming packet for every application that has opened a raw socket, to listen to that type of packet. It didn’t really ‘bypass’ the kernel processing

Divert Sockets They fit the bill, their very use case was to filter specific packets and get them to user space, giving the process total control of the packet. It could pass the packet as is, or choose to mangle it IPPROTO_DIVERT – instruct the firewall to send packets to a certain port, to which this socket is bound Different kernel needed

Netfilter/Iptables ● A framework for packet filtering, a kernel subsystem in all modern linux kernels, all incoming packets traverse the netfilter subsystem ● Iptables - a user level application to interact with netfilter modules

Digging into Netfilter ● Each protocol (IPV4/IPV6/DECnet )defines ‘hooks’. These are well defined points in a packet’s traversal of that protocol stack ● Kernel modules can register to listen on different hooks of that stack with priority. Packets are passed to them in order of priority on arrival ● These modules, can decide the ‘fate’ of the packet o NF_DROP/NF_ACCEPT/NF_STOLEN/NF_QUEUE ● Packets that are queued, are handled in user space

Packet Traversing Netfilter system NF_IP_PRE_ROUTINGROUTENF_IP_FORWARDNF_IP_POST NF_IP_LOCAL ROUTE NF_IP_LOCAL_OUT

Iptables A packet selection system that is built over Netfilter The ‘tables’ are modules that are registered at various ‘hooks’ in this framework, these ‘hooks’ are referred to as ‘chains’ when handling incoming packets Iptables –t mangle –I FORWARD –p tcp –j ACCEPT Iptables –t mangle –I FORWARD –p tcp –j NF_QUEUE

Libnetfilter queue Userspace library providing an API to packets that have been queued by the kernel packet filter Three step process: 1.Library setup – nfq_open(), nfq_unbind_pf(), nfq_bind_pf() 2.Message receiving – callback function for each received packet 3.Exit phase – nfq_close()

Our system Packet received – call back function – check type – encrypt/decrypt – re-calculate checksums – issue verdict Queue 0 Queue 1 nfqnl_program From LAN From WAN Process ed packet

Encryption / Decryption Using simple XOR AES Encryption OpenSSL library

Performance (all wired) Tool / Method XORAESNo queue PING packets2 ms2.2 ms1 ms Iperf (TCP) 15.7 Mbps11 Mbps94 Mbps File Transfer (TCP) ( 20 MB ) Mbps8.8 Mbps90 Mbps

Conclusions For performance improvement, write a netfilter hook ( loadable kernel module) instead of mangling packets in user space – will need to see how encryption can be done here How does this perform encryption with respect to other tools Is this value for money?

References libnetfilter_queue/ libnetfilter_queue/

Questions ? Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.