Presentation is loading. Please wait.

Presentation is loading. Please wait.

Small Form Computing A bump in the wire. The questions ● What can we do with an inexpensive small computer? ● Can we make it a part of a seamless wireless.

Published byClinton Hodge Modified over 9 years ago

Similar presentations

Presentation on theme: "Small Form Computing A bump in the wire. The questions ● What can we do with an inexpensive small computer? ● Can we make it a part of a seamless wireless."— Presentation transcript:

1 Small Form Computing A bump in the wire

2 The questions ● What can we do with an inexpensive small computer? ● Can we make it a part of a seamless wireless mesh network by installing SMesh? ● Can we make it a robot controller by performing computations on it? ● Can it encrypt/decrypt? At what rate?

3 The answers ● Let’s try and run something on it ● Learn about its target platform o MIPS 32 architecture o Single Core o Little Endian o Memory – 61 MB ● What about its capability? o Need of standard benchmarks

4 Linux to the rescue - OpenWRT ● A Linux distribution for embedded devices ● Flash the router! ● Bleeding edge version - Chaos Calmer

5 Now the benchmarking.. ● File Transfer over TCP o Wired: 89 Mpbs Wireless: 44 Mpbs With I/O: 7Mbps ● OpenSSL benchmarks ● Definitely not for Asymmetric Encryption! Test ( for 3 seconds) block size: 16Cloud2 BpsNEXX Bps SHA131787.25K2805.40K AES 256 CBC54005.82K6222.59K 2048 bit private RSA for 10s1384 signs/s 49705 verify/s 8.1 signs/s 257.9 verify/s

6 Let’s write some code… ● Cross compilation – Sourcery codebench Lite, OpenWRT SDK ● mipslinux-gnu-gcc -msoft-float -EL -static -o ● Get USB support - opkg package manager ● Building a simple package using the SDK

7 What do we do with it? ● What about a Bump-In-The-Wire? ● Set it up as two intermediary hops between two hosts trying to communicate ● Encryption/Decryption on the fly

8 Topology (LAN: 192.168.3.1) NEXX 2 (WAN: 192.168.4.1) (LAN: 192.168.3.1) NEXX 2 (WAN: 192.168.4.1) Host 1 192.168.3.222 Host 1 192.168.3.222 Host 2 192.168.1.12 8 Host 2 192.168.1.12 8 (LAN: 192.168.1.1) NEXX 2 (WAN: 192.168.4.3) (LAN: 192.168.1.1) NEXX 2 (WAN: 192.168.4.3) ICMP Sends a ping request XXXX Sends a ping reply Encrypts/ Decrypts Decrypts/ Encrypts ICMP

9 Step 1 ● Understanding Journey of an IP packet through the network

10 All that jargon Checksum s Sniffing Netfilter Raw sockets IPTables Packet Capture

11 Raw Sockets A user level application can open a raw socket to get packets exactly as they would arrive on the network Not suitable for this application - creates a ‘clone’ of each incoming packet for every application that has opened a raw socket, to listen to that type of packet. It didn’t really ‘bypass’ the kernel processing

12 Divert Sockets They fit the bill, their very use case was to filter specific packets and get them to user space, giving the process total control of the packet. It could pass the packet as is, or choose to mangle it IPPROTO_DIVERT – instruct the firewall to send packets to a certain port, to which this socket is bound Different kernel needed

13 Netfilter/Iptables ● A framework for packet filtering, a kernel subsystem in all modern linux kernels, all incoming packets traverse the netfilter subsystem ● Iptables - a user level application to interact with netfilter modules

14 Digging into Netfilter ● Each protocol (IPV4/IPV6/DECnet )defines ‘hooks’. These are well defined points in a packet’s traversal of that protocol stack ● Kernel modules can register to listen on different hooks of that stack with priority. Packets are passed to them in order of priority on arrival ● These modules, can decide the ‘fate’ of the packet o NF_DROP/NF_ACCEPT/NF_STOLEN/NF_QUEUE ● Packets that are queued, are handled in user space

15 Packet Traversing Netfilter system NF_IP_PRE_ROUTINGROUTENF_IP_FORWARDNF_IP_POST NF_IP_LOCAL ROUTE NF_IP_LOCAL_OUT

16 Iptables A packet selection system that is built over Netfilter The ‘tables’ are modules that are registered at various ‘hooks’ in this framework, these ‘hooks’ are referred to as ‘chains’ when handling incoming packets Iptables –t mangle –I FORWARD –p tcp –j ACCEPT Iptables –t mangle –I FORWARD –p tcp –j NF_QUEUE

17 Libnetfilter queue Userspace library providing an API to packets that have been queued by the kernel packet filter Three step process: 1.Library setup – nfq_open(), nfq_unbind_pf(), nfq_bind_pf() 2.Message receiving – callback function for each received packet 3.Exit phase – nfq_close()

18 Our system Packet received – call back function – check type – encrypt/decrypt – re-calculate checksums – issue verdict Queue 0 Queue 1 nfqnl_program From LAN From WAN Process ed packet

19 Encryption / Decryption Using simple XOR AES Encryption OpenSSL library

20 Performance (all wired) Tool / Method XORAESNo queue PING packets2 ms2.2 ms1 ms Iperf (TCP) 15.7 Mbps11 Mbps94 Mbps File Transfer (TCP) ( 20 MB ) 13.54 Mbps8.8 Mbps90 Mbps

21 Conclusions For performance improvement, write a netfilter hook ( loadable kernel module) instead of mangling packets in user space – will need to see how encryption can be done here How does this perform encryption with respect to other tools Is this value for money?

22 References http://sock-raw.org/papers/sock_raw https://home.regit.org/netfilter-en/using-nfqueue-and- libnetfilter_queue/ https://home.regit.org/netfilter-en/using-nfqueue-and- libnetfilter_queue/ http://www.netfilter.org/projects/iptables/index.html

23 Questions ? Thank you!

Download ppt "Small Form Computing A bump in the wire. The questions ● What can we do with an inexpensive small computer? ● Can we make it a part of a seamless wireless."

Similar presentations

IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.

IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.

A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Wireless Audio Conferencing System (WACS) Mehmet Ali Abbasoğlu Furkan Çimen Aylin Deveci Kübra Gümüş.

Wireless Audio Conferencing System (WACS) Mehmet Ali Abbasoğlu Furkan Çimen Aylin Deveci Kübra Gümüş.
Introduction To Networking

Introduction To Networking
© Lethbridge/Laganière 2001 Chap. 3: Basing Development on Reusable Technology 1 Let’s get started. Let’s start by selecting an architecture from among.

© Lethbridge/Laganière 2001 Chap. 3: Basing Development on Reusable Technology 1 Let’s get started. Let’s start by selecting an architecture from among.
Embedded Transport Acceleration Intel Xeon Processor as a Packet Processing Engine Abhishek Mitra Professor: Dr. Bhuyan.

Embedded Transport Acceleration Intel Xeon Processor as a Packet Processing Engine Abhishek Mitra Professor: Dr. Bhuyan.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Netfilter in Linux Bing Qi Department of Computer Science and Engineering Auburn university.

1 Netfilter in Linux Bing Qi Department of Computer Science and Engineering Auburn university.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
NetServ Tutorial Quick and easy network service and packet processing using NetServ Jae Woo Lee and Roberto Francescangeli.

NetServ Tutorial Quick and easy network service and packet processing using NetServ Jae Woo Lee and Roberto Francescangeli.
Basic Router Configuration Warren Toomey GCIT. Introduction A Cisco router is simply a computer that receives packets and forwards them on based on what.

Basic Router Configuration Warren Toomey GCIT. Introduction A Cisco router is simply a computer that receives packets and forwards them on based on what.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.

Similar presentations

Ads by Google