21

Wireless Hacking Talk

  • View
    3.068

  • Download
    0

Embed Size (px)

DESCRIPTION

Wireless Kernel Tweaking or how B.A.T.M.A.N. learned to fly Kernel hacking definitely is the queen of coding but in order to bring mesh routing that one vital step further we had to conquer this, for us, unchartered territory. Working in the kernel itself is a tough and difficult task to manage, but the results and effectivity to be gained justify the long and hard road to success. We took on the mission to go down that road and the result is B.A.T.M.A.N. advanced which is a kernel land implementation of the B.A.T.M.A.N. mesh routing protocol specifically designed to manage Wireless MANs.

Citation preview

Page 1: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

Wireless Kernel Tweakingor how B.A.T.M.A.N. learned to �y

Marek Lindner, Simon Wunderlich

December 28, 2007

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 2: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

Outline

1 Introductionwhat is a (dynamic) routing protocol?the B.A.T.M.A.N. approach

2 Walking down the layerslayer 3 vs. layer 2implementation issuesbridging

3 Into kernelspacewhat's di�erentinteracting with the kernel

4 That's it!

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 3: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what is a (dynamic) routing protocol?the B.A.T.M.A.N. approach

Example scenario - 6:00

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 4: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what is a (dynamic) routing protocol?the B.A.T.M.A.N. approach

Example scenario - 23:00

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 5: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what is a (dynamic) routing protocol?the B.A.T.M.A.N. approach

Example scenario (2)

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 6: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what is a (dynamic) routing protocol?the B.A.T.M.A.N. approach

Introduction to B.A.T.M.A.N.

B.A.T.M.A.N. = better approach to mobile adhoc networks

only decide next neighbour, not whole route

topology is not used or known by nodes

routing decisions are distributed by the nodes

designed for lossy networks

routing protocols internal is out of scope, we just assume itworks ;)

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 7: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

layer 3 vs. layer 2implementation issuesbridging

Layer 3 - isn't that enough?

B.A.T.M.A.N. alters routing tables

kernel manages routing of payload tra�c

this works only for IP, no IPv6, DHCP, IPX ...

users have to make sure that everyone has an unique IP

routing into/outside other networks is quite complex

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 8: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

layer 3 vs. layer 2implementation issuesbridging

Let's try layer 2

write userspace proof-of-concept, then go to kernelspace

instead of IPs, use MAC-addresses as identi�ers (shouldbe[TM] unique per design)

we provide a virtual switch-port �bat0� to the user

virtual Ethernet interface (TAP), all other nodes are just one(virtual) hop away

IP, IPv6, DHCP, IPX already works on Ethernet, we havenothing to do

can be used as bridge over multiple interfaces (e.g. WiFi andEthernet)

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 9: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

layer 3 vs. layer 2implementation issuesbridging

Usage

provide a virtual switch-port �bat0� to the user

ke ro :/# i f c o n f i g bat0bat0 L ink encap : E the rne t HWaddr 0 0 : 1 3 : 3 7 : 9 1 : 4 2 : 3 7

i n e t 6 addr : f e80 : : 2 1 7 : 1 3 f f : f e37 :4237/64 Scope : L inkUP BROADCAST RUNNING MULTICAST MTU:1472 Met r i c : 1RX packe t s : 0 e r r o r s : 0 dropped : 0 o v e r r u n s : 0 frame : 0TX packe t s : 4 e r r o r s : 0 dropped : 0 o v e r r u n s : 0 c a r r i e r : 0c o l l i s i o n s : 0 t xqueue l e n :500RX by t e s : 0 ( 0 . 0 B) TX by t e s :328 (328 . 0 B)

participants set IP adresses (etc.) on their bat0 interface

ke ro :/# i f c o n f i g bat0 i n e t 192 . 168 . 10 . 23ke ro :/# rou t e add d e f a u l t gw 192 . 168 . 10 . 23( or even b e t t e r : )ke ro :/# d h c l i e n t bat0

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 10: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

layer 3 vs. layer 2implementation issuesbridging

All the layer 2 belong to us!

B.A.T.M.A.N. transports the Ethernet-Frame to the node withthe destination MAC

it does not care about IP-adresses etc, just as your switch

OGMs and payload are encapsulated in our ownEthernet-Frames (Ethertype 0x0842)

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 11: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

layer 3 vs. layer 2implementation issuesbridging

Implementation

TAP-interface bat0 receives/sends Ethernet-Frames from theuser

we decide which neighbour should receive it, based on theB.A.T.M.A.N. algorithm

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 12: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

layer 3 vs. layer 2implementation issuesbridging

Bridging support

B.A.T.M.A.N. collects MACs of participants behind the Bridge

These lists are announced via HNA-Messages and �ooded toall B.A.T.M.A.N. nodes

With this, we have a decentralized MAC Translation TableMarek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 13: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

layer 3 vs. layer 2implementation issuesbridging

Visualization

Nice side e�ect: with the HNA information, the wholetopology with the nodes behind the APs becomes visible

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 14: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

layer 3 vs. layer 2implementation issuesbridging

Great - and now?

proof-of-concept implementation in the userspace works quitewell

the problem is: performance!

it should also run well on minimal embedded systems (AccessPoints, Cell Phones)

typical path is:select(): wait for a packetread() it�nd next hop, update tables etc. (pretty fast)write() it

System Calls for read/write take very long time (switch tokernel mode and back, copy overhead)

becomes a problem with high bandwidth usage, peakperformance of the NICs can't be reached

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 15: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what's di�erentinteracting with the kernel

Put it into kernelspace

No useless message copy (recycle kernel bu�ers)

no Syscalls and no user/kernel mode switch

kernel works asynchronous and preemptive

asynchronous packet handling possible

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 16: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what's di�erentinteracting with the kernel

Living in the kernelspace

the proc �lesystem

# l s / p roc / net /batman−adv/gatewaysi n t e r f a c e sl o gl o g_ l e v e lo r i g i n a t o r so r i g_ i n t e r v a l

activating batman-adv

# echo wlan0 > / proc / net /batman−adv/ i n t e r f a c e s

deactivating batman-adv

# echo "" > / proc / net /batman−adv/ i n t e r f a c e s

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 17: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what's di�erentinteracting with the kernel

Logging merits special attention

the log level# ca t / proc / net /batman−adv/ l o g_ l e v e l[ x ] c r i t i c a l ( 0 )[ ] wa rn ing s (1 )[ ] n o t i c e s (2 )[ ] batman (4 )[ ] r o u t e s (8 )

setting the log level# echo 3 > / proc / net /batman−adv/ l o g_ l e v e l# ca t / proc / net /batman−adv/ l o g_ l e v e l[ x ] c r i t i c a l ( 0 )[ x ] wa rn ing s (1 )[ x ] n o t i c e s (2 )[ ] batman (4 )[ ] r o u t e s (8 )

reading the log# ca t / proc / net /batman−adv/ l o g[ 626 ] B .A .T.M.A.N. Advanced 0.1− a lpha ( c ompab i l i t y v e r s i o n 1)[ 971 ] Changing l o g_ l e v e l from : 0 to : 3

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 18: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what's di�erentinteracting with the kernel

Kernel development

don't be scared

the kernel is a big library for all your hacking needs

debugging techniques:

clean programming - think before you insmodprintk - tells you what's upkernel oops - gives you the stack traceUML - safer debugging

again: don't panic! :-)

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 19: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

what's di�erentinteracting with the kernel

Battool

there is no ICMP on Layer 2

we still want to ping, traceroute etc to debug the network

implement own ICMP protocol into batman-adv protocol

battool provides ping, traceroute and raw packet dump

injects and receives special packets into unix socket(userspace) or device (kernelspace)

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 20: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

Links

http://open-mesh.net/

https://dev.open-mesh.net/batman

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking

Page 21: Wireless Hacking Talk

IntroductionWalking down the layers

Into kernelspaceThat's it!

Thank you!

Marek Lindner, Simon Wunderlich Wireless Kernel Tweaking