NDprotector, an implementation of RFC 3971 & RFC 3972 77 th IETF - - PowerPoint PPT Presentation

▶

Aug 23, 2022 444 likes •552 views

NDprotector, an implementation of RFC 3971 & RFC 3972 77 th IETF - CGA & SEND maIntenance WG Tony Cheneau (TLCOM SudParis) email: tony.cheneau@it-sudparis.eu Arnaud Ebalard (EADS) Motivations Global context: MobiSEND project

SLIDE 1

NDprotector, an implementation of RFC 3971 & RFC 3972

77th IETF

CGA & SEND maIntenance WG

Tony Cheneau (TÉLÉCOM SudParis)

email: tony.cheneau@it-sudparis.eu

Arnaud Ebalard (EADS)

SLIDE 2

3/22/2009 77th IETF - CSI Working Group 2

Motivations

Global context: MobiSEND project (see

http://mobisend.org) financially supported by ANR (French 'National Research Agency')

Initially, Arnaud Ebalard developed extensions

to Scapy6 tool to handle SEND messages and

ptions
We needed an implementation that was easy to

deploy, extend and configure

SLIDE 3

3/22/2009 77th IETF - CSI Working Group 3

Requirements

Linux kernel
Userspace:

◊ Modified version of Scapy6 ◊ OpenSSL ◊ iproute2 ◊ ip6tables ◊ netfilter_queue and python's netfilter_queue

bindings

SLIDE 4

3/22/2009 77th IETF - CSI Working Group 4

Implementation

Hook in netfilter to redirect ingoing and
utgoing NDP packets to our implementations
Accept/modify/drop NDP packets
Scapy6 dissects the different layers and

assembles new options (e.g. RSA Signature Option)

Relies on radvd to send Router Advertisements

SLIDE 5

3/22/2009 77th IETF - CSI Working Group 5

Basic configuration of Routers

You should only change:

NDprotector.certification_path variable
NDprotector.default_publickey variable

It will automatically:

Assign a CGA for the link-layer prefix on 'eth0'
Work in “mixed environment”

SLIDE 6

3/22/2009 77th IETF - CSI Working Group 6

Basic configuration of Hosts

You should only change:

NDprotector.trustanchors variable

It will automatically:

Assign a CGA for the link-layer prefix on 'eth0'
Check Certification Path of each router

SLIDE 7

3/22/2009 77th IETF - CSI Working Group 7

Limitations

Limited interaction with the kernel (must

recreate internal Neighbor Cache structure)

Run as “root”

SLIDE 8

3/22/2009 77th IETF - CSI Working Group 8

Future work

Inclusion in Scapy6 of some code
Add Signature Agility support
Add CRL check support
Add rate limiting support
(Eventually) add in-kernel CGA generation

support

Some code optimization (if required)

SLIDE 9

3/22/2009 77th IETF - CSI Working Group 9

Thanks for listening

Questions ? Thoughts ? Improvements ?

Download the implementation at:

http://amnesiak.org/NDprotector/

Compare it with slightly patched NTT DoCoMo

NDprotector, an implementation of RFC 3971 & RFC 3972

77th IETF

Tony Cheneau (TÉLÉCOM SudParis)

Arnaud Ebalard (EADS)

Motivations

http://mobisend.org) financially supported by ANR (French 'National Research Agency')

to Scapy6 tool to handle SEND messages and

deploy, extend and configure

Requirements

bindings

Implementation

assembles new options (e.g. RSA Signature Option)

Basic configuration of Routers

You should only change:

It will automatically:

Basic configuration of Hosts

You should only change:

It will automatically:

Limitations

recreate internal Neighbor Cache structure)

Future work

support

Thanks for listening

Questions ? Thoughts ? Improvements ?

http://amnesiak.org/NDprotector/

implementation we maintain here: http://mobisend.org/software.html