This repository has been archived by the owner on May 2, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhackathon.tex
88 lines (74 loc) · 3.47 KB
/
hackathon.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
\documentclass{beamer}
\usetheme{metropolis} % Use metropolis theme
\usepackage{minted}
\title{ICMPv6 support for libpcap}
\date{\today}
\author{Matthias Hannig, Moritz Wilhelmy}
\institute{RIPE NCC IPv6 Hackathon Copenhagen}
\begin{document}
\maketitle
\section{Teaching somebody else's old dog new tricks}
\begin{frame}{The Problem}
\texttt{tcpdump -i en0 "icmp6[icmptype] = icmp6-echo"}\\
\texttt{tcpdump: IPv6 upper-layer protocol is not supported by proto[x]}
With the current version of libpcap it's not possible to match directly on ICMPv6 packet header attributes.
\end{frame}
\begin{frame}{Enter BPF}
\begin{itemize}
\item Berkeley Packet Filter is a bytecode register machine that runs inside the kernel.
\item Used for performing computational operations on network packets (and nowadays other data on Linux).
\item Linux and FreeBSD JIT-compile the bytecode to native assembly on a
variety of platforms for additional speed.
\item libpcap uses it internally as a compile target for its filter expression syntax.
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Example bytecode: IPv6 packet?}
\begin{minted}{text}
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 3
(002) ret #TRUE
(003) ret #0
\end{minted}
\begin{itemize}
\item Load half-word (16 bit) at offset 12 (EtherType) into the accumulator
\item Compare equality with magic value for IPv6 packet \texttt{0x86dd}
\item If true, jump to line 2, else jump to line 3
\item Return true if it matches, or false if it doesn't
\end{itemize}
\end{frame}
\begin{frame}{What is libpcap?}
\begin{itemize}
\item Packet capture: OS independent engine to tap into the network stack
\item Fallback BPF bytecode interpreter in case the kernel rejects the BPF code
\item BPF filter code generator
\end{itemize}
\end{frame}
\begin{frame}[fragile]{Adding ICMPv6}
\setminted{fontsize=\tiny,baselinestretch=1}
\begin{minted}[breaklines]{text}
# tcpdump 'icmp6[icmptype] = icmp6-neighboradvert'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:21:23.046939 IP6 2001:470:ddf6:0:209a:219e:ffd4:5e74 > 2001:470:ddf6::1: ICMP6, neighbor advertisement, tgt is 2001:470:ddf6:0:209a:219e:ffd4:5e74 length 24
^C
# tcpdump 'icmp6[icmptype] = icmp6-echoreply || icmp6[icmptype] = icmp6-echo'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:50:43.424237 IP6 2001:470:ddf6:0:209a:219e:ffd4:5e74 > 2a00:1450:4013:c00::65: ICMP6, echo request, seq 1, length 64
13:50:43.457299 IP6 2a00:1450:4013:c00::65 > 2001:470:ddf6:0:209a:219e:ffd4:5e74: ICMP6, echo reply, seq 1, length 64
\end{minted}
\end{frame}
\begin{frame}[fragile]{Future developments}
There are several shortcomings in IPv6 processing inside libpcap, for
instance there is no generic IPv6 header processing code.
This is partly because IPv6 allows chaining of extension headers, making
processing in plain BPF complicated due to restrictions imposed by the
kernel (no loops allowed to ensure that the BPF program terminates).
\end{frame}
\begin{frame}[standout]
Demo time
\end{frame}
\begin{frame}{Thank you!}
Questions?
\end{frame}
\end{document}