.\"-
.\" Copyright (c) 2010 Ana Kukec
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd September 19, 2010
.Dt SEND 4
.Os
.Sh NAME
.Nm send
.Nd "Kernel side support for Secure Neighbor Discovery (SeND)"
.Sh SYNOPSIS
.In sys/socket.h
.In netinet/in.h
.In netinet6/send.h
.Ft int
.Fn socket PF_INET6 SOCK_RAW IPPROTO_SEND
.Pp
To load the driver as a module at boot time, place the following line in
.Xr loader.conf 5 :
.Bd -literal -offset indent
send_load="YES"
.Ed
.Sh DESCRIPTION
IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover other nodes
on the link, to determine their link-layer addresses, to find routers, and
to maintain reachability information about the paths to active neighbors.
NDP is vulnerable to various attacks [RFC3756].
Secure Neighbor Discovery (SeND) is a set of extensions to NDP that counter
those threats [RFC3971].
.Pp
Kernel side support for SeND consists of a kernel module with hooks that
divert relevant packets (Neighbor Solicitations, Neighbor Advertisements,
Router Solicitations, Router Advertisements and Redirects) from the NDP stack,
pass them to user space on a dedicated socket and reinject them for
further processing.
Hooks are triggered only if the
.Nm
module is loaded.
.Pp
The native SeND socket is similar to a raw IP socket, but with its own,
internal pseudo-protocol (IPPROTO_SEND).
The structure
.Vt sockaddr_send
is defined in
.In netinet6/send.h .
It carries the total length of the structure, the address family, the
packet's direction (incoming or outgoing, from the interface's point of
view), and the interface index.
.Bd -literal
struct sockaddr_send {
	unsigned char	send_len;	/* total length */
	sa_family_t	send_family;	/* address family */
	int		send_direction;
	int		send_ifidx;
	char		send_zero[8];
};
.Ed
.Pp
The address family is always
.Dv AF_INET6 .
The
.Va send_direction
field denotes the direction of the packet from the interface's
point of view and has either the value
.Dv SND_IN
or
.Dv SND_OUT .
The
.Va send_ifidx
field is the interface index of the receiving or sending interface.
The
.Va send_zero
field is padding and must always be zero.
.Pp
If no user space application is bound to the send socket,
processing continues as if the module were not loaded.
.Sh INPUT HOOK
The input hook is named after the input path of the incoming or outgoing
NDP packets, on the way from the wire, through the nd6 stack, to user
space.
Relevant packets are identified by adding an mbuf_tag
(see
.Xr mbuf_tags 9 )
to the
.Xr mbuf 9 ,
if the
.Nm
module is loaded.
The packet is then passed on to the kernel-userland interface
for either cryptographic protection or validation by the SeND application.
The hook takes an argument that describes the direction of the packet.
.Dv SND_IN
is the direction of incoming packets, which are usually protected
by SeND options and are sent to user space for cryptographic validation.
.Dv SND_OUT
is the outgoing direction.
It covers both replies and locally originated outgoing packets, which are
sent to user space for the addition of SeND options.
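.Pp
The following program fragment is an added example, not part of
.Nm
or the
.Fx
source tree, showing the user space side of this interface: opening the
socket from the SYNOPSIS, building and checking the
.Vt sockaddr_send
that accompanies every diverted packet, a cheap SND_IN gate (ND message type
and hop limit 255) applied before any cryptographic work, and one
recvfrom/sendto round trip that reinjects with the same address.
The SND_IN, SND_OUT and IPPROTO_SEND values and the assumption that a
diverted packet begins with its IPv6 header are assumptions of the example,
not facts from this page; it deliberately does not include
.In netinet6/send.h
so that it also builds on non-FreeBSD hosts.
The sample Neighbor Solicitation is constructed inline, and the
.Fa validate
and
.Fa protect
callbacks are hypothetical hooks for the application's SeND logic.

```c
/*
 * Added example, not from send(4) or the FreeBSD tree: the user space side of
 * the SeND socket.  Assumed, not taken from the page: the SND_IN, SND_OUT and
 * IPPROTO_SEND values (normally from <netinet6/send.h>, left out so this also
 * builds off FreeBSD) and that a diverted packet starts at its IPv6 header.
 */
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/icmp6.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#if !defined(SND_IN) || !defined(IPPROTO_SEND)	/* assumed; see <netinet6/send.h> */
#define SND_OUT 0
#define SND_IN  1
#define IPPROTO_SEND 259
#endif
#define IP6_HDRLEN 40		/* ND messages carry no extension headers */

struct sockaddr_send {			/* layout as printed in send(4) */
	unsigned char send_len;		/* total length */
	sa_family_t   send_family;	/* always AF_INET6 */
	int           send_direction;	/* SND_IN or SND_OUT */
	int           send_ifidx;	/* receiving or sending interface */
	char          send_zero[8];	/* padding, must be zero */
};

int send_open(void)			/* the SYNOPSIS socket; needs send.ko loaded */
{
	return socket(PF_INET6, SOCK_RAW, IPPROTO_SEND);
}

/* Fill an address the way the kernel does for a diverted packet. */
void send_addr_init(struct sockaddr_send *sa, int direction, int ifidx)
{
	*sa = (struct sockaddr_send){ .send_len = sizeof(*sa),	/* rest zeroed */
	    .send_family = AF_INET6, .send_direction = direction,
	    .send_ifidx = ifidx };
}

/* Reject an address from recvfrom(2) that does not match send(4). */
bool send_addr_valid(const struct sockaddr_send *sa, socklen_t len)
{
	return len >= sizeof(*sa) && sa->send_len == sizeof(*sa) &&
	    sa->send_family == AF_INET6 && sa->send_ifidx > 0 &&
	    (sa->send_direction == SND_IN || sa->send_direction == SND_OUT) &&
	    memcmp(sa->send_zero, "\0\0\0\0\0\0\0\0", sizeof(sa->send_zero)) == 0;
}

/* ICMPv6 type of a diverted packet, or -1 if it is not IPv6 + ICMPv6. */
int send_pkt_icmp6_type(const uint8_t *pkt, size_t len)
{
	if (len < IP6_HDRLEN + sizeof(struct icmp6_hdr) ||
	    (pkt[0] >> 4) != 6 || pkt[6] != IPPROTO_ICMPV6)	/* version, next hdr */
		return -1;
	return pkt[IP6_HDRLEN];					/* icmp6_type */
}

/* The five types send(4) accepts back from user space; others get ENOSYS. */
bool send_is_nd_type(int type)
{
	return type == ND_ROUTER_SOLICIT || type == ND_ROUTER_ADVERT ||
	    type == ND_NEIGHBOR_SOLICIT || type == ND_NEIGHBOR_ADVERT ||
	    type == ND_REDIRECT;
}

/* Cheap SND_IN gate before any CGA/RSA work: an ND type, and the hop limit of
 * 255 that RFC 4861 requires (anything lower was forwarded by a router). */
bool send_in_acceptable(const uint8_t *pkt, size_t len)
{
	return send_is_nd_type(send_pkt_icmp6_type(pkt, len)) && pkt[7] == 255;
}

/* Constructed sample: a bare Neighbor Solicitation, no options, hop limit 255. */
const uint8_t sample_ns[IP6_HDRLEN + 8] = { 0x60, 0, 0, 0, 0, 8, IPPROTO_ICMPV6,
    255, [IP6_HDRLEN] = ND_NEIGHBOR_SOLICIT };
typedef size_t (*send_xform_fn)(uint8_t *pkt, size_t len, size_t cap); /* 0 = drop */

/* One recvfrom/sendto round trip.  The same sockaddr_send goes back so the
 * kernel reinjects on the matching path; not calling sendto(2) drops it. */
int send_handle_one(int fd, send_xform_fn validate, send_xform_fn protect)
{
	uint8_t pkt[2048];
	struct sockaddr_send sa;
	socklen_t salen = sizeof(sa);
	ssize_t n = recvfrom(fd, pkt, sizeof(pkt), 0, (struct sockaddr *)&sa, &salen);
	size_t out = 0;

	if (n < 0 || !send_addr_valid(&sa, salen))
		return -1;
	if (sa.send_direction == SND_OUT)
		out = protect(pkt, (size_t)n, sizeof(pkt));	/* add SeND options */
	else if (send_in_acceptable(pkt, (size_t)n))
		out = validate(pkt, (size_t)n, sizeof(pkt));	/* check them */
	if (out == 0)
		return 0;			/* dropped: reaches neither nd6 nor the wire */
	return sendto(fd, pkt, out, 0, (struct sockaddr *)&sa, sizeof(sa)) ==
	    (ssize_t)out ? 0 : -1;
}
```
.Pp
A daemon built on this calls
.Fn send_open
once and loops on
.Fn send_handle_one
with real
.Fa validate
and
.Fa protect
callbacks (CGA and RSA signature checks, option insertion); only one such
daemon can hold the socket at a time, a second one gets EEXIST.
A callback returning 0 drops the packet without reinjecting it, which is
the intended fate of an unsigned or forwarded Neighbor Solicitation on a
link that requires SeND.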
.Sh INCOMING PACKETS
The incoming ND packet from the wire:
.Bd -literal
        kernelspace                           (    userspace
                                              )
  incoming SeND/ND packet                     (
            |                                 )
            v            ( SND_IN )           (
      icmp6_input() -> send_input_hook ---> send socket ----+
            :                                 )             |
            :          #         #            (             |
   normal   :          #         #            )             v
 processing :          # send.ko #            (     SeND application
   path     :          #         #            )             |
            :          #         #            (             |
            v                                 )             |
 icmp6/nd6_??_input() <- protocol switch <--- send socket <---+
            |          structure (IPPROTO_SEND) )
            |            ( SND_IN )           (
            v                                 )
   continue normal ND processing              (
.Ed
.Sh OUTGOING PACKETS
Outgoing ND packet (reply or locally triggered):
.Bd -literal
        kernelspace                           (    userspace
                                              )
  nd6_na_input()                              (
  +PACKET_TAG_ND_OUTGOING                     )
     |                                        )
     |    outgoing packet                     (
     |          |                             )
     |          v                             (
     |    icmp6_redirect_output()             )
     |    nd6_ns_output()                     (
     |    nd6_na_output()                     )
     |    +PACKET_TAG_ND_OUTGOING             (
     |          |                             )
     |          +-----------<- rip6_output() <----------)----- rtsol/rtadvd/..
     |          |              +PACKET_TAG_ND_OUTGOING  (
     |          v                             )
     |    ip6_output()                        (
     |          |                             )
     +-------->-+                             (
                |                             )
                v          ( SND_OUT )        (
      nd6_output_lle() -> send_input_hook ---> send socket ----+
      -PACKET_TAG_ND_OUTGOING                 )             |
            :          #         #            (             |
   normal   :          #         #            )             v
 processing :          # send.ko #            (     SeND application
   path     :          #         #            )             |
            :          #         #            (             |
            v                                 )             |
 (*ifp->if_output)() <- protocol switch <--- send socket <---+
            |          structure (IPPROTO_SEND) )
            |            ( SND_OUT )          (
            v                                 )
   continue with normal packet output         (
.Ed
.Sh ERRORS
A socket operation may fail with one of the following errors returned:
.Bl -tag -width Er
.It Bq Er EEXIST
Another user space SeND application is already bound to the socket;
only one application can hold it at a time.
.It Bq Er ENOBUFS
Not enough buffer space to pass an incoming (SeND-protected, still to be
validated) or outgoing (still to be SeND-protected) packet between the
kernel and the SeND application.
.It Bq Er ENOSYS
A packet received from user space and passed to the NDP stack for further
processing is neither a Neighbor Solicitation, Neighbor Advertisement,
Router Solicitation, Router Advertisement nor Redirect.
.It Bq Er ENOENT
The interface output routines failed to send the packet out of the
interface.
.El
.Sh SEE ALSO
.Xr recvfrom 2 ,
.Xr sendto 2 ,
.Xr socket 2 ,
.Xr loader.conf 5
.Sh HISTORY
The
.Nm
module first appeared in
.Fx 9.0 .
.Sh AUTHORS
.An Ana Kukec Aq Mt anchie@FreeBSD.org ,
University of Zagreb
.Sh BUGS
Due to the lack of NDP locking, it is currently not possible to unload the
.Nm
module.