sp3

package module
v0.0.0-...-e3fa1f4 Latest
Published: Mar 13, 2017 License: BSD-3-Clause Imports: 6 Imported by: 0

README

(SP)^3: A Simple Practical & Safe Packet Spoofing Protocol

Install an SP^3 Server: go get github.com/willscott/sp3

SP3 provides a mechanism through which a server that is able to send spoofed packets can offer that ability in a limited form. In particular, the protocol supports spoofing packets only when the destination client has consented in advance to receive them.

Why?

There are several uses of SP^3 we've thought of, and we're sure there are many more.

  • NAT hole-punching facilitation. Currently, NAT hole-punching only works for UDP, partially because even when the clients are controlled, it generally requires root permissions to send packets with a specific sequence number. Having a source of packet injection can provide a mechanism to synchronize sequence numbers and create TCP connections between two NAT'ed machines.

  • Firewall characterization. It's often difficult to test how your network will respond to packets sent from black-holed or unadvertised prefixes. A source of packets can allow you to validate firewall rules and routing policy.

  • Circumvention. The ability to send packets from arbitrary sources can help to mask traffic by adding a layer of cover traffic and IP diversity that makes surveillance much more difficult.

Design

There are three participants in SP3: the server, client, and sender. The server is the host which can send spoofed packets. It acts as a relay, accepting encapsulated IP packets from the sender and sending them to the client, even when their source address is spoofed. The client is the destination that receives the packets. The sender is the host that generates the packets.

One issue with packet spoofing is the number of attack vectors it opens. In order to provide a service that makes a reasonable trade-off between enabling valid use cases while not opening itself up to abuse and attacks, the server enforces a policy on packets it is willing to send. The primary property the server attempts to guarantee is that the client consents to receiving spoofed packets.

The server provides a number of mechanisms by which the client can provide this consent. The simplest is that the client establishes a connection to the server and directly tells the server it is willing to receive traffic. This is done with a WebSocket-based connection, and supports a client running in a web browser. When the client cannot or is unwilling to establish a direct connection to the server, it can generate a proof-of-ownership for the sender, which proves the client's location and intent without direct communication to the server.
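The consent property described above, as an added example that is not part of the sp3 project's code: a hypothetical server-side relay check that parses the encapsulated IPv4 header and refuses to forward any packet whose destination is not the address the client authorized, while leaving the (spoofed) source address alone. The Status values mirror the package's enum; CheckPacket and MkIPv4 are assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Status mirrors the page's Status enum (assumed to carry the same values).
type Status int
const (
	OKAY Status = iota
	UNAUTHORIZED
	UNSUPPORTED
	INVALID
)

// CheckPacket is a hypothetical relay policy: the encapsulated IPv4 packet is
// forwarded only if its destination field equals the address the client consented
// to (consented is nil until the client's authorization step has completed).
// The source address is deliberately not checked; spoofing it is the service.
func CheckPacket(consented net.IP, pkt []byte) (Status, error) {
	if consented == nil {
		return UNAUTHORIZED, errors.New("no consented destination for this session")
	}
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return INVALID, errors.New("not a parseable IPv4 packet")
	}
	if dst := net.IP(pkt[16:20]); !dst.Equal(consented) {
		return UNAUTHORIZED, fmt.Errorf("destination %s is not the consented %s", dst, consented)
	}
	return OKAY, nil
}

// MkIPv4 builds a minimal 20-byte IPv4 header as constructed sample input
// (version/IHL set; total length and checksum left zero).
func MkIPv4(src, dst net.IP) []byte {
	h := make([]byte, 20)
	h[0] = 0x45
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	return h
}

func main() {
	client, other := net.ParseIP("203.0.113.7"), net.ParseIP("203.0.113.8")
	fmt.Println(CheckPacket(client, MkIPv4(net.ParseIP("198.51.100.1"), client))) // 0 <nil>
	fmt.Println(CheckPacket(client, MkIPv4(net.ParseIP("198.51.100.1"), other)))  // 1 destination ...
}
```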

Server

Build:

apt-get install libpcap-dev
cd server
go build

Run

sudo ./server [--port 8080]

Sender

Client

A web based client is included in the client directory.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthenticationMethod

type AuthenticationMethod int
const (
	WEBSOCKET AuthenticationMethod = iota
	STUNINJECTION
	PATHREFLECTION
)

type Authenticator

type Authenticator interface {
	Authenticate(chan<- string) (AuthenticationMethod, []byte, error)
}

An SP3 Authenticator is the interface for a specific authentication method. The method is passed a channel to complete the challenge from the server; the Authenticate method should set up a listener, and then provide the AuthenticationMethod and AuthenticationOptions for the SenderHello message.

type DirectAuth

type DirectAuth struct {
	// contains filtered or unexported fields
}

func (DirectAuth) Authenticate

func (d DirectAuth) Authenticate(done chan<- string) (AuthenticationMethod, []byte, error)

type SenderAuthorization

type SenderAuthorization struct {
	DestinationAddress string
	Challenge          string
}

type SenderHello

type SenderHello struct {
	DestinationAddress    string
	AuthenticationMethod  AuthenticationMethod
	AuthenticationOptions []byte
}

type SenderMessage

type SenderMessage struct {
	Packet []byte
}

type ServerMessage

type ServerMessage struct {
	Status    Status
	Challenge string
	Sent      []byte
}

type Sp3Conn

type Sp3Conn struct {
	*websocket.Conn
	// contains filtered or unexported fields
}

func Dial

func Dial(sp3server url.URL, destination net.IP, auth Authenticator, dialer *websocket.Dialer) (*Sp3Conn, error)

A Go client for connecting to an SP^3 server to send packets.

func (*Sp3Conn) Close

func (s *Sp3Conn) Close() error

func (*Sp3Conn) LocalAddr

func (s *Sp3Conn) LocalAddr() net.Addr

func (*Sp3Conn) ReadFrom

func (s *Sp3Conn) ReadFrom(b []byte) (n int, addr net.Addr, err error)

func (*Sp3Conn) SetDeadline

func (s *Sp3Conn) SetDeadline(t time.Time) error

func (*Sp3Conn) SetReadDeadline

func (s *Sp3Conn) SetReadDeadline(t time.Time) error

func (*Sp3Conn) SetWriteDeadline

func (s *Sp3Conn) SetWriteDeadline(t time.Time) error

func (*Sp3Conn) WriteTo

func (s *Sp3Conn) WriteTo(b []byte, addr net.Addr) (n int, err error)

type State

type State int
const (
	SENDERHELLO State = iota // Waiting for client Hello message.
	HELLORECEIVED
	AUTHORIZED // Acceptable ClientAuthorization received.
)

type Status

type Status int
const (
	OKAY         Status = iota
	UNAUTHORIZED        // Sender isn't authorized to send to that destination
	UNSUPPORTED         // Server doesn't support the requested AuthenticationMethod
	INVALID             // Server failed to parse the message
)

Directories

  • examples
  • lib
