Final GSoC report for IPv6 Secure Neighbor Discovery project

Ana Kukec anchie at fer.hr
Fri Aug 21 21:40:41 UTC 2009


Hi,

For Google Summer of Code I had been working on a native kernel API for 
IPv6 SEcure Neighbor Discovery (SEND).

SEND is a way to secure the Neighbor Discovery protocol messages using 
public key based signatures, Cryptographically Generated Addresses for 
proving address ownership on individual nodes, and X.509 certificates 
for authorizing nodes to act as routers and to delegate certain prefixes.

The BSD licensed SEND implementation from NTT DOCOMO USA Labs was 
changed from using netgraph and the Berkeley Packet Filter to a native 
FreeBSD interface based on routing sockets.

If SEND is loaded, the kernel intercepts the respective incoming and 
outgoing ICMPv6 packets and sends them to user space for cryptographic 
processing (signing or validating the signatures) and, if OK, passes them 
back to the kernel for further normal processing or discards the packets.

During the last couple of weeks I was mostly testing, trying to get things 
to work. Most of the code was already written, but wrong handling of 
mbufs, especially when sending messages from kernel to the user space, 
took a few days to be tracked down.

Now, most of the things are done and working:
- successful exchange and validation of the Neighbor Solicitation,
- successful exchange and validation of the Neighbor Advertisement,
- successful exchange of the Neighbor Discovery Redirect message,
- the processing of the incoming direction of Router Solicitations and 
Router Advertisements.

I'll keep working on this project even now that GSoC has finished to get 
it to the point where it can be integrated into the main FreeBSD src tree.

Things that are next on the list:
- the processing of the outgoing direction of Router Solicitations and 
Router Advertisements,
- interoperability testing,
- implementation of the ongoing work in the IETF Cga & SeND maintenance WG.

Also documentation was updated to reflect the latest state of workflow 
and APIs.  You can find more information on my wiki page here: 
http://wiki.freebsd.org/SOC2009AnaKukec

In case you have p4 access you can find the code here,
http://p4web.freebsd.org/@md=d&cd=//&c=0hb@//depot/projects/soc2009/anchie_send/?ac=83 


In case you don't, feel free to mail me.  I plan to post patches once 
outgoing RS/RA packets fully work.

Thanks to Google and the FreeBSD Project for making it possible that I
could work on this.

Ana
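
An added example, not part of the original post or of the SEND code it describes: the address-ownership check behind Cryptographically Generated Addresses, following the hash steps of RFC 3972 (SEND additionally verifies the RSA signature made with the same key). The function names, the counter-based modifier, the prefix and the key bytes are assumptions constructed for illustration, and extension fields are omitted.

```python
import hashlib
import ipaddress

# Hash1 comparison ignores the Sec field and the u/g bits (RFC 3972).
ID_MASK = 0x1CFFFFFFFFFFFFFF

# Constructed samples: documentation prefix, stand-ins for DER public keys.
PREFIX = bytes.fromhex("20010db800000000")
PUBKEY = b"constructed placeholder for the owner's DER public key"
OTHER = b"constructed placeholder for some other node's key"


def cga_hashes(modifier, prefix, collisions, pubkey):
    """Return (Hash1, Hash2) as 64-bit and 112-bit integers."""
    h1 = hashlib.sha1(modifier + prefix + bytes([collisions]) + pubkey).digest()
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return int.from_bytes(h1[:8], "big"), int.from_bytes(h2[:14], "big")


def cga_generate(prefix, pubkey, sec=0):
    """Return (address, modifier, collision_count) for a new CGA.
    Assumption: a counter replaces the random modifier for repeatability."""
    counter = 0
    while True:
        modifier = counter.to_bytes(16, "big")
        h1, h2 = cga_hashes(modifier, prefix, 0, pubkey)
        if h2 >> (112 - 16 * sec) == 0:  # 16*sec leading zero bits required
            iid = (h1 & ID_MASK) | (sec << 61)
            addr = ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))
            return addr, modifier, 0
        counter += 1


def cga_verify(address, modifier, collisions, pubkey):
    """True if the address is bound to pubkey under these CGA parameters."""
    raw = ipaddress.IPv6Address(address).packed
    # Taking the prefix from the address enforces the prefix-match step.
    prefix, iid = raw[:8], int.from_bytes(raw[8:], "big")
    if collisions not in (0, 1, 2) or len(modifier) != 16:
        return False
    h1, h2 = cga_hashes(modifier, prefix, collisions, pubkey)
    if (h1 & ID_MASK) != (iid & ID_MASK):
        return False
    return h2 >> (112 - 16 * (iid >> 61)) == 0


if __name__ == "__main__":
    addr, mod, cc = cga_generate(PREFIX, PUBKEY, sec=1)
    print(addr, cga_verify(addr, mod, cc, PUBKEY), cga_verify(addr, mod, cc, OTHER))
```

A node that presents a different public key, a changed interface identifier, or an out-of-range collision count fails the check, which is what lets a receiver reject Neighbor Discovery messages from a host that does not own the source address.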

