-
Notifications
You must be signed in to change notification settings - Fork 22
Port Knocking
In this tutorial we'll show how to realize the Port Knocking application by leveraging OpenState features.
Before going further into this tutorial, you have to make sure you've already installed the OpenState softswitch in Mininet as explained here http://openstate-sdn.github.io/. The completeness of this step leads Mininet to use OpenState as its OpenFlow user space switch.
-
Launch portknock controller application in Mininet by typing the following command:
$ ryu-manager ryu/ryu/app/openstate/portknock.py
The port knock program composes of the following port sequence, where to actually open the last port 2000 we must first "knock" the previous 4 ports.
PORT_LIST = [5123, 6234, 7345, 8456, 2000]
-
Start Mininet with a single topology with 2 hosts:
$ sudo mn --topo single,2 --mac --switch user --controller remote -x
-
To actually knock on UDP ports we'll use netcat on both h1 and h2. On h2's terminal run the following command:
h2# nc -lu 2000
-
On the h1's terminal type the following command:
h1# nc -u 10.0.0.2 2000
Type something on stdin and then press return. In this case netcat will read from stdin and send the message as a UDP packet to the specified port. Type ctrl-c to exit the nc process. As you can see from h2 no packet is received.
-
Using netcat on h1 send packets to the following ports: 5123, 6234, 7345, 8456 (type something, press return and ctrl-c to exit the process). You can use nc as specified by the following command:
h1# nc -u 10.0.0.2 5123 ... h1# nc -u 10.0.0.2 6234 ... h1# nc -u 10.0.0.2 7345 ... h1# nc -u 10.0.0.2 8456 ...
-
Finally, as we completed the knock sequence port 2000 should be open from h1 to h2.
h1# nc -u 10.0.0.2 2000 ...
It is possible to avoid points 5 and 6 by executing the script "test_port_knocking" in h1. This script will test an incorrect sequence and then the correct one. You have to specify the following command in h1 xterm:
h1# ~/ryu/ryu/app/openstate/test_port_knocking.sh
- Type something on stdin and then press return. You should see now h2 receiving packets on port 2000.
To debug flow entries:
$ sudo dpctl -c unix:/tmp/s1 stats-flow table=0