LC(1)							    LC(1)


NAME
       lc - Low Latency stdio <-> Layer 2 Filtering Bridge

SYNOPSIS
       lc [-l interface] [-m interface] [options]

PACKAGE
       Paketto Keiretsu 1.0

DESCRIPTION
       Linkcat (lc) attempts to do for Layer 2 (Ethernet) what Netcat
       (nc) does for Layers 4-7 (TCP/UDP): provide direct, bidirectional,
       streaming access to the network.  libpcap/tcpdump syntax filters
       may be specified in either direction, but no filtering is enabled
       by default.  Two separate syntaxes are supported; one accepts and
       emits libpcap dump format (raw binary with a fixed size file
       header and a fixed size packet header), the other accepts and
       emits simple hex with backslash line continuation.  Several other
       features are also implemented; specifically, early work involving
       the embedding of cryptographic shared-secret signatures in the
       Ethernet trailer is demonstrated.


OPTIONS

       -l interface
              Sniff frames from this interface.  "00" may be used in
              place of an explicitly specified interface to imply
              sniffing from the first available interface.

       -m interface
	      Spoof frames onto this interface.	 "00" may be used
	      in  place	 of  an explicitly specified interface to
	      imply spoofing onto the first available  interface.

       -p/-P filter
              Specify a filter through which sniffed (-p) or spoofed
              (-P) frames will be matched against before they're
              allowed to pass through.  The syntax is extraordinarily
              straightforward; see tcpdump documentation for examples.
              "not port 22", "tcp and ether src 00:11:22:33:44:55",
              "host www.doxpara.com", and "icmp or (udp and port 53)"
              are all valid filters.

       -w sniff_file
              Specify a file that sniffed frames should be written
              into, rather than simply being dropped onto stdout.

       -r spoof_file
              Specify a file that spoofed frames should be read from,
              rather than being extracted from stdin.

       -t [h/p]
              Specify the type of file that linkcat should operate
              against.  -th emits and accepts packets in hexadecimal
              ASCII format, with end-of-line (without continuation)
              implying end of frame.  -tp emits and accepts packets in
              raw libpcap mode, replete with libpcap file header,
              pkthdr structs, and raw binary data.  The latter format
              has not been audited (by this author) for security
              breaches; the former has no out-of-band signaling aside
              from the implied end-of-frames.  However, the HEX/ASCII
              format has a 3x data expansion penalty (obviously heavily
              compressible).

       -o/-O m-n
              Emit a byte range as an integer, presumably for phentropy
              (another component of the Paketto Keiretsu) to parse.
              Effectively, given an incoming frame, return the mth
              through the nth bytes as a hexadecimal integer preceded
              by 0x.  -o outputs the bytes in network order; -O outputs
              the bytes in reverse (presumably correct) order.  This
              can be used to great effect for extracting the entropy of
              TCP Sequence Numbers (-p tcp -O 39-42) and other
              semi-random network fields.  (m - n) must be equal to 1,
              2, or 4 for phentropy 1.0 to correctly understand it.

       -e     Output  spoofed  frame  to  stderr,  as  a hexdump.
	      Occasionally useful.

       -c num Output no more than num characters to stdio at once.
              Overflow will be handled using the \ continuator.
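       The following is an added illustration, not code from the Paketto
       Keiretsu, of the -th hex format with \ continuation (and the -c
       line width) together with the -o/-O byte-range extraction.  It
       assumes hex digits are contiguous, that m-n is 1-based and
       inclusive (so 39-42 lands on the TCP sequence number of a plain
       Ethernet/IPv4/TCP frame), and that the page's "(m - n)" means the
       number of bytes covered; the frame is constructed here.

```python
import struct

def emit_hex(frame: bytes, width: int = 32) -> str:
    """-th output: hex digits, split into lines of at most `width`
    characters; every non-final line ends in a \ continuator and a line
    without one ends the frame (width stands in for lc's -c num)."""
    digits = frame.hex()
    lines = [digits[i:i + width] for i in range(0, len(digits), width)] or [""]
    return "\\\n".join(lines) + "\n"

def parse_hex(text: str) -> list:
    """-th input: join backslash-continued lines; a bare end-of-line
    terminates the frame.  Whitespace is ignored (assumed tolerance)."""
    frames, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        buf += line
        if buf:
            frames.append(bytes.fromhex(buf))
        buf = ""
    if buf:                      # frame cut off without a final newline
        frames.append(bytes.fromhex(buf))
    return frames

def byte_range(frame: bytes, m: int, n: int, reverse: bool = False) -> str:
    """-o/-O m-n: bytes m..n (1-based, inclusive; assumed from the 39-42
    TCP sequence number example) as a 0x-prefixed hex integer.
    reverse=True mirrors -O, which emits the bytes in the opposite order."""
    if n - m + 1 not in (1, 2, 4):   # the only widths phentropy 1.0 accepts
        raise ValueError("range must cover 1, 2 or 4 bytes")
    chunk = frame[m - 1:n]
    if len(chunk) != n - m + 1:
        raise ValueError("frame too short for requested range")
    if reverse:
        chunk = chunk[::-1]
    return "0x" + chunk.hex()

def sample_tcp_frame(seq: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP header-only frame (no checksums)
    so that the TCP sequence number sits at bytes 39-42."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp
```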


EXPERIMENTS (TRAILER CRYPTO)
       -M key Append a 20 byte Message Authentication Code (HMAC-SHA1)
              to the end of an outgoing frame before spoofing it onto
              the wire, using the SHA-1'd results of a user provided
              key.  Since both IP and ARP are immune to and expect
              random content in the ethernet trailer, this does not
              interfere with normal operations.  Security is limited to
              the entropy of the provided key, and direct replay
              attacks are entirely trivial in this implementation
              (though the content of the replayed packet may not be
              changed).

       -L key Verify that the last 20 bytes of every frame sniffed off
              the wire forms an HMAC-SHA1 hash of the supplied packet,
              or refuse to output said frame to its appropriate dump --
              stdout or a file named via -w.  This happens without any
              frame parsing, so theoretically it's possible to
              authenticate even broken traffic.

       -S     Strip the HMAC-SHA1 hash upon verifying (i.e. don't
              propagate to future clients).
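       The following is an added model of the -M/-L/-S trailer scheme,
       written for this page and not taken from the Paketto Keiretsu.  It
       assumes the HMAC is keyed with SHA-1 of the user key and covers
       every byte of the frame before the 20-byte tag, that the frame
       handed in already carries its 14-byte Ethernet header, and an
       Ethernet MTU of 1500 for the full-MTU case noted under BUGS.
       Verification is stateless, which is exactly why an unmodified
       resent copy verifies (the replay property described above) while
       any changed byte does not.

```python
import hmac
import hashlib

TAG_LEN = 20      # HMAC-SHA1 output length: lc's 20-byte trailer
ETH_HDR = 14      # destination MAC, source MAC, EtherType
MTU = 1500        # assumed Ethernet payload limit

def trailer_key(user_key: bytes) -> bytes:
    """-M/-L key: the HMAC key is the SHA-1 of the user-provided key."""
    return hashlib.sha1(user_key).digest()

def has_room(frame: bytes) -> bool:
    """BUGS caveat: a payload already at the MTU leaves no room for the
    trailer, so the signature cannot be appended to such a frame."""
    return len(frame) - ETH_HDR + TAG_LEN <= MTU

def sign_frame(frame: bytes, user_key: bytes) -> bytes:
    """-M: append HMAC-SHA1(sha1(key), frame) to the outgoing frame.
    Nothing in the frame is parsed; IP and ARP ignore trailer bytes."""
    if not has_room(frame):
        raise ValueError("no room for the trailer below the MTU")
    tag = hmac.new(trailer_key(user_key), frame, hashlib.sha1).digest()
    return frame + tag

def verify_frame(frame: bytes, user_key: bytes, strip: bool = False):
    """-L (plus -S when strip=True): check the last 20 bytes against the
    HMAC of everything before them, again without parsing the frame.
    Returns the frame (minus the tag if strip) or None on failure."""
    if len(frame) <= TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expect = hmac.new(trailer_key(user_key), body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expect):   # constant-time comparison
        return None
    return body if strip else frame
```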


BUGS
       "any" device doesn't work right, yet.  Oh, and the trailer
       crypto has serious issues when IP actually takes up the entire
       ethernet packet up to the MTU limit.  I had thought jumbo frame
       support was more widespread when I developed this tech.  I had
       *no idea* how acrimonious the debate was.  Still, trailer crypto
       outshines TCP options for sideband signatures... at least until
       Boneh's Weil Pairing work becomes a) available and b) fast.
       (Soon on both counts!)

AUTHOR
       This  work  has	been  done  by	Dan  Kaminsky  of DoxPara
       Research, who may be reached at dan@doxpara.com.
