Commit 5a484b37 authored by 's avatar
Browse files

added mapi_set_authdata description

git-svn-id: file:///home/svn/mapi/trunk@230 8d5bb341-7cf1-0310-8cf6-ba355fef3186
parent 788ff771
...@@ -568,7 +568,130 @@ is included in Appendix~\ref{sec:misccode}. Since the application has ...@@ -568,7 +568,130 @@ is included in Appendix~\ref{sec:misccode}. Since the application has
access to the full packet record, {\tt print\_IP\_pkt()} can be altered access to the full packet record, {\tt print\_IP\_pkt()} can be altered
as needed to print any other part of the packet, even the whole packet payload. as needed to print any other part of the packet, even the whole packet payload.
\subsection{Admission control}
In this example we illustrate the admission control features of mapi.
In most cases administrators of sensors do not want users to gain full
control. Contrariwise, users should be restricted in means of the functions
that they are allowed to apply to a flow. The main reasons behind this
reluctance are privacy and performance. As far as privacy is concerned,
an administrator may not be willing to provide full packets to users
but only statistics as packet of byte counters. Moreover, since some
functions may consume a large amount of resources, such as the string
search function, the usage of these functions should be restricted.
The administrator of each sensor creates a usage policy, that specifies
how the sensor can be used, or in other words which functions the user is
able to use. A sample policy is presented below:
\begin{code}
KeyNote-Version: 2
Authorizer: "rsa-base64:MIGJAoGBAJvSuO9jaR6MUcSvI8L/kYodSAAE="
Licensees: "rsa-base64:MIGJAoGBAMNhS1N2Hbj6eipkayuQ0rVlDApl="
Conditions: device_name ~= "eth[0-9]"
&& (TO_BUFFER != "defined")
&& @$("STR_SEARCH.num") < 4 -> "true";
Signature: "sig-rsa-sha1-base64:aVjpVTDs2ZWAQjJD2o5IUh+jDZc="
\end{code}
Policies in general specify that the administrator of the sensor,
identified in the {\tt Authorizer} field, permit users that are identified
in the {\tt Licensees} field to create network flows if they conform to the
assertions that are specified in the {\tt Conditions} field. In this particular
policy the conditions restrict the user to open an interface in the
range of eth0-eth9, do not use the {\tt TO\_BUFFER} function and apply less
than four {\tt STR\_SEARCH} functions.
When a user wants to use a sensor, he contacts the administrator of
the sensor and sends his public key. The administrator adds this public
key to the Licensees field of the policy and then digitally signs the
message, as it is shown in the {\tt Signature} field. This latter step is
mandatory so no one can alter the policy. The signed policy, called
credentials, is returned to the user and should be used every time a
flow is created. For example, in the following program a user wants
to count the packets in a mapi sensor.
\begin{Verbatim}[numbersep=12pt, numbers=left, baselinestretch=1.1, fontsize=\small]
#include <stdio.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include "mapi.h"
static int fd;
int main(int argc,char **argv)
{
int counter, loop = 10, int connect_status;
unsigned long long *res;
struct dmapi_results *dres;
signal(SIGINT,die);
signal(SIGTERM,die);
signal(SIGQUIT,die);
/* create a flow using the eth0 interface */
fd = mapi_create_flow("eth0");
if (fd <0)
{
printf("Could not create flow\n");
}
/* apply a packet counter */
counter = mapi_apply_function(fd,"PKT_COUNTER");
/* set the authentication data for the flow */
if ( mapi_set_authdata(fd,"public_key","private_key","credentials") != 0 )
{
printf("Setting authdata failed\n");
die(0);
}
/* connect to the flow */
connect_status = mapi_connect(fd);
if(connect_status < 0)
{
printf("Connect failed")
if(connect_status == -1 )
printf("Authorization error\n");
die(0);
}
while( loop-- ) //count the packets
{
sleep(1);
res = mapi_read_results(fd,counter,MAPI_COPY);
if(res)
printf("PKTS=%llu\n",*res);
else
printf("mapi_read_results failed!\n");
}
die(0);
return 0;
}
static void die(int d)
{
mapi_close_flow(fd);
exit(0);
}
\end{Verbatim}
The user creates a flow (line 20) and then applies the packet counter
function (line 27). Then he should send the data that will be used
authenticate his against the sensor as well as his credentials. This is
done with the {\tt mapi\_set\_authdata} function (line 30). Using the public
and private key, a challenge is created so that the identity of the
user can be certified. The last parameter, credentials, is the policy
that the administrator has sent to the user. When the user connect to
the flow (line 37), the daemon that performs the admission control
(authd) authenticates the user and check whether the flow specification
conform to the policy so that the flow will be created. In it does
not, an authorization error is returned to the user.
\appendix \appendix
...@@ -593,8 +716,8 @@ Synopsis ...@@ -593,8 +716,8 @@ Synopsis
struct mapipkt * mapi_get_next_pkt(int fd, int fid); struct mapipkt * mapi_get_next_pkt(int fd, int fid);
int mapi_loop(int fd, int fid, int cnt, mapi_handler); int mapi_loop(int fd, int fid, int cnt, mapi_handler);
void * mapi_read_results(int fd, int fid, int copy); void * mapi_read_results(int fd, int fid, int copy);
int mapi_set_authdata(int fd, const char *pub, const char *priv, const int mapi_set_authdata(int fd, const char *public_key,
char *creds); const char *private_key, const char *credentials);
int mapi_load_library(char *library); int mapi_load_library(char *library);
int mapi_unload_library(char *library); int mapi_unload_library(char *library);
int mapi_get_flow_info(int fd, mapi_flow_info_t *info); int mapi_get_flow_info(int fd, mapi_flow_info_t *info);
...@@ -691,8 +814,15 @@ Routines ...@@ -691,8 +814,15 @@ Routines
with the description of the error denoted by err_no. Memory for both with the description of the error denoted by err_no. Memory for both
arguments must have been previously allocated. arguments must have been previously allocated.
int mapi_set_authdata(int fd, char *pub, char *priv, char *creds); int mapi_set_authdata(int fd, char *public_key,
Sets the required information to authorize a flow. char *private_key, char *credentials);
mapi_set_authdata() sets the required information to authorize a flow.
This function is required only if authorization is enabled in the mapi
sensor. Keys are used to authenticate the user while the credentials
provide the sensor with the policy that the flow should comform to.
The user can retreive the digitaly signed credentials (so that thay can
not be altered) from the administrator of each sensor. Authorization is
performed upon mapi_connect().
int mapi_load_library(char *lib); int mapi_load_library(char *lib);
mapi_load_library() is used to inform the MAPI daemon for the new mapi_load_library() is used to inform the MAPI daemon for the new
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment