Does lwIP support Zeroconf? - c

I see that lwIP has some AutoIP (aka IPv4LL, aka RFC 3927) code, but I can't tell if it does anything higher up in the Zeroconf stack, namely mDNS and DNS-SD (with RFC 2782).
So, does lwIP support DNS-SD service discovery? If not, would it be easy to port code from a project like Avahi that does (assuming licensing allows it)?

No, lwIP does not support any part of Zeroconf except AutoIP.
I've not looked at Avahi but porting Apple's mDNSResponder to lwIP is quite straightforward. There is one bit of nastiness where you have to pull back the pbuf headers to access the IP header to get the sender IP (I think a "proper" method for this is in the works for lwIP but AFAIK it's not in a release yet). With mDNSResponder you get both service advertisement and discovery.

I can't comment on the LWIP part of your question (the last time I used LWIP it didn't even have IPv4LL support), but you might be interested to know that Apple have open-sourced their mDNSResponder code, available from here:
http://developer.apple.com/networking/bonjour
The interesting thing about this implementation is that they provide a VxWorks platform layer which may well be a better match for porting to your embedded target than the Avahi library.

The lwIP web site has a task tracker with the following three items (it looks as though they were added around 2010, around the time this question was originally asked):
Add "One shot" Multicast DNS Queries (.local) to dns.c
Marked done, Dec 2016. It provides a subset of ZeroConf functionality. It is not a complete solution, but could be a good basis to build upon.
Create "mDNSQuerier" module to support multiple response and continuous Multicast DNS queries
Create multicast DNS Responder module enabling LwIP applications to support multicast DNS host name resolution
On 28 August 2015, these latter two tickets were marked "Cancelled" with the note "Cancelled since noone seems to want to work on this."

Here is a very small mDNS responder which can be ported rather easily to lwIP:
https://bitbucket.org/geekman/tinysvcmdns
Apple's mDNSResponder is still rather heavyweight for very small systems (in terms of RAM usage), so if only basic functionality is required this one may be preferred.
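As an added illustration of the pieces these answers refer to (example code written for this page, not lwIP's dns.c, mDNSResponder or tinysvcmdns): a "one shot" mDNS query is an ordinary DNS query sent to 224.0.0.251:5353, and DNS-SD layers a PTR lookup for a service type such as _http._tcp.local on top of it, with the SRV record (RFC 2782) carrying the host and port. The parser follows compression pointers and bounds-checks every record before reading it; the reply bytes, the service name, the host printer.local and port 8080 are constructed for the example.

```c
/* Added example, not lwIP code: a one-shot mDNS PTR query for a DNS-SD service
 * type, and an SRV (RFC 2782) parser for the reply. Reply bytes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TYPE_PTR = 12, TYPE_SRV = 33 };
struct srv_record { uint16_t priority, weight, port; char target[256]; };

/* Encode "a.b.c" as DNS labels; returns bytes written or 0 on error. */
static size_t encode_name(const char *name, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63 || pos + len + 2 > cap) return 0;
        out[pos++] = (uint8_t)len;
        memcpy(out + pos, name, len); pos += len;
        name = dot ? dot + 1 : name + len;
    }
    if (pos >= cap) return 0;
    out[pos++] = 0;                                       /* root label terminates the name */
    return pos;
}

/* Standard query: id 0, flags 0, one question, class IN with the
 * unicast-response bit clear (a "QM" query, answered by multicast). */
size_t build_mdns_query(const char *name, uint16_t qtype, uint8_t *buf, size_t cap)
{
    if (cap < 12) return 0;
    memset(buf, 0, 12); buf[5] = 1;                       /* QDCOUNT = 1 */
    size_t n = encode_name(name, buf + 12, cap - 12);
    if (n == 0 || 12 + n + 4 > cap) return 0;
    size_t pos = 12 + n;
    buf[pos++] = (uint8_t)(qtype >> 8); buf[pos++] = (uint8_t)qtype;
    buf[pos++] = 0; buf[pos++] = 1;                       /* QCLASS = IN */
    return pos;
}

/* Decode a possibly compressed name into dotted form; returns the offset just
 * past the name in the enclosing record, or 0 on malformed input. */
static size_t decode_name(const uint8_t *m, size_t len, size_t off, char *out, size_t cap)
{
    size_t o = 0, end = 0, hops = 0;
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) { out[o] = 0; return end ? end : off + 1; }
        if ((l & 0xC0) == 0xC0) {                         /* compression pointer */
            if (off + 1 >= len || ++hops > 16) return 0;
            size_t ptr = (size_t)((l & 0x3F) << 8 | m[off + 1]);
            if (!end) end = off + 2;
            if (ptr >= off) return 0;                     /* pointers only go backwards */
            off = ptr; continue;
        }
        if (off + 1 + l > len || o + l + 2 > cap) return 0;
        if (o) out[o++] = '.';
        memcpy(out + o, m + off + 1, l);
        o += l; off += 1 + l;
    }
    return 0;                                             /* ran off the end of the message */
}

/* Return the first SRV answer of a response: 1 on success, 0 otherwise. */
int find_srv(const uint8_t *m, size_t len, struct srv_record *srv)
{
    char name[256]; size_t off = 12;
    if (len < 12 || !(m[2] & 0x80)) return 0;             /* QR bit: must be a response */
    uint16_t qd = (uint16_t)(m[4] << 8 | m[5]), an = (uint16_t)(m[6] << 8 | m[7]);
    for (size_t i = 0; i < (size_t)qd + an; i++) {        /* questions first, then answers */
        if (!(off = decode_name(m, len, off, name, sizeof name))) return 0;
        if (i < (size_t)qd) { if (off + 4 > len) return 0; off += 4; continue; }
        if (off + 10 > len) return 0;
        uint16_t type = (uint16_t)(m[off] << 8 | m[off + 1]), rdlen = (uint16_t)(m[off + 8] << 8 | m[off + 9]);
        if ((off += 10) + rdlen > len) return 0;          /* RDATA must fit the datagram */
        if (type == TYPE_SRV && rdlen >= 7) {
            srv->priority = (uint16_t)(m[off] << 8 | m[off + 1]);
            srv->weight   = (uint16_t)(m[off + 2] << 8 | m[off + 3]);
            srv->port     = (uint16_t)(m[off + 4] << 8 | m[off + 5]);
            /* RFC 6762 allows the target inside SRV RDATA to be compressed */
            return decode_name(m, len, off + 6, srv->target, sizeof srv->target) != 0;
        }
        off += rdlen;
    }
    return 0;
}

/* Constructed reply: PTR _http._tcp.local -> Printer._http._tcp.local, then
 * SRV Printer._http._tcp.local -> printer.local:8080, both using compression. */
const uint8_t sample_mdns_response[] = {
    0x00,0x00, 0x84,0x00, 0x00,0x00, 0x00,0x02, 0x00,0x00, 0x00,0x00,      /* header: response, AA, 2 answers */
    5,'_','h','t','t','p', 4,'_','t','c','p', 5,'l','o','c','a','l', 0,
    0x00,0x0C, 0x80,0x01, 0x00,0x00,0x11,0x94, 0x00,0x0A, 7,'P','r','i','n','t','e','r', 0xC0,0x0C,
    0xC0,0x28, 0x00,0x21, 0x80,0x01, 0x00,0x00,0x00,0x78, 0x00,0x10,
    0x00,0x00, 0x00,0x00, 0x1F,0x90, 7,'p','r','i','n','t','e','r', 0xC0,0x17
};

int main(void)
{
    uint8_t q[64]; struct srv_record s;
    printf("query: %zu bytes, send to 224.0.0.251:5353\n", build_mdns_query("_http._tcp.local", TYPE_PTR, q, sizeof q));
    if (find_srv(sample_mdns_response, sizeof sample_mdns_response, &s)) printf("instance at %s:%u\n", s.target, (unsigned)s.port);
    return 0;
}
```

On lwIP the query buffer would go out through a UDP PCB joined to the 224.0.0.251 group and the reply would arrive in the pbuf handed to the receive callback; the bounds checks in find_srv are what keeps a malformed or hostile multicast datagram from reading past that pbuf, which matters because anything on the link can answer an mDNS query.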

Related

Client/Server communication using TCP/IP under TLS 1.3

I want to write a client and server in C preferably, simple C++ if necessary.
The server will run on some flavor of Linux, the client is for testing the server.
I want to ensure messages are received and error free; therefore I will use TCP.
I want them to communicate securely; thus I will use the latest version of TLS (v1.3).
I intend to use the GnuTLS library for these reasons:
Actively updated by reputable open source project
License permits selling product
Given the above, if implemented and tested, I could claim that the client/server communication is secure, reliable (a.k.a. assured), and error-checked. Yes?
Am I missing something? Is anything patently false?
Edit: certificates... I think I'm missing something about certificates to protect against man-in-the-middle attacks...
TLS is a complex topic. Depending on your specific code the TLS connection might succeed even if you fail to properly validate the certificate. Thus, just based on what you state so far in your question it cannot be assured that the data are transferred with proper end-to-end protection and that no man in the middle can manipulate the data.

WinDivert ignore tor traffic

I've looked at basil00's TorWall (https://github.com/basil00/TorWall) and cannot understand how it is possible to ignore traffic that comes from Tor.
I'm writing my own torwall and my goal is to add support for different types of proxies (socks5, http[s]). I'm stuck with the problem that inbound traffic from tor.exe is going through the filter. I definitely missed something because torwall is working well.
Tallow ignores Tor traffic based on the port number, e.g. 9001. See the traffic.divert file from the Tallow repository (https://github.com/basil00/TorWall). This is a crude solution, and ideally it should be possible to instruct WinDivert to ignore traffic based on application, however such a feature does not currently exist as of 2018.

How to create a BACnet client in C

I am trying to create a client in C that will talk with a BACnet server. This BACnet server is stored on an industrial device (CAN2GO) and I am not sure how I could talk with this device.
I spent quite some time reading documentation for BACnet and I never found a clear example for a BACnet client. I already did some server and clients using TCP and UDP but I don't know how to start this BACnet client and I must say I am getting quite desperate.
I found a library which seems to correspond to what I want, called BACnet protocol stack, but when I tried the whois example no device was found (I expected to find the BACnet server, but maybe I shouldn't?).
So my question is: could you give me an example in C, or another language but C would be better, that would communicate with a BACnet server (nothing complicated, just a question and analysing the response)? This example could use the library I just wrote about or, if you prefer another library, I am of course open to everything.
Thank you very much for your time and answers.
I have used that stack and it is the best open source one you are going to find. If you cannot see anything using the demo\whois\bacwi example from that library, then there is something wrong with your setup. In particular, are you using IP? Are your BACnet client and BACnet server on different machines (they cannot be on the same without some serious tweaking)? Are the two machines on the same IP subnet? (They must be, once again, unless you do some serious tweaking (in this case, setting up BBMDs (BACnet Broadcast Management Devices))).
You will also want to try the "Read Property" example (demo\readprop\bacrp.exe) to actually read a value from the server.
If you are still stuck, then post your detailed problem at the link on Sourceforge, Steve, the author, is very responsive to questions.
I am currently using the stack - just started. I had a little trouble at first, not sure if my problem is the same but.. I basically am using some BAC components made from Schneider Electric (UNC-500) and an old un-supported platform (Niagara R2). On my laptop I created a host server and addressed it to a private LAN network between it and the UNC. My laptop was also using wifi, which was utilizing DHCP, so I had two separate interfaces going. This was my problem. I couldn't read or get 'I-AM' responses back from the UNC. As soon as I turned the WIFI off, I got the 'I-AM' broadcasts. Make sure that you are on the same network as your device, and that there are not other interfaces active. Maybe there is a way to assign the interface to use, IDK. I just started using it.
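Added example, not code from the BACnet protocol stack project whose bacwi demo is discussed above: what a Who-Is looks like on the wire and how to check an I-Am that comes back. A Who-Is with no instance range is a fixed 12-byte datagram (BVLC header, NPDU with the global broadcast DNET 0xFFFF, unconfirmed-request APDU) sent as a UDP broadcast to port 47808; an I-Am carries the device object identifier, maximum APDU length, segmentation support and vendor id as application-tagged values. The sample I-Am bytes, device instance 1234 and vendor id 8 are constructed for the example.

```c
/* Added example, not code from the BACnet protocol stack project: encode
 * a BACnet/IP Who-Is broadcast and decode a constructed I-Am reply.
 * The reply bytes, device instance and vendor id are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BACNET_IP_PORT 47808   /* 0xBAC0, the default BACnet/IP UDP port */

struct iam { uint32_t device_instance; uint16_t max_apdu; uint8_t segmentation; uint16_t vendor_id; };

/* Who-Is with no instance range: BVLC Original-Broadcast-NPDU + NPDU with
 * global broadcast DNET 0xFFFF + unconfirmed-request APDU, service 8. */
size_t encode_whois_broadcast(uint8_t *buf, size_t cap)
{
    static const uint8_t whois[] = {
        0x81, 0x0B, 0x00, 0x0C,               /* BVLC: type, function, total length 12 */
        0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF,   /* NPDU: v1, dest present, DNET FFFF, DLEN 0, hops 255 */
        0x10, 0x08                            /* APDU: unconfirmed request, Who-Is */
    };
    if (cap < sizeof whois) return 0;
    memcpy(buf, whois, sizeof whois);
    return sizeof whois;
}

/* Skip BVLC and NPDU of an Original-Unicast/Broadcast-NPDU; 0 on error. */
static size_t apdu_offset(const uint8_t *p, size_t len)
{
    if (len < 6 || p[0] != 0x81 || (p[1] != 0x0A && p[1] != 0x0B)) return 0;
    if ((size_t)(p[2] << 8 | p[3]) != len || p[4] != 0x01) return 0;
    uint8_t ctrl = p[5];
    if (ctrl & 0x80) return 0;                /* network-layer message, carries no APDU */
    size_t off = 6;
    if (ctrl & 0x20) { if (off + 3 > len) return 0; off += 3 + p[off + 2]; } /* DNET, DLEN, DADR */
    if (ctrl & 0x08) { if (off + 3 > len) return 0; off += 3 + p[off + 2]; } /* SNET, SLEN, SADR */
    if (ctrl & 0x20) off += 1;                /* hop count follows the source spec */
    return off < len ? off : 0;
}

/* Read an application-tagged primitive (length 1..4) and advance *off. */
static int read_app(const uint8_t *p, size_t len, size_t *off, uint8_t tag, uint32_t *val)
{
    if (*off >= len) return 0;
    uint8_t b = p[*off], l = b & 0x07;
    if ((b >> 4) != tag || (b & 0x08) || l < 1 || l > 4 || *off + 1 + l > len) return 0;
    *val = 0;
    for (uint8_t i = 0; i < l; i++) *val = (*val << 8) | p[*off + 1 + i];
    *off += 1 + l;
    return 1;
}

/* Decode I-Am: object-id (tag 12), max APDU (unsigned, tag 2),
 * segmentation (enumerated, tag 9), vendor id (unsigned, tag 2). */
int decode_iam(const uint8_t *p, size_t len, struct iam *out)
{
    size_t off = apdu_offset(p, len);
    uint32_t objid, maxapdu, seg, vendor;
    if (off == 0 || off + 2 > len) return 0;
    if ((p[off] & 0xF0) != 0x10 || p[off + 1] != 0x00) return 0; /* unconfirmed request, I-Am */
    off += 2;
    if (!read_app(p, len, &off, 12, &objid) || (objid >> 22) != 8) return 0; /* must be a Device object */
    if (!read_app(p, len, &off, 2, &maxapdu) || !read_app(p, len, &off, 9, &seg) ||
        !read_app(p, len, &off, 2, &vendor)) return 0;
    out->device_instance = objid & 0x3FFFFF;
    out->max_apdu = (uint16_t)maxapdu;
    out->segmentation = (uint8_t)seg;
    out->vendor_id = (uint16_t)vendor;
    return 1;
}

/* Constructed I-Am, as a device with instance 1234 would broadcast it. */
const uint8_t sample_iam[] = {
    0x81, 0x0B, 0x00, 0x14,                    /* BVLC, total length 20 */
    0x01, 0x00,                                /* NPDU: v1, no dest/src */
    0x10, 0x00,                                /* unconfirmed request, I-Am */
    0xC4, 0x02, 0x00, 0x04, 0xD2,              /* object id: device, instance 1234 */
    0x22, 0x05, 0xC4,                          /* max APDU 1476 */
    0x91, 0x03,                                /* segmentation: no-segmentation */
    0x21, 0x08                                 /* vendor id 8 (constructed value) */
};

int main(void)
{
    uint8_t buf[16]; struct iam r;
    size_t n = encode_whois_broadcast(buf, sizeof buf);
    printf("Who-Is: %zu bytes, send as UDP broadcast to port %d\n", n, BACNET_IP_PORT);
    if (decode_iam(sample_iam, sizeof sample_iam, &r))
        printf("I-Am from device %u (max APDU %u)\n", (unsigned)r.device_instance, (unsigned)r.max_apdu);
    return 0;
}
```

The Who-Is goes out on a UDP socket with SO_BROADCAST set, to the broadcast address of the interface that faces the device; if decode_iam never gets anything to parse, the broadcast is not reaching the server or its reply is not reaching you, which is exactly the subnet, interface and BBMD question raised in the answers above. Because the device's I-Am is accepted from anyone who can send to port 47808, the length and tag checks here are the minimum before trusting any field from it.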

BSD Packet Interception (Not Copying)

I want to get in the middle of packet forwarding (Not routing). For example, the system is a layer 2 bridge between hosts and their gateway. I want to check the layer 7 for string or whatever "foo" and forward/drop/delay the packet based on the result. What I am having trouble with is intercepting the packet.
What I have read so far:
I know I can get a copy of the packet from the BPF device (Usenix paper by Steven McCanne and Van Jacobson, http://www.tcpdump.org/papers/bpf-usenix93.pdf). That's good for sniffing but not for me.
I can access the PF device and set the filtering rules, which is good for forwarding or dropping decisions, but not for inspection. man pf(4)
I can get packets into the ALTQ queues, BUT I do not know how to access the individual packets located in the queue. man altq(9)
I have also looked into the source code for PF (/usr/src/sys/contrib/pf/net), PFCTL (/usr/src/contrib/pf/pfctl) and ALTQ (/usr/src/sys/contrib/altq/altq).
On a FreeBSD 9.1 machine.
I am not a C expert, but I am good with it.
Maybe I am getting tired today with all the reading and missed something trivial. Please forgive me if so. Plus, this will be a very good find for those looking into the subject.
P.S. There is a way of controlling the flow of "foo", by detecting "foo" in packet and denying the answer to that from coming back by setting up the filter for answer to that request. This is NOT what I am trying to achieve. I do not want the packet to leave the system if it should not.
EDIT 2 P.S. There is a great way of doing this on Linux. I can achieve everything I mentioned here on Linux with libnetfilter_queue. I will not bother posting solution here because there are many many many tutorials on how to do it on Linux.
In conclusion, I am still looking for an answer on how to do this on BSD. As far as I can understand, I need to write a wrapper/library based on pf (because there is no such thing on the net - otherwise I should have found it already), that does the same thing as libnetfilter with its libnetfilter_queue library. Or I could somehow dig into libnetfilter and port it to FreeBSD, but since it is based on iptables, the only thing I can get from digging into the libnetfilter library is logic and algorithms, not the actual code itself, which by itself could prove to be of no use to me.
FreeBSD 9.1 has a userspace framework for packet access called netmap. It was recently introduced and has an amazing performance scale. It does a very simple but powerful thing - it just mmaps the NIC buffers to the userspace portion of memory and detaches the packet processing from the host stack. This was exactly what I needed; the rest is on me.
If anyone needs a good reference for this, please refer to man netmap(4)
Have a look at OpenDPI or nDPI.
Check out the "Divert Sockets" in the BSD implementation as well. Unlike Netmap, it is not zero-copy (IMHO); however it can work with ipfw in order to implement the necessary filters to select the packets you want to process.

Arduino Due HTTPS Support

In previous versions of Arduino, the limiting 8-bit microcontroller board, it seems that implementing HTTPS (not merely HTTP) was almost impossible. But the newer version of Arduino Due provides 32-bit ARM core - see spec here.
I tried to check several network libraries (libcurl, openssl, yaSSL), but I didn't find anyone that was already ported to work with Arduino Due.
OpenSSL is probably too heavy to be able to run on this processor, but I believe that yaSSL as an embedded library should be possible to do.
Do you have any information of a library that I can use to trigger HTTPS requests on Arduino Due?
Unfortunately this is too long for a comment.
► No out of the box solution
From what I have gathered, there is no straightforward solution for a webserver running on the Atmel SAM3X8E ARM Cortex-M3 CPU that outputs HTTPS out of the box.
Texas Instruments provides better options at the moment using their boards equipped with a Stellaris Microcontroller ARM Cortex-M3 CPU.
► Alternative
There are several options available that render cryptographic functions, based upon which one could lay out and implement a simple secure communication protocol that communicates with an intermediary device, which in turn facilitates Rapid Application Development and SSL.
This intermediary device, for instance an off-the-shelf $70 Android smartphone that keeps your project mobile and connected, runs a service on a specified port which in turn communicates with Amazon SQS. Already available. This may sound ugly or tough, but is much easier than doing the programmatic groundwork for a webserver with full TLS 3 support on the Arduino. Given the proper motivation the latter may be easy, but not if one just wants a fast pragmatic solution to one's own project.
► Cryptographic libraries
crypto-arduino-library http://code.google.com/p/crypto-arduino-library/ (not maintained since 2010)
matrixssl
mbed TLS (formerly PolarSSL)
wolfSSL (formerly CyaSSL)
► Discussions
Following is a list of discussions to get you started:
HTTPS alternative on Arduino
SSL from a Microcontroller
Lightweight Packet Encryption
Many of these libraries would still need to be adapted, but community experts can help you with that fairly quickly.
Good luck! If you are at liberty to upload your final project to github then you just gained a thanks and a follower.
IMHO Arduino (including the DUE) is the wrong tool for heavy and/or encrypted web-based communication. I would strongly suggest looking for more appropriate hardware in the same size and price range. As soon as you get into HTTPS you are close enough to also want a lot of the other stuff that real operating systems provide. In other words, I suggest going for something like the Raspi. Similar size and price but way more powerful; in particular it can run Linux. --> HTTPS becomes simple.
The big problem with HTTPS support on an Arduino is the danger of overloading your processor, which could make the project unviable.
Even embedded-platform-targeted solutions like PolarSSL can eat up too much memory and use too much processing power. Remember that even on the most streamlined implementations, SSL support is going to have to be generalized for wide adoption and will include components that you won't find necessary. There's also the question of which Certificate Authorities you will trust and how you will communicate with them for things like certificate revocation.
I would look instead towards a solution that isn't as broken on the surface for your needs. Something like CurveProtect, which is an implementation of CurveCP.
Of course, your decision will largely be based on what you want to do and how much time you want to spend figuring the problem out. PolarSSL has a footprint that can be as small as 30K (more typically close to 100K).
