Jack Wampler edited this page May 20, 2021 · 1 revision

Frequently Asked Questions

Station Operation

  • Is PF_Ring required to run a refraction station?

    Yes, for now PF_Ring is required, though we are working to simplify the system and facilitate wider deployment.

  • Where can I run a refraction station?

    Currently, deployment targets require a traffic tap from a routing host. The Environment page walks through the setup for a development system using OpenWRT and a local computer, but support for requires two concurrent Ethernet connections.

Routing

  • What happens if some non-Conjure client tries to connect to a phantom IP which is live to them but not live to us (e.g. a firewall they have permission to traverse that drops unsolicited traffic from unknown hosts)?

    If a non-Conjure client connects to a phantom IP that is not registered, the station examines the source and destination addresses and, based on the destination, ignores the traffic and does not interfere in any way.

    If a registration does exist for the phantom IP address, the behavior depends on the IP version. In IPv4 the station matches both the phantom address and the source (the client address used to register). So if this non-Conjure client was separately using Conjure, or is behind the same NAT as a Conjure client who managed to register the address, then the station will send a SYN-ACK when the client sends a SYN (we don't currently disrupt UDP in any way). The next packet from the non-Conjure connection will not contain shared secrets, so Conjure will continue to listen for a period of time before closing the connection. During that time the station will be sending ACKs, but otherwise the connection with the legitimate host should be uninterrupted. In IPv6 we only match on the phantom address, but the smallest subnet we would probably include is a /64, and selecting randomly should never result in a collision with a live address. If there is some configuration where a host uses many IPv6 addresses from a block, we can enable source address matching in IPv6 as well.

  • How do you ensure that there is no interference with downstream hosts?

    We make a best-effort attempt to never allow live hosts to be used as phantom addresses by testing registered phantoms for liveness before allowing them to be used for proxy traffic. This is done by probing the addresses to test for responsiveness. You can see more about this in the comments for the liveness testing system.

      // 4 syns which returns syn-acks from 99% of sites within 1 second.
      // see ZMap: Fast Internet-wide Scanning and Its Security Applications
      // https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_durumeric.pdf
      //
      // return:	bool	true  - host is live
      // 			false - host is not live
      //		error	reason decision was made
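
The two Routing answers above combine into one lookup rule: a phantom is only registered if the liveness probe found it unresponsive, and a SYN is only answered if it matches a registration (phantom plus source in IPv4, phantom alone in IPv6 unless source matching is enabled). The sketch below is an added example, not the Conjure station's code; `Station`, `regKey`, `MatchSrcV6`, `IsLive` and the addresses are hypothetical names and constructed values, and the probe itself is assumed to be supplied as a function.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Hypothetical types for illustration; not the Conjure station's own code.
type regKey struct{ phantom, src netip.Addr } // src stays zero when unused
type Station struct {
	regs       map[regKey]bool
	MatchSrcV6 bool                  // optional IPv6 source matching
	IsLive     func(netip.Addr) bool // liveness probe outcome (assumed)
}

// key always includes the source for IPv4; for IPv6 only if MatchSrcV6 is set.
func (s *Station) key(src, phantom netip.Addr) regKey {
	src, phantom = src.Unmap(), phantom.Unmap() // treat ::ffff:a.b.c.d as IPv4
	if phantom.Is4() || s.MatchSrcV6 {
		return regKey{phantom: phantom, src: src}
	}
	return regKey{phantom: phantom}
}

// Register refuses a phantom that answered the liveness probe.
func (s *Station) Register(src, phantom netip.Addr) error {
	if s.IsLive(phantom) {
		return fmt.Errorf("phantom %s is live, refusing registration", phantom)
	}
	s.regs[s.key(src, phantom)] = true
	return nil
}

// Intercepts reports whether the station answers the SYN (true) or ignores it.
func (s *Station) Intercepts(src, phantom netip.Addr) bool { return s.regs[s.key(src, phantom)] }

// Demo runs constructed documentation-range addresses through the rules.
func Demo() (sameNAT, otherSrc, v6AnySrc, liveRejected bool) {
	ip := netip.MustParseAddr
	s := &Station{regs: map[regKey]bool{}, IsLive: func(a netip.Addr) bool { return a == ip("192.0.2.80") }}
	s.Register(ip("198.51.100.7"), ip("192.0.2.10")) // client behind a NAT
	s.Register(ip("2001:db8:1::7"), ip("2001:db8:ffff::1"))
	sameNAT = s.Intercepts(ip("198.51.100.7"), ip("192.0.2.10")) // shares the NAT address
	otherSrc = s.Intercepts(ip("203.0.113.9"), ip("192.0.2.10"))
	v6AnySrc = s.Intercepts(ip("2001:db8:2::9"), ip("2001:db8:ffff::1"))
	liveRejected = s.Register(ip("198.51.100.7"), ip("192.0.2.80")) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Setting `MatchSrcV6` before any registrations are made switches the IPv6 case to the same phantom-plus-source key used for IPv4.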