{"id":35,"date":"2019-10-31T02:20:17","date_gmt":"2019-10-31T02:20:17","guid":{"rendered":"https:\/\/www.vandervecken.com\/faucet\/?p=35"},"modified":"2019-11-15T23:16:44","modified_gmt":"2019-11-15T23:16:44","slug":"injecting-services-into-the-dataplane-with-coprocessing","status":"publish","type":"post","link":"https:\/\/faucet.vandervecken.com\/index.php\/2019\/10\/31\/injecting-services-into-the-dataplane-with-coprocessing\/","title":{"rendered":"Injecting services into the dataplane with coprocessing"},"content":{"rendered":"\n<p>With the coprocessor feature, FAUCET allows an external NFV host to receive packets from the dataplane, inject arbitrary packets, or both. In particular, coprocessing allows you to inject services into the dataplane, or even override services on hosts already present.<\/p>\n\n\n\n<p>In this example, we have a real host 192.168.2.1 (a router) which has an ssh service. We have a host on the network, 192.168.2.5. 192.168.2.5 may do anything it likes, but if it should try to connect to ssh on 192.168.2.1, we want to redirect that connection to a fake service running on the coprocessor server.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"595\" src=\"https:\/\/www.vandervecken.com\/faucet\/wp-content\/uploads\/2019\/10\/fake-1.jpg\" alt=\"\" class=\"wp-image-37\" srcset=\"https:\/\/faucet.vandervecken.com\/wp-content\/uploads\/2019\/10\/fake-1.jpg 640w, https:\/\/faucet.vandervecken.com\/wp-content\/uploads\/2019\/10\/fake-1-300x279.jpg 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n\n\n\n<p>First we will need to tell FAUCET to intercept the service using an ACL, which will be applied to the test host&#8217;s port. 
Port 18 is the coprocessor port, and port 13 is the test host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>acls:\n  coprocessssh:\n    - rule:\n        dl_type: 0x806\n        actions:\n          allow: 1\n          output:\n            ports: [18]\n    - rule:\n        dl_type: 0x800\n        ip_proto: 6\n        tcp_dst: 22\n        actions:\n          output:\n            ports: [18]\n    - rule:\n        actions:\n          allow: 1\nvlans:\n  trusted:\n    vid: 2\ndps:\n  dp:\n    interfaces:\n      13:\n        native_vlan: trusted\n        acls_in: [coprocessssh]\n      18:\n        coprocessor: {strategy: vlan_vid}<\/code><\/pre>\n\n\n\n<p>FAUCET will now redirect port 22 to the coprocessor port. We will now need to set up an OVS switch on the coprocessor so we can start fake services, and allow ARP to work in parallel with the real host. The fake host will need to use the same MAC address as the real one, which won&#8217;t cause a conflict because FAUCET is intercepting just the TCP service and FAUCET knows not to re-learn the real host on the coprocessor port.<\/p>\n\n\n\n<p>Note the OVS actions for setting VID to 4098 &#8211; that&#8217;s the VID for the <code>trusted<\/code> VLAN (2) or&#8217;d with the VID present bit (4096). 
That will cause packets from the coprocessor to have the right VID to be switched back into the <code>trusted<\/code> VLAN.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@coprocessor:\/home\/pi# cat setupcopro.sh \n#!\/bin\/sh\n\nNFVINT=enx0023565c8859\nFAKEHW=aa:56:63:87:9e:e9\nFAKEIP=192.168.2.1\/24\nNS=copro\n\nip netns add $NS\nifconfig $NFVINT up\nip link add dev fake0 type veth peer name fakeovs0\nifconfig fakeovs0 up\nip link set fake0 netns $NS\nip netns exec $NS ifconfig fake0 hw ether $FAKEHW $FAKEIP up\nfor i in $NFVINT fakeovs0 ovs-system ; do\n  echo 1 > \/proc\/sys\/net\/ipv6\/conf\/$i\/disable_ipv6\ndone\nifconfig ovs-system 0.0.0.0\n\novs-vsctl del-br br0\novs-vsctl add-br br0\novs-ofctl del-flows br0\n\nfor i in $NFVINT fakeovs0 ; do\n  ovs-vsctl add-port br0 $i\ndone\n\novs-ofctl add-flow -OOpenFlow13 br0 \"in_port=1,actions=output:2\"\novs-ofctl add-flow -OOpenFlow13 br0 \"in_port=2,vlan_tci=0x0000\/0x1fff,ip,tcp,actions=push_vlan:0x8100,set_field:4098->vlan_vid,output:1\"\novs-ofctl add-flow -OOpenFlow13 br0 \"in_port=2,vlan_tci=0x0000\/0x1fff,arp,actions=push_vlan:0x8100,set_field:4098->vlan_vid,output:1\"<\/code><\/pre>\n\n\n\n<p>Now we will start a fake service on the coprocessor and connect to it from the test host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@coprocessor:\/home\/pi# cat fakessh.sh \n#!\/bin\/sh\n\nwhile \/bin\/true ; do echo completely awesome ssh service| ip netns exec copro nc -l 192.168.2.1 22 ; done\nroot@coprocessor:\/home\/pi# .\/fakessh.sh<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pi@pi8021x:~ $ telnet 192.168.2.1 22\nTrying 192.168.2.1...\nConnected to 192.168.2.1.\nEscape character is '^]'.\ncompletely awesome ssh service\n^]\ntelnet> close\nConnection closed.\n<\/code><\/pre>\n\n\n\n<p>That&#8217;s it. 
We could run other services on the fake host &#8211; for example, broadcast CDP to impersonate a router, or redirect other services.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the coprocessor feature, FAUCET allows an external NFV host to receive packets from the dataplane, inject arbitrary packets, or both. In particular, coprocessing allows you to inject services into the dataplane, or even override services on hosts already present. In this example, we have a real host 192.168.2.1 (a router) which has an ssh &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/faucet.vandervecken.com\/index.php\/2019\/10\/31\/injecting-services-into-the-dataplane-with-coprocessing\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Injecting services into the dataplane with coprocessing&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-35","post","type-post","status-publish","format-standard","hentry","category-uncategorised","entry"],"_links":{"self":[{"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/posts\/35","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/comments?post=35"}],"version-history":[{"count":7,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/posts\/35\/revisions"}],"predecessor-version":[{"id":57,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/posts\/35\/revisions\/57"}],"wp:attachment":[{"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/media?parent=35"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/categories?post=35"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/tags?post=35"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}