As a research assistant atÂ the Applied Communications and Information Networking Center, I saw a lot of applications that involved streaming media over multicast in mobile ad-hoc networks. The developers of each application were attempting to independently secure their traffic, which is both inefficient in terms of development and could also lead to more security holes. In response, my job was to prototype a transparent network communications security service for multicast applications using pre-distributed keys. This system “intercepts” incoming and outgoing traffic to specific addresses while the packets are still being processed in kernel-space; if the packet is incoming and destined to the current host, it is decrypted before being propagated up to the application layer, and if the packet is outgoing, it is encrypted before sending to the lower layers. In this manner, applications don’t have to deal with (as many) security issues, and encryption can be done identically across a group of applications or the entire system. This systemÂ uses netfilter queue for packet filtering and mangling, and the cryptographic facilities of openssl’s libcrypto. The communication channels were selected by binding the address/port of the receiver (e.g., multicast addresses)Â to particular queues using iptables.
This software was written in C. As the solo developer on this project, I took it as a learning opportunity for exploring open source best practices. The build environment was based on Automake and Autoconf.Â User interfaceÂ messages were internationalized using Gettext, man pages were generated using help2man, info pages were generated from .texi files, and source code documentation was generated using Doxygen from the embedded comments. Gnulib was used to share common files. The software used Gnu style switches for easy command-line use, a signal handler to ensure a smooth exit,Â and could also be run as a daemon.Â The system was packaged for redhat and debian. Best practices for Â documentation were also adopted (such as including aÂ KEYS file with my PGP key).