

  1. Incentivize decentralized WiFi roaming through VPN on home routers
  RP2 rp-id 25, Security and Network Engineering, UvA
  Sander.Lentink@os3.nl, Peter.Boers@surfnet.nl
  2019-11-13
  1 / 38

  2. Introduction

  We desire Wi-Fi
  ◮ Wi-Fi is “the best technology for Mobile Data Offloading (MDO)” (Gupta and Rohil 2012)
  Enabling Wi-Fi is problematic
  ◮ concerns around security, violating terms / illegal content (Schneier 2008)
  ◮ laws prevent municipality-provided “free WiFi” (Chamberlain 2019)
  ◮ telecommunications lobby against new projects (Gurley and O’Shaughnessy 2019)
  When we access Wi-Fi
  ◮ users are unaware of privacy risks (Consolvo et al. 2010)
  ◮ Free WiFi: captive portal

  3. Intro: Overcome mutual trust issue

  Client tunnels via home router (Sastry, Crowcroft, and Sollins 2007)

   ________      _______     ________     ___________
  |Client  |    |foreign|   |internet|   |Client's   |
  | ______ |    |  AP   |   | (WAN)  |   |home AP    |
  ||VPN   ||    |_______|   |________|   | __________|
  ||Client||---------------------------->|VPN server||
  |_|______|    |¯¯¯¯¯¯¯|   |¯¯¯¯¯¯¯¯|   |__________||

  ◮ Client has no privacy leaks
  ◮ Wi-Fi AP¹ provider has no liability worries
  ¹ Access Point

  4. Intro: example setup

  Figure 1: “Client connects to VPN endpoint via foreign AP”

  5. Intro: Research Question

  Can we design a protocol — using existing protocols available on COTS (commercial off-the-shelf) clients — that eliminates the need for trust between client and Wi-Fi provider, using a VPN tunnel?

  6. Intro: Sub Questions

  ◮ How can network policies be enforced?
  ◮ How can we validate that a VPN server listens on the endpoint?
  ◮ How does the client communicate the VPN endpoint to the AP?
  ◮ How must the authentication (802.1x) server be modified to enable this protocol?
  ◮ Can the protocol be verified with a Proof of Concept (PoC)?

  7. Intro: Questions TL;DR

  ◮ Design protocol
  ◮ Test with PoC

  8. Intro: Related solutions

  Closed options
  ◮ Ad based: World Wi-Fi
  ◮ Education roaming: Eduroam
  ◮ Government roaming: Govroam
  ◮ Share WiFi, earn points/data/credits: Karma
  ◮ Home router managed by provider: KPN’s Fon
  ◮ Paid / broker based: T-Mobile/Vodafone hotspots
  Open solutions
  ◮ Open Wireless Movement, backed by the Electronic Frontier Foundation

  9. Methodology

  ◮ Example flow: overview of concept
  ◮ 802.1x EAP identity
  ◮ Protocol in authentication server
  Figure 2: Extensible Authentication Protocol

  10. Method: example flow 1/3

  AP (SoC) <-----L2-----> router
  (hostapd, auth server and pre-filter run on the AP SoC; DHCP and WAN on the router)

  client     hostapd   auth      pre-filter     router (DHCP/WAN)  VPN server
    | a        |         |          |               |                 |
    |----b---->|         |          |               |                 |
    |          |---c---->|          |               |                 |
    |          |         |----d---->|               |                 |
    |          |         |          |----e--------------------------->|
    |          |         |          | f             |                 |
    |          |         |          |----g--------->|                 |
    |          |         |          |<---h----------|                 |
    |          |         |<---i-----|               |                 |
    |<---j-----|         |          |               |                 |
    |----k----------------------------------------->|                 |
    |<---l------------------------------------------|                 |
    |----m------------------------------------------------------------>|

  11. Method: example flow 2/3

  Steps a-e of the sequence diagram (slide 10):
  a. client (supplicant) scans for APs, finds a foreign AP with the SSID of the protocol
  b. supplicant => authenticator (hostapd): the VPN endpoint location is carried in the 802.1x identity
  c. authenticator => authentication server
  d. authentication server => custom pre-authorize script
  e. does the provided info point to a VPN server?

  12. Method: example flow 3/3

  Steps f-m of the sequence diagram (slide 10):
  f. if VPN: continue, else return 802.1x rejected
  g. allow (whitelist) egress for the provided VPN details
  h. OK
  i. OK
  j. 802.1x client accepted (wlan bridged (L2) with eth0)
  k. client requests DHCP lease (IP address)
  l. router provides IP to client (thus NAT* in router)
  m. client => VPN server
  * Network Address Translation

  13. Method: example flow TL;DR

  ◮ SoC connected to router =
    ◮ VPN server
    ◮ Wi-Fi AP
    ◮ Authentication server
  ◮ When your phone finds a foreign AP
    ◮ AP whitelists the VPN server
    ◮ phone uses the VPN

  14. Method: Client; VPN server

  ◮ Out of scope
  Figure 3: VPN client on Android

  15. Method: Client; 802.1x supplicant

  16. Method: 802.1x identities

  VPN ports + flags + delimiter (@) + realm (hostname or IP):
  32_33_2f_06443_11443 a @ 10.10.10.10

  Anonymous id (anonid): seen by the proxying server
  Regular id (innerid): inside the TLS tunnel (Protected EAP)

  17. Method: IP Protocols

  IP protocol + additional value (port): 32_33_2f_06443_11443a@10.10.10.10

  IP protocol                          ID
  TCP (Transmission Control)           0x06
  UDP (User Datagram)                  0x11
  GRE (Generic Routing Encapsulation)  0x2F
  ESP (Encap Security Payload)         0x32
  AH (Authentication Header)           0x33

  18. Method: pre-authorize

  $ validate_anonid.py 11443_06443_00testA@tunroam.lent.ink
  WARNING the additional value is not a port number
  INFO suggesting whitelist rules
  { 'iptables-nft -A OUTPUT -j ACCEPT -d tunroam.lent.ink --protocol 17 --dport 443',
    'iptables-nft -A OUTPUT -j ACCEPT -d tunroam.lent.ink --protocol 6 --dport 443' }
  INFO Welcome aboard 11443_06443_00testA@localhost

  ◮ VPN endpoint validation
  ◮ Network policies
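
  The parse and rule-suggestion step shown above, as an added example; this is not the deck's validate_anonid.py. It reconstructs the identity layout from slides 16-18, warns on the token 00test the way the slide output does, and emits the same iptables-nft strings. The names (parse_anonid, whitelist_rules, Identity), the rule that exactly one trailing letter on the last token is the flag field, and the src parameter are assumptions. Two practitioner caveats are built in: slide 18's OUTPUT chain only matches packets the AP itself sends, while a Wi-Fi client's packets that the router NATs traverse FORWARD, so FORWARD is the default chain here; and iptables resolves a hostname given to -d once, when the rule is inserted, so a home realm behind dynamic DNS (slide 26) needs the rule re-inserted when its address changes.

```python
"""Parser and validator for the TUNroam 802.1x anonymous identity (anonid).

Added example; not the project's validate_anonid.py. Layout per slides 16-18:
"_"-separated tokens, each a two-hex-digit IP protocol number with an optional
additional value (the port, for TCP/UDP), an optional trailing flag letter on
the last token, then "@" and a realm (hostname or IP address).
ASSUMPTION: exactly one trailing letter is the flag field (slides show "a"/"A");
because hex protocol numbers can also end in a letter (2f), the letter is only
treated as a flag when what remains is still a valid token.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# IP protocol numbers from slide 17; only TCP and UDP carry a port.
PROTOCOLS = {0x06: "TCP", 0x11: "UDP", 0x2F: "GRE", 0x32: "ESP", 0x33: "AH"}
PORT_PROTOCOLS = {0x06, 0x11}

_TOKEN = re.compile(r"^([0-9a-fA-F]{2})(.*)$")
_FLAG = re.compile(r"^(.+)([A-Za-z])$")  # assumption: one flag letter
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


@dataclass
class Identity:
    endpoints: List[Tuple[int, Optional[int]]]  # (IP protocol, port or None)
    flags: str
    realm: str
    warnings: List[str] = field(default_factory=list)


def parse_anonid(identity: str) -> Identity:
    """Split an anonid into endpoints, flags and realm; reject garbage, warn on oddities."""
    if identity.count("@") != 1:
        raise ValueError("identity must contain exactly one '@' delimiter")
    spec, realm = identity.split("@")
    try:
        ipaddress.ip_address(realm)
    except ValueError:
        if not _HOSTNAME.match(realm):
            raise ValueError(f"realm is neither an IP address nor a hostname: {realm!r}")
    tokens = spec.split("_")
    flags = ""
    m = _FLAG.match(tokens[-1])
    if m and _TOKEN.match(m.group(1)):
        tokens[-1], flags = m.group(1), m.group(2)
    ident = Identity([], flags, realm)
    for tok in tokens:
        m = _TOKEN.match(tok)
        if not m:
            ident.warnings.append(f"malformed token {tok!r}")
            continue
        proto, value = int(m.group(1), 16), m.group(2)
        if value and not value.isdigit():
            ident.warnings.append(f"the additional value {value!r} in {tok!r} is not a port number")
            continue
        if proto not in PROTOCOLS:
            ident.warnings.append(f"unknown IP protocol 0x{proto:02x} in {tok!r}")
            continue
        port = int(value) if value else None
        if proto in PORT_PROTOCOLS:
            if port is None or not 1 <= port <= 65535:
                ident.warnings.append(f"{PROTOCOLS[proto]} needs a port in 1-65535, got {value!r}")
                continue
        elif port is not None:
            ident.warnings.append(f"{PROTOCOLS[proto]} has no port; ignoring {value!r}")
            port = None
        ident.endpoints.append((proto, port))
    if not ident.endpoints:
        raise ValueError("identity names no usable VPN endpoint")
    return ident


def whitelist_rules(ident: Identity, chain: str = "FORWARD",
                    src: Optional[str] = None) -> Set[str]:
    """iptables-nft rules that let the client reach only the identified endpoint(s).

    OUTPUT (slide 18) only sees packets the AP itself sends; NATed client traffic
    traverses FORWARD. `src` (the client's address, an assumption) pins the rule
    to that client instead of every station on the AP.
    """
    rules = set()
    for proto, port in ident.endpoints:
        rule = f"iptables-nft -A {chain} -j ACCEPT -d {ident.realm} --protocol {proto}"
        if port is not None:
            rule += f" --dport {port}"
        if src:
            rule += f" -s {src}"
        rules.add(rule)
    return rules


if __name__ == "__main__":
    for anonid in ("32_33_2f_06443_11443a@10.10.10.10",
                   "11443_06443_00testA@tunroam.lent.ink"):
        ident = parse_anonid(anonid)
        for w in ident.warnings:
            print("WARNING", w)
        print("INFO suggesting whitelist rules", whitelist_rules(ident, chain="OUTPUT"))
```

  Run with `python3 anonid.py`; with chain="OUTPUT" the second identity reproduces the two rule strings on the slide. Whatever chain is used, the rule set is only a starting point for "Network policies": it still has to be inserted before the default drop and removed when the 802.1x session ends.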

  19. Method: Network requirements

  TUN works with IP frames. TAP works with Ethernet frames.²
  Shared SSID, like Eduroam / Govroam: TUNroam; “tunroam.org 19”
  ◮ The version number in the SSID indicates the client requirements (the 19 of 2019)
  ² https://www.kernel.org/doc/Documentation/networking/tuntap.txt

  20. Method: Additional network traffic?

  Local scope
  ◮ Network management (e.g. ARP³)
  Leaking to the Internet Service Provider (ISP)
  ◮ DNS
  Figure 5: VPN endpoint discovery by client
  ³ Address Resolution Protocol

  21. Method: DNS

  AP provider doesn’t want DNS logged by ISP
  Required: specific subdomain (only queries carrying the label “tunroam” may leave the AP)

  # |07| is the wire-format length byte of the DNS label "tunroam"
  iptables-nft -I OUTPUT -p udp --dport 53 \
    -m string --algo bm --hex-string "|07|tunroam|" \
    -j ACCEPT
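
  What the hex-string rule above actually matches, as an added example that is not TUNroam project code: a DNS query is built in wire format, the question name is parsed back, and the same “has a tunroam label” policy is applied on parsed labels. The sample names are constructed; the allowed label is the slide's. Two properties a practitioner should know about the iptables form fall out of the comparison: `--hex-string` is a case-sensitive substring match unless `--icase` is added, while DNS names are case-insensitive, so a resolver that randomises query case would be blocked; and the match fires on the label anywhere in the name, which is why slide 31 still lists (limited) DNS requests among the remaining abuse surface.

```python
"""DNS wire-format view of the AP's "tunroam names only" egress rule.

Added example, not TUNroam project code. Slide 21's iptables rule lets a UDP/53
packet leave only if it contains the bytes |07|tunroam|, i.e. a DNS label of
length 7 spelling "tunroam". This builds queries in wire format, parses the
question name back, and applies the same policy on labels.
Sample names used by callers are constructed; the allowed label is the slide's.
"""
import struct
from typing import List

ALLOWED_LABEL = b"tunroam"
_HEX_STRING = bytes([len(ALLOWED_LABEL)]) + ALLOWED_LABEL  # == b"\x07tunroam"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def question_labels(packet: bytes) -> List[bytes]:
    """Labels of the first question's QNAME (questions carry no compression pointers)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        n = packet[pos]
        pos += 1
        if n == 0:
            return labels
        if n & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        if pos + n > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + n])
        pos += n


def iptables_string_match(packet: bytes) -> bool:
    """What `-m string --algo bm --hex-string "|07|tunroam|"` tests:
    a raw, case-sensitive substring anywhere in the packet payload."""
    return _HEX_STRING in packet


def policy_allows(packet: bytes) -> bool:
    """The same policy on parsed labels, case-insensitive as DNS names are."""
    return ALLOWED_LABEL in [label.lower() for label in question_labels(packet)]


if __name__ == "__main__":
    for name in ("vpn.tunroam.lent.ink", "example.org", "VPN.TuNrOaM.lent.ink"):
        q = build_query(name)
        print(name, "string-match:", iptables_string_match(q), "policy:", policy_allows(q))
```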

  22. Method: System on Chip

  SoC test setup: RPi
  ◮ Raspbian
    cat /proc/cpuinfo | grep Model
    Model : Raspberry Pi 3 Model B Rev 1.2
  Entry-level setup
  ◮ Armbian
  ◮ Orange Pi Zero Plus (1000M Ethernet, 512MB RAM, onboard WiFi)
  ◮ OPi + MicroSD + USB cable & power = 20 EUR⁴
  ⁴ excl. shipping

  23. Results

  ◮ Protocol defined
  ◮ Protocol (partially) implemented
  ◮ PoC doing NAT
  ◮ Identity validation
  ◮ VPN endpoint validation

  24. Discussion

  TUNroam
  Pro
  ◮ client:
    ◮ privacy through VPN on any network
    ◮ more free Wi-Fi locations
    ◮ no captive portal
  ◮ AP:
    ◮ open source
    ◮ liability: the AP provider has no liability worries (slide 3)
    ◮ decentralized: nobody controls it
  Con
  ◮ decentralized: no financial incentive to join/promote
  ◮ provider routers != Open(Wrt)
  ◮ VPN:
    ◮ latency
    ◮ bandwidth

  25. Discuss: Potential APs

  ◮ shared office space/housing
  ◮ home router
  ◮ current open Wi-Fi

  26. Discuss: Future work

  Missing in PoC
  ◮ Proxying RADIUS request
  Suggestions
  ◮ Bandwidth management
  ◮ Enforce network policies
  ◮ IPv6
  ◮ Home != fixed IP: Dynamic DNS

  27. Demo

  PEAP, MS-CHAPv2, password “password”
  Please connect to SSID “tunroam.org 19”
  # OpenVPN, TCP/UDP 443
  06443_11443_00testA@tunroam.lent.ink

  Questions?
  ◮ Get involved at github.com/tunroam
  ◮ Reach me at linkedin.com/in/svlentink

  28. Appendix: bonus slides

  Slides to help answer possible questions, and things that didn’t fit due to time constraints.

  29. Appendix: tests using fast.com

  Figure 6: Eduroam network, Surfnet office

  30. Appendix: tests using fast.com

  Figure 7: OrangePi doing NAT

  31. Appendix: Covert channel? Abuse?

  Using the VPN is easier due to:
  ◮ Limited DNS requests
  ◮ Only one IP address
  ◮ Limited ports

  32. Appendix: Bridge vs. NAT

  Bridge
  ◮ Sequence diagram = bridged (home setup)
  ◮ Avoid double NAT
  ◮ Avoid NAT in software
  Network Address Translation
  ◮ NAT works everywhere
  ◮ PoC/Demo = NAT
  Multiple APs (Campus / Airport)
  ◮ Authentication server separate
  ◮ Network policies

  33. Appendix: RADIUS proxying

  $ ls /etc/freeradius/*/sites-enabled
  default  inner-tunnel
  $ ss -4lpun | grep -E "(1812|Port)"
  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
  UNCONN  0       0       0.0.0.0:1812        0.0.0.0:*
  UNCONN  0       0       127.0.0.1:18120     0.0.0.0:*
  ◮ Inner (the inner-tunnel site) does CHAP

  34. Appendix: Challenge-Handshake Authentication Protocol

  Microsoft CHAP v2

  Authentication server: proxy-server
    if valid_vpn_endpoint and valid_anonid:  # anonymous identity

  Authentication server: inner-tunnel
    return RLM_MODULE_OK, (), \
        ( ('Cleartext-Password', 'password'), )

  35. Appendix: VPN protocols

  Initial
  ◮ Which VPN protocol(s) fit in the protocol?
  ◮ What attributes do we need to validate to determine if a VPN server is listening on an endpoint?
  Different approach
  ◮ Stealth VPN servers
  ◮ IP protocols
  ◮ Check socket
  ◮ Allow evolution
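
  The “Check socket” bullet above (and the sub-question on slide 6 of whether a VPN server listens on the endpoint), as an added example that is not the deck's PoC: a TCP endpoint is verified by completing a connect, while UDP, ESP, AH and GRE offer a passive client no handshake (or no port at all) and are reported as unverifiable rather than as listening. The function names and the local stand-in listener are assumptions; a completed handshake proves only that something listens, not that it is a VPN server, and a stealth server that only talks after a TLS hello or a knock still connects here.

```python
"""Socket-level check that something listens on the VPN endpoint named in an anonid.

Added example, not the TUNroam PoC. TCP is verified by completing a connect;
UDP, ESP, AH and GRE cannot be verified this way and are reported as None.
The local listener is a constructed stand-in for a VPN server.
"""
import socket
import threading
from typing import Callable, Dict, Iterable, Optional, Tuple

TCP, UDP = 0x06, 0x11


def tcp_endpoint_listening(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes: a sanity check, not an authentication."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(realm: str, endpoints: Iterable[Tuple[int, Optional[int]]],
                    timeout: float = 2.0) -> Dict[Tuple[int, Optional[int]], Optional[bool]]:
    """Map (IP protocol, port) -> True/False for TCP, None when not verifiable."""
    result = {}
    for proto, port in endpoints:
        if proto == TCP and port is not None:
            result[(proto, port)] = tcp_endpoint_listening(realm, port, timeout)
        else:
            result[(proto, port)] = None  # UDP/ESP/AH/GRE: nothing a plain connect can observe
    return result


def start_local_listener(host: str = "127.0.0.1") -> Tuple[int, Callable[[], None]]:
    """Constructed stand-in for a VPN server on an ephemeral port.
    Returns (port, stop); stop() shuts the listener down and joins its thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # raised once stop() shuts the socket down
                return
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop() -> None:
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes accept() and stops listening
        except OSError:
            pass
        srv.close()
        worker.join(timeout=2.0)

    return port, stop


if __name__ == "__main__":
    port, stop = start_local_listener()
    print(check_endpoints("127.0.0.1", [(TCP, port), (UDP, port), (0x32, None)]))
    stop()
    print(check_endpoints("127.0.0.1", [(TCP, port)]))
```

  Because UDP, ESP, AH and GRE come back as None, a pre-authorize script that wants a positive answer for those endpoints has to speak the VPN protocol itself (an OpenVPN or IKE exchange), which is the “what attributes do we need to validate” question the slide leaves open.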
