the strongswan project
play

The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias - PowerPoint PPT Presentation

May 18, 2023 •36 likes •226 views

The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen Institute for Networked Solutions HSR University of Applied Sciences Rapperswil Where the heck is Rapperswil? Brunner/Steffen, 28.03.2018,

  1. The strongSwan Project IPsec Workshop Dresden, March 2018 Tobias Brunner & Andreas Steffen Institute for Networked Solutions HSR University of Applied Sciences Rapperswil

  2. Where the heck is Rapperswil? Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 2

  3. HSR - Hochschule für Technik Rapperswil • University of Applied Sciences with about 1500 students • Faculty of Information Technology (300-400 students) • Bachelor Course (3 years), Master Course (+1.5 years) Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 3

  4. Agenda • Overview of current strongSwan active/active HA solution • Proposed XFRM Extensions • Enforcing policies for inbound transport mode SAs • Different timeouts for acquire states and SPIs • Query available algorithms via XFRM • ESP in UDP encapsulation for IPv6 • Proper way to handle virtual IPv6 addresses • Marking inbound traffic after decryption Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 4

  5. The strongSwan Project IPsec Workshop Dresden, March 26-28 2018 Current Active/Active HA Solution

  6. High Availability Design Goals • Transparent to VPN clients • No extensions to the IKEv2 protocol required • No explicit synchronization of ESP sequence numbers between redundant gateways • Both Active/Passive (Hot-Standby) and Active/Active (Load Sharing) scenarios to be supported Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 6

  7. HA Solution using ClusterIP Mechanism Intranet ClusterIP: hash = jhash_2words(daddr.a4, spi) multicast clustermac Segment 1 Plaintext Segment 2 hash … range Heartbeat Segment n moon venus SA Updates Ciphertext (ESP) mars (Virtual VPN Gateway) multicast clustermac Internet Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 7

  8. Active/Passive Scenario with 1 ClusterIP Segment Intranet Intranet Segment 1 Segment 1 moon venus moon venus Segment 1 Segment 1 mars mars Internet Internet Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 8

  9. Active/Active Scenario with 2 ClusterIP Segments Intranet Intranet Segment 1 Segment 2 Segment 1 Segment 2 moon venus moon venus Segment 1 Segment 2 Segment 2 Segment 1 mars mars Internet Internet Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 9

  10. Two New Netfilter Hooks: XFMR_IN/XFRM_OUT Plaintext Decrypt PREROUTING Netfilter XFRM_OUT XFRM_IN Flow Encrypt INPUT Ciphertext (ESP) Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 10

  11. Changes to ClusterIP Module • Extended ClusterIP hash: jhash_2words(daddr.a4, spi) • Inbound packet handling • SA lookup to determine SPI • Responsible for segment: Decrypt ESP packet and update anti-replay window • Not responsible for segment: Decrypt every 16 th ESP packet, update anti-replay window and drop packet • Outbound packet handling • Policy/SA lookup to determine SPI and destination address • Increase sequence number • Responsible for segment: Encrypt packet • Not responsible for segment: Drop packet Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 11

  12. Next Generation HA? • IPv6 not supported by ClusterIP • HA kernel patch against a moving Linux kernel target • Possibility of a Linux kernel upstream solution? • Switch from ClusterIP to xt_cluster which supports IPv4 and IPv6 • Other ideas? Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 12

  13. The strongSwan Project IPsec Workshop Dresden, March 26-28 2018 Proposed XFRM Extensions

  14. Enforcing Policies for Inbound Transport Mode SAs • Currently the Linux kernel does not enforce policies for IPsec transport mode. • Policy: TCP *:80 -> Peer can send other protocols or to other ports • Patch by Tobias posted 2014 on netdev mailing list. Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 14

  15. Different Timeouts for Acquire States and SPIs • Currently, SPIs allocated with XFRM_MSG_ALLOCSPI expire after the same timeout that is also used for the temporary states allocated after sending an acquire to the IKE daemon (/proc/sys/net/core/xfrm_acq_expires). • However, keeping acquire states around that long might not be desired (e.g. in the trap-any scenario, although a populate-from- packet feature could help here too). • Using the lifetime config on struct xfrm_usersa_info that's part of struct xfrm_userspi_info this could easily be implemented. • Patch by Tobias sent a year ago to Steffen Klassert. Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 15

  16. Query Available Algorithms via XFRM • To prepare an automatic ESP proposal it would be necessary to query the algorithms the kernel supports via XFRM. Similar to the feature provided by PF_KEY via xfrm_probe_algs(), however, that’s not actually that useful because it’s based on a static list. • Ideally, we’d get a list of actually usable algorithms (modules? FIPS mode?) Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 16

  17. UDP Encapsulation of ESP for IPv6 • UDP encapsulation of ESP is supported for IPv4 but strangely not for IPv6 even though natting IPv6 has been possible for a while. • For us it is mainly of interest because our Android app requires UDP encapsulation to work in userland. • With the upcoming TCP encapsulation this might be less of a problem, but it's usually preferable to use UDP encap over TCP encap. • POC patch by Tobias available. • Handling of UDP header checksum (RFC 6935/RFC 6936)? Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 17

  18. Proper Way to Handle Virtual IPv6 Addresses • We currently install virtual IPv6 addresses received from a server on a local interface and install specific source routes with that address and the remote subnets. • The address is marked deprecated, the idea being that the kernel will only use this address for the explicit routes but not when doing address selection for other destinations. • The question is whether this is the proper way of doing this. Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 18

  19. Marking Inbound Traffic After Decryption • Similar to the new outbound mark that's applied after encryption (XFRMA_OUTPUT_MARK) we'd like to discuss the possibility of adding a similar feature that applies a mark to inbound packets right after decryption. • This would simplify applying a mark to specific tunnels (e.g. for QoS) without having to mark before encryption or based on possibly dynamic values like SPI/reqid. • Patch by Steffen Klassert exists. Brunner/Steffen, 28.03.2018, IPsec_Workshop.pptx 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas

Neue strongSwan VPN Features GUUG Frhjahrsfachgesprch 2015 Stuttgart Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications HSR Hochschule fr Technik Rapperswil andreas.steffen@strongswan.org Wo um Gottes Willen

608 views • 35 slides
A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one Gbit/s environment By Erik Dekker & Patrick Spaans Supervisors: Aristide Bouix and Mohammad Al Najar Introduction Organization host internal

629 views • 25 slides
ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

1.39k views • 51 slides
Project Project Project Evolution of project Structured Collaborative Project Unstructured

Project Project Project Evolution of project Structured Collaborative Project Unstructured

Alain Fournier Presentation: Project Management Tools for Increasing Project Success! Alain is a Project and Portfolio Management Solutions Executive with Microsoft Canada specializing in Cloud Productivity Solutions Have over 20 years of

428 views • 21 slides
evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A

evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A

Effective post project evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A successful project? Agenda for today Who are LCMB? The context for post project evaluation The project lifecycle Post project

476 views • 32 slides
BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title:

BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title:

BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title: Business Process Re-engineering and functional toolkit for GDPR compliance Contract number: 787149 Funded under the H2020 call DS-08-2017

421 views • 22 slides
HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT

HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT

HHS // IHS HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT Modernization Project is sponsored by the U.S. Department of Health and Human Services Office of the Chief Technology Officer (HHS OCTO)

712 views • 13 slides
NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization

NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization

2 nd Annual Rural Community Development Initiative Capacity Building and Wood Utilization Workshop NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization Major Milestones Accomplishments

631 views • 12 slides
2013 Project Excellence Awards Project Requirements In-house design project Project

2013 Project Excellence Awards Project Requirements In-house design project Project

2013 Project Excellence Awards Project Requirements In-house design project Project constructed or near completion Judging Criteria Unique design considerations Constructability Post-construction performance Stakeholder

682 views • 29 slides
This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps. Chapter One: The first step is about narrating some facts, by which my project and research were based on. Egypt is located in north east africa,

690 views • 46 slides
Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE

Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE

Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE Drainage Alternatives 6. Project Benefits 7. Open Forum 8. Adjourn Project Location Project Background ASCG Inc. completed a Project Development

321 views • 15 slides
Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project

Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project

Minimum Spanning Data Structures and Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project 4 Assigned Today - Same partners as project 3 - We will re-run project 3 grading on project 4, just like the

704 views • 59 slides
Presentation Agenda Project History/Background Project Overview Current Project Status

Presentation Agenda Project History/Background Project Overview Current Project Status

Presentation Agenda Project History/Background Project Overview Current Project Status Project Opportunities 1 1 Pre-Solicitation Conference June 2018 www.newnicebridge.com 2 Welcome and Introductions Project Team MDTA

776 views • 38 slides
1 We will begin with some background information on the project. We will then talk about why we

1 We will begin with some background information on the project. We will then talk about why we

Welcome. My name is Mark Frechette. I am the project director for the New York State Department of Transportations (NYSDOT) I 81 Viaduct Project. Thank you for being here tonight. The project team has been working hard and we are excited to

548 views • 39 slides
I-84 Danbury Project Project Advisory Committee (PAC) Meeting No. 3 September 24, 2019 0

I-84 Danbury Project Project Advisory Committee (PAC) Meeting No. 3 September 24, 2019 0

I-84 Danbury Project Project Advisory Committee (PAC) Meeting No. 3 September 24, 2019 0 Agenda PAC Membership and Recap of Outreach Efforts Perspective Gathering Exercise Project Need Project Need Check-in Project Purpose

940 views • 54 slides
PROJECT INFORMATION SESSION May 14, 2020 TOPICS TO COVER Project Purpose Project

PROJECT INFORMATION SESSION May 14, 2020 TOPICS TO COVER Project Purpose Project

WETLAND & RIPARIAN INVENTORIES FOR UGB EXPANSION AREAS PROJECT INFORMATION SESSION May 14, 2020 TOPICS TO COVER Project Purpose Project Approach Who is Involved What is Needed to Make it Happen How the Project Will

581 views • 46 slides
CS Lunch RABBIT TRACKS An Animated film by Luke Jaeger! A journey through a mortality-infused

CS Lunch RABBIT TRACKS An Animated film by Luke Jaeger! A journey through a mortality-infused

1 CS Lunch RABBIT TRACKS An Animated film by Luke Jaeger! A journey through a mortality-infused landscape populated by mysterious chickens, inconvenient frogs, and other cartoonish creatures. Today, 12:15 PM Kendade 307 2 Visitor Candidates

247 views • 11 slides
MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia

MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia

MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Topics Addressing schemes and software protection models Hardware/software protection support Kernel access GATEs

1.29k views • 113 slides
Segmentation: Promoting 2020 Census self-response Laura Kail, PSB Gina Walejko, U.S. Census

Segmentation: Promoting 2020 Census self-response Laura Kail, PSB Gina Walejko, U.S. Census

Mindsets and Segmentation: Promoting 2020 Census self-response Laura Kail, PSB Gina Walejko, U.S. Census Bureau Brian Kriz, PSB Robert Kulzick, PSB Shawnna Mullenax, PSB Hubert Shang, PSB July 12, 2019 The views and opinions expressed in this

910 views • 28 slides
Problems: Page Table Size Maximum virtual space can be considerable (e.g. 2 40 bytes) Disk space

Problems: Page Table Size Maximum virtual space can be considerable (e.g. 2 40 bytes) Disk space

Problems: Page Table Size Maximum virtual space can be considerable (e.g. 2 40 bytes) Disk space for program image (1TB per process!) Page Table size 0.5GB (with 16KB pages, 8 byte descriptors) Most programs use only a small fraction of maximum

211 views • 6 slides
Lecture 5: Data Representation 1 / 43 Data Representation Discussion Deep learning job postings

Lecture 5: Data Representation 1 / 43 Data Representation Discussion Deep learning job postings

Data Representation Lecture 5: Data Representation 1 / 43 Data Representation Discussion Deep learning job postings have collapsed in past 6 months Something Ive learned: when non-engineers ask for an AI or ML implementation, they almost

618 views • 43 slides
Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart

Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart

' $ Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart Lamiroy, Philippe Dosch August 2002 & % ' $ Text/Graphics Separation Revisited Text/Graphics Separation Text/Graphics Separation XY

735 views • 19 slides
Microprocessors & Interfacing Assembler directives Assembler expressions Macros

Microprocessors & Interfacing Assembler directives Assembler expressions Macros

Lecture Overview Assembly program structure Microprocessors & Interfacing Assembler directives Assembler expressions Macros AVR Programming (II) Memory access Assembly process First pass Second pass

609 views • 18 slides
Introduction to Geometry Return to Table of Contents Slide 6 / 209 The Origin of Geometry

Introduction to Geometry Return to Table of Contents Slide 6 / 209 The Origin of Geometry

Slide 1 / 209 Slide 2 / 209 Geometry Points, Lines & Planes 2015-10-21 www.njctl.org Slide 3 / 209 Table of Contents click on the topic to go to that section Introduction to Geometry Points and Lines Planes Congruence, Distance and

2.06k views • 105 slides

More recommend