Tunnels and VPN * s s November 6, 2020 *virtual private networks - PDF document

Tunnels and VPN * Tunnels and VPN * s s November 6, 2020 *virtual private networks *virtual private networks Administrative – Administrative – submittal instructions submittal instructions � answer the lab assignment’s questions in written report form, as a text, pdf, or Word document file (no obscure formats please) � deadline is start of your lab session the following week � reports not accepted (zero for lab) if late � submit via D2L 1

Administrative – – script files reminder script files reminder Administrative � re-download the script files' zip � to obtain the new vmconfigure scripts for this "sniffing" exercise Administrative – – employment employment Administrative � CS530 will be next offered Fall 2020 � lab graders will be needed – you are the automatically ideal candidates – you must remain a student in Fall 2020 – contact me with expression of interest now, or subsequently – hiring can only take place next August-September 2

What’ What ’s a tunnel? s a tunnel? � encapsulation of data packets in data packets � inner packets opaque to outer packets’ network � may or may not be encrypted– that’s outside “tunnel” definition Lab experiment topology Lab experiment topology eth0? eth2? eth3? interface names enumerated unpredictably, must be determined every swap-in session; Script “nicaddressing” provided 3

Tcpdump of of ipip ipip – – packet becomes payload Tcpdump packet becomes payload a ping shoots… in one side of tunnel endpoint …and out the other (simultaneous) IP header starts IP payload starts node3’s red incoming- packet & outgoing- payload are IP-identical* *allowing for TTL decrement and checksum recalc Lab tunnels you will build Lab tunnels you will build true non-tunnel tunnel channel unencrypted IP over IP ssh encrypted OpenVPN stunnel 4

Tunnels spawn new interfaces Tunnels spawn new interfaces Physical (hardware) Virtual (software) � eth0 � tunl0 (ip-ip) � eth1 � tap0 (OpenVPN) � ipsec0 (IPSec) � ppp0 (ppp-ssh) � vmnet8 (VMware) Using hardware interfaces Using hardware interfaces eth0 App eth1 (Technical note: the choice of interface by an app is indirect. App source code expresses only an IP address. Downstream, IP software in network stack maps the address into an interface via the routing table.) 5

Using software interfaces Using software interfaces eth0 App eth1 cipcb1 • looks like an interface to an app • looks like an app to an interface • gets to massage traffic passing through What’ ’s a VPN s a VPN What � a virtual net overlaid on an underlying net � a private net retaining exclusivity through confidentiality – implemented by encryption – applying cryptographic methods you have studied 6

TUNNELS TUNNELS Tunnel within a network Tunnel within a network C G E B H I A D F - Packet stream of protocol X - Packet stream of protocol Y - Packet stream: “X over Y” or “X tunneled in/through Y” 7

A packet to be tunneled A packet to be tunneled Source Address Destination Address Data Payload Tunnel packet Tunnel packet Tunnel Tunnel Tunnel Source Address Destination Address Header Source Address Destination Address Tunnel packet’s payload is Data Payload a(nother) packet 8

X over Y tunneling X over Y tunneling Tunnel Tunnel Tunnel Source Address Destination Address Header Source Address Destination Address Data Payload Packet of protocol X Packet of protocol Y Another way to draw it … … Another way to draw it high-level payload/cargo/freight protocol X header mid-level protocol Y header low-level protocol Z header 9

Uses of tunneling Uses of tunneling � carry payloads over domains where otherwise illegal – carry protocols that are illegal – carry addresses that are illegal � apply common services to multiple traffic flows ‘Illegal Illegal’ ’ protocols over IP protocols over IP ‘ IPX and/or IPv6 Network A IPX and/or IPv6 Network B IP Network C (e.g. the internet) e.g., e.g., Netware and/or Netware and/or IPv6 IPv6 10

‘Illegal ‘ Illegal’ ’ addresses over IP addresses over IP Private IP Network A Private IP Network B IP Network C (e.g. the internet) e.g., e.g., 192.168…. 192.168…. 172.16…. and/or 172.16…. and/or 10…. 10…. Applying common services Applying common services IPX Network A IPX Network B IP Network C (e.g. the internet) crypto and/or crypto and/or compression applied compression applied (to entire tunnel) by e.g. ssh or stunnel (ssl) or OpenVPN or IPSec 11

Layer 3 tunneling Layer 3 tunneling example: IP over IP example: IP over IP IP layer 3 payload header 1 IP layer 3 header 2 Layer 3 tunneling Layer 3 tunneling example: IPsec IPsec example: IP layer 3 payload header 1 extra IP layer 3 “security” header 2 header 12

VPNS VPNS Placement- -based Architectures based Architectures Placement � Site-to-site Intranet VPN � Remote access VPN 13

Site- Site -to to- -site VPN via internet site VPN via internet Network A Network B Remote access VPN Remote access VPN via internet connection via internet connection Network A Home telecommuter VPN Road warrior gateway ISP/hotel 14

lab exercise product 1 lab exercise product 1 IPIP IPIP What is it? What is it? � Conveys an IP packet between machines … not as a packet … but as cargo in another packet � Destination shucks carrier packet, releases cargo as packet into local networking machinery � “Tunnel” since one packet “passes through” another � Implemented in linux by module ipip.o 15

� Conveys a car between states – … not as a car/motor-vehicle S.S. Badger S.S. Badger – … but as cargo in a boat � Destination throws away boat, releases car as a motor vehicle onto local roadways � “Tunnel” since one vehicle “passes through” another � Implemented by Lake Michigan Carferry Service IP itself is an IP subprotocol subprotocol IP itself is an IP IP Header Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4 for IP (6 for TCP 17 for UDP 50 for ESP, etc) 16

Sample LAN Sample LAN Local Network – 192.168.1.0 Remote Network – 192.168.2.0 A 192.168.1.2 D B e m o S 192.168.1.1 o n i c t n e n c o 192.168.2.1 200.2.2.2 100.1.1.1 192.168.2.2 E Workstations – A and E Gateways – B and D “Some connection Some connection” ” “ � Could be the internet � Could be a single intermediate machine � Equivalent, for the 2 gateways 17

Sample LAN Sample LAN Local Network – 192.168.1.0 Remote Network – 192.168.2.0 A 192.168.1.2 C D B eth0 192.168.1.1 192.168.2.1 eth0 100.1.1.1 100.1.1.254 200.2.2.254 200.2.2.2 eth0 eth1 eth0 eth1 eth1 192.168.2.2 eth0 E Workstations – A and E Gateways – B and D Internet surrogate – C (B’s ISP; D’s ISP) nd bridge to cross Wanted: a 2 nd bridge to cross Wanted: a 2 Local Network – 192.168.1.0 Remote Network – 192.168.2.0 A 192.168.1.2 D B eth0 eth0 192.168.1.1 192.168.2.1 200.2.2.2 100.1.1.1 192.168.2.2 E tunl0 tunl0 192.168.1.1 192.168.2.1 18

lab exercise product 2 lab exercise product 2 ssh ssh A client- -server pair of programs server pair of programs A client � ssh - client – /usr/bin/ssh � sshd - server – /usr/sbin/sshd – assigned port number 22 19

ssh – ssh – why secure? why secure? � all session/command traffic passes through ssh/sshd (sshd runs on port 22) � encrypted going out/decrypted coming in � for duration of session/command � uses RSA (public-key) authentication � then strong-key symmetrical encryption ssh feature: port forwarding feature: port forwarding ssh Private Network – 192.168.1.0 206.170.218.30 64.54.209.204 192.168.1.1 ssh ssh client server 192.168.1.111:80 http (web) ssh port forwarding: server correspond some port on the client (e.g., 3000) to some port (e.g., 80) on a machine reachable thru the server…. Example: http://127.0.0.1:3000 in client’s browser gets served from 192.168.1.111 20

ssh syntax ssh syntax Normal log in ssh remote-user@remote-IP e.g., ssh root@64.54.209.204 Adding a tunnel ssh -L local-port : target-IP : remote-port remote-user@remote-IP e.g., ssh -L 3000:192.168.1.111:80 root@64.54.209.204 puTTY puTTY 21

puTTY puTTY lab exercise product 3 lab exercise product 3 stunnel stunnel 22