Tunnels and VPN * s. Administrative submittal instructions

Transcription

1 Tunnels and VPN * s November 3, 2017 *virtual private s Administrative submittal instructions answer the lab assignment s questions in written report form, as a text, pdf, or Word document file (no obscure formats please) to csci530l@usc.edu exact subject title must be tunnelslab deadline is start of your lab session the following week reports not accepted (zero for lab) if late you did not attend the lab (except DEN or prior arrangement) subject title deviates 1

2 Administrative employment CS530 will be next offered Fall 2018 lab graders will be needed you are the automatically ideal candidates you must remain a student in Fall 2018 contact me with expression of interest now, or subsequently hiring can only take place next August-September What s s a tunnel? encapsulation of data packets in data packets inner packets opaque to outer packets may or may not be encrypted that s outside tunnel definition 2

3 Lab experiment topology eth0? eth2? eth3? interface names enumerated unpredictably, must be determined every swap-in session; Script nicaddressing provided Tcpdump of ipip packet becomes payload a ping shoots in one side of tunnel endpoint and out the other (simultaneous) IP header starts IP payload starts node3 s red incoming-packet & outgoing-payload are IP-identical* *allowing for TTL decrement and checksum recalc 3

4 Lab tunnels you will build true tunnel non-tunnel channel unencrypted IP over IP encrypted OpenVPN ssh stunnel Tunnels spawn new interfaces Physical (hardware) eth0 eth1 Virtual (software) tunl0 (ip-ip) tap0 (OpenVPN) ipsec0 (IPSec) ppp0 (ppp-ssh) cipcb1 (CIPE) 4

5 Using hardware interfaces eth0 App eth1 (Technical note: the choice of interface by an app is indirect. App source code expresses only an IP address. Downstream, IP software in stack maps the address into an interface via the routing table.) Using software interfaces eth0 App eth1 cipcb1 looks like an interface to an app looks like an app to an interface gets to massage traffic passing through 5

6 What s s a VPN a virtual net overlaid on an underlying net a private net retaining exclusivity through confidentiality implemented by encryption applying cryptographic methods you have studied TUNNELS 6

7 Tunnel within a B C E G H I A D F - Packet stream of protocol X - Packet stream of protocol Y - Packet stream: X over Y or X tunneled in/through Y A packet to be tunneled Source Address Destination Address Data Payload 7

8 Tunnel packet Tunnel Source Address Tunnel Destination Address Tunnel Header Source Address Data Payload Destination Address Tunnel packet s payload is a(nother) packet X over Y tunneling Tunnel Source Address Tunnel Destination Address Tunnel Header Source Address Destination Address Data Payload Packet of protocol X Packet of protocol Y 8

9 Another way to draw it high-level header payload/cargo/freight protocol X mid-level header protocol Y low-level header protocol Z Uses of tunneling carry payloads over domains where otherwise illegal carry protocols that are illegal carry addresses that are illegal apply common services to multiple traffic flows 9

10 Illegal protocols over IP IPX and/or IPv6 Network A IPX and/or IPv6 Network B IP Network C (e.g. the internet) e.g., Netware and/or IPv6 e.g., Netware and/or IPv6 Illegal addresses over IP Private IP Network A Private IP Network B IP Network C (e.g. the internet) e.g., and/or 10. e.g., and/or

11 Applying common services IPX Network A IPX Network B IP Network C (e.g. the internet) crypto and/or compression applied (to entire tunnel) crypto and/or compression applied by e.g. ssh or stunnel (ssl) or OpenVPN or IPSec Layer 3 tunneling example: IP over IP IP header 1 payload layer 3 IP header 2 layer 3 11

12 Layer 3 tunneling example: IPsec IP header 1 payload layer 3 IP header 2 extra security header layer 3 VPNS 12

13 Placement-based Architectures Site-to-site Intranet VPN Remote access VPN Site-to to-site VPN via internet Network A Network B 13

14 Remote access VPN via internet connection Network A Home telecommuter VPN gateway ISP/hotel Road warrior lab exercise product 1 IPIP 14

15 What is it? Conveys an IP packet between machines not as a packet but as cargo in another packet Destination shucks carrier packet, releases cargo as packet into local ing machinery Tunnel since one packet passes through another Implemented in linux by module ipip.o S.S. Badger Conveys a car between states not as a car/motor-vehicle but as cargo in a boat Destination throws away boat, releases car as a motor vehicle onto local roadways Tunnel since one vehicle passes through another Implemented by Lake Michigan Carferry Service 15

16 IP itself is an IP subprotocol IP Header Format Version IHL Type of Service Total Length Identification Flags Fragment Offset Time to Live Protocol Header Checksum Source Address Destination Address Options Padding for IP (6 for TCP 17 for UDP 50 for ESP, etc) Sample LAN Local Network Remote Network A B Some connection D Workstations A and E E Gateways B and D 16

17 Some connection Could be the internet Could be a single intermediate machine Equivalent, for the 2 gateways Sample LAN Local Network Remote Network A eth eth0 B C eth1 eth0 eth1 eth1 D eth0 Workstations Gateways Internet surrogate A and E B and D C (B s ISP; D s ISP) eth0 E 17

18 Wanted: a 2 nd bridge to cross Local Network Remote Network A eth B D eth E tunl0 tunl lab exercise product 2 ssh 18

19 A client-server pair of programs ssh - client /usr/bin/ssh sshd - server /usr/sbin/sshd assigned port number 22 ssh why secure? all session/command traffic passes through ssh/sshd (sshd runs on port 22) encrypted going out/decrypted coming in for duration of session/command uses RSA (public-key) authentication then strong-key symmetrical encryption 19

20 ssh feature: port forwarding Private Network ssh client ssh server :80 ssh port forwarding: correspond some port on the client (e.g., 3000) to some port (e.g., 80) on a machine reachable thru the server. http (web) server Example: in client s browser gets served from ssh syntax Normal log in ssh remote-user@remote-ip e.g., ssh Adding a tunnel root@ ssh -L local-port:target-ip:remote-port remote-user@remote-ip e.g., ssh -L 3000: :80 root@

21 putty putty 21

22 lab exercise product 3 stunnel Encrypt the talk between clients and servers who don t The stunnel program is designed to work as SSL encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-ssl aware daemons running on your system you can easily set them up to communicate with clients over secure SSL channels. stunnel man page 22

23 Ordinary ssl-unaware applications client application server application socket API socket API not encrypted SSL-aware applications client application ssl crypto here server application ssl encrypted 23

24 stunnel 3 TCP conversations a client machine a server machine ssl-unaware client stunnel stunnel ssl-unaware server ssl ssl not encrypted encrypted not encrypted app viewpoint: stunnel-oblivious without stunnel with stunnel ssl-unaware client ssl-unaware server ssl-unaware client ssl-unaware server not encrypted encrypted 24

25 Ports: non-stunnel scenario client application server application talk to remote:60000 listen to stunnel 3 TCP conversations ssl-unaware client stunnel stunnel ssl-unaware server talk to local:2000 listen to local:2000 talk to remote:30000 listen to talk to listen to

26 Vanilla config files # stunnel client client=yes [stunnel service name] accept = :2000 connect = :30000 # stunnel server at cert = /etc/stunnel/stunnel.pem [example service name] accept = connect = stunnel genl case topology LAN with client untrusted net LAN with server a router a router ssl-unaware client stunnel stunnel ssl-unaware server ssl ssl not encrypted encrypted not encrypted 26

27 stunnel server needs certificate create it with cd /etc/stunnel openssl req -new -x509 -days nodes -out stunnel.pem -keyout stunnel.pem reference it in stunnel server s config file stunnel s not really a tunnel stunnel is a conversation endpoint and a (different) conversation startpoint arriving packets are stripped of header at endpoint their content repackaged, new header, at startpoint headers do not nest/accumulate as in tunnels 27

28 True tunneling header 1 payload header 2 headers accumulate Payload forward/relay/proxy header 1 payload header 2 payload headers replace each other 28

29 lab exercise product 4 OpenVPN Lab s OpenVPN tunnel scenarios a routed tunnel, unencrypted a routed tunnel, encrypted using static, preshared secret keys a bridged tunnel, encrypted using SSL 29

30 Given this setup LEFT MIDDLE RIGHT eth0 eth1 eth0 eth0 hub hub 2 configs could make em ping eth0 eth1 eth0 eth0 hub hub 1. Routing make 2 LANs out of it (2 broadcast domains) end-to-end connection achieved by routing the IP packets 2. Bridging make 1 consolidated LAN out of it (single broadcast domain) end-to-end by bridging the ethernet frames 30

31 Info s s usual trans-layer itinerary application application Signals via hub ( layer 1 device ) app app computer A hub computer B 31

32 Frames via bridge ( layer 2 device ) app app computer A bridge computer B Packets via router ( layer 3 device ) app app computer A router computer B 32

33 Note, bridge scenario: frame s s contained packet untouched app app computer A bridge computer B OpenVPN features unique certificate/key-pair for every client choice of ciphers bridged case extends LAN-local IP to remote joiner allows broadcast-dependent apps (printer sharing) makes remoteness transparent routing does it mostly bridging does it entirely 33

34 Summer build-a-test test-lab project at JPL we encompassed DETER experment s DETER Marina del Rey USC/ISI Cyber Defense Research Lab Pasadena JPL/NASA DETER s special risky experiments can admit outlanders Extra fields, you can request: node0/tcp/22 node0/tcp/1194 node0/udp /tcp/ /tcp/ /udp/

35 The resulting benefit DETER experiment nodes now say, You can talk to us and here s s how. What we did over summer vacation with port 1194 access at DETER (namely, OpenVPN) between gateways among workstations, via the gateways port 1194 DETER Marina del Rey gateway workstation JPL Pasadena gateway workstation cost: open inbound port 1194 (at DETER) benefit: free (all-port) crosstalk here 35

36 Virtues of OpenVPN multiplexes all ports/protocols over a single port and protocol (ask DETER for just that one) applies common encryption service to all machines in the 2 s Applying common services A 3-node DETER experiment JPL s CDRL β the internet A B α γ crypto and/or compression applied (to entire tunnel by e.g. OpenVPN or IPSec or ssh or stunnel) Conversations β B (red) γ C (yellow) both served in common C D E 36

37 Info IP over IP IP in IP Tunneling IP Encapsulation within IP Info - ssh Getting Started with ssh ssh resource page free clients for Windows putty OpenSSH for Windows 37

38 Info - stunnel Info OpenVPN client for Windows 38