Scribd Logo
Upload

Welcome to Scribd!

  • scg08 VPMN r1

    Uploaded by

    iosmaris2331
    21 views28 pages
    Virtual Private Mesh Network Decentralized VPN Application Summer Camp Garrotxa 2008 introduction State of Art Internals. Virtual Network a tunnel with no routing hops own IP addressing private exclusive for trusted parties traffic cannot be read by other parties.

    Original Description:

    Original Title

    scg08_vpmn_r1

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Virtual Private Mesh Network Decentralized VPN Application Summer Camp Garrotxa 2008 introduction State of Art Internals. Virtual Network a tunnel with no routing hops own IP addressing private exclusive for trusted parties traffic cannot be read by other parties.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    21 views28 pages

    scg08 VPMN r1

    Uploaded by

    iosmaris2331
    Virtual Private Mesh Network Decentralized VPN Application Summer Camp Garrotxa 2008 introduction State of Art Internals. Virtual Network a tunnel with no routing hops own IP addressing private exclusive for trusted parties traffic cannot be read by other parties.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 28

    Introduction

    State of Art

    Internals

    Summary

    Virtual Private Mesh Network


    Decentralized VPN Application

    Pau Rodriguez-Estivill

    Summer Camp Garrotxa 2008

    Introduction

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction Status

    State of Art

    Internals

    Summary

    Internet

    Insecure
    Trafc can be read by other parties Trafc can be modied by other parties Content can be faked (phishing)

    Untrusted
    IPs can be spoofed

    Divided
    NATs separate it in multiple private networks

    Introduction Status

    State of Art

    Internals

    Summary

    VPN

    Virtual Network
    a tunnel with no routing hops own IP addressing

    Private
    exclusive for trusted parties trafc cannot be read by other parties

    Introduction Status

    State of Art

    Internals

    Summary

    Security

    Encrypting it cannot be read by other parties Integrity validation ensure it has not been modied Authenticating ensure that it is from a trusted party No repudiation other parties cannot lie Anti-replay protect against malicious replay

    Introduction Objectives

    State of Art

    Internals

    Summary

    Project Aims

    Add dynamically nodes to the fully connected mesh Authenticate nodes and IP addressing together Low latency and low overhead NAT friendly

    Introduction

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction IPsec

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction IPsec

    State of Art

    Internals

    Summary

    IPsec vs VPMN

    Pros Standard Mandatory in IPv6 implementations DNSSEC enable possible dynamic tunneling Cons Different implementations are not compatible Must be supported in kernel Only one mode supported through NAT IP addressing authentication not centralized

    Introduction OpenVPN

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction OpenVPN

    State of Art

    Internals

    Summary

    OpenVPN vs VPMN

    Pros IP congurations can be pushed Standard encryption channel Cons Centralized, mesh alternative not easy IP addressing not authenticated

    Introduction Tinc VPN

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction Tinc VPN

    State of Art

    Internals

    Summary

    Tinc VPN vs VPMN

    Pros Meshed Network Cons Not fully connected IP addressing not authenticated

    Introduction

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction Overview

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction Overview

    State of Art

    Internals

    Summary

    Application

    Multi-thread application Entirely written in C

    Introduction Security

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction Security

    State of Art

    Internals

    Summary

    Security summary

    Datagram TLS (DTLS) Uses CA for trusting nodes from the same network Certicates contain ACLs for IP addressing NameConstraints (x509v3) nameConstraints=permitted;IP:192.168.0.0/255.255.0.0

    Introduction Security

    State of Art

    Internals

    Summary

    DTLS: Datagram TLS

    RFC 4347 All operations in UDP


    Exchange of certicates Negotiation of cryptography algorithms Transport of ciphered data

    Based on TLSv1 Cryptography mechanisms as TLS


    Encryption Integrity validation Authentication Anti-replay mechanism

    Introduction Security

    State of Art

    Internals

    Summary

    Type of packets

    Raw IP packets Identication packets


    IP-port pairs Shared networks

    3 4

    Identication acknowledgment packets Keep alive packets


    Information of other known peers
    All IP-port pairs Shared networks

    Introduction Architecture

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction Architecture

    State of Art

    Internals

    Summary

    UDP Server Part

    Introduction Architecture

    State of Art

    Internals

    Summary

    TUN Server Part

    Introduction Conclusions

    State of Art

    Internals

    Summary

    Outline

    1 2

    Introduction State of Art IPsec OpenVPN Tinc VPN Internals Overview Security Architecture Conclusions

    Introduction Conclusions

    State of Art

    Internals

    Summary

    Conclusions Pros Dynamic Fully Connected Mesh Network Authenticated IP addressing with certicates Standard encryption channel (DTLS) Cons No relay mode possible Fragmentation needed Future tasks Heterogeneous MTU support Let fragmentation be optional User-space NAT

    Introduction

    State of Art

    Internals

    Summary

    Summary

    Internet is insecure and VPN is needed Server-less architecture Dynamic Fully Connected Mesh Network Authenticated IP addressing with certicates Standard encryption channel (DTLS)

    Introduction

    State of Art

    Internals

    Summary

    Questions?

    You might also like