The difficulties of The difficulties of a peer-to-peer a peer-to-peer VPN on the hostile Internet VPN on the hostile Internet Guus Sliepen

Brussel, February 6, 2010 Introduction

Communicating over the Internet

The problem of NAT

The problem of MTU

Other problems

Authentiation and authorization

The end

Guus Sliepen [email protected]

1.1 Tinc development started in September 1997, after The difficulties of introduction of ethertap in Linux 2.1.53. a peer-to-peer VPN on the hostile Internet Current features: Guus Sliepen • Connects multiple sites together • Can act as router (layer 3) or switch (layer 2) Introduction Communicating • Full support for IPv6 over the Internet The problem of • No central server NAT • You configure some endpoints, tinc will do the rest The problem of MTU Modus operandi: Other problems Authentiation and • Metadata exchanges via TCP authorization The end • VPN packets directly via UDP • Fall back to TCP if UDP is not possible

1.2 The competition: The difficulties of a peer-to-peer † VPN on the • CIPE hostile Internet • VTun† Guus Sliepen • IPsec • OpenVPN Introduction Communicating • Hamachi over the Internet The problem of But also: NAT The problem of • GVPE MTU • CloudVPN Other problems Authentiation and • SocialVPN authorization • n2n The end • VDE

1.3 Network before VPN is configured:

The difficulties of a peer-to-peer VPN on the hostile Internet Guus Sliepen

Introduction

Communicating over the Internet

The problem of NAT

The problem of MTU

Other problems

Authentiation and authorization

The end

Blue cloud: the Internet Black circles: VPN nodes

1.4 Initial connections configured by user:

The difficulties of a peer-to-peer VPN on the hostile Internet Guus Sliepen

Introduction

Communicating over the Internet

The problem of NAT

The problem of MTU

Other problems

Authentiation and authorization

The end

Green lines: initial connections

1.5 Full mesh created by tinc:

The difficulties of a peer-to-peer VPN on the hostile Internet Guus Sliepen

Introduction

Communicating over the Internet

The problem of NAT

The problem of MTU

Other problems

Authentiation and authorization

The end

Black lines: UDP tunnels

1.6 Reality is not so nice:

The difficulties of a peer-to-peer VPN on the hostile Internet Guus Sliepen

Introduction

Communicating over the Internet

The problem of NAT

The problem of MTU

Other problems

Authentiation and authorization

The end

Red arcs: NAT Red line: ISP blocking traffic Dotted lines: failed connections 1.7 The difficulties of a peer-to-peer VPN on the The problem of NAT: hostile Internet • Source address and port change Guus Sliepen • Incoming connections blocked Introduction

Communicating Solutions: over the Internet

The problem of • Routing via non-NAT node (not efficient) NAT • Port forwarding (not always possible, manual work) The problem of MTU • UPnP (needs router support, complex) Other problems • Authentiation and STUN/ICE (not always possible, complex) authorization

The end

1.8 Two nodes behind NAT:

The difficulties of a peer-to-peer VPN on the hostile Internet Guus Sliepen

Introduction

Communicating over the Internet

The problem of NAT

The problem of MTU

Other problems

Authentiation and authorization

The end

Both nodes can talk to a third node. NAT changes ports, nodes cannot talk to each other.

1.9 STUN in action:

The difficulties of a peer-to-peer VPN on the hostile Internet Guus Sliepen

Introduction

Communicating over the Internet

The problem of NAT

The problem of MTU

Other problems

Authentiation and authorization

The end

Third node tells other nodes about their addresses and ports. Nodes connect to each other using this information.

1.10 The problem of packet fragmentation: The difficulties of • MTU inside tunnel smaller than outside a peer-to-peer VPN on the • Outer layer fragments bad for performance hostile Internet Guus Sliepen • Some firewalls/ISPs block fragments

Introduction

Communicating over the Internet

The problem of NAT

The problem of MTU Solution: Other problems Authentiation and • Determine path MTU between nodes authorization • Generate ICMP Fragmentation Needed packets The end • Should work for all IPv4/IPv6 traffic • Fall back to TCP for other traffic

1.11 The problem of firewalls/ISPs blocking ICMP: The difficulties of a peer-to-peer VPN on the • ICMP Fragmentation Needed does not work! hostile Internet • Happens when network traffic leaves the VPN (for Guus Sliepen example, when having default gateway on VPN)

Introduction

ICMP Communicating ICMP ICMP ICMP over the Internet

The problem of NAT

The problem of MTU

Other problems Solution: Authentiation and authorization • Clamp MSS field in TCP packets to path MTU The end • Works only for TCP

1.12 The difficulties of a peer-to-peer VPN on the Other problems: hostile Internet Guus Sliepen • Frequently changing IP addresses • use dyndns • cache & forward known addresses between nodes Introduction Communicating • Only allowing certain ports, like HTTP over the Internet The problem of • tunnel over ICMP/DNS/HTTPS NAT

The problem of • ISPs dropping/delaying small UDP packets MTU • because they think it’s VoIP! Other problems • severely slows down TCP streams inside tunnel Authentiation and authorization

The end

1.13 Authentication and authorization

• Authentication = proving who you are The difficulties of a peer-to-peer VPN on the • Authorization = proving you are allowed to do hostile Internet something Guus Sliepen

Introduction

Communicating over the Internet

The problem of NAT

The problem of Two well known (mostly authentication) methods: MTU Other problems

• X.509 certificates Authentiation and • centralized approach authorization • focused on identities (LDAP like), and URLs The end • OpenPGP keys • decentralized approach • focused on email addresses

1.14 The difficulties of a peer-to-peer VPN on the We need OpenPGP-like features: hostile Internet • Completely decentralized Guus Sliepen • Web of trust Introduction

Communicating We need more than OpenPGP can offer: over the Internet The problem of • Authorise anything, not just email NAT The problem of • Everyone can add/remove authorizations MTU • Negative authorization: forbid things Other problems Authentiation and • Group decisions authorization The end

1.15 libfides: lightweight p2p authorization framework The difficulties of a peer-to-peer VPN on the • Create and maintain repository of many certificates hostile Internet "X said at time T that Y is allowed to do Z" Guus Sliepen • Newer certificates overrule older ones

"X said at time T+1 that Y is not allowed to do Z" Introduction • Communicating Make it simple to query the repository over the Internet

"Is Y allowed to do Z?" The problem of NAT

The problem of • Fast & easy synchronization of repositories MTU • Application does not need to know about crypto Other problems Authentiation and • Libfides itself uses only ECCDSA primitives authorization The end • Still in alpha stage.

1.16 Conclusions: • The Internet eats your packets. The difficulties of • a peer-to-peer Lots of techniques necessary to work around it. VPN on the • Distributed authorization is a challenge. hostile Internet Guus Sliepen

That’s it. Introduction Communicating • Questions? over the Internet The problem of NAT

The problem of Visit the website: MTU http://tinc-vpn.org/ Other problems Authentiation and authorization

The end

1.17