Asiabsdcon 2013 Proceedings

Asiabsdcon 2013 Proceedings

Copyright c 2013 AsiaBSDCon 2013 Organizing Committee. All rights reserved. ! Unauthorized republication is prohibited. Published in Japan, March 2013 5 6 7 8 OpenIKED Reyk Floeter ([email protected]) February 2013 Abstract history and my personal motivation of creating it. It is inteded to provide some complementary This paper introduces the OpenIKED project[14], information for my talk at AsiaBSDCon 2013 . the latest portable subproject of OpenBSD[13]. OpenIKED is a FREE implementation of the most ad- The project aims to provide a free implementa- vanced Internet security Internet Key Exchange ver- tion of the Internet Key Exchange (IKEv2) protocol sion 2 (IKEv2) Virtual Private Network (VPN) pro- which performs mutual authentication and which tocol using the strongest security, authentication and establishes and maintains IPsec VPN security policies encryption techniques. The project was born in need and Security Associations (SAs) between peers. of a modern Internet Protocol Security (IPsec) imple- The IKEv2 protocol is de ned in Request for Com- mentation for OpenBSD, but also for interoperability ments (RFC) 5996, which combines and updates the with the integrated IKEv2 client since Windows 7 and previous standards: Internet Security Association and to provide a compliant solution for the US Government Key Management Protocol (ISAKMP)/Oakley (RFC IPv6 (USGv6) standard. The project is still under ac- 2408[8]), Internet Key Exchange version 1 (IKE) tive development; it was started by Reyk Floeter as (RFC 2409[3]), and the Internet DOI (RFC 2407[17]). iked for OpenBSD in 2010 but ported to other plat- OpenIKED only supports the IKEv2 protocol; sup- forms including Linux, FreeBSD and NetBSD in late port for ISAKMP/Oakley and IKE is provided by 2012 using the OpenIKED project name. OpenBSD s isakmpd(8) or other implementations on non-OpenBSD platforms. It is intended to be a lean, clean, secure, better con- gurable and interoperable implementation that fo- cusses on supporting the main standards and most important features of IKEv2. I primarily wrote OpenIKED with signi cant contributions from Mike Belopuhov and various contributing OpenBSD hack- ers. OpenIKED is developed as part of the OpenBSD Project. The software is freely usable and re-usable by everyone under an Internet Systems Consortium (ISC) license. The OpenBSD project sells CDs, T-Shirts and Posters. Sales of these items help to fund development. 2Background&History 2.1 Why another VPN protocol? There are a number of free implementations of VPN protocols available that can provide a su cient secu- rity for private network connections. But these pro- 1Introduction tocols and implementations have di erent use cases, limitations, bene ts, and drawbacks. Most of them This paper provides a brief description of the are specialized in one aspect but cannot provide a so- OpenIKED project, including technical background, lution in another area. 9 10 11 12 13 14 The autoconf framework and compatibility library spired by the Windows client. Accordingly, the goal that is based OpenSSH s portable version made it sur- is to provide a very simple tool that allows to set up prisingly easy to port OpenIKED to Linux. IKEv2 client connections from Mac-based road war- AdrawbackisthefactthattheLinuxkerneldevel- riors. The dynamic negotiation of IKEv2 and the se- opers invented their own non-standard XFRM ker- cure defaults of OpenIKED allows to reduce the re- nel API that is intended to replace PFKEYv2, which quired con guration settings to the minimum on the is considered to be obsolete. The PFKEYv2 inter- client side: remote gateway address and optional con- face still exists but is poorly maintained and lacks nection name. Other optional settings can be con g- some features, like working support for HMAC-SHA2- ured in the Details tab. In di erence to the Win- 256 HMAC authentication for IPsec. Linux originally dows client, additional user-based authentication is added HMAC-SHA2-256 support based on the pre- currently not supported as EAP-based authentication standard speci cation with a truncation length of 96 is only implemented for the server (responder) side. bits that is incompatible to the standard length of The current version is a working proof of concept 128 bits that is described in RFC 4868[6]. PFKEYv2 that requires manual installation of keys and certi - uses pre-de ned identi ers and attributes for algo- cates into the con guration directory. rithms, e.g. SADB X AALG SHA2 256 for HMAC-SHA2- 256 with 128 bits truncation. The Linux kernel rec- ognizes the SADB X AALG SHA2 256 identi er but as- sumes 96 bits truncation. The kernel developers never xed this obvious bug to keep compatibility with one or two other implementations that use the pre- standard version. They refer to the XFRM API that allows to set the algorithm, and the key and truncation lengths individually. 4.4 User-friendly GUI There is actually no need to use a GUI to set up gate- way to gateway connections. The con guration le, iked.conf,usesawell-denedgrammarthatiseasy to understand for system administrators and most users of OpenIKED .Butwhenconnectingmobile users, or road warriors, to the gateway, an easy GUI is an important requirement for deploying the VPN. These users are most commonly non-technical laptop users that connect to a VPN gateway of their orga- 4.5 The Artwork nization, university or company. It is most desirable OpenBSD and its subprojects aren t just known for that they can set up and debug the client-side of the security, they re also known for their comic-style art- VPN connection without much interaction from the work. Each of these projects has a theme that is IT department. including the OpenBSD-styled logo and Pu y the pu er sh in some action. The artwork is used on T- Microsoft Windows Shirts, posters and CD covers and was originally de- signed by the Canadian artist Ty Semaka and some Microsoft Windows 7 introduced an integrated IKEv2 other artists today. client con guration dialog that is surprisingly easy to use for standard users. The con guration of tradi- tional IPsec/IKE used to be very di cult under Win- dows but the IKEv2 client only requires installing the required certi cates, setting the remote gateway ad- dress, and specifying a user name and password for additional EAP-MSCHAPv2 authentication. And of course, OpenIKED is a compatible gateway that can be used with the built-in Windows client. When I decided to turn iked into a portable project, OpenIKED.app it was clear that I needed a matching artwork. I had To get a similar level of IKEv2 user-friendliness on the idea of using a tin can telephone as a theme that OS X, I started working on a simple GUI that is in- represents VPN communication in an obscure way. 15 16 NPF in NetBSD 6 S.P.Zeidler [email protected]" Mindaugas Rasiukevicius [email protected]" The NetBSD Foundation The NetBSD Foundation Abstract form for a packet. This design has the advantage of pro- tocol independence, therefore support for new protocols NPF has been released with NetBSD 6.0 as an exper- (for example, layer 7) or custom filtering patterns can be imental packet filter, and thus has started to see actual easily added at userspace level without any modifications use. While it is going to take a few more cycles before to the kernel itself. it is fully ”production ready”, the exposure to users has NPF provides rule procedures as the main interface to given it a strong push to usability. Fixing small bugs use custom extensions. The syntax of the configuration and user interface intuitivity misses will help to evolve it file supports arbitrary procedures with their parameters, from a theoretical well-designed framework to a practical as supplied by the extensions. An extensions consists of packet filtering choice. The talk will cover distinguish- two parts: a dynamic module (.so file) supplementing the ing features of NPF design, give an overview of NPF’s npfctl(8) utility and a kernel module (.kmod file). Thus, current practical capabilities, ongoing development, and kernel interfaces can be used instead of modifications to will attempt to entice more people to try out NPF and the NPF core code. give feedback. The internals of NPF are abstracted into well defined modules and follow strict interfacing principles to ease 1 Introduction extensibility. Communication between userspace and the kernel is provided through the library libnpf, described NPF is a layer 3 packet filter, supporting IPv4 and IPv6, in the npf(3) manual page. It can be conveniently used as well as layer 4 protocols such as TCP, UDP and by developers who create their own extensions or third ICMP/IPv6-ICMP. NPF offers the traditional set of fea- party products based on NPF. Application-level gateways tures provided by most packet filters. This includes state- (ALGs), such as support for traceroute(8), are also ab- ful packet filtering, network address translation (NAT), stracted in separate modules. tables (using a hash or tree as a container), rule pro- cedures for easy development of NPF extensions (e.g. packet normalisation and logging), connection saving 2.1 Designed for SMP and high through- and restoring as well as other features. NPF focuses on put high performance design, ability to handle a large vol- NPF has been designed so its data structures can use ume of clients and using the speed of multi-core systems. lockless methods where suitable and fine-grained lock- Various new features were developed since NetBSD ing in general. 1 6.0 was released, and the upcoming 6.1 release will have Ruleset inspection is lockless. It uses passive serial- considerable differences regarding their user interface ization as a protection mechanism.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    116 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us