IP-in-IP encapsulation: basic tunneling David Morgan © David Morgan 2007 What is it? Conveys an IP packet between machines … not as a packet … but as cargo in another packet Destination shucks carrier packet, releases cargo as packet into local networking machinery “Tunnel” since one packet “passes through” another Implemented in linux by module ipip.o © David Morgan 2007 1 IP itself is an IP subprotocol IP Header Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| IHL |Type of Service| Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification |Flags| Fragment Offset | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Time to Live | Protocol | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 4 for IP (6 for TCP 17 for UDP 50 for ESP, etc) © David Morgan 2007 Class LAN Local Network – 192.168.1.0 Remote Network – 192.168.2.0 A 192.168.1.2 D B Some on connecti 192.168.1.1 100.1.1.1 200.2.2.2 192.168.2.1 192.168.2.2 E Workstations – A and E Gateways – B and D © David Morgan 2007 2 “Some connection” Could be the internet Could be a single intermediate machine Equivalent, for the 2 gateways © David Morgan 2007 Class LAN Local Network – 192.168.1.0 Remote Network – 192.168.2.0 A 192.168.1.2 eth0 C B D 192.168.1.1 192.168.2.1 eth0 100.1.1.1 100.1.1.254 200.2.2.254 200.2.2.2 eth1 eth0 eth1 eth1 eth0 192.168.2.2 eth0 E Workstations Gateways Internet surrogate – A and E – B and D – C (B’s ISP; D’s ISP) © David Morgan 2007 3 Wanted: a 2nd bridge to cross Local Network – 192.168.1.0 Remote Network – 192.168.2.0 A 192.168.1.2 eth0 192.168.1.1 D B 100.1.1.1 eth0 192.168.2.1 200.2.2.2 192.168.2.2 E tunl0 192.168.1.1 tunl0 192.168.2.1 © David Morgan 2007 Essential steps (on gateway) Load ipip.o module (enabling code) Apply internal interface’s address to “tunl0” device Add gatewayed route to other network – specify other gateway by its outside IP – specify tunl0 device Reciprocate on opposite gateway (/root/bin/tunl/tunl-vpnb) ( /root/bin/tunl/tunl-vpnd) © David Morgan 2007 4 Load ipip.o module (if not automatic) modprobe ipip vpnd modprobe ipip vpnb © David Morgan 2007 Internal IP goes onto tunl0 ifconfig tunl0 192.168.2.1 vpnd ifconfig tunl0 192.168.1.1 vpnb © David Morgan 2007 5 Route to opposite network via its gateway’s outside IP, tunl0 route add –net 192.168.1.0 netmask 255.255.255.0 gw 100.1.1.1 tunl0 vpnd route add –net 192.168.2.0 netmask 255.255.255.0 gw 200.2.2.2 tunl0 vpnb © David Morgan 2007 Implementation - vpnb vpnb [root@vpnb root]# route -n Kernel IP routing table Destination Gateway 192.168.1.0 0.0.0.0 100.1.1.0 0.0.0.0 127.0.0.0 0.0.0.0 0.0.0.0 100.1.1.254 [root@vpnb root]# ./tunl-vpnb [root@vpnb root]# route -n Kernel IP routing table Destination Gateway 192.168.2.0 200.2.2.2 192.168.1.0 0.0.0.0 100.1.1.0 0.0.0.0 127.0.0.0 0.0.0.0 0.0.0.0 100.1.1.254 Genmask 255.255.255.0 255.255.255.0 255.0.0.0 0.0.0.0 Iface eth0 eth1 lo eth1 Genmask 255.255.255.0 255.255.255.0 255.255.255.0 255.0.0.0 0.0.0.0 Iface tunl0 eth0 eth1 lo eth1 © David Morgan 2007 6 Implementation - vpnd vpnd [root@vpnd root]# route -n Kernel IP routing table Destination Gateway 192.168.2.0 0.0.0.0 200.2.2.0 0.0.0.0 127.0.0.0 0.0.0.0 0.0.0.0 200.2.2.254 [root@vpnd root]# ./tunl-vpnd [root@vpnd root]# route -n Kernel IP routing table Destination Gateway 192.168.2.0 0.0.0.0 192.168.1.0 100.1.1.1 200.2.2.0 0.0.0.0 127.0.0.0 0.0.0.0 0.0.0.0 200.2.2.254 Genmask 255.255.255.0 255.255.255.0 255.0.0.0 0.0.0.0 Iface eth0 eth1 lo eth1 Genmask 255.255.255.0 255.255.255.0 255.255.255.0 255.0.0.0 0.0.0.0 Iface eth0 tunl0 eth1 lo eth1 © David Morgan 2007 Routing Local Network A – 192.168.1.0 Remote Network E – 192.168.2.0 for network E A C B E’ D 192.168.1.1 192.168.2.1 100.1.1.1 100.1.1.254 200.2.2.254 200.2.2.2 A’ for network A E default routes (via eth devices) network routes (via tunl devices) © David Morgan 2007 7 Outcomes: interfaces and routes tunl0 Link encap:IPIP Tunnel HWaddr inet addr:192.168.2.1 Mask:255.255.255.0 vpnd Kernel IP routing table Destination Gateway 192.168.1.0 100.1.1.1 tunl0 Genmask 255.255.255.0 Iface tunl0 Link encap:IPIP Tunnel HWaddr inet addr:192.168.1.1 Mask:255.255.255.0 vpnb Kernel IP routing table Destination Gateway 192.168.2.0 200.2.2.2 Genmask 255.255.255.0 Iface tunl0 © David Morgan 2007 Outcomes: new B-D link (1) vpnc [root@vpnc root]# tcpdump -n -i eth0 icmp eth0: Setting promiscuous mode. tcpdump: listening on eth0 18:46:29.290495 100.1.1.1 > 200.2.2.2: icmp: echo request (DF) 18:46:29.290773 200.2.2.2 > 100.1.1.1: icmp: echo reply 2 packets received by filter 0 packets dropped by kernel vpnb [root@vpnb root]# ping -c1 200.2.2.2 PING 200.2.2.2 (200.2.2.2) from 100.1.1.1 : 56 bytes 64 bytes from 200.2.2.2: icmp_seq=0 ttl=254 time=451 usec --- 200.2.2.2 ping statistics --1 packets transmitted, 1 packets received [root@vpnb root]# ping -c1 192.168.2.1 PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56 bytes 64 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=488 usec --- 192.168.2.1 ping statistics --1 packets transmitted, 1 packets received © David Morgan 2007 8 Outcomes: new B-D link (2) vpnd [root@vpnd root]# tcpdump -n -i eth1 tcpdump: listening on eth1 19:46:49.828659 100.1.1.1 > 200.2.2.2: 19:46:49.828743 200.2.2.2 > 100.1.1.1: 19:46:52.935084 100.1.1.1 > 200.2.2.2: request (DF) (ipip) 19:46:52.935214 200.2.2.2 > 100.1.1.1: reply (ipip) icmp: echo request (DF) icmp: echo reply 192.168.1.1 > 192.168.2.1: icmp: echo 192.168.2.1 > 192.168.1.1: icmp: echo 4 packets received by filter 0 packets dropped by kernel vpnb [root@vpnb root]# ping -c1 200.2.2.2 PING 200.2.2.2 (200.2.2.2) from 100.1.1.1 : 56 bytes 64 bytes from 200.2.2.2: icmp_seq=0 ttl=254 time=451 usec --- 200.2.2.2 ping statistics --1 packets transmitted, 1 packets received [root@vpnb root]# ping -c1 192.168.2.1 PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56 bytes 64 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=488 usec --- 192.168.2.1 ping statistics --1 packets transmitted, 1 packets received © David Morgan 2007 Outcomes: new B-D link (3) [root@vpnd root]# tcpdump -n -i tunl0 tcpdump: listening on tunl0 19:46:52.935084 192.168.1.1 > 192.168.2.1: icmp: echo request (DF) 19:46:52.935174 192.168.2.1 > 192.168.1.1: icmp: echo reply vpnd 2 packets received by filter 0 packets dropped by kernel vpnb [root@vpnb root]# ping -c1 200.2.2.2 PING 200.2.2.2 (200.2.2.2) from 100.1.1.1 : 56 bytes 64 bytes from 200.2.2.2: icmp_seq=0 ttl=254 time=451 usec --- 200.2.2.2 ping statistics --1 packets transmitted, 1 packets received [root@vpnb root]# ping -c1 192.168.2.1 PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56 bytes 64 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=488 usec --- 192.168.2.1 ping statistics --1 packets transmitted, 1 packets received © David Morgan 2007 9 Outcomes: new A-E link Browse To E From A © David Morgan 2007 Outcomes – trace on C of “capitalizer” capitalizer” between A and E . . . is unencrypted 19:59:36.353508 100.1.1.1 > 200.2.2.2: 192.168.1.2.1032 > 192.168.2.2.8000: (ipip) E..L..@.?...d... ....E..8.%@.?..F sent from client ...........@.r.U (in the clear) ...q..}x........ .....1..ucla vpnc 19:59:36.354162 200.2.2.2 > 100.1.1.1: 192.168.2.2.8000 > 192.168.1.2.1032: (ipip) E..L..@.>....... returned from server d...E..8'}@.?... .........@.....q .r.Y..}x........ .1...…UCLA © David Morgan 2007 10 A stupid hack (but necessary) modprobe ipip this… …enables this ifconfig tunl0 192.168.1.1 up vpnb route add -host 200.2.2.2 tunl0 route add -net 192.168.2.0 netmask 255.255.255.0 gw 200.2.2.2 tunl0 route del -host 200.2.2.2 tunl0 route del -net 192.168.1.0 netmask 255.255.255.0 tunl0 get rid of it… …and of this © David Morgan 2007 Interfaces Physical (hardware) Virtual (software) eth0 eth1 tunl0 (ip-ip) ipsec0 (IPSec) ppp0 (ppp-ssh) cipcb1 (CIPE) © David Morgan 2007 11 Using hardware interfaces eth0 App eth1 © David Morgan 2007 Using software interfaces eth0 App eth1 cipcb1 •looks like an interface to an app •looks like an app to an interface •gets to massage traffic passing through © David Morgan 2007 12