IP-in-IP encapsulation: basic tunneling What is it?

advertisement
IP-in-IP encapsulation:
basic tunneling
David Morgan
© David Morgan 2007
What is it?
Conveys an IP packet between machines
… not as a packet
… but as cargo in another packet
Destination shucks carrier packet, releases cargo as
packet into local networking machinery
“Tunnel” since one packet “passes through” another
Implemented in linux by module ipip.o
© David Morgan 2007
1
IP itself is an IP subprotocol
IP Header Format
0
1
2
3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service|
Total Length
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Identification
|Flags|
Fragment Offset
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live |
Protocol
|
Header Checksum
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Source Address
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Destination Address
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
Options
|
Padding
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4 for IP
(6 for TCP
17 for UDP
50 for ESP, etc)
© David Morgan 2007
Class LAN
Local Network – 192.168.1.0
Remote Network – 192.168.2.0
A
192.168.1.2
D
B
Some
on
connecti
192.168.1.1
100.1.1.1
200.2.2.2
192.168.2.1
192.168.2.2
E
Workstations – A and E
Gateways
– B and D
© David Morgan 2007
2
“Some connection”
Could be the internet
Could be a single intermediate machine
Equivalent, for the 2 gateways
© David Morgan 2007
Class LAN
Local Network – 192.168.1.0
Remote Network – 192.168.2.0
A
192.168.1.2
eth0
C
B
D
192.168.1.1
192.168.2.1
eth0
100.1.1.1
100.1.1.254
200.2.2.254
200.2.2.2
eth1
eth0
eth1
eth1
eth0
192.168.2.2
eth0
E
Workstations
Gateways
Internet surrogate
– A and E
– B and D
– C (B’s ISP; D’s ISP)
© David Morgan 2007
3
Wanted: a 2nd bridge to cross
Local Network – 192.168.1.0
Remote Network – 192.168.2.0
A
192.168.1.2
eth0
192.168.1.1
D
B
100.1.1.1
eth0
192.168.2.1
200.2.2.2
192.168.2.2
E
tunl0
192.168.1.1
tunl0
192.168.2.1
© David Morgan 2007
Essential steps (on gateway)
Load ipip.o module (enabling code)
Apply internal interface’s address to “tunl0”
device
Add gatewayed route to other network
– specify other gateway by its outside IP
– specify tunl0 device
Reciprocate on opposite gateway
(/root/bin/tunl/tunl-vpnb)
( /root/bin/tunl/tunl-vpnd)
© David Morgan 2007
4
Load ipip.o module (if not automatic)
modprobe ipip
vpnd
modprobe ipip
vpnb
© David Morgan 2007
Internal IP goes onto tunl0
ifconfig tunl0 192.168.2.1
vpnd
ifconfig tunl0 192.168.1.1
vpnb
© David Morgan 2007
5
Route to opposite network via
its gateway’s outside IP, tunl0
route add –net 192.168.1.0 netmask
255.255.255.0 gw 100.1.1.1 tunl0
vpnd
route add –net 192.168.2.0 netmask
255.255.255.0 gw 200.2.2.2 tunl0
vpnb
© David Morgan 2007
Implementation - vpnb
vpnb
[root@vpnb root]# route -n
Kernel IP routing table
Destination
Gateway
192.168.1.0
0.0.0.0
100.1.1.0
0.0.0.0
127.0.0.0
0.0.0.0
0.0.0.0
100.1.1.254
[root@vpnb root]# ./tunl-vpnb
[root@vpnb root]# route -n
Kernel IP routing table
Destination
Gateway
192.168.2.0
200.2.2.2
192.168.1.0
0.0.0.0
100.1.1.0
0.0.0.0
127.0.0.0
0.0.0.0
0.0.0.0
100.1.1.254
Genmask
255.255.255.0
255.255.255.0
255.0.0.0
0.0.0.0
Iface
eth0
eth1
lo
eth1
Genmask
255.255.255.0
255.255.255.0
255.255.255.0
255.0.0.0
0.0.0.0
Iface
tunl0
eth0
eth1
lo
eth1
© David Morgan 2007
6
Implementation - vpnd
vpnd
[root@vpnd root]# route -n
Kernel IP routing table
Destination
Gateway
192.168.2.0
0.0.0.0
200.2.2.0
0.0.0.0
127.0.0.0
0.0.0.0
0.0.0.0
200.2.2.254
[root@vpnd root]# ./tunl-vpnd
[root@vpnd root]# route -n
Kernel IP routing table
Destination
Gateway
192.168.2.0
0.0.0.0
192.168.1.0
100.1.1.1
200.2.2.0
0.0.0.0
127.0.0.0
0.0.0.0
0.0.0.0
200.2.2.254
Genmask
255.255.255.0
255.255.255.0
255.0.0.0
0.0.0.0
Iface
eth0
eth1
lo
eth1
Genmask
255.255.255.0
255.255.255.0
255.255.255.0
255.0.0.0
0.0.0.0
Iface
eth0
tunl0
eth1
lo
eth1
© David Morgan 2007
Routing
Local Network A – 192.168.1.0
Remote Network E – 192.168.2.0
for network E
A
C
B
E’
D
192.168.1.1
192.168.2.1
100.1.1.1
100.1.1.254
200.2.2.254
200.2.2.2
A’
for network A
E
default routes (via eth devices)
network routes (via tunl devices)
© David Morgan 2007
7
Outcomes: interfaces and routes
tunl0
Link encap:IPIP Tunnel HWaddr
inet addr:192.168.2.1 Mask:255.255.255.0
vpnd
Kernel IP routing table
Destination
Gateway
192.168.1.0
100.1.1.1
tunl0
Genmask
255.255.255.0
Iface
tunl0
Link encap:IPIP Tunnel HWaddr
inet addr:192.168.1.1 Mask:255.255.255.0
vpnb
Kernel IP routing table
Destination
Gateway
192.168.2.0
200.2.2.2
Genmask
255.255.255.0
Iface
tunl0
© David Morgan 2007
Outcomes: new B-D link (1)
vpnc
[root@vpnc root]# tcpdump -n -i eth0 icmp
eth0: Setting promiscuous mode.
tcpdump: listening on eth0
18:46:29.290495 100.1.1.1 > 200.2.2.2: icmp: echo request
(DF)
18:46:29.290773 200.2.2.2 > 100.1.1.1: icmp: echo reply
2 packets received by filter
0 packets dropped by kernel
vpnb
[root@vpnb root]# ping -c1 200.2.2.2
PING 200.2.2.2 (200.2.2.2) from 100.1.1.1 : 56 bytes
64 bytes from 200.2.2.2: icmp_seq=0 ttl=254 time=451 usec
--- 200.2.2.2 ping statistics --1 packets transmitted, 1 packets received
[root@vpnb root]# ping -c1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56 bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=488 usec
--- 192.168.2.1 ping statistics --1 packets transmitted, 1 packets received
© David Morgan 2007
8
Outcomes: new B-D link (2)
vpnd
[root@vpnd root]# tcpdump -n -i eth1
tcpdump: listening on eth1
19:46:49.828659 100.1.1.1 > 200.2.2.2:
19:46:49.828743 200.2.2.2 > 100.1.1.1:
19:46:52.935084 100.1.1.1 > 200.2.2.2:
request (DF) (ipip)
19:46:52.935214 200.2.2.2 > 100.1.1.1:
reply (ipip)
icmp: echo request (DF)
icmp: echo reply
192.168.1.1 > 192.168.2.1: icmp: echo
192.168.2.1 > 192.168.1.1: icmp: echo
4 packets received by filter
0 packets dropped by kernel
vpnb
[root@vpnb root]# ping -c1 200.2.2.2
PING 200.2.2.2 (200.2.2.2) from 100.1.1.1 : 56 bytes
64 bytes from 200.2.2.2: icmp_seq=0 ttl=254 time=451 usec
--- 200.2.2.2 ping statistics --1 packets transmitted, 1 packets received
[root@vpnb root]# ping -c1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56 bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=488 usec
--- 192.168.2.1 ping statistics --1 packets transmitted, 1 packets received
© David Morgan 2007
Outcomes: new B-D link (3)
[root@vpnd root]# tcpdump -n -i tunl0
tcpdump: listening on tunl0
19:46:52.935084 192.168.1.1 > 192.168.2.1: icmp: echo request (DF)
19:46:52.935174 192.168.2.1 > 192.168.1.1: icmp: echo reply
vpnd
2 packets received by filter
0 packets dropped by kernel
vpnb
[root@vpnb root]# ping -c1 200.2.2.2
PING 200.2.2.2 (200.2.2.2) from 100.1.1.1 : 56 bytes
64 bytes from 200.2.2.2: icmp_seq=0 ttl=254 time=451 usec
--- 200.2.2.2 ping statistics --1 packets transmitted, 1 packets received
[root@vpnb root]# ping -c1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56 bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=488 usec
--- 192.168.2.1 ping statistics --1 packets transmitted, 1 packets received
© David Morgan 2007
9
Outcomes: new A-E link
Browse
To E From A
© David Morgan 2007
Outcomes – trace on C
of “capitalizer”
capitalizer” between A and E
. . . is unencrypted
19:59:36.353508 100.1.1.1 > 200.2.2.2:
192.168.1.2.1032 > 192.168.2.2.8000: (ipip)
E..L..@.?...d...
....E..8.%@.?..F
sent from client
...........@.r.U
(in the clear)
...q..}x........
.....1..ucla
vpnc
19:59:36.354162 200.2.2.2 > 100.1.1.1:
192.168.2.2.8000 > 192.168.1.2.1032: (ipip)
E..L..@.>.......
returned from server
d...E..8'}@.?...
.........@.....q
.r.Y..}x........
.1...…UCLA
© David Morgan 2007
10
A stupid hack (but necessary)
modprobe ipip
this…
…enables this
ifconfig tunl0 192.168.1.1 up
vpnb
route add -host 200.2.2.2 tunl0
route add -net 192.168.2.0 netmask 255.255.255.0 gw 200.2.2.2 tunl0
route del -host 200.2.2.2 tunl0
route del -net 192.168.1.0 netmask 255.255.255.0 tunl0
get rid of it…
…and of this
© David Morgan 2007
Interfaces
Physical (hardware) Virtual (software)
eth0
eth1
tunl0
(ip-ip)
ipsec0 (IPSec)
ppp0 (ppp-ssh)
cipcb1 (CIPE)
© David Morgan 2007
11
Using hardware interfaces
eth0
App
eth1
© David Morgan 2007
Using software interfaces
eth0
App
eth1
cipcb1
•looks like an interface to an app
•looks like an app to an interface
•gets to massage traffic passing through
© David Morgan 2007
12
Download