RBridge V3

advertisement
RBridge V3
A secure remote Ethernet Bridge for Linux
Installation and Administration Manual
Status: CURRENT
Version: V3
Date:
Feb 14, 2011
Inlab Software GmbH
Josef-Würth-Str. 3
82031 Grünwald
Germany
Tel.:
Fax:
Email:
Home:
+49 89 6412795
+49 89 6411160
[email protected]
http://www.inlab.de
Legal Notices
© Copyright 2005-2010, 2011 by Inlab Software GmbH, Josef-Wuerth-Str. 3, Gruenwald,
Germany. All Rights Reserved / Alle Rechte vorbehalten.
This product or document is protected by copyright and distributed under licenses restricting
its use, copying, distribution, and decompilation. No part of this product or document may be
reproduced in any form by any means without prior written authorization of Inlab Software
GmbH.
BalanceNG is a trademark of Inlab Software GmbH. Gentoo is a trademark by Gentoo
Technologies, Inc. Debian is a registered trademark of Software In The Public Interest, Inc.
FreeBSD is a registered trademark of Walnut Creek CDROM, Inc. Linux is a registered
trademark of Linus Torvalds. All other trademarks and registered trademarks mentioned in
this document are properties by their respective holders.
DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Date: Feb 14, 2011
Page 2 / 13
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
Table of Contents
1. Introduction.................................................................................................... 4
2. Installation .....................................................................................................5
3. Licensing........................................................................................................5
4. Operation ...................................................................................................... 5
5. /etc/rbridge.conf............................................................................................. 5
6. Public RBridge Registry Service....................................................................7
7. Command Line Interface............................................................................... 7
7.1. copyright................................................................................................. 7
7.2. hash........................................................................................................ 7
7.3. help......................................................................................................... 8
7.4. license.....................................................................................................8
7.5. log........................................................................................................... 9
7.6. nodeid..................................................................................................... 9
7.7. quit.......................................................................................................... 9
7.8. registry.................................................................................................... 9
7.9. uptime..................................................................................................... 9
7.10. startuplog............................................................................................10
7.11. status.................................................................................................. 10
7.12. stop..................................................................................................... 10
7.13. version................................................................................................ 10
8. MAC Address Filtering.................................................................................10
9. The RBridge Protocol.................................................................................. 11
9.1. PACKET_TYPE_DATA........................................................................ 11
9.2. PACKET_TYPE_ZDATA......................................................................11
9.3. PACKET_TYPE_KEEPALIVE..............................................................12
9.4. PACKET_TYPE_REGISTRY_REQUEST........................................... 12
9.5. PACKET_TYPE_REGISTRY_REPLY................................................. 12
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
Date: Feb 14, 2011
Page 3 / 13
1. Introduction
RBridge is a secure remote Ethernet bridge solution for Linux. It connects two trusted Ethernet
segments remotely over UDP using either IPv4 or IPv6 transport.
RBridge uses SHA-2 (precisely SHA-256) for authentication, AES for encryption and
timestamps for protection against replay attacks.
Using a registry mechanism and UDP protocol, RBridge is capable to connect directly to the
peer from within NAT or firewall protected areas by using a special “hole punching” technique
(thus requiring no configuration at the connecting routers). For this functionality, RBridge itself
is capable to act as a registry service for any associated pair of RBridges.
Per default, RBridge uses zlib compression of data (which can be disabled on the sender
side).
Additionally, RBridge offers a controlling command line interface (CLI) accessible using telnet.
WARNING: RBridge is a very powerful tool. RBridge should be setup and installed by
experienced network administrators only.
The following figure shows two networks separated by routers and the big Internet in between
as usual:
RBridge allows in that situation to connect the two Ethernet segments as if they were one
single Layer 2 network:
Both RBridges are learning automatically the Ethernet addresses on the other side and start
forwarding packets if necessary.
Date: Feb 14, 2011
Page 4 / 13
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
2. Installation
RBridge is currently available as an .deb Debian package and as a “tarball” distribution.
3. Licensing
Licensing is based on the MAC address of the eth0 interface (“nodeid”). A serial number and
a node-specific key needs to be present in the file /etc/rbridge.conf for full licensing.
An example licensing entry in /etc/rbridge.conf looks like this:
serial=TRIAL
lickey=4e2307aa78f9f0b6f43f80cf2a536a20
NOTE: RBridge in trial mode (without any licensing) will terminate after exactly one hour of
operation with a syslog message.
4. Operation
startup:
rbrigde [options] start
display nodeid:
rbrigde -N
show release:
rbrigde -r
show this usage information:
rbrigde -h
options:
[-c <conf>]
[-d]
[-h]
[-N]
[-r]
load specific configuration file instead of /etc/rbridge.conf
debug mode: stay in foreground and print debug messages
show this help and usage information
show nodeid and exit immediately
show release and exit immediately
5. /etc/rbridge.conf
Here's an example rbridge.conf file which needs to be copied to /etc/rbridge.conf and changed
at the indicated places. The rbridge.conf.example file may be found in the TAR archive
distribution or in /opt/RBridge (when the .deb package has been installed).
# $Id: rbridge.conf.example,v 1.4 2011/01/14 16:54:22 t Exp $
# Substitute the following with your serial number and key,
# RBridge will terminate after 1 hour of operation in trial mode.
serial=TRIAL
lickey=00000000000000000000000000000000
# The traffic on this interface will be bridged to the peer:
interface=eth0
# You can telnet to this to get a control connection:
control_address=127.0.0.1
control_port=10439
#
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
Date: Feb 14, 2011
Page 5 / 13
local_address=
local_port=439
#
remote_address=
remote_port=
#
#
#
#
The following two secrets are used to authenticate and encrypt the
traffic between both RBridge peers (PLEASE CHANGE AND UNCOMMENT):
sha2secret=CHANGEME
aessecret=CHANGEME
# This is a unique name for the RBridge link used for registering
# (PLEASE CHANGE AND UNCOMMENT):
# registry_linkname=CHANGEME
# Contact information of first registry:
registry_address_1=rbridge-registry.inlab.net
registry_port_1=439
# Optional contact information of second registry:
# registry_address_2=rbridge-registry.secudos.com
# registry_port_2=439
# Secrets for communication with the registries and for this RBridge
# as a registry:
registry_sha2secret=Public-RBridge-Registry
registry_aessecret=Public-RBridge-Registry
# uncomment if you wish this RBridge acting as a registry:
#registry_enable=1
# comment the following line if you wish zlib compression to be disabled:
zlib_enable=1
# uncomment if you wish registry entries to be logged:
#registry_log=1
# Parameters (usually don't need to be changed):
registry_interval=10
timestamptolerance=300
keepaliveinterval=30
keepalivetimeout=90
# uncomment, if you wish to disable the CLI stop command
# stop_disable=1
# uncomment, if you wish DHCP packets to be passed along
# transparent=1
# Location of activity LED (ARM architecture only)
# - Slow blinking: RBridge active
# - Long ON, short OFF blinking: Connection to peer established
activityLED=/sys/class/leds/LED2/brightness
# uncomment for MAC address allow filters (and populate files accordingly):
# local_mac_allow=/etc/rbridge_local.allow
# remote_mac_allow=/etc/rbridge_local.allow
# uncomment for MAC address deny filters (and populate files accordingly):
# local_mac_deny=/etc/rbridge_local.deny
# remote_mac_deny=/etc/rbridge_remote.deny
Date: Feb 14, 2011
Page 6 / 13
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
6. Public RBridge Registry Service
The IPv4 Host rbridge-registry.inlab.net is available as a public RBridge registry service
(with the credentials in the rbridge.conf example). There's no warranty of availability, you may
use your own RBridge installation as a registry service.
7. Command Line Interface
The command line interface (CLI) may be accessed using telnet, if “control_address” and
“control_port” have been specified in rbridge.conf.
A typical dialog may look as follows:
$ telnet localhost 10439
Trying ::1...
Connected to localhost.
Escape character is '^]'.
This is RBridge 3.XYZ (created 20XX/YY/ZZ)
RBridge>
The following commands are available:
RBridge> help
the following commands are available:
copyright
show Copyright information
hash
show forwarding table and MAC filters
help (or ?) show this help information
license
show licensing information
log
show current log
nodeid
show nodeid
quit (or q) quit CLI
registry
show current registry entries
uptime
show uptime
startuplog
show startup log
status
show general status
stop
stop immediately
version
show version
The stop command may be disabled with “stop_disable=1”. The dialog is closed automatically
after 60 seconds of inactivity.
7.1. copyright
This command show the Copyright information.
Example:
RBridge> copyright
----------------------------------------------------------Copyright (C) 2011 by Inlab Software GmbH, Germany.
All rights reserved / Alle Rechte vorbehalten.
Visit http://www.inlab.de/rbridge/ for further information.
----------------------------------------------------------RBridge>
7.2. hash
This command displays the current hash information. There's the forwarding table and four
deny and allow hashes.
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
Date: Feb 14, 2011
Page 7 / 13
Example:
RBridge> hash
forwarding table:
00:14:38:e6:d1:88 eth0
06:00:0a:05:10:01 eth0
00:e0:81:58:ef:2f eth0
00:0d:4b:08:29:73 eth0
00:00:48:b1:b5:10 eth0
00:04:13:25:06:90 eth0
00:04:13:25:06:97 eth0
00:19:5b:ef:12:93 REMOTE_PEER
00:24:b2:c7:f5:8f REMOTE_PEER
00:0e:0c:6c:ba:4a eth0
00:40:63:c9:f5:b5 eth0
00:18:4d:0a:c4:5c eth0
00:03:ba:27:87:33 eth0
00:00:5e:00:01:09 REMOTE_PEER
06:00:ac:11:02:37 eth0
00:50:7f:9e:da:f8 eth0
00:04:13:22:1b:03 eth0
local_rbridge.deny:
local_rbridge.allow:
remote_rbridge.deny:
remote_rbridge.allow:
RBridge>
7.3. help
This command displays the available help information (may be abbreviated with “?”).
Example:
RBridge> help
the following commands are available:
copyright
show Copyright information
hash
show forwarding table and MAC filters
help (or ?) show this help information
license
show licensing information
log
show current log
nodeid
show nodeid
quit (or q) quit CLI
registry
show current registry entries
uptime
show uptime
startuplog
show startup log
status
show general status
stop
stop immediately
version
show version
RBridge>
7.4. license
This command displays the current licensing status.
Example (with no licensing):
RBridge> license
no or invalid license, will terminate after 2787 seconds runtime
Example (with valid licensing):
RBridge> license
valid full license (serial=rbridge-registry.inlab.net)
Date: Feb 14, 2011
Page 8 / 13
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
Example (with valid OEM licensing):
RBridge> license
valid full OEM license
7.5. log
This command shows the last 40 log messages (as reported to the syslog).
Example:
RBridge> log
2011/01/19 11:58:19 5 started
7.6. nodeid
This command displays the nodeid (which is needed for registry communication and for
licensing). The nodeid is always identical with the eth0 MAC address.
Example:
RBridge> nodeid
Node-ID (eth0 MAC) is 00:0e:0c:6c:ba:4a
7.7. quit
This command quits the CLI (may be abbreviated with “q”).
Example:
RBridge> q
Connection closed by foreign host.
$
7.8. registry
This command displays the current state of the registry. Entries may be “active” (waiting for a
peer) or “SOLVED” (peer found). Entries will be removed after 300 seconds (5 Minutes) if they
are SOLVED or if they are not refreshed anymore with a REGISTRY_REQUEST packet.
Example:
RBridge> registry
00:0e:0c:6c:ba:4a
00:e0:4b:2d:68:ab
00:19:66:b3:c8:e4
8 active ::ffff:10.79.150.186,34135
3 active ::ffff:10.79.150.186,38423
0 active ::ffff:10.13.196.120,439
7.9. uptime
This command shows the current uptime in seconds.
Example:
RBridge> uptime
uptime is 83589 seconds
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
Date: Feb 14, 2011
Page 9 / 13
7.10. startuplog
This command shows the first 40 log messages that were logged after startup.
Example:
RBridge> startuplog
2011/01/18 13:07:47 5 started
2011/01/18 13:07:48 5 REGISTRY entry accepted for nodeid 00:19:66:b3:c8:e4 from
::ffff:10.13.196.120,439
2011/01/18 13:07:49 5 REGISTRY entry accepted for nodeid 00:e0:4b:2d:68:ab from
::ffff:10.79.150.186,38423
2011/01/19 11:38:13 5 REGISTRY entry accepted for nodeid 00:0e:0c:6c:ba:4a from
::ffff:10.79.150.186,34135
7.11. status
This command show current status information.
Example:
RBridge> status
this RBridge is acting as a registry
registry logs are enabled
zlib data compression is enabled
link ESTABLISHED to nodeid 00:0e:0c:6c:ba:4a
current peer address: ::ffff:92.79.150.186,34135
current registry_1 address: 217.13.196.120,439
current kernel statistics: 6535 packets received, 0 dropped
1135335 bytes locally received from eth0 in 9137 packets
130681 bytes locally received from eth0 in 2089 packets (and forwarded)
34002 bytes saved by compression in 1884 packets (forwarded)
59256 bytes received remotely in 327 packets
58384 bytes received remotely in 316 packets (and forwarded)
7.12. stop
This command stops the current running RBridge process and all associated threads. This
command may be disabled by including “disable_stop=1” in rbridge.conf.
Example:
RBridge> stop
Connection closed by foreign host.
7.13. version
This command displays the current version number.
Example:
RBridge> version
this is RBridge 3.XYZ (created 20XX/YY/ZZ)
8. MAC Address Filtering
RBridge offers “deny” and “allow” filtering mechanisms which are always checking the
Ethernet source address.
# uncomment for MAC address allow filters (and populate files accordingly):
Date: Feb 14, 2011
Page 10 / 13
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
# local_mac_allow=/etc/rbridge_local.allow
# remote_mac_allow=/etc/rbridge_local.allow
# uncomment for MAC address deny filters (and populate files accordingly):
# local_mac_deny=/etc/rbridge_local.deny
# remote_mac_deny=/etc/rbridge_remote.deny
The referenced files always contain a set of MAC addresses (one address per line) in a colon
separated ASCII format.
If a “deny” file exists, RBridge will drop any packet received on the local (or remote) side with
a matching source MAC address. All other packets are passed along.
If an “allow” file exists, RBridge will forward only packets which MAC source address is
contained in the specified set. All other packets are dropped.
9. The RBridge Protocol
The RBridge protocol uses UDP transport (either IPv4 or IPv6) and is defined by the following
packet types:
9.1. PACKET_TYPE_DATA
This packet type has the following format:
<32 bytes SHA2-256 authentication hash>
<4 bytes timestamp in network byte order>
<packet type=1>
<encryption: 1=encrypted, 0=not encrypted>
<2 bytes data length in network byte order>
<variable length data padded to 16 byte boundary>
The initial authentication hash is the result of SHA2-256 with the ASCII value of “sha2secret”
and the packet contents beginning with the timestamp (at offset 32) up to the end as input.
The timestamp transports the time notion of the sender in network byte order and protects
against replay attacks (see the “timestamptolerance” configuration value).
If the packet is encrypted (encryption=1), the data is encrypted with AES using the SHA2-256
hash of the value of “aessecret” as the actual AES key.
The length of the original data (the Ethernet packet) is 2 bytes in network byte order.
The data area is padded with zeros (0x00) to a boundary of 16 bytes (and encrypted
afterwards if encryption=1).
9.2. PACKET_TYPE_ZDATA
This packet type has the following format:
<32 bytes SHA2-256 authentication hash>
<4 bytes timestamp in network byte order>
<packet type=2>
<encryption: 1=encrypted, 0=not encrypted>
<2 bytes data length in network byte order>
<variable length data padded to 16 byte boundary>
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
Date: Feb 14, 2011
Page 11 / 13
The packet semantics are the same as with PACKET_TYPE_DATA, but the data part is zlib
compressed (if enabled). The receiver needs to perform an additional decompression step
after authentication, timestamp validation and decryption.
9.3. PACKET_TYPE_KEEPALIVE
This packet type has the following format:
<32 bytes SHA2-256 authentication hash>
<4 bytes timestamp in network byte order>
<packet type=3>
<encryption: 1=encrypted, 0=not encrypted>
<2 bytes data length in network byte order (always 12)>
<6 bytes own nodeid>
<6 bytes peer nodeid>
<4 bytes padding>
This packets is sent out every “keepaliveinterval” seconds, if a peer address is known. The
data contains always the own nodeid and the peer nodeid (00:00:00:00:00:00 if not known
during the initial phase). The data part may be encrypted or not, the authentication works the
same way as with PACKET_TYPE_DATA.
9.4. PACKET_TYPE_REGISTRY_REQUEST
This packet type has the following format:
<32 bytes SHA2-256 authentication hash>
<4 bytes timestamp in network byte order>
<packet type=4>
<encryption: 1=encrypted, 0=not encrypted>
<2 bytes data length in network byte order (always 48)>
<32 bytes registry signature>
<6 bytes nodeid>
<10 bytes padding>
This packet is sent out every “registry_interval” seconds, if there's no current peer known, but
one or two registries specified. Authentication and encryption works similar as with
PACKET_TYPE DATA and PACKET_TYPE_KEEPALIVE, with the difference that
“registry_sha2secret” is used instead of “sha2secret” and “registry_aessecret” is used instead
of “aessecret”.
The registry signature is the SHA2-256 hash result with the values of “sha2secret” and
“registry_linkname” as input. This way two peers with the same “sha2secret” and
“registrylinkname” are able to find each other, if they are addressing the same registry.
Additionally, the RBridge nodeid is sent.
9.5. PACKET_TYPE_REGISTRY_REPLY
This packet type has the following format:
<32 bytes SHA2-256 authentication hash>
<4 bytes timestamp in network byte order>
<packet type=5>
<encryption: 1=encrypted, 0=not encrypted>
<2 bytes data length in network byte order (always 48)>
<32 bytes registry signature>
Date: Feb 14, 2011
Page 12 / 13
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
<6 bytes peer nodeid>
<variable length peer connection parameters>
<one byte binary 0>
<padding to 16 byte boundary>
This packet is send in response to a PACKET_TYPE_REGISTRY_REQUEST if the registry
has found a matching peer. Authentication and encryption are handled the same way as with
PACKET_TYPE_REGISTRY_REQUEST.
The peer nodeid is reported back together with the connection parameters of the peer in text
format (<IP-Address>,<port>). The connection parameters are reported as seen by the
registry.
RBridge V3 Installation and Administration Manual
© Copyright 2011 by Inlab Software GmbH
All Rights Reserved
Date: Feb 14, 2011
Page 13 / 13
Download