Beruflich Dokumente
Kultur Dokumente
Peer-to-Peer VPN
direction is called routing and is done by routers. These devices connect subnets. An IP address contains the
address of the subnet and the address of a host on that network.
The successor of IPv4 is IPv6, which is incompatible with the IPv4. IPv6 has a larger, 128b address space, and
numerous new features compared to IPv4 (RFC 2460, 1998). It drops the support for fragmentation. If a
packet is too big to be transmitted through a network segment, it is simply dropped by the routers. It simplifies
the routing process. IPv6 is also more secure, has better support for multicasting, and has a new addressing
method called anycast.
The number of available IPv addresses is decreasing. It is predicted that the full IPv4 address space will be
assigned by the middle of 2011. This exhaustion led to the development of different IP address preserving
techniques. One of these is Network Address Translation (NAT), which provides a way to hide a private IP
network behind only one public IP address (RFC 3022, 2001). There are IP address ranges assigned to be
used on private networks. The problem with NATs is that each connection has to be initiated from the private
network, and hosts from the public network cannot reach the hosts of the private network. It does also mean that
two hosts behind different NATs cannot connect to each other. For this reason, NAT traversal techniques were
developed. One of those is UDP hole punching, which solves the problem by using a server on the public
network to open the connection. The two clients connect to the public server. This opens a way through the
NAT for this connection; however, the server sends the clients where they can find each other, so they can use
the holes originally created for the communication with the server.
The User Datagram Protocol (UDP) is a connectionless protocol used over IPv4 and IPv6. It does not guarantee
that the messages (datagrams) will arrive or arrive in order (RFC 768, 1980). It is used where lost packages
do not need to be sent again because they would be invalidated before they would arrive, or where minimum
delay of communication is needed. Voice over IP and gaming are good examples of these protocols. UDP is
also suitable for simple devices because of its simplicity. That is why it is used for the Trivial File Transfer
Protocol (TFTP). The Domain Name System is also based on the UDP protocol.
Transmission Control Protocol (TCP) is a connection oriented protocol (RFC 761, 1980). Every data sent
over a TCP connection is guaranteed to arrive in order; however, that means that lost packets have to be
retransmitted before the communication can be reassembled on the receivers side. This retransmission can
cause delays in the communication. TCP is also more complicated than UDP, which makes it harder to
implement in embedded systems and makes connecting over TCP a relatively slow process. These make TCP
suitable for applications that require long term, reliable connections. TCP is used for the Hyper Text Transfer
Protocol (HTTP), the File Transfer Protocol (FTP), Post Office Protocol 3 (POP3), Simple Mail Transfer
Protocol (SMTP) and many other protocols.
Peer-to-Peer VPN
host
Hi!
attacker
host
(man-in-the-middle)
Hello!
storage
Figure 1. MITM attack. The attacker relays the communication between the two hosts. It can record and even modify packets.
One of the basic attacks is the Man-In-The-Middle (MITM) attack, which has the goal to bias the packet flow
between two hosts and relay it through the attackers computer (Schneier, 2004), which can record and modify
the communication on the network. Encryption and authentication can be used to protect protocols from MITM
attacks.
Replay attacks are usually used together with MITM attacks. The attacker replays (resends) previously recorded
packets, usually without knowing their exact content. This way a vulnerable protocol can identify the packets as
legitimate communication and authenticate the attackers computer or do other operations.
Figure 2. Real-world DDoS example. A Dunkin Donuts can serve limited number of customers in a given time period. If there are
too many customers waiting, some of them will timeout and leave the restaurant (Schedule, 2009; Starset, 2009).
Denial-of-Service (DoS) attack is a method for rendering services unavailable by excessive traffic. The goal is
to consume the resources of a service (bandwidth, computing power), so it cannot handle other requests (RFC
4732, 2006). Distributed DoS (DDoS) is a variant of DoS attacks, where multiple computers are used to attack
a service. It is harder to protect systems against DDoS attacks.
On Layer 2 Ethernet networks, hosts are identified by their Media Access Control (MAC) addresses. MAC is a
6Byte long number. The parity of the first Byte determines the addressing of the packet. MACs with even first
Bytes are unicast addresses (Gerg Kos, personal communication).
Peer-to-Peer VPN
VPNs
A virtual private network is a computer network that uses an existing computer network infrastructure to
provide secure access to a network. It encapsulates the communication between the connected network devices.
There are many different VPN uses of VPNs; however this paper focuses on the VPN protocols used over the
Internet to provide inexpensive connections between computers.
Figure 3. A typical VPN topology. Both clients are connected to the Internet, but every VPN traffic has to go
through a single server.
These virtual private networks were originally created to satisfy the need for a less expensive way to
interconnect corporate networks than leased or owned lines. Because they were originally designed to replace
leased or owned lines, a typical VPN uses a point-to-point topology; however, currently, VPNs are also used to
connect individual computers together. The problem in this case is that the communication between two
computers connected to the VPN is slowed and limited by the Internet connection and performance of the VPN
server, and the reliability of the network depends on a single computer because every packet has to reach the
VPN server first, which relays it to its destination computer. In this scenario the communication between the
two computers put excessive traffic on the VPN server, and the network infrastructure rendering the
communication slow, while the two communicating computers could reach each other through the underlying
network of the VPN connection.
Client
Internet Protocol
PPP
PPTP
Internet Protocol
Server
Internet
Figure 4. A VPN connection the PPTP protocol. A PPTP tunnel is created above the Internet Protocol for a PPP connection that
encapsulates Internet Protocol packages.
A frequently used protocol for VPNs is PPTP (Point-to-Point Tunneling Protocol), which encapsulates PPP
(Point-to-Point Protocol) connections (RFC 2637, 1999). When a client wants to connect to a VPN, it has to
build up a PPTP connection first, and then it should use this connection to create the actual network connection
by tunneling PPP through the PPTP connection. Because PPP was already supported by most operating systems
and devices this protocol was simple to implement. Any PPP traffic can be transferred transparently through a
PPTP tunnel, which makes it compatible with existing software and devices.
Although the point-to-point topology can make the communication slow, it has a security advantage. Because
clients communicate only with the VPN server through the sometimes not secure Internet connection they have
4
Peer-to-Peer VPN
to make only this connection secure by authentication and encryption; however, the security provided by the
VPN protocols becoming less important with the increasing security of the protocols on other levels.
Peer-to-Peer Communication
A peer-to-peer (P2P) network comprises equally privileged participants. No participants are clearly servers or
clients in the communication. They both provide and consume resources. Peer-to-peer networks are already
used for Voice over IP, file sharing, and several other applications.
peer
client
client
Server
peer
client
tracker
peer
Figure 6. BitTorrent file sharing. The only role of the
tracker is to help peers connecting to each other. The
peers download the files from each other.
Figure 5. Server-client file sharing. In the classical serverclient model the server has to provide the file to every client.
A highly used P2P protocol is the BitTorrent, which enables fast file sharing over the Internet by making the
downloaders uploaders at the same time (Cohen, 2008). As soon as a slice of the file is available at a peer,
others can start downloading that slice from that source, too. That way the original uploader of the file does not
have to upload it for every client, but the spare bandwidth of the peers can be utilized. P2P protocols can be
more reliable, too because they are distributed across a network.
The disadvantage of a P2P network is that they are usually more difficult to develop and implement, and they
can also have from security issues. Peers do not only have to authenticate a single server, but multiple peers. If
encryption is used, it is also important to have different encryption keys with each connected peer.
Peer-to-Peer VPN
scalable portable monolithic modular kernel, which runs on numerous kinds of computing devices. It can be
found on small embedded computers, mobile phones, desktops, servers, and even mainframe computers.
The TAP interface is a virtual Ethernet interface implemented as a kernel driver that allows userland
applications to easily communicate with the network stack of the host operating system (Krasnyansky, 2001).
Because TAP is a virtual Ethernet interface it works with Ethernet packets. Every TAP has two end points: one
for the kernel, and one for the userland application. From the point of view of the host operating system the
TAP appears as a usual Ethernet interface; however, every packet sent to it does not go to a physical Ethernet
card or interface, but is received by the application connected to the other end of the TAP. The application can
also construct and send packets to the operating system using the same mechanism. That way TAP can be used
to implement virtual network interfaces without modifying the operating system. It is used several VPN client
applications, and it is also used to connect operating systems running in a virtual machine to the host system.
Wireshark is an open source network analyzer (Wireshark, n.d.). It can be used to capture raw Ethernet traffic
on a network and analyze the contents of the packets. It is available to the major operating systems because it
relies on other cross-platform open source technologies. It uses the pcap Application Programming Interface to
capture network traffic, which is available for both Unix and Unix-like operating systems (Solaris, Mac OS X,
Linux, BSD) in the form of libpcap and for Windows in the form of WinPcap. Wireshark is useful for
troubleshooting networks, software, and network protocols.
Research Plan
The goal is to design, implement, and test a new virtual private network protocol that uses the recent
improvements in peer-to-peer communication to make client-to-client communication through the VPN faster.
The server application will be programmed in Java. Only a simple server will be made to test the protocol.The
client application will be programmed in Java and C. The TAP interface will be used to communicate with the
host operating system. Because there is no TAP library available for Java, it will be programmed using the Java
Native Interface (JNI). TAP interface is a virtual Ethernet network interface driver, which provides userland
applications a way to create virtual network interfaces to communicate with the built-in networking stack of the
operating system. It is already in use by several VPN applications and available for the major operating
systems, including Linux, Windows, Mac OS X, and different BSD variants. That makes it suitable for a project
like this. Although Java applications are platform independent, the client application will be only Linux
compatible because the JNI code is Linux-specific; however, the program will be easily portable for other
platforms.
The client-client communications will use the User Datagram Protocol (UDP) for fast communication. UDP
hole punching will be utilized to traverse Network Address Translators.
The clients will use the Transmission Control Protocol (TCP) to communicate with the server. Although TCP is
slower than UDP, it is more reliable. Because every communication between the clients and the server is
critical, TCP is more suitable for this part of the communication because it removes error handling from the
protocol.
Although encryption will not be used, a challenge-response authentication method will be used to authenticate
the clients on the network, and the protocol will be designed to be able to handle encryption with later
extensions.
During the testing a server computer and at least two client computers will be used. The computers will run
Linux. The program code will be written using NetBeans. To find programming errors in the communication
Wireshark, a network sniffing application, will be used to record the communication between the clients.
6
Peer-to-Peer VPN
Methodology
The programs were written using NetBeans (version 6.9.1, downloaded from netbeans.org). The computers used
for testing were running Ubuntu Linux (version 10.10, downloaded from ubuntu.com) with the latest updates
and the default-jdk installed. The computers were connected to the Internet through a standard 10Mb Ethernet
hub. One computer was used to write the program and run the server application. Two computers were used to
test the client application. One computer was running Wireshark and recording communication. This data was
used to find the causes of unexpected errors.
A single computer was set up as a VPSN and PPTP server, and it was connected to a Cisco Systems router
(Cisco 2620XM). Two other computers were connected to a standard 10Mb Ethernet hub that was also
connected to the router. The router was set to add a 25ms delay to the communication between the two subnets.
The two computers were connected to the VPSN and PPTP networks served by the third computer. A command
was given to one of the client computers to simultaneously measure and record the latency between the two
clients through the two VPNs and the direct path through the Ethernet hub and the latency to the server
computer. The latency was measured using the built-in ping application of the operating system. 2000
measurements were made using 200Byte packets. Five measurements were done in every second. Data was
recorded to text files. After these measurements, both the direct connection and the VPSN connection were
flooded with 20000 ICMP echo requests (200B each). Total time and packet loss were measured and recorded
in text files. The data was processed using
Microsoft Excel.
Peer-to-Peer VPN
Results
Figure 7. Comparison of latency on different networks. Network latency is an important aspect of network performance. The smaller values are better.
Peer-to-Peer VPN
Table 1. Average latency and performance comparison.
TP
er
PP
rv
se
to
n
n
tio
ec
tio
ec
nn
nn
Co
Co
ct
re
Di
VP
SN
Average
Performance:
(ms)
Di
VP
SN
n
io
t
ec
nn
Co
ct
re
Time
Figure 8. Comparison of network traffic between the clients and between the clients and the server on a logarithmic
scale. In traditional protocols, the clients traffic would go through the server.
Peer-to-Peer VPN
10
Peer-to-Peer VPN
Literature Cited
Schneier, B. (2004). Crypto-Gram. Retrieved November 15, 2010,
from http://www.schneier.com/crypto-gram-0404.html#6
Starset, R. (2009). Dunkin Donuts DDoS. Retrieved November 15, 2010,
from http://www.flickr.com/photos/rubin110/4229606152/in/photostream/
Internet Denial-of-Service Considerations (RFC 4732). (2006). Retrieved November 15, 2010,
from http://datatracker.ietf.org/doc/rfc4732/
Internet Protocol (RFC 791). (1981). Retrieved November 15, 2010,
from http://datatracker.ietf.org/doc/rfc791/
Internet Protocol, Version 6 (RFC 2460). (1998). Retrieved November 15, 2010,
from http://datatracker.ietf.org/doc/rfc2460/
Point-to-Point Tunneling Protocol (RFC 2637). (1999). Retrieved November 15, 2010,
from http://datatracker.ietf.org/doc/rfc2637/
Schedule 26C3 Public wiki. (2009). Retrieved November 15, 2010,
from http://events.ccc.de/congress/2009/wiki/Schedule
Cohen, B. (2008). The BitTorrent Protocol Specification. Retrieved November 15, 2010,
from http://www.bittorrent.org/beps/bep_0003.html
Traditional IP Network Address Translator (RFC 3022). (2001). Retrieved November 15, 2010,
from http://datatracker.ietf.org/doc/rfc3022/
Transmission Control Protocol (RFC 761). (1980). Retrieved November 15, 2010,
from http://datatracker.ietf.org/doc/rfc761/
Krasnyansky, M. (2001). Universal TUN/TAP device driver Frequently Asked Question.
Retrieved November 15, 2010, from http://vtun.sourceforge.net/tun/faq.html
11
Peer-to-Peer VPN
User Datagram Protocol (RFC 768). (1980). Retrieved November 15, 2010,
from http://datatracker.ietf.org/doc/rfc768/
Wireshark Go Deep. (n.d.) Retrieved November 15, 2010,
from http://www.wireshark.org/
Appendices
Included appendices:
I would like to express my appreciation for Ms. Karen Lang, my advisor who helped me with
several aspects of my project.
I would like to show my gratitude to Dr. Judith Sumner for helping me writing this paper.
I would also like to say thanks to Gerg Kos who helped me figure out how to handle the
Ethernet packets.
12