Advanced Virtual Private Network Support on FreeBSD systems
Riccardo Scandariato, Fulvio Risso, Politecnico di Torino, Italy
2nd European BSD Conference, Amsterdam, 15-17 November 2002
Outline
- PPVPN definition
- Needed support for PPVPN
- Roadmap of modifications
- Implementation details (FreeBSD 4.4)
- Conclusions
Customer-based VPN
[Diagram: a mobile employee, an enterprise branch and the enterprise HQ connected across the provider network]
- VPN connectivity supported by customer equipment
- Network provider just as transport (VPN-unaware)
Provider Provisioned VPN
- VPN connectivity supported by the provider network
- Transparency to the end-user
- Multiple virtual networks concurrently deployed on the same physical network
  - Routers shared among different VPNs
- Addresses are chosen by clients (typically out of the private address space)
  - Overlaps and collisions across VPNs
[Diagram: PPVPN topology with customer sites A, B, C and D attached through CPEs to the provider IP routers freebsd, core001, goomer and magodante]
Access VPN router
[Diagram: access router freebsd with eth0 (Pri), eth1 (Pri) and eth2 (Inet); tunnels gif0 and gif1 both on eth2, towards mago and goomer]
Packet leaving the access router, outer header added by the tunnel:
  Inet SRC freebsd(eth2) | Inet DST goomer(eth0) | VPN SRC 10.0.1.1 | VPN DST 10.0.2.7 | payload
Steps: Identification -> Vx lookup -> Encapsulation
Core VPN router
[Diagram: core router goomer with eth0 (Inet) and eth1 (Inet); gif0 on eth0 towards freebsd, gif1 on eth1 towards mago; the router acts as a tunnel switch]
Incoming packet:  Inet SRC freebsd(eth2) | Inet DST goomer(eth0) | VPN SRC 10.0.1.1 | VPN DST 10.0.2.7 | payload
Outgoing packet:  Inet SRC goomer(eth1) | Inet DST mago | VPN SRC 10.0.1.1 | VPN DST 10.0.2.7 | payload
Tunneling
- IP-in-IP already provided by FreeBSD (gif pseudo-interfaces)
- Paired point-to-point numbered links
  - freebsd# ifconfig gif0 create
  - freebsd# ifconfig gif0 inet 10.0.0.1 10.0.0.2 netmask 255.255.255.0
  - freebsd# gifconfig gif0 inet 130.192.31.1 130.192.31.2
  - Same on the peer
Summing up
- Many nets, each with its own topology
- Same routers serving many nets
- No assumption about address spaces
  - Cope with overlapping address spaces
- Each packet must be forwarded according to the VPN it belongs to
Rationale
- Routing table virtualization
  - Introduced by this work
    - Forwarding virtualization
    - Routing virtualization
- Tunneling (IP-in-IP)
  - Already provided by FreeBSD (see issues...)
- Commitment
  - As few modifications as possible
  - Harmonize with existing code
  - The simpler the better!
Modified files
- Kernel: sys/sys/socket.h, sys/sys/socketvar.h, sys/sys/sockio.h, sys/kern/uipc_socket.c, sys/kern/sys_socket.c, sys/net/if_var.h, sys/net/if.h, sys/net/if.c, sys/net/route.h, sys/net/route.c, sys/net/raw_cb.h, sys/net/rtsock.c, sys/net/raw_usrreq.c, sys/netinet/ip_input.c, sys/netinet/if_ether.c
- netstat: netstat/netstat.h, netstat/route.c, netstat/main.c
- route: route/keywords, route/route.c
- zebra: zebra/lib/vpn.h, zebra/main.c, zebra/kernel_socket.c, zebra/rtread_sysctl.c
- ifconfig: ifconfig/ifconfig.c
Roadmap
[Diagram: roadmap of the modifications, split between user space and kernel space]
  User space: netstat, zebra and route reach the kernel tables through socket(RAW), ioctl(), setsockopt() and sysctl(); ifconfig reaches the interfaces through socket(DGRAM), ioctl() and struct ifreq
  Kernel space: Tables, Routing, Forwarding, Interfaces & pseudo-interfaces
Multiple routing tables
[Diagram: the existing rt_tables[] array (AF_MAX+1 entries, indexed by address family starting at 0); the AF_INET entry points to the Patricia tree holding the routes]
Multiple routing tables cont'd
- vpn_rt_tables[VPN_MAX + 1]
  - VPN_MAX defined in sys/socket.h
- Array statically allocated (net/route.c) for efficiency
- Tables dynamically initialized on demand, the first time they are accessed
  - route_output(RTM_ADD) => vpn_rtrequest(RTM_ADD, vpnid) => rn_inithead(&vpn_rt_tables[vpnid])
Routing messages
[Diagram: a user space process writes a routing message (struct rt_msghdr header with op type and length, followed by struct sockaddr entries for Destination, Gateway and Netmask) to a routing socket; route_output() dispatches ADD, DELETE and CHANGE to rtrequest() and GET to rtalloc1(); messages generated by the kernel return through raw_input() into the socket receive buffer; protocols resolve routes via rtalloc()]
Routing sockets
- VPN ID added to the socket structure (sys/socketvar.h)
  - struct socket { u_int vpnid; }
- VPN ID field initialized to zero when the socket is created by the socket() system call
  - socreate() (kern/uipc_socket.c)
Routing sockets cont'd
- VPN ID can be set through the SO_VPNID option (sys/socket.h) of setsockopt()
  - sosetopt(), sogetopt() (kern/uipc_socket.c)
- VPN ID can also be set through the SIOC(G,S)VPNID requests (sys/sockio.h) of ioctl()
  - soo_ioctl() (kern/sys_socket.c)
Table interaction
- route_output() (net/rtsock.c)
  - RTM_ADD and RTM_DELETE now call vpn_rtrequest() (net/route.h,c)
  - RTM_GET now selects the table based on the socket's vpnid before rnh_lookup()
Routing messages from kernel
- VPN ID added as an argument to raw_input()
  - vpn_raw_input() (net/raw_cb.h, net/raw_usrreq.c)
- A message is now delivered only to routing sockets with the same VPN ID
Sysctl
- E.g. used by netstat to read the whole table
  - sysctl_rtsock() (net/rtsock.c)
- Example (the last MIB element, 7, is the VPN ID added by this work)
    struct rt_msghdr *msg;
    size_t len;
    int mib[6] = {CTL_NET, PF_ROUTE, 0, AF_INET, NET_RT_DUMP, 7};  /* 7 = VPN ID (added) */
    sysctl(mib, 6, NULL, &len, NULL, 0);   /* first call: size of the dump */
    msg = malloc(len);
    sysctl(mib, 6, msg, &len, NULL, 0);    /* second call: dump the table of VPN 7 */
Packet forwarding process
[Diagram: network interface -> input queue -> ip_input() -> ip_forward() -> ip_output(); gif_input() feeds decapsulated tunnel packets into the input queue; ip_forward() calls rtalloc_ign() -> rtalloc1(), which references the routing table]
Forwarding virtualization
- ip_forward() (netinet/ip_input.c)
  - VPN ID is retrieved from the receiving interface (either physical or pseudo)
  - It now calls vpn_rtalloc_ign() (net/route.h,c)
- Ancillary functions
  - vpn_rtalloc(), vpn_rtalloc1() (net/route.h,c)
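As an added illustration (not the authors' kernel patch), the following C code models the per-VPN table array of slide 14 together with the interface-driven table selection of slide 22: entries of vpn_rt_tables[] are initialized on first use, and forwarding picks the table from the receiving interface's if_vpnid, so the same 10.0.2.0/24 prefix can live in two VPNs with different next hops. The value of VPN_MAX, the route and ifnet layouts and the linear longest-prefix match (in place of the kernel's radix trees) are assumptions made here.

```c
/* Added illustration, not the authors' code: per-VPN routing tables
 * selected by the receiving interface's VPN ID (slides 14 and 22).
 * A linear longest-prefix match stands in for the radix (Patricia) trees. */
#include <stdint.h>
#include <string.h>

#define VPN_MAX 15            /* assumed value; the real one is in sys/socket.h */
#define MAX_ROUTES 8

struct route { uint32_t dst, mask; const char *gw; };
struct rtable { int inited; int n; struct route r[MAX_ROUTES]; };
struct ifnet { const char *name; unsigned if_vpnid; };   /* if_vpnid as on slide 24 */

static struct rtable vpn_rt_tables[VPN_MAX + 1];   /* static array, as in net/route.c */

/* Return the table of a VPN, initializing it on first access (cf. rn_inithead). */
static struct rtable *vpn_table(unsigned vpnid)
{
    if (vpnid > VPN_MAX) return NULL;
    struct rtable *t = &vpn_rt_tables[vpnid];
    if (!t->inited) { memset(t, 0, sizeof *t); t->inited = 1; }
    return t;
}

static uint32_t ip4(int a, int b, int c, int d)
{ return ((uint32_t)a << 24) | (b << 16) | (c << 8) | d; }

/* RTM_ADD into the table of one VPN (the role of vpn_rtrequest). */
static int vpn_rtadd(unsigned vpnid, uint32_t dst, int plen, const char *gw)
{
    struct rtable *t = vpn_table(vpnid);
    if (!t || t->n == MAX_ROUTES) return -1;
    uint32_t mask = plen ? 0xffffffffu << (32 - plen) : 0;
    t->r[t->n++] = (struct route){ dst & mask, mask, gw };
    return 0;
}

/* ip_forward: choose the table from the ingress interface, then longest match. */
static const char *vpn_forward(const struct ifnet *rcvif, uint32_t dst)
{
    struct rtable *t = vpn_table(rcvif->if_vpnid);
    const struct route *best = NULL;
    for (int i = 0; t && i < t->n; i++)
        if ((dst & t->r[i].mask) == t->r[i].dst &&
            (!best || t->r[i].mask > best->mask))
            best = &t->r[i];
    return best ? best->gw : NULL;   /* NULL: no route in this VPN, packet dropped */
}
```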
Traffic identification
[Diagram: colored interfaces: a data packet arriving on eth0 or on gif2 is looked up in the table of that interface's VPN and then forwarded]
Interface marking
- VPN ID added to the interface structure (net/if_var.h)
  - struct ifnet { u_int if_vpnid; }
- VPN ID field initialized to zero when interfaces are created at boot
  - if_attach() (net/if.c)
Interface marking cont'd
- VPN ID can be set through the SIOC(S,G)IFVPNID requests (sys/sockio.h) of ioctl()
  - struct ifreq { u_int ifr_vpnid; } (net/if.h)
  - ifioctl() (net/if.c)
User space programs
- route add default freebsd.polito.it -vpn 7
- netstat -v 7
- ifconfig gif0 10.0.0.1 netmask 255.255.255.0 vpnid 7
- zebra -f zebra.mago.7.conf -V 7
- ospfd -f ospfd.mago.7.conf
Issues (i)
- ARP cache update not virtualized
  - ARP lookup is virtualized (netinet/if_ether.c)
  - ARP entries are still written into the base table
- The issue does not arise if an L3 CPE sits between the destination and the egress router
Issues (ii)
- gif interfaces are colored to identify the VPN they belong to
  - Different VPNs between the same pair of nodes need different tunnels/gifs
- The incoming gif is recognized through the outer source and outer destination addresses
  - No multiple IP-in-IP tunnels between the same pair of physical interfaces (addresses)
  - GRE (with the KEY field) can be used to disambiguate
Improvements
- VPN identification at ingress points
  - Fine-grained traffic filters
  - Colors are better suited to gif interfaces
- Zebra support
  - VPN_ID in the communication protocol between the ospfd daemons and the zebra router manager
- Secure transport of VPN traffic: IPsec
- Per-VPN QoS guarantees: ALTQ
Info
- Do you want to try it?
  - http://softeng.polito.it/freebsd/
- Do you want to know more details?
  - Riccardo Scandariato, [email protected]
  - Fulvio Risso, [email protected]
Q&A