GSoC 2011: L-VN Lite Virtual Network

L-VN is a tool for overlay network creation based on IP in UDP encapsulation performed in Kernel space without encryption/authentication of the tunneled packets. The idea of L-VN is to exploit the IP/UDP encapsulation kernel module proposed for GSoC 2010  to develop a VPN/Overlay tool based on IP/UDP encapsulation performed in kernel space with no “security services” for the encapsulated packets (i.e. no confidentiality, no authentication). The goal is to provide a lightweight overlay network tool that might be preferable to other VPN/Overlay solutions for devices with limited computational resources. The project is a proposal, and is sponsored by the Google Summer of Code 2011 program.

L-VN consists of 3 main elements:

  1. IPUDP encapsulation module: is a kernel module that exports a virtual network devices that perform ip-udp encapsulation. Packets routed through this network interfaces will be encapsulated in IP/UDP headers and sent to the proper tunnel endpoint.  As to the current status, ipudp module provides 2 virtual devices modes:  A) FIXED mode: a single ipudp tunnel is bound to a virtual ipudp device. This type of virtual interface is double-stack, in the sense that we can assign both IPv4 and IPv6 address to the device and use it for both IPv4 and IPv6 applications. B) MULTI_V4 mode: multiple ipudp tunnels can be bound to this type of virtual interface. For each encapsulated packet, the proper tunnel is chosen by a set of rules that bind the destination IP address of the inner packet, with a given tunnel. For GSoC2011 the module has been updated to be compatible with kernel 2.6.38 and modified in different points to implement the keepalive mechanism.
  2. IPUDP configuration tool: this tool can be compiled as both program or library and provides a set of primitives based on NETLINK sockets to configure the IPUDP encapsulation module. IPUDP_CONF provides the necessary primitives for addition/removal of virtual network devices, ipudp tunnels and forwarding rules.
  3. IPUDP signaling agents: a client and a server program written in C for automatic tunnel establishment and management. In details, these components provides the following services: a) mutual authentication based on X509 certificates and TLS (openssl); b) NAT reflexed address discovery and automatic tunnel establishment; c) NAT binding keep alive; d) automatic inactive tunnel de-allocation. This component has been completely implemented for GSoC2011 but it still needs some work.

The code is available through the ninux SVN repository, at the path: Comments, remarks or any kind of support will be truly appreciated.



Tags: , , , , ,

Leave a Reply