Posts Tagged ‘UDP encapsulation’

GSoC 2011: L-VN Lite Virtual Network

Monday, September 5th, 2011

L-VN is a tool for creating overlay networks based on IP-in-UDP encapsulation performed in kernel space, without encryption or authentication of the tunneled packets. The idea of L-VN is to exploit the IP/UDP encapsulation kernel module proposed for GSoC 2010 to develop a VPN/overlay tool based on IP/UDP encapsulation performed in kernel space with no “security services” for the encapsulated packets (i.e. no confidentiality, no authentication). The goal is to provide a lightweight overlay network tool that might be preferable to other VPN/overlay solutions for devices with limited computational resources. The project is a Freifunk-Ninux.org proposal, and is sponsored by the Google Summer of Code 2011 program.

L-VN consists of 3 main elements:

  1. IPUDP encapsulation module: a kernel module that exports virtual network devices performing IP/UDP encapsulation. Packets routed through these interfaces are encapsulated in IP/UDP headers and sent to the proper tunnel endpoint. Currently the ipudp module provides two virtual device modes: A) FIXED mode: a single ipudp tunnel is bound to a virtual ipudp device. This type of virtual interface is dual-stack, in the sense that both an IPv4 and an IPv6 address can be assigned to the device, which can then be used by both IPv4 and IPv6 applications. B) MULTI_V4 mode: multiple ipudp tunnels can be bound to this type of virtual interface. For each encapsulated packet, the proper tunnel is chosen by a set of rules that bind the destination IP address of the inner packet to a given tunnel. For GSoC 2011 the module has been updated to be compatible with kernel 2.6.38 and modified in several places to implement the keepalive mechanism.
  2. IPUDP configuration tool: this tool can be compiled either as a standalone program or as a library, and provides a set of primitives based on NETLINK sockets to configure the IPUDP encapsulation module. IPUDP_CONF provides the primitives needed to add and remove virtual network devices, ipudp tunnels and forwarding rules.
  3. IPUDP signaling agents: a client and a server program written in C for automatic tunnel establishment and management. In detail, these components provide the following services: a) mutual authentication based on X.509 certificates and TLS (OpenSSL); b) NAT reflexive address discovery and automatic tunnel establishment; c) NAT binding keepalive; d) automatic de-allocation of inactive tunnels. This component has been completely implemented for GSoC 2011 but still needs some work.

The code is available through the ninux SVN repository, at the path: https://svn.ninux.org/svn/ninuxdeveloping/ipudp/v02. Comments, remarks or any kind of support will be truly appreciated.

Contacts: marco.bonola@uniroma2.it, marco.giuntini@uniroma2.it

L-VN Lite Virtual Network – GSoC 2011

Wednesday, June 1st, 2011

Most existing VPN solutions are based on user-space tunneling (OpenVPN, tinc) and consume a large amount of CPU copying packets to and from user space. Kernel-based solutions (e.g. IPsec VPNs) are more efficient in terms of CPU load, but still spend CPU on cryptographic operations that are sometimes not even required. In fact, in many cases, when the goal is simply to create a hub-and-spoke overlay network with a central server and several clients behind NAT, the preferred solution is to use OpenVPN with a null cipher.

The idea of L-VN is to exploit the IP/UDP encapsulation kernel module proposed for GSoC 2010 (https://blog.ninux.org/tag/udp-encapsulation/) to develop a VPN/overlay tool based on IP/UDP encapsulation performed in kernel space with no “security services” for the encapsulated packets (i.e. no confidentiality, no authentication). The goal is to provide a lightweight overlay network tool that might be preferable to other VPN/overlay solutions for devices with limited computational resources. The project is a FreifunkNinux.org proposal, and is sponsored by the Google Summer of Code 2011 program.

In detail, this project requires two main tasks:

1) The IP/UDP encapsulation kernel module needs to be finished and improved with respect to the technical details described in this README. Moreover, incoming packets are currently intercepted with a NETFILTER hook and then decapsulated; to be eligible for possible integration in the Linux kernel, a different solution has to be found and implemented.

2) A client/server application for authentication, automatic tunnel establishment and NAT traversal has to be designed and developed. This application will provide the following features: a) (optional) mutual authentication; b) NAT reflexive address discovery and automatic tunnel establishment; c) NAT binding keepalive; d) automatic de-allocation of inactive tunnels.
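The signaling features listed here and in the September post (NAT reflexive address discovery, NAT binding keepalive, automatic de-allocation of inactive tunnels) come down to a small piece of state per tunnel. The following is an added example in C, not the L-VN signaling agents' code: `server_register` is assumed to run only after TLS mutual authentication has succeeded; it records the client's UDP source address as seen by the server (the NAT-reflexive address) and echoes it back; keepalives refresh the binding and follow a NAT rebinding; and a periodic sweep frees tunnels that have been silent longer than an idle timeout. Time is a simulated counter in seconds, and all names, addresses, ports and timeouts are constructed for the example.

```c
/* Signaling-agent state for NAT-reflexive address discovery, keepalive and
 * inactive-tunnel de-allocation (added example, not the L-VN agents' code).
 * Time is a simulated counter in seconds; addresses/ports are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_TUNNELS 4   /* hard cap: an unbounded table is a resource-exhaustion risk */

struct endpoint { uint32_t ip; uint16_t port; };                           /* host byte order */
struct tunnel   { int active; int client_id; struct endpoint peer; uint64_t last_seen; };
struct server   { struct tunnel t[MAX_TUNNELS]; uint64_t idle_timeout; };

static int ep_eq(struct endpoint a, struct endpoint b) { return a.ip == b.ip && a.port == b.port; }

/* Called only after the client passed TLS mutual authentication (assumed done by
 * the caller). `seen` is the client's UDP source address as observed by the
 * server, i.e. its NAT-reflexive address: it becomes the tunnel endpoint and is
 * echoed back so the client learns its public mapping. Returns the tunnel index,
 * or -1 when the table is full. Re-registration replaces the old entry. */
int server_register(struct server *s, int client_id, struct endpoint seen,
                    uint64_t now, struct endpoint *reflexive) {
    int slot = -1;
    for (int i = 0; i < MAX_TUNNELS; i++)
        if (s->t[i].active && s->t[i].client_id == client_id) slot = i;
    for (int i = 0; slot < 0 && i < MAX_TUNNELS; i++)
        if (!s->t[i].active) slot = i;
    if (slot < 0) return -1;
    s->t[slot] = (struct tunnel){ 1, client_id, seen, now };
    *reflexive = seen;
    return slot;
}

/* Keepalive on tunnel `idx`: refreshes the activity timestamp and, if the observed
 * source changed (the NAT rebound the mapping), follows it.
 * Returns 0 unchanged, 1 endpoint updated, -1 unknown tunnel. */
int server_keepalive(struct server *s, int idx, struct endpoint seen, uint64_t now) {
    if (idx < 0 || idx >= MAX_TUNNELS || !s->t[idx].active) return -1;
    s->t[idx].last_seen = now;
    if (ep_eq(s->t[idx].peer, seen)) return 0;
    s->t[idx].peer = seen;
    return 1;
}

/* Periodic sweep: de-allocate tunnels silent for longer than idle_timeout. Returns count freed. */
int server_expire(struct server *s, uint64_t now) {
    int n = 0;
    for (int i = 0; i < MAX_TUNNELS; i++)
        if (s->t[i].active && now - s->t[i].last_seen > s->idle_timeout) { s->t[i].active = 0; n++; }
    return n;
}

/* Client side: send the next keepalive once `interval` has elapsed. The interval
 * must be shorter than the NAT's UDP mapping timeout and the server's idle_timeout. */
int client_keepalive_due(uint64_t last_sent, uint64_t interval, uint64_t now) {
    return now - last_sent >= interval;
}

/* Timeline exercising the three services; returns the number of failed checks. */
int signaling_selftest(void) {
    struct server s; memset(&s, 0, sizeof s); s.idle_timeout = 60;
    struct endpoint seen = { 0xc6336401u, 40000 }, refl;   /* 198.51.100.1:40000, the NAT's public mapping */
    int fails = 0, id = server_register(&s, 7, seen, 0, &refl);
    fails += id != 0 || !ep_eq(refl, seen);                 /* reflexive address echoed back */
    uint64_t last = 0;                                      /* 25 s keepalives keep a 60 s timeout alive */
    for (uint64_t now = 1; now <= 75; now++)
        if (client_keepalive_due(last, 25, now)) { fails += server_keepalive(&s, id, seen, now) != 0; last = now; }
    fails += server_expire(&s, 75) != 0;
    struct endpoint moved = { 0xc6336401u, 40001 };         /* NAT rebinds to a new port */
    fails += server_keepalive(&s, id, moved, 80) != 1;
    fails += server_expire(&s, 140) != 0;                   /* exactly 60 s idle: still alive */
    fails += server_expire(&s, 141) != 1;                   /* 61 s idle: de-allocated */
    fails += server_keepalive(&s, id, moved, 142) != -1;    /* late keepalive is refused */
    for (int c = 1; c <= MAX_TUNNELS; c++) {                /* fill the table ... */
        struct endpoint e = { 0xc6336401u, (uint16_t)(50000 + c) };
        fails += server_register(&s, 100 + c, e, 150, &refl) < 0;
    }
    struct endpoint extra = { 0xc6336401u, 50099 };         /* ... and the next client is refused */
    fails += server_register(&s, 199, extra, 150, &refl) != -1;
    return fails;
}

int main(void) {
    int f = signaling_selftest();
    printf("signaling self-test: %d failed check(s)\n", f);
    return f != 0;
}
```

The self-test walks a timeline: 25-second keepalives against a 60-second idle timeout keep the tunnel alive, a port change in the observed source is followed rather than rejected (the NAT may rebind at any time), and a tunnel that stops sending is freed on the first sweep after the timeout has elapsed, after which its keepalives are refused. The fixed table size is the simplest defence against a flood of registrations, which is why the registration path is placed after authentication.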

The source code will be publicly available through the ninux SVN repository: https://svn.ninux.org/svn/ninuxdeveloping/lvn. Comments, remarks or any kind of support will be truly appreciated.

Marco

Contacts: marco.bonola@uniroma2.it, marco.giuntini@uniroma2.it

GSoC 2010 – IPinUDP generic encapsulation module

Tuesday, November 2nd, 2010

GSoC 2010 is over and it is time to evaluate the status of the IPinUDP generic encapsulation module project.

The ipudp kernel module can be used to create virtual network devices that perform IP/UDP encapsulation. Packets routed through these network interfaces are encapsulated in IP/UDP headers and sent to the proper tunnel endpoint. The ipudp module supports both IPv4 and IPv6 encapsulation, meaning that packets can be encapsulated within either IPv4/UDP or IPv6/UDP headers.

Currently, the ipudp module provides two virtual device modes:

  1. FIXED mode: a single ipudp (v4 or v6) tunnel is bound to a virtual ipudp device. This type of virtual interface is dual-stack, in the sense that both an IPv4 and an IPv6 address can be assigned to the device, which can then be used by both IPv4 and IPv6 applications.
  2. MULTI_V4 mode: multiple ipudp (v4 or v6) tunnels can be bound to this type of virtual interface. For each encapsulated packet, the proper tunnel is chosen by a set of rules that bind the destination IP address of the inner packet to a given tunnel. For this interface type, only IPv4 traffic is supported.

The module can be extended to support other encapsulation modes with different forwarding policies.

The ipudp module comes with ipudp_conf, a configuration tool used to create, remove and list virtual devices, and to add, remove and list tunnels and rules.
The module is at a very early stage and hasn’t been completely tested. I’m not 100% sure that it is bug-free, so try it on virtual machines. Moreover, some details of the project still need to be improved, and a simple user-space program for dynamic tunnel establishment for hosts behind NAT is still needed. I’m still working on these last details.
For any additional details please refer to the source code, available at https://svn.ninux.org/ninuxdeveloping/ipudp, and in particular to the README file, which provides a simple manual for ipudp_conf and some practical examples.


GSoC 2010 – IPinUDP generic encapsulation module

Friday, July 30th, 2010

The main goal of this project is the development of a Linux 2.6 kernel module and the relevant user-space tools to set up IP-in-UDP tunnels between two end points, either fixed or mobile. The project is a FreifunkNinux.org proposal, and is sponsored by the Google Summer of Code program.

IP-in-UDP encapsulation is a well-known mechanism, mainly used in NAT traversal solutions (e.g. RFC 3948). Moreover, IP/UDP encapsulation can be envisioned in end-to-end overlays and mobility management solutions. Despite its simplicity, a generic IP-in-UDP encapsulation Linux kernel module independent of the IPsec framework is not currently available, and this kind of tunneling is usually realized with user-space tools.

The first task of this project is to create a kernel module allowing a user to export one or more virtual interfaces, so that packets routed through them are encapsulated within a specific IP/UDP encapsulation header, as in other tunneling approaches based on virtual devices (IP-IP, IP-GRE, etc.).
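The encapsulation this task describes (and that the two later posts above describe for the finished module: an inner packet wrapped in an outer IP/UDP header and handed to the tunnel endpoint) is easiest to see in user-space C. The following is an added example, not code from the ipudp module or the ninux repository: it builds an IPv4/UDP outer header around an inner packet and, on the receiving side, checks the outer length against the bytes received, the outer header checksum, the UDP destination port and length, and the inner packet's own declared length before accepting it. Because the tunnel carries no authentication, this consistency checking is all the filtering the decapsulation path gets, so it happens before the inner packet reaches the IP stack. The names (`tunnel_ep`, `ipudp_encap`, `ipudp_decap`), the outer port 4000 and all addresses are constructed; the module also supports IPv6 outer headers, which this example does not build (the inner packet may be IPv4 or IPv6).

```c
/* IP-in-UDP encapsulation and validated decapsulation (added example, not the
 * ipudp module's code). Header layouts follow RFC 791 and RFC 768; outer port
 * 4000 and all addresses are constructed sample values. Only an IPv4 outer
 * header is built here; the inner packet may be IPv4 or IPv6. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_HDR_LEN  20
#define UDP_HDR_LEN   8
#define OUTER_HDR_LEN (IPV4_HDR_LEN + UDP_HDR_LEN)
#define PROTO_UDP     17

struct tunnel_ep {                 /* one ipudp tunnel: outer addresses and ports */
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;
};

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* RFC 1071 one's-complement checksum; yields 0 over a header whose checksum field is valid. */
static uint16_t csum(const uint8_t *d, size_t len) {
    uint32_t s = 0;
    for (; len > 1; d += 2, len -= 2) s += get16(d);
    if (len) s += (uint32_t)d[0] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Prepend outer IPv4+UDP headers to an inner packet. Returns bytes written or -1. */
int ipudp_encap(const struct tunnel_ep *t, const uint8_t *inner, size_t inner_len,
                uint8_t *out, size_t out_cap) {
    size_t total = OUTER_HDR_LEN + inner_len;
    if (inner_len < IPV4_HDR_LEN || total > 65535 || total > out_cap) return -1;
    uint8_t *ip = out, *udp = out + IPV4_HDR_LEN;
    memset(ip, 0, OUTER_HDR_LEN);
    ip[0] = 0x45;                             /* version 4, IHL 5 */
    put16(ip + 2, (uint16_t)total);           /* total length */
    ip[8] = 64;                               /* TTL */
    ip[9] = PROTO_UDP;
    put32(ip + 12, t->src_ip);
    put32(ip + 16, t->dst_ip);
    put16(ip + 10, csum(ip, IPV4_HDR_LEN));   /* header checksum, computed last */
    put16(udp, t->src_port);
    put16(udp + 2, t->dst_port);
    put16(udp + 4, (uint16_t)(UDP_HDR_LEN + inner_len));
    /* UDP checksum left 0: allowed over IPv4, mandatory with an IPv6 outer header */
    memcpy(out + OUTER_HDR_LEN, inner, inner_len);
    return (int)total;
}

/* Strip the outer headers, refusing anything inconsistent before the inner
 * packet reaches the IP stack. Returns inner length or -1. */
int ipudp_decap(const uint8_t *pkt, size_t len, uint16_t expect_port, const uint8_t **inner_out) {
    if (len < OUTER_HDR_LEN + IPV4_HDR_LEN) return -1;
    const uint8_t *ip = pkt, *udp = pkt + IPV4_HDR_LEN;
    if (ip[0] != 0x45 || ip[9] != PROTO_UDP) return -1;  /* plain IPv4, no options, UDP */
    if (get16(ip + 2) != len) return -1;                 /* outer length vs. bytes received */
    if (csum(ip, IPV4_HDR_LEN) != 0) return -1;          /* outer header checksum */
    if (get16(udp + 2) != expect_port) return -1;        /* must be addressed to the tunnel port */
    if (get16(udp + 4) != len - IPV4_HDR_LEN) return -1; /* UDP length vs. outer length */
    const uint8_t *inner = pkt + OUTER_HDR_LEN;
    size_t inner_len = len - OUTER_HDR_LEN;
    switch (inner[0] >> 4) {                             /* inner declared length must match too */
    case 4: if (get16(inner + 2) != inner_len) return -1; break;
    case 6: if (inner_len < 40 || get16(inner + 4) + 40u != inner_len) return -1; break;
    default: return -1;
    }
    *inner_out = inner;
    return (int)inner_len;
}

/* Constructed sample inner packet: 20-byte IPv4 header + 4 payload bytes, 10.0.0.1 -> 10.0.0.2 */
int build_sample_inner(uint8_t *buf, size_t cap) {
    if (cap < 24) return -1;
    memset(buf, 0, 24);
    buf[0] = 0x45; put16(buf + 2, 24); buf[8] = 64; buf[9] = PROTO_UDP;
    put32(buf + 12, 0x0a000001u); put32(buf + 16, 0x0a000002u);
    put16(buf + 10, csum(buf, IPV4_HDR_LEN));
    return 24;
}

/* Round trip plus the malformed inputs a receiver must reject; returns failed checks. */
int ipudp_selftest(void) {
    uint8_t inner[24], wire[128]; const uint8_t *back; int fails = 0;
    struct tunnel_ep t = { 0xc0a80101u, 0xc0a80102u, 4000, 4000 };  /* 192.168.1.1 -> 192.168.1.2 */
    fails += build_sample_inner(inner, sizeof inner) != 24;
    fails += ipudp_encap(&t, inner, 24, wire, sizeof wire) != 52;
    fails += ipudp_decap(wire, 52, 4000, &back) != 24 || memcmp(back, inner, 24) != 0;
    fails += ipudp_decap(wire, 52, 4001, &back) != -1;                   /* wrong port */
    fails += ipudp_decap(wire, 51, 4000, &back) != -1;                   /* truncated */
    wire[10] ^= 0xff; fails += ipudp_decap(wire, 52, 4000, &back) != -1; wire[10] ^= 0xff;
    wire[OUTER_HDR_LEN + 3] = 0xff; fails += ipudp_decap(wire, 52, 4000, &back) != -1;
    return fails;
}

int main(void) {
    int f = ipudp_selftest();
    printf("ipudp self-test: %d failed check(s)\n", f);
    return f != 0;
}
```

The self-test round-trips a 24-byte inner packet through a 52-byte outer datagram and then feeds the receiver a wrong port, a truncated datagram, a corrupted outer checksum and an inner header whose declared length disagrees with what arrived; each must be refused. A kernel receive path does these same checks on the skb before handing the inner packet up, which is what keeps a stray or crafted UDP datagram on the tunnel port from being injected as a routed packet.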

The second step will be to extend the basic functionality described above into a generic IP/UDP encapsulation driver usable in different contexts that might require UDP encapsulation, such as mobility, multihoming or tunnel-based VPN approaches. The basic idea is that the IP/UDP tunnels are multiplexed on a single virtual interface, and the proper encapsulation header is retrieved from an “internal forwarding table” configurable from user space.
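The “internal forwarding table” of this step (the MULTI_V4 mode of the two later posts above, where each rule binds the destination IP address of the inner packet to a tunnel) can be modelled as follows. This is an added example, not the module's or ipudp_conf's code. The prefix-based rule format with longest-prefix match is an assumption that generalizes the per-address rules in the posts: a /32 rule is a single-address binding and a /0 rule acts as a default tunnel. All names and addresses are constructed. Two details matter for a table that user space configures over netlink: a packet with no matching rule must be dropped rather than sent unencapsulated, and the rules pointing at a de-allocated tunnel must be removed together with it.

```c
/* Forwarding table binding inner destination prefixes to tunnel ids (added
 * example, not the ipudp module's code). Rule format and names are assumed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_RULES 32
#define NO_TUNNEL -1   /* lookup result meaning "drop": never forward unencapsulated */

struct fwd_rule  { int used; uint32_t net; uint8_t plen; int tunnel; };
struct fwd_table { struct fwd_rule r[MAX_RULES]; };

static uint32_t plen_mask(uint8_t plen) { return plen == 0 ? 0u : 0xffffffffu << (32 - plen); }

/* Dotted-quad parser; returns 1 on success, 0 on malformed input (host byte order out). */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = a << 24 | b << 16 | c << 8 | d;
    return 1;
}

static int find_rule(const struct fwd_table *t, uint32_t net, uint8_t plen) {
    for (int i = 0; i < MAX_RULES; i++)
        if (t->r[i].used && t->r[i].net == net && t->r[i].plen == plen) return i;
    return -1;
}

/* Bind inner destinations in net/plen to a tunnel. Rejects malformed addresses,
 * prefix lengths above 32 and duplicate prefixes (a rule must be removed before
 * it can be re-pointed, so a typo cannot silently shadow an existing binding). */
int fwd_add(struct fwd_table *t, const char *net_str, uint8_t plen, int tunnel) {
    uint32_t net;
    if (plen > 32 || tunnel < 0 || !parse_ipv4(net_str, &net)) return -1;
    net &= plen_mask(plen);
    if (find_rule(t, net, plen) >= 0) return -1;
    for (int i = 0; i < MAX_RULES; i++)
        if (!t->r[i].used) { t->r[i] = (struct fwd_rule){ 1, net, plen, tunnel }; return 0; }
    return -1;  /* table full */
}

int fwd_del(struct fwd_table *t, const char *net_str, uint8_t plen) {
    uint32_t net;
    if (plen > 32 || !parse_ipv4(net_str, &net)) return -1;
    int i = find_rule(t, net & plen_mask(plen), plen);
    if (i < 0) return -1;
    t->r[i].used = 0;
    return 0;
}

/* Pick the tunnel for an inner packet by longest-prefix match on its destination. */
int fwd_lookup(const struct fwd_table *t, uint32_t dst) {
    int best = NO_TUNNEL, best_len = -1;
    for (int i = 0; i < MAX_RULES; i++) {
        const struct fwd_rule *r = &t->r[i];
        if (r->used && (dst & plen_mask(r->plen)) == r->net && r->plen > best_len) {
            best = r->tunnel; best_len = r->plen;
        }
    }
    return best;
}

/* When a tunnel is de-allocated every rule still pointing at it must go too,
 * otherwise lookups keep returning a dead tunnel id. Returns rules removed. */
int fwd_drop_tunnel(struct fwd_table *t, int tunnel) {
    int n = 0;
    for (int i = 0; i < MAX_RULES; i++)
        if (t->r[i].used && t->r[i].tunnel == tunnel) { t->r[i].used = 0; n++; }
    return n;
}

/* Exercises add/del/lookup/drop with constructed addresses; returns failed checks. */
int fwd_selftest(void) {
    struct fwd_table t; memset(&t, 0, sizeof t);
    uint32_t ip; int fails = 0;
    fails += fwd_add(&t, "10.0.0.0", 8, 1) != 0;    /* site-wide tunnel */
    fails += fwd_add(&t, "10.1.0.0", 16, 2) != 0;   /* more specific subnet */
    fails += fwd_add(&t, "10.1.2.3", 32, 3) != 0;   /* single host */
    fails += fwd_add(&t, "10.1.0.0", 16, 9) != -1;  /* duplicate prefix refused */
    fails += fwd_add(&t, "10.1.0.0", 33, 9) != -1;  /* bad prefix length refused */
    fails += fwd_add(&t, "10.1.0.x", 16, 9) != -1;  /* malformed address refused */
    parse_ipv4("10.1.2.3", &ip);  fails += fwd_lookup(&t, ip) != 3;
    parse_ipv4("10.1.9.9", &ip);  fails += fwd_lookup(&t, ip) != 2;
    parse_ipv4("10.7.0.1", &ip);  fails += fwd_lookup(&t, ip) != 1;
    parse_ipv4("192.0.2.1", &ip); fails += fwd_lookup(&t, ip) != NO_TUNNEL;
    fails += fwd_del(&t, "10.1.2.3", 32) != 0;
    parse_ipv4("10.1.2.3", &ip);  fails += fwd_lookup(&t, ip) != 2;   /* falls back to /16 */
    fails += fwd_drop_tunnel(&t, 2) != 1;
    parse_ipv4("10.1.9.9", &ip);  fails += fwd_lookup(&t, ip) != 1;   /* falls back to /8 */
    return fails;
}

int main(void) {
    int f = fwd_selftest();
    printf("forwarding table self-test: %d failed check(s)\n", f);
    return f != 0;
}
```

The self-test shows the precedence the three rule widths give (host beats subnet beats site), that a destination with no rule yields `NO_TUNNEL`, and that dropping a tunnel makes its former destinations fall back to the next-widest rule instead of a stale id.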

As for the current status of the implementation, the first task is almost accomplished; only a few details regarding locking are missing. The source code is publicly available at: https://svn.ninux.org/svn/ninuxdeveloping/ipudp. Comments, remarks and any kind of support will be appreciated.

Marco