127 | .\} |
127 | .\} |
128 | .rm #[ #] #H #V #F C |
128 | .rm #[ #] #H #V #F C |
129 | .\" ======================================================================== |
129 | .\" ======================================================================== |
130 | .\" |
130 | .\" |
131 | .IX Title "GVPE 5" |
131 | .IX Title "GVPE 5" |
132 | .TH GVPE 5 "2005-01-27" "1.7" "GNU Virtual Private Ethernet" |
132 | .TH GVPE 5 "2005-02-22" "1.7" "GNU Virtual Private Ethernet" |
133 | .SH "NAME" |
133 | .SH "NAME" |
134 | GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. |
134 | GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. |
135 | .SH "DESCRIPTION" |
135 | .SH "DESCRIPTION" |
136 | .IX Header "DESCRIPTION" |
136 | .IX Header "DESCRIPTION" |
137 | \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple |
137 | \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple |
138 | nodes over an untrusted network. |
138 | nodes over an untrusted network. This document first gives an introduction |
|
|
139 | to VPNs in general and then describes the specific implementation of \s-1GVPE\s0. |
|
|
140 | .Sh "\s-1WHAT\s0 \s-1IS\s0 A \s-1VPN\s0?" |
|
|
141 | .IX Subsection "WHAT IS A VPN?" |
|
|
142 | \&\s-1VPN\s0 is an acronym, it stands for: |
139 | .IP "\(bu" 4 |
143 | .IP "\(bu" 4 |
140 | .IX Xref "Virtual" |
144 | .IX Xref "Virtual" |
141 | Virtual means that no physical network is created (of course), but an |
145 | Virtual means that no physical network is created (of course), but a |
142 | ethernet is emulated by creating multiple tunnels between the member |
146 | network is \fIemulated\fR by creating multiple tunnels between the member |
143 | nodes. |
147 | nodes by encapsulating and sending data over another transport network. |
|
|
148 | .Sp |
|
|
149 | Usually the emulated network is a normal \s-1IP\s0 or Ethernet, and the transport |
|
|
150 | network is the Internet. However, using a \s-1VPN\s0 system like \s-1GVPE\s0 to connect |
|
|
151 | nodes over other untrusted networks such as Wireless \s-1LAN\s0 is not uncommon. |
144 | .IP "\(bu" 4 |
152 | .IP "\(bu" 4 |
145 | .IX Xref "Private" |
153 | .IX Xref "Private" |
146 | Private means that non-participating nodes cannot decode (\*(L"sniff)\*(R" nor |
154 | Private means that non-participating nodes cannot decode (\*(L"sniff)\*(R" nor |
147 | inject (\*(L"spoof\*(R") packets. |
155 | inject (\*(L"spoof\*(R") packets. This means that nodes can be connected over |
|
|
156 | untrusted networks such as the public Internet without fear of being |
|
|
157 | eavesdropped while at the same time being able to trust data sent by other |
|
|
158 | nodes. |
148 | .Sp |
159 | .Sp |
149 | In the case of gvpe, even participating nodes cannot sniff packets send to |
160 | In the case of \s-1GVPE\s0, even participating nodes cannot sniff packets |
150 | other nodes or spoof packets as if sent from other nodes. |
161 | send to other nodes or spoof packets as if sent from other nodes, so |
|
|
162 | communications between any two nodes is private to those two nodes. |
151 | .IP "\(bu" 4 |
163 | .IP "\(bu" 4 |
152 | .IX Xref "Network" |
164 | .IX Xref "Network" |
153 | Network means that more than two parties can participate in the network, |
165 | Network means that more than two parties can participate in the network, |
154 | so for instance it's possible to connect multiple branches of a company |
166 | so for instance it's possible to connect multiple branches of a company |
155 | into a single network. Many so-called \*(L"vpn\*(R" solutions only create |
167 | into a single network. Many so-called \*(L"vpn\*(R" solutions only create |
156 | point-to-point tunnels. |
168 | point-to-point tunnels, which in turn can be used to build larger |
|
|
169 | networks. |
|
|
170 | .Sp |
|
|
171 | \&\s-1GVPE\s0 provides a true multi-point network in wich any number of nodes (at |
|
|
172 | least a few dozen in practise, the theoretical limit is 4095 nodes) can |
|
|
173 | participate. |
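Review bot: the new-side sentence "even participating nodes cannot sniff packets send to other nodes" keeps the old typo; since the line is being rewritten anyway, change "send to" to "sent to". In the same region: "communications between any two nodes is private to those two nodes" needs "are private" (or "communication ... is private"); "a true multi-point network in wich any number of nodes" should read "which"; and "at least a few dozen in practise" should be "practice" (the noun). The unchanged "Private" line above carries the closing parenthesis inside the troff quote, `(\*(L"sniff)\*(R"`, which renders as ("sniff)" instead of ("sniff"); it should be `(\*(L"sniff\*(R")` to match the `(\*(L"spoof\*(R")` that follows it.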
157 | .Sh "\s-1DESIGN\s0 \s-1GOALS\s0" |
174 | .Sh "\s-1GVPE\s0 \s-1DESIGN\s0 \s-1GOALS\s0" |
158 | .IX Subsection "DESIGN GOALS" |
175 | .IX Subsection "GVPE DESIGN GOALS" |
159 | .IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 |
176 | .IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 |
160 | .IX Item "SIMPLE DESIGN" |
177 | .IX Item "SIMPLE DESIGN" |
161 | Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected |
178 | Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected |
162 | at compile time \- this makes it possible to only link in algorithms |
179 | at compile time \- this makes it possible to only link in algorithms |
163 | you actually need. It also makes the crypto part of the source very |
180 | you actually need. It also makes the crypto part of the source very |
164 | transparent and easy to inspect. |
181 | transparent and easy to inspect, and last not least this makes it possible |
|
|
182 | to hardcode the layout of all packets into the binary. \s-1GVPE\s0 goes a step |
|
|
183 | further and internally reserves blocks of the same length for all packets, |
|
|
184 | which virtually removes all possibilities of buffer overflows, as there is |
|
|
185 | only a single type of buffer and it's always of fixed length. |
165 | .IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 |
186 | .IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 |
166 | .IX Item "EASY TO SETUP" |
187 | .IX Item "EASY TO SETUP" |
167 | A few lines of config (the config file is shared unmodified between all |
188 | A few lines of config (the config file is shared unmodified between all |
168 | hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to |
189 | hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to |
169 | make it work. |
190 | make it work. |
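Review bot: the added sentence "which virtually removes all possibilities of buffer overflows, as there is only a single type of buffer and it's always of fixed length" overstates what a single fixed-size buffer gives you. Having one buffer type removes the class of bugs where a packet is copied into a buffer sized for a different packet, but every write into that buffer whose length comes from the wire (payload length, padding, node index) still needs an explicit check against the fixed size, so the overflow possibility is not removed, only moved to those checks. Suggest something like "which removes a whole class of buffer-handling errors, as there is only a single type of buffer and it is always of fixed length", and, if the packet parser rejects oversized packets before copying, say so explicitly. Two smaller points in the same paragraph: "last not least" should be "last but not least", and since the text now says the packet layout is hardcoded into the binary, it is worth adding one sentence that all nodes therefore have to be built with identical cipher and HMAC settings, because there is no negotiation at runtime; the EASY TO SETUP item only says the config file is shared, not that the build must be.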