| … | |
… | |
| 127 | .\} |
127 | .\} |
| 128 | .rm #[ #] #H #V #F C |
128 | .rm #[ #] #H #V #F C |
| 129 | .\" ======================================================================== |
129 | .\" ======================================================================== |
| 130 | .\" |
130 | .\" |
| 131 | .IX Title "GVPE 5" |
131 | .IX Title "GVPE 5" |
| 132 | .TH GVPE 5 "2005-01-27" "1.7" "GNU Virtual Private Ethernet" |
132 | .TH GVPE 5 "2005-02-22" "1.7" "GNU Virtual Private Ethernet" |
| 133 | .SH "NAME" |
133 | .SH "NAME" |
| 134 | GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. |
134 | GNU\-VPE \- Overview of the GNU Virtual Private Ethernet suite. |
| 135 | .SH "DESCRIPTION" |
135 | .SH "DESCRIPTION" |
| 136 | .IX Header "DESCRIPTION" |
136 | .IX Header "DESCRIPTION" |
| 137 | \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple |
137 | \&\s-1GVPE\s0 is a suite designed to provide a virtual private network for multiple |
| 138 | nodes over an untrusted network. |
138 | nodes over an untrusted network. This document first gives an introduction |
|
|
139 | to VPNs in general and then describes the specific implementation of \s-1GVPE\s0. |
|
|
140 | .Sh "\s-1WHAT\s0 \s-1IS\s0 A \s-1VPN\s0?" |
|
|
141 | .IX Subsection "WHAT IS A VPN?" |
|
|
142 | \&\s-1VPN\s0 is an acronym, it stands for: |
| 139 | .IP "\(bu" 4 |
143 | .IP "\(bu" 4 |
| 140 | .IX Xref "Virtual" |
144 | .IX Xref "Virtual" |
| 141 | Virtual means that no physical network is created (of course), but an |
145 | Virtual means that no physical network is created (of course), but a |
| 142 | ethernet is emulated by creating multiple tunnels between the member |
146 | network is \fIemulated\fR by creating multiple tunnels between the member |
| 143 | nodes. |
147 | nodes by encapsulating and sending data over another transport network. |
|
|
148 | .Sp |
|
|
149 | Usually the emulated network is a normal \s-1IP\s0 or Ethernet, and the transport |
|
|
150 | network is the Internet. However, using a \s-1VPN\s0 system like \s-1GVPE\s0 to connect |
|
|
151 | nodes over other untrusted networks such as Wireless \s-1LAN\s0 is not uncommon. |
| 144 | .IP "\(bu" 4 |
152 | .IP "\(bu" 4 |
| 145 | .IX Xref "Private" |
153 | .IX Xref "Private" |
| 146 | Private means that non-participating nodes cannot decode (\*(L"sniff)\*(R" nor |
154 | Private means that non-participating nodes cannot decode (\*(L"sniff)\*(R" nor |
| 147 | inject (\*(L"spoof\*(R") packets. |
155 | inject (\*(L"spoof\*(R") packets. This means that nodes can be connected over |
|
|
156 | untrusted networks such as the public Internet without fear of being |
|
|
157 | eavesdropped while at the same time being able to trust data sent by other |
|
|
158 | nodes. |
| 148 | .Sp |
159 | .Sp |
| 149 | In the case of gvpe, even participating nodes cannot sniff packets send to |
160 | In the case of \s-1GVPE\s0, even participating nodes cannot sniff packets |
| 150 | other nodes or spoof packets as if sent from other nodes. |
161 | send to other nodes or spoof packets as if sent from other nodes, so |
|
|
162 | communications between any two nodes is private to those two nodes. |
| 151 | .IP "\(bu" 4 |
163 | .IP "\(bu" 4 |
| 152 | .IX Xref "Network" |
164 | .IX Xref "Network" |
| 153 | Network means that more than two parties can participate in the network, |
165 | Network means that more than two parties can participate in the network, |
| 154 | so for instance it's possible to connect multiple branches of a company |
166 | so for instance it's possible to connect multiple branches of a company |
| 155 | into a single network. Many so-called \*(L"vpn\*(R" solutions only create |
167 | into a single network. Many so-called \*(L"vpn\*(R" solutions only create |
| 156 | point-to-point tunnels. |
168 | point-to-point tunnels, which in turn can be used to build larger |
|
|
169 | networks. |
|
|
170 | .Sp |
|
|
171 | \&\s-1GVPE\s0 provides a true multi-point network in wich any number of nodes (at |
|
|
172 | least a few dozen in practise, the theoretical limit is 4095 nodes) can |
|
|
173 | participate. |
| 157 | .Sh "\s-1DESIGN\s0 \s-1GOALS\s0" |
174 | .Sh "\s-1GVPE\s0 \s-1DESIGN\s0 \s-1GOALS\s0" |
| 158 | .IX Subsection "DESIGN GOALS" |
175 | .IX Subsection "GVPE DESIGN GOALS" |
| 159 | .IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 |
176 | .IP "\s-1SIMPLE\s0 \s-1DESIGN\s0" 4 |
| 160 | .IX Item "SIMPLE DESIGN" |
177 | .IX Item "SIMPLE DESIGN" |
| 161 | Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected |
178 | Cipher, \s-1HMAC\s0 algorithms and other key parameters must be selected |
| 162 | at compile time \- this makes it possible to only link in algorithms |
179 | at compile time \- this makes it possible to only link in algorithms |
| 163 | you actually need. It also makes the crypto part of the source very |
180 | you actually need. It also makes the crypto part of the source very |
| 164 | transparent and easy to inspect. |
181 | transparent and easy to inspect, and last not least this makes it possible |
|
|
182 | to hardcode the layout of all packets into the binary. \s-1GVPE\s0 goes a step |
|
|
183 | further and internally reserves blocks of the same length for all packets, |
|
|
184 | which virtually removes all possibilities of buffer overflows, as there is |
|
|
185 | only a single type of buffer and it's always of fixed length. |
| 165 | .IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 |
186 | .IP "\s-1EASY\s0 \s-1TO\s0 \s-1SETUP\s0" 4 |
| 166 | .IX Item "EASY TO SETUP" |
187 | .IX Item "EASY TO SETUP" |
| 167 | A few lines of config (the config file is shared unmodified between all |
188 | A few lines of config (the config file is shared unmodified between all |
| 168 | hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to |
189 | hosts) and a single run of \f(CW\*(C`gvpectrl\*(C'\fR to generate the keys suffices to |
| 169 | make it work. |
190 | make it work. |
