… | |
… | |
6 | protocol which is used to authenticate tunnels and send encrypted data |
6 | protocol which is used to authenticate tunnels and send encrypted data |
7 | packets. This protocol is described in more detail the second part of this |
7 | packets. This protocol is described in more detail the second part of this |
8 | document. |
8 | document. |
9 | |
9 | |
10 | The first part of this document describes the transport protocols which |
10 | The first part of this document describes the transport protocols which |
11 | are used by GVPE to send it's data packets over the network. |
11 | are used by GVPE to send its data packets over the network. |
12 | |
12 | |
13 | =head1 PART 1: Transport protocols |
13 | =head1 PART 1: Transport protocols |
14 | |
14 | |
15 | GVPE offers a wide range of transport protocols that can be used to |
15 | GVPE offers a wide range of transport protocols that can be used to |
16 | interchange data between nodes. Protocols differ in their overhead, speed, |
16 | interchange data between nodes. Protocols differ in their overhead, speed, |
… | |
… | |
54 | It should be used if RAW IP is not available. |
54 | It should be used if RAW IP is not available. |
55 | |
55 | |
56 | =head2 TCP |
56 | =head2 TCP |
57 | |
57 | |
58 | This protocol is a very bad choice, as it not only has high overhead (more |
58 | This protocol is a very bad choice, as it not only has high overhead (more |
59 | than 60 bytes), but the transport also retries on it's own, which leads |
59 | than 60 bytes), but the transport also retries on its own, which leads |
60 | to congestion when the link has moderate packet loss (as both the TCP |
60 | to congestion when the link has moderate packet loss (as both the TCP |
61 | transport and the tunneled traffic will retry, increasing congestion more |
61 | transport and the tunneled traffic will retry, increasing congestion more |
62 | and more). It also has high latency and is quite inefficient. |
62 | and more). It also has high latency and is quite inefficient. |
63 | |
63 | |
64 | It's only useful when tunneling through firewalls that block better |
64 | It's only useful when tunneling through firewalls that block better |
… | |
… | |
162 | Before nodes can exchange packets, they need to establish authenticity of |
162 | Before nodes can exchange packets, they need to establish authenticity of |
163 | the other side and a key. Every node has a private RSA key and the public |
163 | the other side and a key. Every node has a private RSA key and the public |
164 | RSA keys of all other nodes. |
164 | RSA keys of all other nodes. |
165 | |
165 | |
166 | When a node wants to establish a connection to another node, it sends an |
166 | When a node wants to establish a connection to another node, it sends an |
167 | RSA-OEAP-encrypted challenge and an ECDH key. The other node replies with |
167 | RSA-OEAP-encrypted challenge and an ECDH (curve25519) key. The other node |
168 | it's own ECDH key and a HKDF of the challange and both ECDH keys to proof |
168 | replies with its own ECDH key and a HKDF of the challenge and both ECDH |
169 | it's identity. |
169 | keys to prove its identity. |
170 | |
170 | |
171 | The remote node enganges in exactly the same protocol. When both nodes |
171 | The remote node enganges in exactly the same protocol. When both nodes |
172 | have exchanged their challenge and verified the response, they calculate a |
172 | have exchanged their challenge and verified the response, they calculate a |
173 | cipher key and a HMAC key and start exchanging data packets. |
173 | cipher key and a HMAC key and start exchanging data packets. |
174 | |
174 | |
… | |
… | |
180 | sequence number for data packets, key material for the HMAC key, key |
180 | sequence number for data packets, key material for the HMAC key, key |
181 | material for the cipher key, a salt used by the HKDF (as shown later) and |
181 | material for the cipher key, a salt used by the HKDF (as shown later) and |
182 | some extra random bytes that are unused except for authentication. It also |
182 | some extra random bytes that are unused except for authentication. It also |
183 | sends the public key of a curve25519 exchange. |
183 | sends the public key of a curve25519 exchange. |
184 | |
184 | |
185 | The remote node decrypts the RSA data, generates it's own ECDH key (ECDH2), and |
185 | The remote node decrypts the RSA data, generates its own ECDH key (ECDH2), |
186 | replies with: |
186 | and replies with: |
187 | |
187 | |
188 | HKDF-Expand (HKDF-Extract (ECDH2, RSA), ECDH1, AUTH_DIGEST_SIZE) ECDH2 |
188 | HKDF-Expand (HKDF-Extract (ECDH2, RSA), ECDH1, AUTH_DIGEST_SIZE) ECDH2 |
189 | |
189 | |
190 | That is, it extracts from the decrypted RSA challenge, using it's ECDH |
190 | That is, it extracts from the decrypted RSA challenge, using its ECDH |
191 | key as salt, and then expands using the requesting node's ECDH1 key. The |
191 | key as salt, and then expands using the requesting node's ECDH1 key. The |
192 | resulting has is returned as a proof that the node could decrypt the RSA |
192 | resulting hash is returned as a proof that the node could decrypt the RSA |
193 | challenge data, together with the ECDH key. |
193 | challenge data, together with the ECDH key. |
194 | |
194 | |
195 | After both nodes have done this to each other, they calculate the shared |
195 | After both nodes have done this to each other, they calculate the shared |
196 | ECDH secrets, cipher and HMAC keys for the session (each |
196 | ECDH secret, cipher and HMAC keys for the session (each node generates two |
197 | node generates two cipher and HMAC keys, one for sending and one for |
197 | cipher and HMAC keys, one for sending and one for receiving). |
198 | receiving). |
|
|
199 | |
198 | |
200 | The HMAC key for sending is generated as follow: |
199 | The HMAC key for sending is generated as follow: |
201 | |
200 | |
202 | HMAC_KEY = HKDF-Expand (HKDF-Extract (REMOTE_SALT, MAC ECDH_SECRET), info, HMAC_MD_SIZE) |
201 | HMAC_KEY = HKDF-Expand (HKDF-Extract (REMOTE_SALT, MAC ECDH_SECRET), info, HMAC_MD_SIZE) |
203 | |
202 | |
… | |
… | |
212 | perfect forward secrecy. |
211 | perfect forward secrecy. |
213 | |
212 | |
214 | The protocol has been overdesigned where this was possible without |
213 | The protocol has been overdesigned where this was possible without |
215 | increasing implementation complexity, in an attempt to protect against |
214 | increasing implementation complexity, in an attempt to protect against |
216 | implementation or protocol failures. For example, if the ECDH challenge |
215 | implementation or protocol failures. For example, if the ECDH challenge |
217 | was found to be flawed, perfect forward secrecy would be lost, but |
216 | was found to be flawed, perfect forward secrecy would be lost, but the |
218 | the data would still be protected. Likewise, standard algorithms and |
217 | data would likely still be protected. Likewise, standard algorithms and |
219 | implementations are used where possible. |
218 | implementations are used where possible. |
220 | |
219 | |
221 | =head2 Retrying |
220 | =head2 Retrying |
222 | |
221 | |
223 | When there is no response to an auth request, the node will send auth |
222 | When there is no response to an auth request, the node will send auth |
… | |
… | |
271 | |
270 | |
272 | =item Failing all that, the packet will be dropped. |
271 | =item Failing all that, the packet will be dropped. |
273 | |
272 | |
274 | =back |
273 | =back |
275 | |
274 | |
276 | A host can usually declare itself unreachable directly by setting it's |
275 | A host can usually declare itself unreachable directly by setting its |
277 | port number(s) to zero. It can declare other hosts as unreachable by using |
276 | port number(s) to zero. It can declare other hosts as unreachable by using |
278 | a config-file that disables all protocols for these other hosts. Another |
277 | a config-file that disables all protocols for these other hosts. Another |
279 | option is to disable all protocols on that host in the other config files. |
278 | option is to disable all protocols on that host in the other config files. |
280 | |
279 | |
281 | If two hosts cannot connect to each other because their IP address(es) |
280 | If two hosts cannot connect to each other because their IP address(es) |
… | |
… | |
287 | connection to the other peer, which is usually possible even when both |
286 | connection to the other peer, which is usually possible even when both |
288 | hosts are behind a NAT gateway. |
287 | hosts are behind a NAT gateway. |
289 | |
288 | |
290 | Routing via other nodes works because the SRCDST field is not encrypted, |
289 | Routing via other nodes works because the SRCDST field is not encrypted, |
291 | so the router can just forward the packet to the destination host. Since |
290 | so the router can just forward the packet to the destination host. Since |
292 | each host uses it's own private key, the router will not be able to |
291 | each host uses its own private key, the router will not be able to |
293 | decrypt or encrypt packets, it will just act as a simple router and |
292 | decrypt or encrypt packets, it will just act as a simple router and |
294 | protocol translator. |
293 | protocol translator. |
295 | |
294 | |
296 | |
295 | |