| … | |
… | |
| 89 | traffic even if it doesn't need to transport packets. |
89 | traffic even if it doesn't need to transport packets. |
| 90 | |
90 | |
| 91 | In addition, the same problems as the TCP transport also plague this |
91 | In addition, the same problems as the TCP transport also plague this |
| 92 | protocol. |
92 | protocol. |
| 93 | |
93 | |
| 94 | It's only use is to tunnel through firewalls that do not allow direct |
94 | Its only use is to tunnel through firewalls that do not allow direct |
| 95 | internet access. Similar to using a HTTP proxy (as the TCP transport |
95 | internet access. Similar to using a HTTP proxy (as the TCP transport |
| 96 | does), it uses a local DNS server/forwarder (given by the C<dns-forw-host> |
96 | does), it uses a local DNS server/forwarder (given by the C<dns-forw-host> |
| 97 | configuration value) as a proxy to send and receive data as a client, |
97 | configuration value) as a proxy to send and receive data as a client, |
| 98 | and an C<NS> record pointing to the GVPE server (as given by the |
98 | and an C<NS> record pointing to the GVPE server (as given by the |
| 99 | C<dns-hostname> directive). |
99 | C<dns-hostname> directive). |
| … | |
… | |
| 152 | |
152 | |
| 153 | Before nodes can exchange packets, they need to establish authenticity of |
153 | Before nodes can exchange packets, they need to establish authenticity of |
| 154 | the other side and a key. Every node has a private RSA key and the public |
154 | the other side and a key. Every node has a private RSA key and the public |
| 155 | RSA keys of all other nodes. |
155 | RSA keys of all other nodes. |
| 156 | |
156 | |
| 157 | A host establishes a simplex connection by sending the other node an |
157 | A host establishes a simplex connection by sending the other node an RSA |
| 158 | RSA encrypted challenge containing a random challenge (consisting of |
158 | encrypted challenge containing a random challenge (consisting of the |
| 159 | the encryption key to use when sending packets, more random data and |
159 | encryption and authentication keys to use when sending packets, more |
| 160 | PKCS1_OAEP padding) and a random 16 byte "challenge-id" (used to detect |
160 | random data and PKCS1_OAEP padding) and a random 16 byte "challenge-id" |
| 161 | duplicate auth packets). The destination node will respond by replying |
161 | (used to detect duplicate auth packets). The destination node will respond |
| 162 | with an (unencrypted) RIPEMD160 hash of the decrypted challenge, which |
162 | by replying with an (unencrypted) hash of the decrypted challenge, which |
| 163 | will authenticate that node. The destination node will also set the |
163 | will authenticate that node. The destination node will also set the |
| 164 | outgoing encryption parameters as given in the packet. |
164 | outgoing encryption parameters as given in the packet. |
| 165 | |
165 | |
| 166 | When the source node receives a correct auth reply (by verifying the |
166 | When the source node receives a correct auth reply (by verifying the |
| 167 | hash and the id, which will expire after 120 seconds), it will start to |
167 | hash and the id, which will expire after 120 seconds), it will start to |
| … | |
… | |
| 203 | will try to connect every few seconds. |
203 | will try to connect every few seconds. |
| 204 | |
204 | |
| 205 | =head2 Routing and Protocol translation |
205 | =head2 Routing and Protocol translation |
| 206 | |
206 | |
| 207 | The GVPE routing algorithm is easy: there isn't much routing to speak |
207 | The GVPE routing algorithm is easy: there isn't much routing to speak |
| 208 | of: When routing packets to another node, GVPE trues the following |
208 | of: When routing packets to another node, GVPE tries the following |
| 209 | options, in order: |
209 | options, in order: |
| 210 | |
210 | |
| 211 | =over 4 |
211 | =over 4 |
| 212 | |
212 | |
| 213 | =item If the two nodes should be able to reach each other directly (common |
213 | =item If the two nodes should be able to reach each other directly (common |
