… | |
… | |
127 | .\} |
127 | .\} |
128 | .rm #[ #] #H #V #F C |
128 | .rm #[ #] #H #V #F C |
129 | .\" ======================================================================== |
129 | .\" ======================================================================== |
130 | .\" |
130 | .\" |
131 | .IX Title "GVPE.PROTOCOL 7" |
131 | .IX Title "GVPE.PROTOCOL 7" |
132 | .TH GVPE.PROTOCOL 7 "2005-03-15" "1.8" "GNU Virtual Private Ethernet" |
132 | .TH GVPE.PROTOCOL 7 "2005-03-17" "1.8" "GNU Virtual Private Ethernet" |
133 | .SH "The GNU-VPE Protocols" |
133 | .SH "The GNU-VPE Protocols" |
134 | .IX Header "The GNU-VPE Protocols" |
134 | .IX Header "The GNU-VPE Protocols" |
135 | .SH "Overview" |
135 | .SH "Overview" |
136 | .IX Header "Overview" |
136 | .IX Header "Overview" |
137 | \&\s-1GVPE\s0 can make use of a number of protocols. One of them is the \s-1GNU\s0 \s-1VPE\s0 |
137 | \&\s-1GVPE\s0 can make use of a number of protocols. One of them is the \s-1GNU\s0 \s-1VPE\s0 |
… | |
… | |
141 | .PP |
141 | .PP |
142 | The first part of this document describes the transport protocols which |
142 | The first part of this document describes the transport protocols which |
143 | are used by \s-1GVPE\s0 to send it's data packets over the network. |
143 | are used by \s-1GVPE\s0 to send it's data packets over the network. |
144 | .SH "PART 1: Tansport protocols" |
144 | .SH "PART 1: Tansport protocols" |
145 | .IX Header "PART 1: Tansport protocols" |
145 | .IX Header "PART 1: Tansport protocols" |
|
|
146 | \&\s-1GVPE\s0 offers a range of transport protocols that can be used to interchange |
|
|
147 | data between nodes. Protocols differ in their overhead, speed, |
|
|
148 | reliability, and robustness. |
|
|
149 | .PP |
|
|
150 | The following sections describe each transport protocol in more |
|
|
151 | detail. They are sorted by overhead/efficiency, the most efficient |
|
|
152 | transprot is listed first: |
146 | .Sh "\s-1RAW\s0 \s-1IP\s0" |
153 | .Sh "\s-1RAW\s0 \s-1IP\s0" |
147 | .IX Subsection "RAW IP" |
154 | .IX Subsection "RAW IP" |
|
|
155 | This protocol is the best choice, performance\-wise, as the minimum |
|
|
156 | overhead per packet is only 38 bytes. |
|
|
157 | .PP |
|
|
158 | It works by sending the \s-1VPN\s0 payload using raw ip frames (using the |
|
|
159 | protocol set by \f(CW\*(C`ip\-proto\*(C'\fR). |
|
|
160 | .PP |
|
|
161 | Using raw ip frames has the drawback that many firewalls block \*(L"unknown\*(R" |
|
|
162 | protocols, so this transport only works if you have full \s-1IP\s0 connectivity |
|
|
163 | between nodes. |
148 | .Sh "\s-1ICMP\s0" |
164 | .Sh "\s-1ICMP\s0" |
149 | .IX Subsection "ICMP" |
165 | .IX Subsection "ICMP" |
|
|
166 | This protocol offers very low overhead (minimum 42 bytes), and can |
|
|
167 | sometimes tunnel through firewalls when other protocols cannot. |
|
|
168 | .PP |
|
|
169 | It works by prepending a \s-1ICMP\s0 header with type \f(CW\*(C`icmp\-type\*(C'\fR and a code |
|
|
170 | of \f(CW255\fR. The default \f(CW\*(C`icmp\-type\*(C'\fR is \f(CW\*(C`echo\-reply\*(C'\fR, so the resulting |
|
|
171 | packets look like echo replies, which looks rather strange to network |
|
|
172 | admins. |
|
|
173 | .PP |
|
|
174 | This transport should only be used if other transports (i.e. raw ip) are |
|
|
175 | not available or undesirable (due to their overhead). |
150 | .Sh "\s-1UDP\s0" |
176 | .Sh "\s-1UDP\s0" |
151 | .IX Subsection "UDP" |
177 | .IX Subsection "UDP" |
|
|
178 | This is a good general choice for the transport protocol as \s-1UDP\s0 packets |
|
|
179 | tunnel well through most firewalls and routers, and the overhead per |
|
|
180 | packet is moderate (minimum 58 bytes). |
|
|
181 | .PP |
|
|
182 | It should be used if \s-1RAW\s0 \s-1IP\s0 is not available. |
152 | .Sh "\s-1TCP\s0" |
183 | .Sh "\s-1TCP\s0" |
153 | .IX Subsection "TCP" |
184 | .IX Subsection "TCP" |
|
|
185 | This protocol is a very bad choice, as it not only has high overhead (more |
|
|
186 | than 60 bytes), but the transport also retries on it's own, which leads |
|
|
187 | to congestion when the link has moderate packet loss (as both the \s-1TCP\s0 |
|
|
188 | transport and the tunneled traffic will retry, increasing congestion more |
|
|
189 | and more). It also has high latency and is quite inefficient. |
|
|
190 | .PP |
|
|
191 | It's only useful when tunneling through firewalls that block better |
|
|
192 | protocols. If a node doesn't have direct internet access but a \s-1HTTP\s0 proxy |
|
|
193 | that supports the \s-1CONNECT\s0 method it can be used to tunnel through a web |
|
|
194 | proxy. For this to work, the \f(CW\*(C`tcp\-port\*(C'\fR should be \f(CW443\fR (\f(CW\*(C`https\*(C'\fR), as |
|
|
195 | most proxies do not allow connections to other ports. |
|
|
196 | .PP |
|
|
197 | It is an abuse of the usage a proxy was designed for, so make sure you are |
|
|
198 | allowed to use it for \s-1GVPE\s0. |
|
|
199 | .PP |
|
|
200 | This protocol also has server and client sides. If the \f(CW\*(C`tcp\-port\*(C'\fR is set |
|
|
201 | to zero, other nodes cannot connect to this node directly (and \f(CW\*(C`tcp\-port\*(C'\fR |
|
|
202 | zero cannot be used). If the \f(CW\*(C`tcp\-port\*(C'\fR is non\-zero, the node can act |
|
|
203 | both as a client as well as a server. |
154 | .Sh "\s-1DNS\s0" |
204 | .Sh "\s-1DNS\s0" |
155 | .IX Subsection "DNS" |
205 | .IX Subsection "DNS" |
|
|
206 | \&\fB\s-1WARNING:\s0\fR Parsing and generating \s-1DNS\s0 packets is rather tricky. The code |
|
|
207 | almost certainly contains buffer overflows and other, likely exploitable, |
|
|
208 | bugs. You have been warned. |
|
|
209 | .PP |
|
|
210 | This is the worst choice of transport protocol with respect to overhead |
|
|
211 | (overhead can be 2\-3 times higher than the transferred data), and latency |
|
|
212 | (which can be many seconds). Some \s-1DNS\s0 servers might not be prepared to |
|
|
213 | handle the traffic and drop or corrupt packets. The client also has to |
|
|
214 | constantly poll the server for data, so the client will constantly create |
|
|
215 | traffic even if it doesn't need to transport packets. |
|
|
216 | .PP |
|
|
217 | In addition, the same problems as the \s-1TCP\s0 transport also plague this |
|
|
218 | protocol. |
|
|
219 | .PP |
|
|
220 | Most configuration needs to be done by editing \f(CW\*(C`src/vpn_dns.C\*(C'\fR directly. |
|
|
221 | .PP |
|
|
222 | It's only use is to tunnel through firewalls that do not allow direct |
|
|
223 | internet access. Similar to using a \s-1HTTP\s0 proxy (as the \s-1TCP\s0 transport |
|
|
224 | does), it uses a local \s-1DNS\s0 server/forwarder (given by the \f(CW\*(C`dns\-forw\-host\*(C'\fR |
|
|
225 | configuration value) as a proxy to send and receive data as a client, |
|
|
226 | and a \f(CW\*(C`NS\*(C'\fR record pointing to the \s-1GVPE\s0 server (as given by the |
|
|
227 | \&\f(CW\*(C`dns\-hostname\*(C'\fR directive). |
|
|
228 | .PP |
|
|
229 | The only good side of this protocol is that it can tunnel through most |
|
|
230 | firewalls undetected, iff the local \s-1DNS\s0 server/forwarder is sane (which is |
|
|
231 | true for most routers, wlan gateways and nameservers). |
156 | .SH "PART 2: The GNU VPE protocol" |
232 | .SH "PART 2: The GNU VPE protocol" |
157 | .IX Header "PART 2: The GNU VPE protocol" |
233 | .IX Header "PART 2: The GNU VPE protocol" |
158 | This section, unfortunately, is not yet finished, although the protocol |
234 | This section, unfortunately, is not yet finished, although the protocol |
159 | is stable (until bugs in the cryptography are found, which will likely |
235 | is stable (until bugs in the cryptography are found, which will likely |
160 | completely change the following description). Nevertheless, it should give |
236 | completely change the following description). Nevertheless, it should give |