Solve Virtual Private Network (VPN) Seed Lab

networking report and need the explanation and answer to help me learn.

solve all tasks with screenshots and observations.
Requirements:
SEED Labs – VPN Lab
Virtual Private Network (VPN) Lab

Copyright © 2006 - 2016 Wenliang Du, All rights reserved. Free to use for non-commercial educational purposes. Commercial uses of the materials are prohibited. The SEED project was funded by multiple grants from the US National Science Foundation.

1 Overview

A Virtual Private Network (VPN) is used for creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the Internet. VPN is a widely used security technology. VPN can be built upon IPSec or TLS/SSL (Transport Layer Security/Secure Socket Layer). These are two fundamentally different approaches for building VPNs. In this lab, we focus on the TLS/SSL-based VPNs. This type of VPN is often referred to as TLS/SSL VPN.

The learning objective of this lab is for students to master the network and security technologies underlying VPNs. To achieve this goal, students will be asked to implement a simple TLS/SSL VPN. Although this VPN is simple, it does include all the essential elements of a VPN. The design and implementation of TLS/SSL VPNs exemplify a number of security principles, including the following:

• Virtual Private Network
• TUN/TAP, and IP tunneling
• Routing
• Public-key cryptography, PKI, and X.509 certificate
• TLS/SSL programming
• Authentication

Readings and videos. Detailed coverage of VPN, PKI, and TLS can be found in the following:

• Chapters 19, 24, and 25 of the SEED Book, Computer & Internet Security: A Hands-on Approach, 2nd Edition, by Wenliang Du. See details at https://www.handsonsecurity.net.
• Section 8 of the SEED Lecture, Internet Security: A Hands-on Approach, by Wenliang Du. See details at https://www.handsonsecurity.net/video.html.

Related labs. We have a separate SEED lab on PKI, and another one on TLS. It is recommended that students finish these two crypto labs before working on this comprehensive VPN lab. If students are only interested in the tunneling part of the VPN (without the crypto part), they should use the VPN Tunneling Lab, instead of this one.

Lab Environment. This lab has been tested on our pre-built Ubuntu 16.04 VM. We need to use the openssl package in this lab. The package includes the header files, libraries, and commands. The package was already installed in our pre-built VM image.
2 Lab Tasks

In this lab, students need to implement a simple VPN for Linux. We will call it miniVPN.

2.1 Task 1: VM Setup

We will create a VPN tunnel between a computer (client) and a gateway, allowing the computer to securely access a private network via the gateway. We need at least three VMs: VPN client (also serving as Host U), VPN server (the gateway), and a host in the private network (Host V). The network setup is depicted in Figure 1.

Figure 1: VM setup for this lab

In practice, the VPN client and VPN server are connected via the Internet. For the sake of simplicity, we directly connect these two machines to the same LAN in this lab, i.e., this LAN simulates the Internet. We will use the "NAT Network" adaptor for this LAN. The third machine, Host V, is a computer inside the private network. Users on Host U (outside of the private network) want to communicate with Host V via the VPN tunnel. To simulate this setup, we connect Host V to VPN Server (also serving as a gateway) via an "Internal Network". In such a setup, Host V is not directly accessible from the Internet; nor is it directly accessible from Host U.

Note: if a VM uses the "Internal Network" mode, VirtualBox provides no DHCP to it, so the VM must be statically configured. To do this, click the network icon on the top-right corner of the desktop, and select "Edit Connections". You will see a list of "Wired connections", one for each of the network adaptors used by the VM. For Host V, there is only one connection, but for VPN Server, we will see two. To make sure that you pick the one corresponding to the "Internal Network" adapter, you can check the MAC address displayed in the pop-up window after you have picked a connection to edit. Compare this MAC address with the one that you get from ifconfig, and you will know whether you picked the right connection. After you have selected the right connection to edit, pick the "IPv4 Settings" tab and select the "Manual" method, instead of the default "Automatic (DHCP)". Click the "Add" button to set up the new IP address for the VM. See Figure 2 for details.
Figure 2: Manually set up the IP address for the "Internal Network" adaptor on VPN Server.

2.2 Task 2: Creating a VPN Tunnel using TUN/TAP

The enabling technology for the TLS/SSL VPNs is TUN/TAP, which is now widely implemented in modern operating systems. TUN and TAP are virtual network kernel drivers; they implement network devices that are supported entirely in software. TAP (as in network tap) simulates an Ethernet device and it operates with layer-2 packets such as Ethernet frames; TUN (as in network TUNnel) simulates a network layer device and it operates with layer-3 packets such as IP packets. With TUN/TAP, we can create virtual network interfaces.

A user-space program is usually attached to the TUN/TAP virtual network interface. Packets sent by an operating system via a TUN/TAP network interface are delivered to the user-space program. On the other hand, packets sent by the program via a TUN/TAP network interface are injected into the operating system network stack; to the operating system, it appears that the packets come from an external source through the virtual network interface.

When a program is attached to a TUN/TAP interface, the IP packets that the computer sends to this interface will be piped into the program; on the other hand, the IP packets that the program sends to the interface will be piped into the computer, as if they came from the outside through this virtual network interface. The program can use the standard read() and write() system calls to receive packets from or send packets to the virtual interface.

We have created a sample VPN client program (vpnclient) and a server program (vpnserver), both of which can be downloaded from this lab's website. The programs are explained in detail in Chapter 16 of the SEED book titled Computer & Internet Security: A Hands-on Approach, 2nd Edition; the chapter also explains how TUN/TAP works and how to use it to create a VPN.

The vpnclient and vpnserver programs are the two ends of a VPN tunnel. They communicate with each other using either TCP or UDP via the sockets depicted in Figure 3. In our sample code, we choose to use UDP for the sake of simplicity. The dotted line between the client and server depicts the path for the VPN tunnel. The VPN client and server programs connect to the hosting system via a TUN interface, through which they do two things: (1) get IP packets from the hosting system, so the packets can be sent through the tunnel, (2) get IP packets from the tunnel, and then forward them to the hosting system, which will forward the packet to its final destination. The following procedure describes how to create a VPN tunnel using the vpnclient and vpnserver programs.
Figure 3: VPN client and server

Step 1: Run VPN Server. We first run the VPN server program vpnserver on the Server VM. After the program runs, a virtual TUN network interface will appear in the system (we can see it using the "ifconfig -a" command; the name of the interface will be tun0 in most cases, but it can be tunX, where X is a number). This new interface is not yet configured, so we need to configure it by giving it an IP address. We use 192.168.53.1 for this interface.

Run the following commands. The first command will start the server program, and the second command assigns an IP address to the tun0 interface and then activates it. It should be noted that the first command will block and wait for connections, so we need to find another window to run the second command.

    $ sudo ./vpnserver

Run the following command in another window:

    $ sudo ifconfig tun0 192.168.53.1/24 up

Unless specifically configured, a computer will only act as a host, not as a gateway. The VPN Server needs to forward packets between the private network and the tunnel, so it needs to function as a gateway. We need to enable IP forwarding for a computer to behave like a gateway. IP forwarding can be enabled using the following command:

    $ sudo sysctl net.ipv4.ip_forward=1

Step 2: Run VPN Client. We now run the VPN client program on the Client VM. We run the following commands on this machine (the first command will connect to the VPN server program running on 10.0.2.8). This command will block as well, so we need to find another window to configure the tun0 interface created by the VPN client program. We assign IP address 192.168.53.5 to the tun0 interface.

On VPN Client VM:

    $ sudo ./vpnclient 10.0.2.8

Run the following command in a different window:

    $ sudo ifconfig tun0 192.168.53.5/24 up
Step 3: Set Up Routing on Client and Server VMs. After the above two steps, the tunnel will be established. Before we can use the tunnel, we need to set up routing paths on both client and server machines to direct the intended traffic through the tunnel. On the client machine, we need to direct all the packets going to the private network (192.168.60.0/24) towards the tun0 interface, from where the packets can be forwarded through the VPN tunnel. Without this setup, we will not be able to access the private network at all. We can use the route command to add a routing entry. The following example shows how to route the 10.20.30.0/24-bound packets to the interface eth0.

    $ sudo route add -net 10.20.30.0/24 eth0

On both client and server machines, we also need to set up a routing entry so all the traffic going to the 192.168.53.0/24 network is directed to the tun0 interface. This entry will usually be automatically added when we assign 192.168.53.X to the tun0 interface. If for some reason it is not added, we can use the route command to add it.

Step 4: Set Up Routing on Host V. When Host V replies to a packet sent from Host U, it needs to route the packets to the VPN Server VM, from where it can be fed into the VPN tunnel toward the other end. You need to find out what entry to add, and then use the route command to add the routing entry. Hint: when Host V receives a packet from Host U (via the tunnel), you need to know what the source IP is in the packet; in the reply packet, the source IP becomes the destination IP, which will be used by the routing table. Therefore, you need to figure out the source IP of the packets from U to V. It is your task to figure this out and set the routing correctly in this step.

Step 5: Test the VPN Tunnel. After everything is set up, we can access Host V from Host U via the tunnel. Please conduct the following tests using ping and telnet; please report your results. You should use Wireshark to capture the network traffic on all the interfaces on the client VM, and pinpoint which packets are part of the tunnel traffic, and which packets are not the tunnel traffic.

On Host U:

    $ ping 192.168.60.101
    $ telnet 192.168.60.101

Step 6: Tunnel-Breaking Test. On Host U, telnet to Host V. While keeping the telnet connection alive, we break the VPN tunnel. We then type something in the telnet window, and report what you observe. We then reconnect the VPN tunnel. What is going to happen to the telnet connection? Will it be broken or resumed? Please describe and explain your observations.

2.3 Task 3: Encrypting the Tunnel

At this point, we have created an IP tunnel, but our tunnel is not protected. Only after we have secured this tunnel can we call it a VPN tunnel. This is what we are going to achieve in this task.

To secure this tunnel, we need to achieve two goals, confidentiality and integrity. Confidentiality is achieved using encryption, i.e., the contents that go through the tunnel are encrypted. The integrity goal ensures that nobody can tamper with the traffic in the tunnel or launch a replay attack. Integrity can be achieved using a Message Authentication Code (MAC). Both goals can be achieved using Transport Layer Security (TLS). TLS is typically built on top of TCP. The sample VPN client and server programs in Task 2 use UDP, so we first need to replace the UDP channel in the sample code with a TCP channel, and then establish a TLS session between the two ends of the tunnel. A sample TLS client and server program (tlsclient and tlsserver) is provided in a zip file that can be downloaded from the website. Instructions on how to compile and run the code are provided in the README file included in the zip file. For a detailed explanation of the sample code, please read Chapter 25 of the SEED book (Computer & Internet Security: A Hands-on Approach, 2nd Edition).

In your demonstration, you need to use Wireshark to capture the traffic inside the VPN tunnel, and show that the traffic is indeed encrypted.

2.4 Task 4: Authenticating the VPN Server

Before a VPN is established, the VPN client must authenticate the VPN server, making sure that the server is not a fraudulent one. On the other hand, the VPN server must authenticate the client (i.e. user), making sure that the user has the permission to access the private network. In this task, we implement the server authentication; the client authentication is in the next task.

A typical way to authenticate servers is to use public-key certificates. The VPN server needs to first get a public-key certificate from a Certificate Authority (CA). When a client makes a connection to the VPN server, the server will use the certificate to prove it is the intended server. The HTTPS protocol uses this approach to authenticate web servers, ensuring that you are talking to an intended web server, not a fake one. In this lab, MiniVPN should use such a method to authenticate the VPN server.

We can implement an authentication protocol (such as TLS/SSL) from scratch, but fortunately, openssl has taken care of most of the work for us. We just need to configure our TLS session properly, so openssl can conduct the authentication automatically for us. There are three important steps in server authentication: (1) verifying that the server certificate is valid, (2) verifying that the server is the owner of the certificate, and (3) verifying that the server is the intended server (for example, if the user intends to visit example.com, we need to ensure that the server is indeed example.com, not another site). Please point out what lines of the code in your program carry out the above verifications. In your demonstration, you need to demonstrate two different cases regarding the third verification: a successful server authentication where the server is the intended server, and a failed server authentication where the server is not the intended server.

Note: Our MiniVPN program should be able to communicate with VPN servers on different machines, so you cannot hardcode the hostname of the VPN server in the program. The hostname needs to be typed in from the command line. This name represents the user's intention, so it should be used in the verification. This name should also be used to find the IP address of the server. Section 3.2 provides a sample program to show you how to get the IP address for a given hostname.

Our sample TLS client and server programs. Server authentication is implemented in the sample programs provided by us. Part of the authentication requires the certificate of the CA who issues the server certificate. We have put two CA certificates in the ./caclient folder: one is the CA that issues our server's certificate (the hostname of the server is vpnlabserver.com), and the other is the CA that issues Google's certificate. Therefore, the sample TLS client program can talk to our own server, as well as Google's HTTPS server:

    $ ./tlsclient vpnlabserver.com 4433
    $ ./tlsclient www.google.com 443

It should be noted that students should not use vpnlabserver.com from the sample code as their VPN server name; instead, they should include their last name in the server name. Students should generate their own CA in order to create server certificates. The objective of this requirement is to differentiate students' work.

To use our client to talk to an HTTPS server, we need to get its CA's certificate, save the certificate in the ./caclient folder, and create a symbolic link to it (or rename it) using the hash value generated from its subject field. For example, to enable our client to talk to Google, who gets its certificate from a root CA called "GeoTrust Global CA", we get this root CA's certificate (GeoTrustGlobalCA.pem) from the Firefox browser, and run the following command to get its hash and then set up the symbolic link:

    $ openssl x509 -in GeoTrustGlobalCA.pem -noout -subject_hash
    2c543cd1
    $ ln -s GeoTrustGlobalCA.pem 2c543cd1.0
    $ ls -l
    lrwxrwxrwx 1 ... 2c543cd1.0 -> GeoTrustGlobalCA.pem
    lrwxrwxrwx 1 ... 9b58639a.0 -> cacert.pem
    -rw-r--r-- 1 ... cacert.pem
    -rw-r--r-- 1 ... GeoTrustGlobalCA.pem

2.5 Task 5: Authenticating the VPN Client

Accessing the machines inside a private network is a privilege that is only granted to authorized users, not to everybody. Therefore, only authorized users are allowed to establish a VPN tunnel with the VPN server. In this task, authorized users are those who have a valid account on the VPN server. We will therefore use the standard password authentication to authenticate users. Basically, when a user tries to establish a VPN tunnel with the VPN server, the user will be asked to provide a username and a password. The server will check its shadow file (/etc/shadow); if a matching record is found, the user is authenticated, and the VPN tunnel will be established. If there is no match, the server will break its connection with the user, and thus no tunnel will be established. See Section 3.3 for sample code on how to authenticate users using the shadow file.

2.6 Task 6: Supporting Multiple Clients

In the real world, one VPN server often supports multiple VPN tunnels. Namely, the VPN server allows more than one client to connect to it simultaneously, with each client having its own VPN tunnel (and thus its own TLS session). Our MiniVPN should support multiple clients.

In a typical implementation, the VPN server process (the parent process) will create a child process for each tunnel (see Figure 4). When a packet comes from the tunnel, its corresponding child process will get the packet, and forward it to the TUN interface. This direction is the same regardless of whether multiple clients are supported or not. It is the other direction that becomes challenging. When a packet arrives at the TUN interface (from the private network), the parent process will get the packet; now it needs to figure out which tunnel this packet should go to. You need to think about how to implement this decision-making logic. Once the decision is made and a tunnel is selected, the parent process needs to send the packet to the child process, to which the selected tunnel is attached. This calls for IPC (Inter-Process Communication). A typical approach is to use pipes. We provide a sample program in Section 3.4 to demonstrate how to use pipes for IPC. Child processes need to monitor this pipe interface, and read data from it if there are data. Since child processes also need to watch out for data coming from the socket interface, they need to simultaneously monitor multiple interfaces. Section 3.5 shows how to achieve that.

Figure 4: Supporting multiple VPN clients

3 Guidelines

3.1 Displaying TLS Traffic in Wireshark

Wireshark identifies TLS/SSL traffic based on port numbers. It knows 443 is the default port number for HTTPS, but our VPN server listens to a different and non-standard port number. We need to let Wireshark know that; otherwise, Wireshark will not label our traffic as SSL/TLS traffic. Here is what we can do: go to the Edit menu in Wireshark, and click Preferences, Protocols, HTTP, and then find the "SSL/TLS Ports" entry. Add your SSL server port. For example, we can change the content of the entry to 443,4433, where 4433 is the port used by our SSL server.

Displaying decrypted traffic. The approach shown above only gets Wireshark to recognize the traffic as TLS/SSL traffic; Wireshark cannot decrypt the encrypted traffic. For debugging purposes, we would like to see the decrypted traffic. Wireshark provides such a feature; all we need to do is to provide the server's private key to Wireshark, and Wireshark will automatically derive the session keys from the TLS/SSL handshake protocol, and use these keys to decrypt traffic. (This works only when the handshake uses RSA key exchange; with (EC)DHE cipher suites the session keys cannot be derived from the server's private key.) To provide the server's private key to Wireshark, do the following:

Click Edit -> Preferences -> Protocols -> SSL
Find the "RSA keys list", and click the Edit button
Provide the required information about the server, see this example:

    IP Address: 10.0.2.65
    Port: 4433
    Protocol: ssl
    Key File: /home/seed/vpn/server-key.pem (private key file)
    Password: deesdees
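Verification step (3) of Task 4, the "intended server" check, as an added illustration that is not part of the lab's sample code: a name matcher in the spirit of what OpenSSL's X509_check_host() does when the hostname typed on the command line is compared against the names in the server certificate. The certificate names and requested hostnames are constructed, and the wildcard rules are deliberately stricter than OpenSSL's defaults (no partial-label wildcards).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated DNS names. */
static bool name_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Number of dot-separated labels in a name (no trailing dot expected). */
static size_t count_labels(const char *s)
{
    size_t n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/*
 * Does a name found in the server certificate (pattern) identify the host
 * the user asked for? Rules in the spirit of RFC 6125:
 *   - a plain name must match exactly (case-insensitively);
 *   - a wildcard is accepted only as the whole left-most label, it matches
 *     exactly one label, and at least two labels must follow it, so
 *     "*.example.com" matches "vpn.example.com" but not "example.com" or
 *     "a.b.example.com", and "*.com" is rejected outright.
 */
bool host_matches_pattern(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return false;
    if (pattern[0] == '*') {
        if (pattern[1] != '.' || count_labels(pattern) < 3)
            return false;                  /* "vpn*.x.y" or "*.com" */
        const char *rest = strchr(host, '.');
        if (rest == NULL || rest == host)  /* nothing for the '*' to consume */
            return false;
        return name_ieq(pattern + 2, rest + 1);
    }
    if (strchr(pattern, '*') != NULL)      /* wildcard outside the first label */
        return false;
    return name_ieq(pattern, host);
}

/* Scan the names the certificate carries (subject alternative names first,
 * then the subject CN) for one that identifies the requested host. Returns
 * the matching index, or -1 when none matches, in which case the client must
 * abort the handshake rather than talk to the server. */
int intended_server_check(const char *names[], size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (host_matches_pattern(names[i], host))
            return (int)i;
    return -1;
}

/* Constructed example: names from a hypothetical server certificate. */
static const char *CERT_NAMES[] = { "*.example.com", "vpnlabserver.com" };

int demo_check(const char *host)
{
    return intended_server_check(CERT_NAMES, 2, host);
}

int main(void)
{
    const char *requested[] = { "vpnlabserver.com", "vpn.example.com",
                                "a.b.example.com", "www.google.com" };
    for (size_t i = 0; i < 4; i++)
        printf("%-20s -> %s\n", requested[i],
               demo_check(requested[i]) >= 0 ? "intended server"
                                             : "NOT the intended server, abort");
    return 0;
}
```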
3.2 Getting IP Address from Hostname

Given a hostname, we can get the IP address for this name. In our sample tlsclient program, we use the gethostbyname() function to get the IP address. However, this function is obsolete because it does not support IPv6. Applications should use getaddrinfo() instead. The following example shows how to use this function to get IP addresses.

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    struct addrinfo hints, *result;   // global, so hints starts zeroed

    int main()
    {
      hints.ai_family = AF_INET;   // AF_INET means IPv4 only addresses

      int error = getaddrinfo("www.example.com", NULL, &hints, &result);
      if (error) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(error));
        exit(1);
      }

      // The result may contain a list of IP addresses; we take the first one.
      struct sockaddr_in *ip = (struct sockaddr_in *) result->ai_addr;
      printf("IP Address: %s\n", (char *) inet_ntoa(ip->sin_addr));

      freeaddrinfo(result);
      return 0;
    }

3.3 Authentication Using the Shadow File

The following program shows how to authenticate a user using the account information stored in the shadow file. The program uses getspnam() to get a given user's account information from the shadow file, including the hashed password. It then uses crypt() to hash a given password and see whether the result matches the value fetched from the shadow file. If so, the username and the password match, and the authentication is successful.

    #include <stdio.h>
    #include <string.h>
    #include <shadow.h>
    #include <crypt.h>

    int login(char *user, char *passwd)
    {
      struct spwd *pw;
      char *epasswd;

      pw = getspnam(user);       // NULL if the user does not exist (or no root privilege)
      if (pw == NULL) {
        return -1;
      }

      printf("Login name: %s\n", pw->sp_namp);
      printf("Passwd    : %s\n", pw->sp_pwdp);   // debugging output; drop it in MiniVPN

      // Hash the supplied password with the salt/settings stored in the shadow entry.
      epasswd = crypt(passwd, pw->sp_pwdp);
      if (epasswd == NULL || strcmp(epasswd, pw->sp_pwdp)) {
        return -1;
      }
      return 1;
    }

    int main(int argc, char **argv)
    {
      if (argc < 3) {
        printf("Please provide a username and a password\n");
        return 1;
      }
      int r = login(argv[1], argv[2]);
      printf("Result: %d\n", r);
      return 0;
    }

We can compile the code above and run it with a username and a password. It should be noted that the root privilege is needed when reading from the shadow file. See the following commands for compilation and execution.

    $ gcc login.c -lcrypt
    $ sudo ./a.out seed dees

It should be noted that we use -lcrypt in the above compilation; we used -lcrypto when compiling our TLS programs. The crypt and crypto are two different libraries, so this is not a typo.

3.4 Inter-Process Communication Using Pipe

The following program shows how a parent process sends data to its child process using a pipe. The parent process creates a pipe using pipe() in Line (1). Each pipe has two ends: the input end's file descriptor is fd[0], and the output end's file descriptor is fd[1]. After the pipe is created, a child process is spawned using fork(). Both parent and child processes have the file descriptors associated with the pipe. They can send data to each other using the pipe, which is bi-directional. However, we will only use this pipe to send data from the parent process to the child process, and the parent will not read anything from the pipe, so we close the input end fd[0] in the parent process. Similarly, the child does not send anything via the pipe, so it closes the output end fd[1]. At this point, we have established a uni-directional pipe from the parent process to the child process. To send data via the pipe, the parent process writes to fd[1] (see Line (2)); to receive data from the pipe, the child process reads from fd[0] (see Line (3)).
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(void)
    {
      int fd[2], nbytes;
      pid_t pid;
      char string[] = "Hello, world!\n";
      char readbuffer[80];

      pipe(fd);                                                // (1)

      if ((pid = fork()) == -1) {
        perror("fork");
        exit(1);
      }

      if (pid > 0) {   // parent process
        close(fd[0]);  // Close the input end of the pipe.
        // Write data to the pipe.
        write(fd[1], string, (strlen(string) + 1));            // (2)
        exit(0);
      } else {         // child process
        close(fd[1]);  // Close the output end of the pipe.
        // Read data from the pipe.
        nbytes = read(fd[0], readbuffer, sizeof(readbuffer));  // (3)
        printf("Child process received string: %s", readbuffer);
      }
      return (0);
    }

3.5 Using select to Monitor Multiple Input Interfaces

Our VPN program needs to monitor multiple interfaces, including the TUN interface, the socket interface, and sometimes, the pipe interface. All these interfaces are represented by file descriptors, so we need to monitor them to see whether there are data coming from them. One way to do that is to keep polling them, and see whether there are data on each of the interfaces. The performance of this approach is undesirable, because the process has to keep running in an idle loop when there is no data. Another way is to read from an interface. By default, read is blocking, i.e., the process will be suspended if there are no data. When data become available, the process will be unblocked, and its execution will continue. This way, it does not waste CPU time when there is no data.

The read-based blocking mechanism works well for one interface. If a process is waiting on multiple interfaces, it cannot block on just one of the interfaces. It has to block on all of them altogether. Linux has a system call called select(), which allows a program to monitor multiple file descriptors simultaneously. To use select(), we need to store all the file descriptors to be monitored in a set using the FD_SET macro (see Lines (1) and (2) in the code below). We then give the set to the select() system call (Line (3)), which will block the process until data are available on one of the file descriptors in the set. We can then use the FD_ISSET macro to figure out which file descriptor has received data. In the following code example, we use select() to monitor a TUN and a socket file descriptor (sockfd and tunfd are assumed to be already open).

    #include <sys/select.h>

    fd_set readFDSet;
    int ret, sockfd, tunfd;

    FD_ZERO(&readFDSet);
    FD_SET(sockfd, &readFDSet);                                // (1)
    FD_SET(tunfd, &readFDSet);                                 // (2)
    ret = select(FD_SETSIZE, &readFDSet, NULL, NULL, NULL);    // (3)

    if (FD_ISSET(sockfd, &readFDSet)) {
      // Read data from sockfd, and do something.
    }
    if (FD_ISSET(tunfd, &readFDSet)) {
      // Read data from tunfd, and do something.
    }

3.6 An example: using telnet in our VPN

To help you fully understand how packets from an application flow to its destination through our MiniVPN, we have drawn two figures to illustrate the complete packet flow path when users run telnet 10.0.20.100 from a host machine, which is the Point A of a host-to-gateway VPN. The other end of the VPN is on a gateway, which is connected to the 10.0.20.0/24 network, where our telnet server 10.0.20.100 resides. Figure 5(a) shows how a packet flows from the telnet client to the server. Figure 5(b) shows how a packet flows from the telnet server back to the client. We will only describe the path in Figure 5(a) in the following. The return path is self-explanatory from Figure 5(b) once you have understood the path in Figure 5(a).

1. The data of the packet starts from the telnet program.
2. The kernel will construct an IP packet, with the destination IP address being 10.0.20.100.
3. The kernel needs to decide which network interface the packet should be routed through: eth1 or tun0. You need to set up your routing table correctly for the kernel to pick tun0. Once the decision is made, the kernel will set the source IP address of the packet using the IP address of the network interface, which is 10.0.4.1.
4. The packet will reach our VPN program (Point A) through the virtual interface tun0, then it will be encrypted, and then be sent back to the kernel through a UDP port (not through the tun0 interface). This is because our VPN program uses UDP as our tunnel.
5. The kernel will treat the encrypted IP packet as UDP data, construct a new IP packet, and put the entire encrypted IP packet as its UDP payload. The new IP's destination address will be the other end of the tunnel (decided by the VPN program we write); in the figure, the new IP's destination address is 128.230.208.97.
6. You need to set up your routing table correctly, so the new packet will be routed through the interface eth1; therefore, the source IP address of this new packet should be 209.164.131.32.
7. The packet will now flow through the Internet, with the original telnet packet being entirely encrypted, and carried in the payload of the packet. This is why it is called a tunnel.
8. The packet will reach our gateway 128.230.208.97 through its interface eth1.
9. The kernel will give the UDP payload (i.e. the encrypted IP packet) to the VPN program (Point B), which is waiting for UDP data. This is through the UDP port.
10. The VPN program will decrypt the payload, and then feed the decrypted payload, which is the original telnet packet, back to the kernel through the virtual network interface tun0.
11. Since it comes through a network interface, the kernel will treat it as an IP packet (it is indeed an IP packet), look at its destination IP address, and decide where to route it. Remember, the destination IP address of this packet is 10.0.20.100. If your routing table is set up correctly, the packet should be routed through eth2, because this is the interface that connects to the 10.0.20.0/24 network.
12. The telnet packet will now be delivered to its final destination 10.0.20.100.

4 Submission and Demonstration

You should submit a detailed lab report to describe your design and implementation. You should also describe how you test the functionalities and security of your system. You also need to demonstrate your system to us. Please sign up for a demonstration time slot with the TA. Please take the following into consideration when you prepare for the demonstration:

• The total time of the demo will be 15 minutes; no additional time will be given. So prepare your demonstration so you can cover the important features.
• You are entirely responsible for showing the demo. We will NOT even touch the keyboard during the demonstration; so you should not depend on us to test your system. If you fail to demo some important features of your system, we will assume that your system does not have those features.
• You need to practice before you come to the demonstration. If the system crashes or anything goes wrong, it is your own fault. We will not debug your problems, nor give you extra time for it.
• During the demo, you should consider yourself as a salesman, and you want to sell your system to us. You are given 15 minutes to show us how good your system is. So think about your sales strategies. If you have implemented a great system, but fail to show us how good it is, you are not likely to get a good grade.
• Do turn off the messages your system prints out for debugging purposes. Those messages should not appear in a demonstration.

5 Checklist for Demonstration

During the COVID-19 outbreak, we cannot do in-person demos. Although doing the demo online is an option, we decided to experiment with a different approach: asking students to record their demo and submit the video file. To help them conduct a self-guided demo, we provide a checklist in Table 1. Even if we do in-person demos, this checklist is still quite useful.
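The parent/child design of Task 6 (Section 2.6), combined with the pipe of Section 3.4 and the select() loop of Section 3.5, as an added example that is not part of the lab's sample code: the parent reads a packet from tun0, chooses the child by the packet's destination IP (each client is keyed by its tun0 address), and writes it to that child's pipe; the child blocks on both its pipe and its socket. The packet bytes, the client addresses and the use of a second pipe in place of the TLS socket are all constructed so the code runs offline.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

/* One entry per child process: the client's tun0 address (192.168.53.x in
 * this lab, host byte order) and the write end of the pipe to that child. */
struct tunnel {
    uint32_t client_ip;
    int pipe_wr;
};

/* Constructed sample: a minimal 20-byte IPv4 header (no options, no payload)
 * from Host V (192.168.60.101) to the client's tun0 address (192.168.53.5). */
const unsigned char SAMPLE_PKT[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 168, 60, 101,   /* source */
    192, 168, 53, 5      /* destination */
};

/* Destination address of an IPv4 packet read from tun0, in host byte order;
 * 0 if the buffer is too short or not IPv4 (such packets are dropped). */
uint32_t ipv4_dst(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || (size_t)(pkt[0] & 0x0f) * 4 > len)
        return 0;
    uint32_t dst;
    memcpy(&dst, pkt + 16, 4);   /* header bytes 16..19 */
    return ntohl(dst);
}

/* Parent side of Task 6: pick the tunnel whose client owns the destination
 * address and hand the packet to that child through its pipe. Returns the
 * bytes written, or -1 when no tunnel matches (never broadcast to all). */
ssize_t dispatch_packet(const struct tunnel *tbl, size_t n,
                        const unsigned char *pkt, size_t len)
{
    uint32_t dst = ipv4_dst(pkt, len);
    for (size_t i = 0; dst != 0 && i < n; i++)
        if (tbl[i].client_ip == dst)
            return write(tbl[i].pipe_wr, pkt, len);
    return -1;
}

/* Child side: block with select() on both the pipe from the parent and the
 * tunnel socket (Section 3.5). Returns a bit mask: 1 = pipe readable,
 * 2 = socket readable, 0 = timeout, -1 = select() failed. */
int wait_for_input(int pipe_rd, int sockfd, int timeout_ms)
{
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(pipe_rd, &rfds);
    FD_SET(sockfd, &rfds);
    int maxfd = pipe_rd > sockfd ? pipe_rd : sockfd;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    if (select(maxfd + 1, &rfds, NULL, NULL, &tv) < 0)
        return -1;
    return (FD_ISSET(pipe_rd, &rfds) ? 1 : 0) | (FD_ISSET(sockfd, &rfds) ? 2 : 0);
}

/* Stand-alone run with two pipes standing in for two children (the second
 * pipe's read end doubles as the "socket" in the select). Returns the bytes
 * the selected child read back, or -1 if anything went wrong. */
int run_demo(void)
{
    int p1[2], p2[2];
    if (pipe(p1) < 0 || pipe(p2) < 0)
        return -1;
    struct tunnel tbl[2] = { { 0xC0A83505u, p1[1] },    /* 192.168.53.5 */
                             { 0xC0A83506u, p2[1] } };  /* 192.168.53.6 */
    unsigned char buf[1500];
    int n = -1;
    if (dispatch_packet(tbl, 2, SAMPLE_PKT, sizeof SAMPLE_PKT) == 20 &&
        wait_for_input(p1[0], p2[0], 100) == 1 &&      /* only child 1 wakes */
        read(p1[0], buf, sizeof buf) == 20 && memcmp(buf, SAMPLE_PKT, 20) == 0)
        n = 20;
    close(p1[0]); close(p1[1]); close(p2[0]); close(p2[1]);
    return n;
}

int main(void)
{
    printf("child received %d bytes of the packet for 192.168.53.5\n", run_demo());
    return 0;
}
```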
Figure 5: An Example of Packet Flow in VPN. (a) An example of packet flow from telnet client to server in a Host-to-Gateway Tunnel; (b) An example of packet flow from telnet server to client in a Host-to-Gateway Tunnel.
Table 1: Checklist for VPN demonstration

Requirements / Details

Initial State
• Rebooting all three VMs. Start recording after the VMs are rebooted. You should start the demo immediately after rebooting. If you wait too long, you will have to do the rebooting again.
• Type "last reboot; date" in a terminal to show the rebooting time and current time on all three VMs. The difference between these two times should not be more than 5 minutes.
• Display the routing tables on all three VMs.

Pre-Tunnel Test
• Before VPN is set up, ping Host V from Host U and explain your observation.

Tunnel Creation
• Start vpnclient and vpnserver programs.
  – You need to type passwords to authenticate yourself to the server; the password should not be visible (10 points will be deducted if we see your passwords). You can use getpass() to achieve that (type "man getpass" to see its manual).
  – Passwords cannot be hardcoded in your program. If you do this, 50 points will be deducted.
• Perform configuration on all VMs. Although you can put the configuration commands in a script, you do need to show the script and explain the commands in your script.
• Show routing tables on all three VMs after the configuration.

Ping Test
• On Host U: ping Host V.
• Use Wireshark to prove that your VPN works correctly.
• Show us the proof that the tunnel is indeed encrypted.

Telnet Test
• On Host U: telnet to Host V.
• Use Wireshark to prove that your VPN works correctly.

Tunnel-Breaking Test
• On Host U, telnet to Host V. While keeping the telnet connection alive, break the VPN tunnel by stopping the vpnclient and/or vpnserver programs. Then type something in the telnet window. Do you see what you type? What happens to the TCP connection? Is the connection broken?
• Let us now reconnect the VPN tunnel (do not wait for too long). Run the client and server programs again, and conduct the necessary configuration (no need to explain or show commands). Once the tunnel is re-established, what is going to happen to the telnet connection? Please describe and explain your observation.

Large Packet Test
• Send a large packet (size > 3000) from Host U to Host V. You can use "ping -s" to do that.
• Use Wireshark to describe and explain your observations.

TLS Setup
• Show us how you set up your TLS on both client and server sides.
• Show us where you place the server certificates and self-signed certificate.
• Show us which lines of code load those certificates.

MITM Test
• Demonstrate that your system can successfully defeat MITM attacks. You need to set up a simulated MITM attack, and demonstrate that your client program can defeat it.

Code Explanation 1
Which lines of code are responsible for the following:
• verifying that the server certificate is valid
• verifying that the server is the owner of the certificate
• verifying that the server is the intended server

Code Explanation 2
Which line of code in the client forces the TLS handshake to stop if the server certificate verification fails?

Code Explanation 3
Which line(s) of code do the following?
• sending username and password to the server
• getting account information from the shadow file

Ending Time
Type the "last reboot; date" commands to display the time before ending your demo.
