[Olsr-dev] RFC: secure access control for SmartGW tunnels

Daniel (spam-protected)
Tue Jan 22 16:02:45 CET 2013 

Hi everyone!

Looking for a way to add secure access control to SmartGW, I played around with
an olsrd IPv6 mesh and managed to establish an
Ethernet-over-L2TPv3-IPSec-transport-AH-HMAC(SHA1) tunnel using iproute2 3.7.0.
This provides a tunnel authenticated by pre-shared keys at the cost of only
little CPU, ROM and RAM resources (tested => impressive even on small MIPS
cores, whole image incl. olsrd, kmod-ipsec*, iproute2 and luci web-interface
also still easily fits on 4M devices).

SmartGW currently uses plain IP-over-IP tunnels. While this might be suitable
for the simple case, it would be nice to also have the option to choose other
gateway/tunnel setups, like the one above (and illustrated by the attached script).

Other possible setups are IPv6-over-IPSec-tunnel-AH-HMAC(SHA1) or even just
plain IPSec-transport-AH-HMAC(SHA1) between a gateway and a gateway-client.

This could be accomplished (on Linux) by either implementing the communication
with the IPSec stack via netlink or by allowing to call an external script to
setup the tunnel e.g. using iproute2.

Gateway tunnels would have to either store and use a static key for the whole
gateway or use per-user keys. Both parties would also need to exchange session
parameters and/or store (at least some) static per-tunnel parameters permanently.

Obviously it's worth trying not to re-invent IKE but making something way more
simple...

-------------- next part --------------
# script to setup static Ethernet-over-L2TPv3-IPSec-transport-AH-HMAC(SHA1)-over-IPv6

# this can provide an authenticated generic tunnel interface over the mesh
# outgoing packages are signed and signatures on incoming packages are checked
# while the payload is in the clear. in this way secure access control can be
# achieved without a significant performance impact.

#LOCALIP=aac1:909a:2081:0:f8d1:11ff:feaf:ae38
#REMOTEIP=aac1:909a:2081:0:f8d1:11ff:fe77:779b

# this is the 
LOCALIP=aac1:909a:2081:0:f8d1:11ff:fe77:779b
REMOTEIP=aac1:909a:2081:0:f8d1:11ff:feaf:ae38
SHA1KEY=0xecf02a5cf6568556e1bdcd961c7ec3f92afd01cc # shared key
LPORT=20001 # unique local
RPORT=20001 # unique remote
RXREQID=64 # local and remote unique, picked locally
TXREQID=65 # local and remote unique, picked by remote end
LOCALTUNNELID=1 # unique local
REMOTETUNNELID=1 # unique remote

# sessions are per tunnel and we'll probably have only one session per tunnel,
# so this can be static
LOCALSESSION=1
REMOTESESSION=1

echo "xfrm flush"
ip xfrm state flush

ip xfrm policy flush

echo "tx state"
ip xfrm state add \
	src $LOCALIP \
	dst $REMOTEIP \
	proto ah spi 0x00001000 \
	auth hmac\(sha1\) $SHA1KEY \
	mode transport reqid $RXREQID replay-window 32 \
	sel src $LOCALIP \
	    dst $REMOTEIP \
	    proto udp sport $LPORT dport $RPORT

echo "rx state"
ip xfrm state add \
	src $REMOTEIP \
	dst $LOCALIP \
	proto ah spi 0x00002000 \
	auth hmac\(sha1\) $SHA1KEY \
	mode transport reqid $TXREQID replay-window 32 \
	sel src $REMOTEIP \
	    dst $LOCALIP \
	    proto udp sport $RPORT dport $LPORT

echo "tx policy"
ip xfrm policy add \
	src $LOCALIP \
	dst $REMOTEIP \
	proto udp sport $LPORT dport $RPORT dir out \
	ptype main action allow \
	tmpl src $LOCALIP \
	     dst $REMOTEIP \
	     proto ah mode transport \
	     reqid $RXREQID

echo "rx policy"
ip xfrm policy add \
	src $REMOTEIP \
	dst $LOCALIP \
	proto udp sport $RPORT dport $LPORT dir in \
	ptype main action allow \
	tmpl src $REMOTEIP \
	     dst $LOCALIP \
	     proto ah mode transport \
	     reqid $TXREQID


echo "l2tp flush"
ip l2tp del session tunnel_id $LOCALTUNNELID session_id $LOCALSESSION
ip l2tp del tunnel tunnel_id $LOCALTUNNELID

echo "l2tp tunnel"
ip l2tp add tunnel remote $REMOTEIP \
	local $LOCALIP \
	tunnel_id $LOCALTUNNELID peer_tunnel_id $REMOTETUNNELID \
	encap udp udp_sport $LPORT udp_dport $RPORT

echo "l2tp session"
ip l2tp add session tunnel_id $LOCALTUNNELID session_id $LOCALSESSION peer_session_id $REMOTESESSION

echo "iface"
ip addr add 192.168.22.2/24 dev l2tpeth0
ip link set l2tpeth0 up

# obviously, we can run whatever we want on this link. dhcp(v4/v6), NDP, zeroconf, UPnP and the whole mess

# try to ping and run
# ip xfrm monitor
# you should see something like
# Async event  (0x10)  replay update 
#         src aac1:909a:2081:0:f8d1:11ff:fe77:779b dst aac1:909a:2081:0:f8d1:11ff:feaf:ae38  reqid 0x40 protocol ah  SPI 0x1000
# Async event  (0x10)  replay update 
#         src aac1:909a:2081:0:f8d1:11ff:feaf:ae38 dst aac1:909a:2081:0:f8d1:11ff:fe77:779b  reqid 0x41 protocol ah  SPI 0x2000
# Async event  (0x10)  replay update 
#         src aac1:909a:2081:0:f8d1:11ff:fe77:779b dst aac1:909a:2081:0:f8d1:11ff:feaf:ae38  reqid 0x40 protocol ah  SPI 0x1000
# Async event  (0x10)  replay update 
#         src aac1:909a:2081:0:f8d1:11ff:feaf:ae38 dst aac1:909a:2081:0:f8d1:11ff:fe77:779b  reqid 0x41 protocol ah  SPI 0x2000
# Async event  (0x20)  timer expired 
#         src aac1:909a:2081:0:f8d1:11ff:fe77:779b dst aac1:909a:2081:0:f8d1:11ff:feaf:ae38  reqid 0x40 protocol ah  SPI 0x1000
# Async event  (0x20)  timer expired

More information about the Olsr-dev mailing list