iproxy: Running TCP services over UDP

Horms (Simon Horman) horms@… …ary2002/linux/iproxy/

I've been to cities that never closed down,
From New York to Rio and old London town,
But no matter how far or how wide I roam,
…llen — I Still Call Australia Home
6th–9th February 2002, University of Queensland, Brisbane, Queensland, Australia

Thanks

Special thanks goes to: Tony Guntharp, whose couch in San Francisco was party to much of the work on this project, along with signifi… Last but not least, Andrew Tridgell for conceiving iproxy and inspiring me to code lots.
Abstract

iproxy comprises a client-side proxy and a server-side proxy that allow arbitrary TCP/IP services to run over Broadcast, … riginally conceived as a method to configure servers … per will focus on the implementation issues in sending and receiving UDP traffi… illustrate how to create simple Multicast, … also discuss the problems and solutions realised when trying to carry TCP connections over UDP.
1 Introduction

While working on a doomed NAS¹ project, it was thought that it would be nice to be able to configure the NAS boxen without having to confi… the NAS box set up to use DHCP [15] …r, we were afa… of communicating using broadcast UDP was raised as it allows communications with nodes on the same sub-net, …l to the idea was that we should be able to use existing administrative interfaces provided via HTTP [1][8], HTTPS [16], Telnet [10] and SSH [19]. iproxy was born and a journey into tunnelling TCP [12] over UDP [13] began.

¹ NAS: Network Attached Storage

2 Implementation

[Figure 1: Basic iproxy Architecture. Workstation (Client, iproxy-client) and NAS (Daemon, iproxy-server) connected by a LAN.]

The iproxy architecture consists of two proxy servers, … -client runs on the user's … y be from a web browser, SSH or Telnet client, … -server runs on the NA… opens a connection to the local daemon, whether it be HTTP, SSH, Telnet or another TCP protocol and relays the encapsulated information from the user's … from the daemon follow the reverse path.

2.1 Encapsulation

[Figure 2: iproxy Packet Header. Fields: Flag, Client Id, Server Id, Length, Offset, Checksum, Version.]

To enable a TCP connection to be tunnelled in UDP datagrams some identifi… eve this iproxy pack… mise portability, each fi… fields are as follows:

• Checksum: Rolling 8-bit checksum of the header fields other than the checksum and the data.
• Version: Currently 1.
• Flag: Flags to specify special packets, such as Acknowledgements, Keep Alive and Finish Packets.
• Client Id: Unique identifier of the client.
• Server Id: Unique identifier of the server.
• Length: Total length of the packet including the header and data.
• Offset: Off… in lieu of a sequence number.

2.2 Server Discovery

Given that the motivation for iproxy is to enable configuration of hosts running iproxy-server without prior knowledge of their setup, … implemented by iproxy-client sending … oxy-servers that receive this discovery packet should reply using the ClientId in the packet and their own ServerId.
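As an added example (not iproxy's own code, which the page does not reproduce): one concrete layout for a header carrying the seven fields of Figure 2, with an encoder and a defensive decoder. The byte order, field widths, the flag values and the reading of "rolling 8-bit checksum" as a byte sum modulo 256 are all assumptions. The practitioner's point is on the receive side: the wire Length field is checked against the number of bytes the kernel actually delivered, rather than being trusted as the amount of data to relay.

```c
/* Added example, not iproxy's own code: one concrete layout for the header of
 * Figure 2 plus a defensive parser. Byte order, widths and flag values below
 * are assumptions; "rolling 8-bit checksum" is read here as a byte sum mod 256. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPROXY_HDR_LEN 13
#define IPROXY_VERSION 1
#define IPROXY_ACK_FLAG       0x01  /* assumed values */
#define IPROXY_KEEPALIVE_FLAG 0x02
#define IPROXY_FIN_FLAG       0x04

struct iproxy_hdr {
    uint8_t  version;
    uint8_t  flag;
    uint16_t client_id;
    uint16_t server_id;
    uint16_t length;    /* header + data, as carried on the wire */
    uint32_t offset;    /* byte offset within the TCP stream, in lieu of a sequence number */
    uint8_t  checksum;
};

/* Byte sum mod 256 over every header byte except the checksum slot; the data is not covered. */
static uint8_t iproxy_checksum(const uint8_t *buf)
{
    unsigned sum = 0;
    for (size_t i = 0; i < IPROXY_HDR_LEN - 1; i++)
        sum += buf[i];
    return (uint8_t)sum;
}

/* Serialise header and payload into buf, big-endian. Returns the datagram length, 0 if it does not fit. */
size_t iproxy_pack(uint8_t *buf, size_t cap, const struct iproxy_hdr *h,
                   const uint8_t *data, size_t dlen)
{
    size_t total = IPROXY_HDR_LEN + dlen;
    if (total > cap || total > 0xffff)
        return 0;
    buf[0] = h->version;
    buf[1] = h->flag;
    buf[2] = (uint8_t)(h->client_id >> 8);  buf[3] = (uint8_t)h->client_id;
    buf[4] = (uint8_t)(h->server_id >> 8);  buf[5] = (uint8_t)h->server_id;
    buf[6] = (uint8_t)(total >> 8);         buf[7] = (uint8_t)total;
    buf[8]  = (uint8_t)(h->offset >> 24);   buf[9]  = (uint8_t)(h->offset >> 16);
    buf[10] = (uint8_t)(h->offset >> 8);    buf[11] = (uint8_t)h->offset;
    buf[12] = iproxy_checksum(buf);
    if (dlen)
        memcpy(buf + IPROXY_HDR_LEN, data, dlen);
    return total;
}

/* Parse n received bytes. 0 on success (payload in *data/*dlen); negative codes say why it was dropped. */
int iproxy_unpack(const uint8_t *buf, size_t n, struct iproxy_hdr *h,
                  const uint8_t **data, size_t *dlen)
{
    if (n < IPROXY_HDR_LEN)               return -1; /* truncated header */
    if (buf[0] != IPROXY_VERSION)         return -2; /* unknown version */
    if (buf[12] != iproxy_checksum(buf))  return -3; /* corrupted or forged header */
    h->version   = buf[0];
    h->flag      = buf[1];
    h->client_id = (uint16_t)(buf[2] << 8 | buf[3]);
    h->server_id = (uint16_t)(buf[4] << 8 | buf[5]);
    h->length    = (uint16_t)(buf[6] << 8 | buf[7]);
    h->offset    = (uint32_t)buf[8] << 24 | (uint32_t)buf[9] << 16 |
                   (uint32_t)buf[10] << 8 | buf[11];
    h->checksum  = buf[12];
    /* The wire Length is attacker-controlled: it must equal what the kernel delivered,
     * otherwise the relay would forward bytes it never received. */
    if (h->length != n)                   return -4;
    *data = buf + IPROXY_HDR_LEN;
    *dlen = n - IPROXY_HDR_LEN;
    return 0;
}

/* Round trip plus three rejection cases; returns 0 when every check holds, else the failing step. */
int iproxy_hdr_selftest(void)
{
    static const uint8_t req[] = "GET / HTTP/1.0\r\n";   /* constructed sample payload, 16 bytes */
    uint8_t buf[64];
    struct iproxy_hdr in = { IPROXY_VERSION, 0, 12841, 67, 0, 0, 0 }, out;
    const uint8_t *data; size_t dlen;
    size_t n = iproxy_pack(buf, sizeof buf, &in, req, sizeof req - 1);
    if (n != 29) return 1;
    if (iproxy_unpack(buf, n, &out, &data, &dlen) != 0) return 2;
    if (dlen != 16 || out.client_id != 12841 || out.server_id != 67 || out.length != 29) return 3;
    if (iproxy_unpack(buf, n - 1, &out, &data, &dlen) != -4) return 4; /* short delivery */
    if (iproxy_unpack(buf, 5, &out, &data, &dlen) != -1) return 5;     /* truncated header */
    buf[1] |= IPROXY_FIN_FLAG;                                          /* flipped flag, stale checksum */
    if (iproxy_unpack(buf, n, &out, &data, &dlen) != -3) return 6;
    return 0;
}

int main(void)
{
    printf("iproxy header self-test: %s\n", iproxy_hdr_selftest() == 0 ? "ok" : "FAILED");
    return 0;
}
```

A sum-mod-256 checksum only catches accidental corruption; anyone on the subnet can forge a valid header, so the checks above are input validation, not authentication.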
At this stage this is done manually by running iproxy-client with the -l command-line option, which causes it to issue a discovery packet and display any packets received from iproxy-servers.

    # iproxy-client -l
    [12841] Hello from 66!
    [12841] Hello from 67!
    [12841] Tired of waiting for Hello

… run an instance of iproxy-client to communicate with the iproxy-server with ServerId 67 using the -s command-line option.

    # iproxy-client -s 67

2.3 Opening a Connection

To open a connecti… ipt of a new connection iproxy-client sends a UDP datagram with its ClientId, the ServerId that it has been confi… e iprox… aemon returns any data at this stage it is returned in the reply UDP packet, …mple:

On the Workstation, configure iproxy-client to communicate with iproxy-server with ServerId 67, and listen for incoming TCP connections on port 7777.

    iproxy-client -s 67 -p 7777 -v

On the Server configure iproxy-server to have ServerId 67 and proxy incoming UDP connections to the apache² daemon running locally on port 80.

    iproxy-server -s 67 -d 80 -v

² Apache HTTP Server: …

If a connection is now opened to port 7777 on the … erver a connection to loca… ase of an apache HTTP daemon, the daemon does not send any data at this stage so nothing further happens unt… ase of a service where the server does issue some data upon connect, such as Telnet, this would be sent to iproxy-client by iproxy-server and an ACK would be returned by iproxy-client.

2.4 Connection Tracking

One of the key differences between T… ans that in order to … ticular, as iproxy-server may be receiving UDP datagrams from the same iproxy-server for different connections at the same time it must be able to diff… is the following information is used for each packet: source port, in addition to the destination port which is matched by UDP and discarding of all packets not addressed to the iproxy-server's … ket matches one of these connections then it is considered part of that connection, else it is considered to be the first packet in a new connection.

2.5 Closing a Connection

A connection may be closed by sending a packet with an empty data section and the flag entry in the iproxy header set to IPROXY_FIN_FLAG, … -server on the other hand does not fork and will mark the connection as closed and ignore any other
…he expire timeout, EXPIRE_TIMEOUT seconds, the connection will be purged, and thus any subsequent packets will be assumed to be packets for a new connection. …tions that are marked as closed may be purged before the expire timeout if the connection table, which is fixed in size, … occurs, the closed connection closest to its expire timeout will be used.

2.6 Acknowledgement

For a packet with an empty data section and the fl… packet is Acknowledged, no additional packets will be sent. This scheme is simple and ineffi… x p… is also a resend timeout, … pose of this is to resend packets … note that the expire timeout should generally be longer than the resend timeout, else a resend will never occur as the packet will expire and the connection will be closed first.

2.8 Keep Alive

In order to prevent protocols that may be idle for a time, such as Telnet or SSH, from causing the connection to time out, keep alive packets are sent.
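The connection-table behaviour described in 2.4, 2.5 and 2.9 (lookup by source port and client id, rejection of the same connection arriving from a different source address, closed entries that are ignored until purged, and reuse of the closed entry closest to its expire timeout when the fixed-size table is full), as an added example that is not iproxy's code. The table size, the EXPIRE_TIMEOUT value and the exact matching key are assumptions; the one deliberate choice is that an open connection is never evicted to make room, so a flood of new connections can only fill the table, not tear down existing ones.

```c
/* Added example, not iproxy's own code: a fixed-size connection table with the
 * behaviour sections 2.4, 2.5 and 2.9 describe. Table size, EXPIRE_TIMEOUT value
 * and the (client id, source port) matching key are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CT_SIZE        4    /* deliberately tiny so the eviction paths are exercised */
#define EXPIRE_TIMEOUT 60   /* seconds; the page names the constant, the value is assumed */

enum ct_state { CT_FREE = 0, CT_OPEN, CT_CLOSED };

struct ct_entry {
    enum ct_state state;
    uint32_t src_ip;
    uint16_t src_port;
    uint16_t client_id;
    time_t   last_seen;
};

struct ct_table { struct ct_entry e[CT_SIZE]; };

enum ct_result { CT_EXISTING, CT_NEW, CT_DUPLICATE_IFACE, CT_IGNORED_CLOSED, CT_TABLE_FULL };

void ct_init(struct ct_table *t) { memset(t, 0, sizeof *t); }

/* Purge every entry, open or closed, whose expire timeout has elapsed. */
static void ct_expire(struct ct_table *t, time_t now)
{
    for (int i = 0; i < CT_SIZE; i++)
        if (t->e[i].state != CT_FREE && now - t->e[i].last_seen >= EXPIRE_TIMEOUT)
            t->e[i].state = CT_FREE;
}

/* Classify an arriving datagram. On CT_EXISTING / CT_NEW, *slot is the table index. */
enum ct_result ct_lookup(struct ct_table *t, uint32_t src_ip, uint16_t src_port,
                         uint16_t client_id, time_t now, int *slot)
{
    ct_expire(t, now);
    for (int i = 0; i < CT_SIZE; i++) {
        struct ct_entry *e = &t->e[i];
        if (e->state == CT_FREE || e->src_port != src_port || e->client_id != client_id)
            continue;
        if (e->src_ip != src_ip)                 /* 2.9: same connection seen via another interface */
            return CT_DUPLICATE_IFACE;
        if (e->state == CT_CLOSED)               /* 2.5: closed entries ignore traffic until purged */
            return CT_IGNORED_CLOSED;
        e->last_seen = now;
        *slot = i;
        return CT_EXISTING;
    }
    /* First packet of a new connection: a free slot, else the closed entry closest to expiry. */
    int victim = -1;
    for (int i = 0; i < CT_SIZE; i++) {
        if (t->e[i].state == CT_FREE) { victim = i; break; }
        if (t->e[i].state == CT_CLOSED &&
            (victim < 0 || t->e[i].last_seen < t->e[victim].last_seen))
            victim = i;
    }
    if (victim < 0)
        return CT_TABLE_FULL;                    /* never evict an open connection to admit a new one */
    t->e[victim] = (struct ct_entry){ CT_OPEN, src_ip, src_port, client_id, now };
    *slot = victim;
    return CT_NEW;
}

/* Mark a connection closed on receipt of a FIN-flagged packet. */
void ct_close(struct ct_table *t, int slot) { t->e[slot].state = CT_CLOSED; }

/* Scripted scenario; returns 0 when every step behaves as described, else the failing step. */
int ct_selftest(void)
{
    struct ct_table t; int s = -1;
    const uint32_t ip_a = 0x0a000001, ip_b = 0x0a000002;   /* constructed: 10.0.0.1 and 10.0.0.2 */
    ct_init(&t);
    if (ct_lookup(&t, ip_a, 40000, 1, 1000, &s) != CT_NEW || s != 0)   return 1;
    if (ct_lookup(&t, ip_a, 40000, 1, 1001, &s) != CT_EXISTING)        return 2;
    if (ct_lookup(&t, ip_b, 40000, 1, 1001, &s) != CT_DUPLICATE_IFACE) return 3;
    ct_close(&t, 0);
    if (ct_lookup(&t, ip_a, 40000, 1, 1002, &s) != CT_IGNORED_CLOSED)  return 4;
    for (uint16_t p = 40001; p <= 40003; p++)                          /* fill the other three slots */
        if (ct_lookup(&t, ip_a, p, 1, 1005, &s) != CT_NEW) return 5;
    if (ct_lookup(&t, ip_a, 40004, 1, 1010, &s) != CT_NEW || s != 0)   return 6; /* reuses closed slot */
    if (ct_lookup(&t, ip_a, 40005, 1, 1010, &s) != CT_TABLE_FULL)      return 7; /* all open: refused */
    if (ct_lookup(&t, ip_a, 40005, 1, 1066, &s) != CT_NEW || s != 1)   return 8; /* 1005 entries expired */
    return 0;
}

int main(void)
{
    printf("connection table self-test: %s\n", ct_selftest() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Because the key is only (client id, source port) and both are visible on the wire, a host on the same broadcast domain can inject datagrams into an existing tunnel; the table protects against confusion and exhaustion, not against spoofing.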
A keep alive packet is a packet with an empty data section and the fl… ould be less than EXPIRE_TIMEOUT, … ipt of a keep alive packet, i… ive packets are ignored if the connection is awaiting an Acknowledgement.

2.9 Multiple Interfaces

Given that the motivation for iproxy is to communicate with machines whose network configuration is not known, … ise the packets may be sent out an interface which is not connected to the network, … this is only an issue because nothing is known about the network confi… eve this iproxy has code to fi… ing a socket to each of these addresses and sending each packet to each of these sockets. … nection tracking code handles this by rejecting packets which match an existing connection other than that the source IP address diff… tion, checks on the offset field in the iproxy header guard against out of order and duplicate packets.

3 Variations on a Theme

… be-in… r, … stion was made that using Multicast would enable communication with nodes on diffe… was drawn at Anycast [11]. The main difference between the Broadcast, … e used below is for IPv4 [14]. Analogous code for IPv6 [5] may be written but is not currently
…ction could not have been written without the assistance of UNIX Network Programming [17].

3.1 Broadcast

When using broadcast UDP, packet… ioned previously it is desirable for iproxy to send packets out each and every interface, … t is opened to listen for incoming datagrams, this is bound to 0.0.0.0 for the configured port, … is as … these outgoing sockets has th…;

    int one = 1;
    /* s is an open UDP socket */
    setsockopt(s, SOL_SOCKET, SO_BROADCAST, (char *)&one, sizeof(one));

Figure 3: Setting the SO_BROADCAST Option for a Socket

3.2 Multicast

Multicast, like broadcast, allows packets to be received by multiple hosts, … as iproxy-server is a member of a known multicast group it can be a… advantage of multicast over broadcast for iproxy is that multicast traffic may be routed between physical subnets, in contrast to broadcast traffi…³ difference programatically between broadcast and multicast is that the SO_BROADCAST socket option is not set and that the multicast time to live (TTL) … rout… ault is one, meaning that the packet will be dropped at the first router it encounters, …;

³ UDP broadcast traffic is not routed between subnets, with the notable exception of the dubious ip helper-address command [4] in Cisco's IOS.

    int mcast_ttl = 1;  /* TTL of multicast packets in hops. 1 is the default */
    /* iface_fd[i] is the open socket for the i-th local interface */
    setsockopt(iface_fd[i], IPPROTO_IP, IP_MULTICAST_TTL, (char *)&mcast_ttl, sizeof(mcast_ttl));

Figure 4: Setting the Multicast TTL for a Socket

T… uses an IGMP⁵ message to be sent, announcing to local…;

    struct ip_mreq mreq;
    struct in_addr addr;
    struct iface_struct iface;
    /* fd_out is an open socket bound to a local interface
     * addr is the IP address of the multicast group
     * iface is a portable structure provided by iproxy,
     * borrowed from samba, containing the interface's
     * address (the field name iface.ip is assumed here) */
    mreq.imr_multiaddr.s_addr = mcast_addr_bin.s_addr;
    mreq.imr_interface.s_addr = iface.ip.s_addr;
    setsockopt(fd_out, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq, sizeof(mreq));

Figure 5: Joining a Multicast Group

⁴ Class D: 224.0.0.0/4, …
⁵ Somewhat analogous to the way that ICMP is used for Unicast routing
… advantage of unicast is that it is universally routed across the Internet, …r, unicast does require prior knowledge of the network configuration of both endpoints and, hence, is of no use for the confi… matically, unicast was much simpler to implement as only a single s… ial socket options are required for unicast.

4 Applications

One of the most frequent reactions to tunnelling TCP over UDP is, "Why?". As outlined earlier the original motivation for iproxy was to provide a method to configure network devices without the need f… is able to do this, thoug… proxy's unicast support two esoteric applications spring to mind owing to UDP traffi… note that many network administrators deploy state-less packet filters to protect their networks from unwanted nasties coming … yond the scope of this paper to discuss the relative merits of state-less packet filtering, state-full packet filtering and proxy-based fir…, it is of note that if UDP traffic is allowed to pass through a packet-filter without inspection then iproxy may be used to tunnel arbitrary TCP services through the packet-filter. … xisting solutions exist to do this by tunnelling traffic via DNS [9], HTTP [2], HTTPS [3], ICMP [6] and even SMTP [7]; iproxy potentially off… uing the theme of unnoticed UDP traffic, it is of particular note that Internet Packet Quota (IPQ) [18] does not attempt to count UDP traffi… rtially an implementation issue relating to identifying the user to whom a particular datagram belongs and partly because UDP traffic was not seen as something of particular interest in terms of percentage of network utilisation when IPQ was being developed. A creative user with iproxy in hand could easily change this situation.
5 Conclusion

… plementation … y be used to communicate with hosts whose network configuration is unknown, in particular to confi… lso be used to get TCP traffic past unsuspecting network administrators.
References

[1] …s-Lee, …ng, … 1945: Hypertext transfer protocol – http/… Internet Engineering Task Force: …, May 1996.
[2] Lars Brinkoff. … :///software/…, 2001.
[3] … :///griffon/ssh-https-tunnel, March 2000.
[4] Cisco Systems, … OS IP Configuration Guide, cisco ios 12.2 edition, … :///.
[5] … 1883: Internet protocol, version 6 (ipv6) specifi… Internet Engineering Task Force: …, December 1995.
[6] Magnus Lundström. … :///icmptunnel/, 1999.
[7] Magnus Lundström. … :///mailtunnel/, …nnel.
[8] …ng, …, …k, … 2068: Hypertext transfer protocol – http/… Internet Engineering Task Force: …, January 1997.
[9] … Tunneling through name servers, … :///.
[10] … 405: Telnet protocol specifi… Internet Engineering Task Force: …, May 1973.
[11] …dge, …, 1546: … Internet Engineering Task Force: …, November 1993.
[12] … 761: Dod standard: … Internet Engineering Task Force: …, January 1980.
[13] … 768: … Internet Engineering Task Force: …, August 1980.
[14] … 791: Darpa internet program: Protocol specifi… Internet Engineering Task Force: …, September 1981.
[15] … 2131: Dynamic host confi… Internet Engineering Task Force: …, March 1997.
[16] … 2818: … Internet Engineering Task Force: …, May 2000.
[17] … Prentice Hall PTR, 2nd edition, 1997.
[18] … :///ipq/doc/, 2000.
[19] …, …n, …en, …, … internet-draft: … Internet Engineering Task Force: …, November 2001.