Hello OpenSSL users,
I would like to tell you of a project I am currently thinking about. I
have done some very preliminary coding and I am thinking about the future
of this project. This is a rather brief e-mail, as I would first like to
hear some comments.
What it is all about:
I want a VPN solution that is
* free / open / GPL'd
* UDP based instead of TCP based (see below for reasons)
* Certificate based for first level authentication/authorization
* Based on UNIX(r) on the server side (Linux being the primary goal)
* available for Windows clients (currently I am targeting W98/W2000;
support for other/older versions would be very nice) and UNIX clients
alike
* Uses PPP for the actual transport
If anybody knows of a product that can do this already, please say
so. Also please comment if the project is a waste of time or not.
What is a VPN
-------------
A VPN (Virtual Private Network) is a way to securely connect
computers/networks to some private network over an insecure channel (like
the Internet).
UDP based
---------
The problem with TCP (or any stream-based protocol that guarantees
delivery) is that problems on the transport layer lead to retransmits on
the VPN (the encapsulating) layer and on the encapsulated layer(s) (in
case of e.g. TCP traffic through the tunnel).
To avoid this situation, it is necessary to drop guaranteed delivery on
the encapsulating layer and to switch to a protocol that can drop
packets "legally", like UDP.
Another reason for UDP is that the protocol is well known to firewall
people.
Using PPP as the encapsulated protocol
--------------------------------------
I am thinking about using PPP as the protocol to be encapsulated through an
encrypted channel. This is because
+ some other VPN solutions use this mechanism
+ Server and client side software exists for this
Current Status
--------------
Currently, I have done some testing w.r.t. a UDP VPN server that accepts
connections and encapsulates PPP packets (unencrypted). The code is quite
simple. I have used this code to connect two Linux boxes via Ethernet. I
have done tests with dropped UDP packets, etc. Everything worked quite
well.
I have also done some thinking about the encryption to be used and
about the control protocol to be used (mixed with data packets).
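The UDP encapsulation and the control/security discussion above, as an added illustration that is not code from this proposal: a hypothetical sequence-numbered, HMAC-authenticated datagram wrapped around a PPP frame, with a receiver that tolerates lost and reordered datagrams while rejecting forged and replayed ones. The datagram layout, the shared key and the sample frames are constructed assumptions; a real design would also encrypt the frame and handle sequence-number wrap.

```python
import hmac
import hashlib
import struct

# Hypothetical datagram layout (an assumption, not the proposal's wire format):
#   4-byte big-endian sequence number | PPP frame | 16-byte truncated HMAC-SHA256
SEQ = struct.Struct(">I")
TAG_LEN = 16

def encapsulate(key: bytes, seq: int, ppp_frame: bytes) -> bytes:
    """Sender side: prepend a sequence number and append an integrity tag."""
    body = SEQ.pack(seq) + ppp_frame
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    """Drop-tolerant receiver: never waits for a missing sequence number,
    rejects forged datagrams and replays of ones already accepted."""
    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest = -1       # highest sequence number accepted so far
        self.seen = set()       # accepted numbers still inside the window

    def decapsulate(self, datagram: bytes):
        """Return the PPP frame, or None if the datagram must be discarded."""
        if len(datagram) < SEQ.size + TAG_LEN:
            return None                          # truncated
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                          # forged or corrupted
        seq = SEQ.unpack_from(body)[0]
        if seq in self.seen or seq <= self.highest - self.window:
            return None                          # replay, or too old to track
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return body[SEQ.size:]

def demo():
    """Constructed run: datagram 1 arrives late, 2 is replayed, 3 is tampered with."""
    key = b"\x01" * 32                           # constructed shared key
    frames = [b"\xff\x03\xc0\x21" + bytes([i]) for i in range(5)]  # LCP-like PPP
    dgrams = [encapsulate(key, i, f) for i, f in enumerate(frames)]
    tampered = dgrams[3][:-1] + bytes([dgrams[3][-1] ^ 0xFF])  # flip a tag byte
    order = [dgrams[0], dgrams[2], dgrams[2], tampered, dgrams[4], dgrams[1]]
    rx = Receiver(key)
    return [rx.decapsulate(d) for d in order]  # frame 0, 2, None, None, 4, 1
```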
The MS Windows side exists in my brain only, at the moment. I think of the
following architecture:
+ There is a special (virtual) modem driver that can be used with the dial-up
networking of Windows. This driver communicates with a user
level service running in the background. This background service does
the actual network side of the game. The device driver is there to hook
the system into the dial-up networking of Windows.
+ The background service uses OpenSSL for its encryption/certificate
handling.
What is needed - Call for Participants
--------------------------------------
I would like to start off this project by
+ Discussing if it is worth the effort, or if anything like this already
exists.
+ Discussing the protocol to be used, with a focus on security.
+ Discussing the development model and the location of the project.
+ Finding people to work on this. In particular, I am looking for people with
enough Windows experience to write the device driver parts. The
Unix/OpenSSL part could also use good programmers. Windows programmers
should have legal access to all the needed parts to write a device
driver, of course [probably VC++, DDKs, etc.].
Expectations
------------
* I would like this to become a serious alternative to any other VPN
software. It can be done.
* The whole of the software should be GPL'd, being as portable as
possible, using automake/autoconf. I expect that CVS will be used for
development.
* It should be rock solid.
* I would like to see a working prototype soon (particularly of the
Windows side).
* The protocol to be used on the UDP channel should be well
documented. Maybe we could make an RFC of it.
I am willing to invest serious time into this project. The project could
be hosted on SourceForge or somewhere else. I could also provide web space
or a CVS server myself.
Looking forward to hearing from you.
peter
--
_________________________________________________________________________
Peter Stamfest UNIX, Networking & Computing Consultant
Tel: +43/699/20711205 Software Development - Internetservices
E-Mail: [EMAIL PROTECTED]
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]