JakeHillion/dissertation-4-dissertation
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

Update on Overleaf.

Browse Source
This commit is contained in:
jsh77 2021-05-13 14:57:00 +00:00 committed by overleaf
parent 67a8a5aeb6
commit c17f6a6410
2 changed files with 2 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
2_Preparation/preparation.tex
View File

@ -86,90 +86,7 @@ When applying message authentication, it was sufficient to authenticate messages
It was previously mentioned that my solution is transparent to the higher layer security encapsulated by proxied packets. Further to this, my solution provides transparent security in the other direction, where proxied packets are encapsulated by another security solution. Consider the case of a satellite office that employs both a whole network corporate VPN and my solution. The network can be configured in each of two cases: the multipath proxy runs behind the VPN, or the VPN runs behind the multipath proxy.
Packet structures for proxied packets in each of these cases are given in Figure \ref{fig:whole-network-vpn-behind} and Figure \ref{fig:whole-network-vpn-infront}, for the VPN Wireguard \citep{donenfeld_wireguard_2017}. In Figure \ref{fig:whole-network-vpn-infront}, the portals are only accessible via the VPN protected network. It can be seen that the packet in Figure \ref{fig:whole-network-vpn-infront} is shorter, given the removal of the message authentication code and the data sequence number. The data sequence number is unnecessary, given that Wireguard uses the same anti-replay algorithm, and thus replayed packets would have been caught entering the secure network. Further, the message authentication code is unnecessary, as the authenticity of packets is now guaranteed by Wireguard.
\begin{figure}
\begin{leftfullpage}
\centering
\begin{bytefield}[bitwidth=0.6em]{32}
\bitheader{0-31} \\
\wordbox[tlr]{1}{IPv4 Header} \\
\wordbox[blr]{1}{$\cdots$} \\
\begin{rightwordgroup}{UDP\\Header}
\bitbox{16}{Source port} & \bitbox{16}{Destination port} \\
\bitbox{16}{Length} & \bitbox{16}{Checksum}
\end{rightwordgroup} \\
\begin{rightwordgroup}{CC\\Header}
\bitbox{32}{Acknowledgement number} \\
\bitbox{32}{Negative acknowledgement number} \\
\bitbox{32}{Sequence number}
\end{rightwordgroup} \\
\begin{rightwordgroup}{Proxied\\Wireguard\\Packet}
\wordbox[tlr]{1}{IPv4 Header} \\
\wordbox[blr]{1}{$\cdots$} \\
\begin{leftwordgroup}{UDP Header}
\bitbox{16}{Source port} & \bitbox{16}{Destination port} \\
\bitbox{16}{Length} & \bitbox{16}{Checksum}
\end{leftwordgroup} \\
\begin{leftwordgroup}{Wireguard\\Header}
\bitbox{8}{type} & \bitbox{24}{reserved} \\
\wordbox{1}{receiver} \\
\wordbox{2}{counter}
\end{leftwordgroup} \\
\wordbox[tlr]{1}{Proxied IP packet} \\
\skippedwords\\
\wordbox[blr]{1}{}
\end{rightwordgroup} \\
\begin{rightwordgroup}{Security\\Footer}
\bitbox{32}{Data sequence number} \\
\wordbox[tlr]{1}{Message authentication code} \\
\wordbox[blr]{1}{$\cdots$}
\end{rightwordgroup}
\end{bytefield}
\caption{Packet structure for a configuration with a Wireguard client behind my multipath proxy.}
\label{fig:whole-network-vpn-behind}
\end{leftfullpage}
\end{figure}
\begin{figure}
\begin{fullpage}
\centering
\begin{bytefield}[bitwidth=0.6em]{32}
\bitheader{0-31} \\
\wordbox[tlr]{1}{IPv4 Header} \\
\wordbox[blr]{1}{$\cdots$}\\
\begin{rightwordgroup}{UDP\\Header}
\bitbox{16}{Source port} & \bitbox{16}{Destination port} \\
\bitbox{16}{Length} & \bitbox{16}{Checksum}
\end{rightwordgroup} \\
\begin{rightwordgroup}{Wireguard\\Header}
\bitbox{8}{type} & \bitbox{24}{reserved} \\
\wordbox{1}{receiver} \\
\wordbox{2}{counter}
\end{rightwordgroup} \\
\begin{rightwordgroup}{Tunnelled\\Proxy\\Packet}
\wordbox[tlr]{1}{IPv4 Header} \\
\wordbox[blr]{1}{$\cdots$}\\
\begin{leftwordgroup}{UDP Header}
\bitbox{16}{Source port} & \bitbox{16}{Destination port} \\
\bitbox{16}{Length} & \bitbox{16}{Checksum}
\end{leftwordgroup} \\
\begin{leftwordgroup}{CC\\Header}
\bitbox{32}{Acknowledgement number} \\
\bitbox{32}{Negative acknowledgement number} \\
\bitbox{32}{Sequence number}
\end{leftwordgroup} \\
\wordbox[tlr]{1}{Proxied IP packet} \\
\skippedwords\\
\wordbox[blr]{1}{}
\end{rightwordgroup}
\end{bytefield}
\caption{Packet structure for a configuration with a Wireguard client in front of my multipath proxy.}
\label{fig:whole-network-vpn-infront}
\end{fullpage}
\end{figure}
Packet structures for proxied packets in each of these cases are given in Appendix \ref{appendix:layered-security}, as Figure \ref{fig:whole-network-vpn-behind} and Figure \ref{fig:whole-network-vpn-infront} for the VPN Wireguard \citep{donenfeld_wireguard_2017}. In Figure \ref{fig:whole-network-vpn-infront}, the portals are only accessible via the VPN protected network. It can be seen that the packet in Figure \ref{fig:whole-network-vpn-infront} is shorter, given the removal of the message authentication code and the data sequence number. The data sequence number is unnecessary, given that Wireguard uses the same anti-replay algorithm, and thus replayed packets would have been caught entering the secure network. Further, the message authentication code is unnecessary, as the authenticity of packets is now guaranteed by Wireguard.
Supporting and encouraging this layering of protocols provides a second benefit: if the security in my solution degrades with time, there are two options to repair it. One can either fix the open source application, or compose it with a security solution that is not broken, but perhaps provides redundant security guarantees, translating to additional overhead. To this end, the security features mentioned are all configurable. This allows for flexibility in implementation.

1
thesis.tex
View File

@ -176,6 +176,7 @@
\begin{appendices} % Using appendices environment for more functunality
\include{A1_LanguageSamples/languagesamples}
\include{A2_LayeredSecurity/layeredsecurity}
\include{A3_OutboundGraphs/outboundgraphs}
\include{A4_ProjectProposal/projectproposal}