Update on Overleaf.
This commit is contained in:
parent
67a8a5aeb6
commit
c17f6a6410
@ -86,90 +86,7 @@ When applying message authentication, it was sufficient to authenticate messages
|
|||||||
|
|
||||||
It was previously mentioned that my solution is transparent to the higher layer security encapsulated by proxied packets. Further to this, my solution provides transparent security in the other direction, where proxied packets are encapsulated by another security solution. Consider the case of a satellite office that employs both a whole network corporate VPN and my solution. The network can be configured in each of two cases: the multipath proxy runs behind the VPN, or the VPN runs behind the multipath proxy.
|
It was previously mentioned that my solution is transparent to the higher layer security encapsulated by proxied packets. Further to this, my solution provides transparent security in the other direction, where proxied packets are encapsulated by another security solution. Consider the case of a satellite office that employs both a whole network corporate VPN and my solution. The network can be configured in each of two cases: the multipath proxy runs behind the VPN, or the VPN runs behind the multipath proxy.
|
||||||
|
|
||||||
Packet structures for proxied packets in each of these cases are given in Figure \ref{fig:whole-network-vpn-behind} and Figure \ref{fig:whole-network-vpn-infront}, for the VPN Wireguard \citep{donenfeld_wireguard_2017}. In Figure \ref{fig:whole-network-vpn-infront}, the portals are only accessible via the VPN protected network. It can be seen that the packet in Figure \ref{fig:whole-network-vpn-infront} is shorter, given the removal of the message authentication code and the data sequence number. The data sequence number is unnecessary, given that Wireguard uses the same anti-replay algorithm, and thus replayed packets would have been caught entering the secure network. Further, the message authentication code is unnecessary, as the authenticity of packets is now guaranteed by Wireguard.
|
Packet structures for proxied packets in each of these cases are given in Appendix \ref{appendix:layered-security}, as Figure \ref{fig:whole-network-vpn-behind} and Figure \ref{fig:whole-network-vpn-infront} for the VPN Wireguard \citep{donenfeld_wireguard_2017}. In Figure \ref{fig:whole-network-vpn-infront}, the portals are only accessible via the VPN protected network. It can be seen that the packet in Figure \ref{fig:whole-network-vpn-infront} is shorter, given the removal of the message authentication code and the data sequence number. The data sequence number is unnecessary, given that Wireguard uses the same anti-replay algorithm, and thus replayed packets would have been caught entering the secure network. Further, the message authentication code is unnecessary, as the authenticity of packets is now guaranteed by Wireguard.
|
||||||
|
|
||||||
\begin{figure}
|
|
||||||
\begin{leftfullpage}
|
|
||||||
\centering
|
|
||||||
\begin{bytefield}[bitwidth=0.6em]{32}
|
|
||||||
\bitheader{0-31} \\
|
|
||||||
\wordbox[tlr]{1}{IPv4 Header} \\
|
|
||||||
\wordbox[blr]{1}{$\cdots$} \\
|
|
||||||
\begin{rightwordgroup}{UDP\\Header}
|
|
||||||
\bitbox{16}{Source port} & \bitbox{16}{Destination port} \\
|
|
||||||
\bitbox{16}{Length} & \bitbox{16}{Checksum}
|
|
||||||
\end{rightwordgroup} \\
|
|
||||||
\begin{rightwordgroup}{CC\\Header}
|
|
||||||
\bitbox{32}{Acknowledgement number} \\
|
|
||||||
\bitbox{32}{Negative acknowledgement number} \\
|
|
||||||
\bitbox{32}{Sequence number}
|
|
||||||
\end{rightwordgroup} \\
|
|
||||||
\begin{rightwordgroup}{Proxied\\Wireguard\\Packet}
|
|
||||||
\wordbox[tlr]{1}{IPv4 Header} \\
|
|
||||||
\wordbox[blr]{1}{$\cdots$} \\
|
|
||||||
\begin{leftwordgroup}{UDP Header}
|
|
||||||
\bitbox{16}{Source port} & \bitbox{16}{Destination port} \\
|
|
||||||
\bitbox{16}{Length} & \bitbox{16}{Checksum}
|
|
||||||
\end{leftwordgroup} \\
|
|
||||||
\begin{leftwordgroup}{Wireguard\\Header}
|
|
||||||
\bitbox{8}{type} & \bitbox{24}{reserved} \\
|
|
||||||
\wordbox{1}{receiver} \\
|
|
||||||
\wordbox{2}{counter}
|
|
||||||
\end{leftwordgroup} \\
|
|
||||||
\wordbox[tlr]{1}{Proxied IP packet} \\
|
|
||||||
\skippedwords\\
|
|
||||||
\wordbox[blr]{1}{}
|
|
||||||
\end{rightwordgroup} \\
|
|
||||||
\begin{rightwordgroup}{Security\\Footer}
|
|
||||||
\bitbox{32}{Data sequence number} \\
|
|
||||||
\wordbox[tlr]{1}{Message authentication code} \\
|
|
||||||
\wordbox[blr]{1}{$\cdots$}
|
|
||||||
\end{rightwordgroup}
|
|
||||||
\end{bytefield}
|
|
||||||
|
|
||||||
\caption{Packet structure for a configuration with a Wireguard client behind my multipath proxy.}
|
|
||||||
\label{fig:whole-network-vpn-behind}
|
|
||||||
\end{leftfullpage}
|
|
||||||
\end{figure}
|
|
||||||
|
|
||||||
\begin{figure}
|
|
||||||
\begin{fullpage}
|
|
||||||
\centering
|
|
||||||
\begin{bytefield}[bitwidth=0.6em]{32}
|
|
||||||
\bitheader{0-31} \\
|
|
||||||
\wordbox[tlr]{1}{IPv4 Header} \\
|
|
||||||
\wordbox[blr]{1}{$\cdots$}\\
|
|
||||||
\begin{rightwordgroup}{UDP\\Header}
|
|
||||||
\bitbox{16}{Source port} & \bitbox{16}{Destination port} \\
|
|
||||||
\bitbox{16}{Length} & \bitbox{16}{Checksum}
|
|
||||||
\end{rightwordgroup} \\
|
|
||||||
\begin{rightwordgroup}{Wireguard\\Header}
|
|
||||||
\bitbox{8}{type} & \bitbox{24}{reserved} \\
|
|
||||||
\wordbox{1}{receiver} \\
|
|
||||||
\wordbox{2}{counter}
|
|
||||||
\end{rightwordgroup} \\
|
|
||||||
\begin{rightwordgroup}{Tunnelled\\Proxy\\Packet}
|
|
||||||
\wordbox[tlr]{1}{IPv4 Header} \\
|
|
||||||
\wordbox[blr]{1}{$\cdots$}\\
|
|
||||||
\begin{leftwordgroup}{UDP Header}
|
|
||||||
\bitbox{16}{Source port} & \bitbox{16}{Destination port} \\
|
|
||||||
\bitbox{16}{Length} & \bitbox{16}{Checksum}
|
|
||||||
\end{leftwordgroup} \\
|
|
||||||
\begin{leftwordgroup}{CC\\Header}
|
|
||||||
\bitbox{32}{Acknowledgement number} \\
|
|
||||||
\bitbox{32}{Negative acknowledgement number} \\
|
|
||||||
\bitbox{32}{Sequence number}
|
|
||||||
\end{leftwordgroup} \\
|
|
||||||
\wordbox[tlr]{1}{Proxied IP packet} \\
|
|
||||||
\skippedwords\\
|
|
||||||
\wordbox[blr]{1}{}
|
|
||||||
\end{rightwordgroup}
|
|
||||||
\end{bytefield}
|
|
||||||
|
|
||||||
\caption{Packet structure for a configuration with a Wireguard client in front of my multipath proxy.}
|
|
||||||
\label{fig:whole-network-vpn-infront}
|
|
||||||
\end{fullpage}
|
|
||||||
\end{figure}
|
|
||||||
|
|
||||||
Supporting and encouraging this layering of protocols provides a second benefit: if the security in my solution degrades with time, there are two options to repair it. One can either fix the open source application, or compose it with a security solution that is not broken, but perhaps provides redundant security guarantees, translating to additional overhead. To this end, the security features mentioned are all configurable. This allows for flexibility in implementation.
|
Supporting and encouraging this layering of protocols provides a second benefit: if the security in my solution degrades with time, there are two options to repair it. One can either fix the open source application, or compose it with a security solution that is not broken, but perhaps provides redundant security guarantees, translating to additional overhead. To this end, the security features mentioned are all configurable. This allows for flexibility in implementation.
|
||||||
|
|
||||||
|
@ -176,6 +176,7 @@
|
|||||||
\begin{appendices} % Using appendices environment for more functunality
|
\begin{appendices} % Using appendices environment for more functunality
|
||||||
|
|
||||||
\include{A1_LanguageSamples/languagesamples}
|
\include{A1_LanguageSamples/languagesamples}
|
||||||
|
\include{A2_LayeredSecurity/layeredsecurity}
|
||||||
\include{A3_OutboundGraphs/outboundgraphs}
|
\include{A3_OutboundGraphs/outboundgraphs}
|
||||||
\include{A4_ProjectProposal/projectproposal}
|
\include{A4_ProjectProposal/projectproposal}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user