diff options
author | t3sserakt <t3ss@posteo.de> | 2023-05-05 20:51:08 +0200 |
---|---|---|
committer | t3sserakt <t3ss@posteo.de> | 2023-05-05 20:51:08 +0200 |
commit | a30aa177f83b28cdc819a7ee7eaf90afdcef03ee (patch) | |
tree | 460a60f79bce3d6f5358bbe529596e9792e30f29 | |
parent | eb88cb2be93e901ba2db0b980a3ffbe960b2e929 (diff) | |
download | www-a30aa177f83b28cdc819a7ee7eaf90afdcef03ee.tar.gz www-a30aa177f83b28cdc819a7ee7eaf90afdcef03ee.zip |
Added info about finished final milestone to L2O page, added project page for new nlnet project, changed dev page
-rw-r--r-- | template/dev_pages/t3sserakt.html.j2 | 53 | ||||
-rw-r--r-- | template/l2o/index.html.j2 | 2 | ||||
-rw-r--r-- | template/probnat/index.html.j2 | 213 |
3 files changed, 225 insertions, 43 deletions
diff --git a/template/dev_pages/t3sserakt.html.j2 b/template/dev_pages/t3sserakt.html.j2 index 93e9c39f..3a4116a3 100644 --- a/template/dev_pages/t3sserakt.html.j2 +++ b/template/dev_pages/t3sserakt.html.j2 | |||
@@ -24,8 +24,11 @@ | |||
24 | <h2>{{ _("Current Work") }}</h2> | 24 | <h2>{{ _("Current Work") }}</h2> |
25 | <p> | 25 | <p> |
26 | {% trans %} | 26 | {% trans %} |
27 | At the moment I am working on Transport Next Generation (TNG). The current GNUnet TRANSPORT architecture with its pluggable transport mechanism (TCP, UDP, HTTP(S) and other protocols) together with the ATS subsystem for bandwidth allocation and choosing plugins has several issues with its design. With the Layer-2-Overlay project we like to implement the design goals of the future GNUnet TRANSPORT Next Generation (TNG) subsystem. For details have a look on the <a href="https://www.gnunet.org/en/l2o/">project page</a>. | 27 | Today consumer devices are behind a NAT quite often, restricting internet connectivity. There are several methods to reach peers being |
28 | {% endtrans %} | 28 | behind a NAT, but there are as many reasons those existing methods might fail. We will implement a new way of NAT traversal that we |
29 | think of being independent from the existing network configuration, and does not require a third party which is not natted helping two | ||
30 | peers to connect to each other. For details have a look on the <a href="../probnat/">project page</a> | ||
31 | {% endtrans %} | ||
29 | </p> | 32 | </p> |
30 | </section> | 33 | </section> |
31 | </div> | 34 | </div> |
@@ -38,48 +41,14 @@ | |||
38 | <div class="col-lg-2"></div> | 41 | <div class="col-lg-2"></div> |
39 | <div class="col-lg-6"> | 42 | <div class="col-lg-6"> |
40 | <section> | 43 | <section> |
41 | <h2>{{ _("Future Work") }}</h2> | 44 | <h2>{{ _("Past Project") }}</h2> |
42 | <p> | 45 | |
43 | {% trans %} | 46 | <h3>{{ _("Transport Next Generation") }}</h3> |
44 | The next project I will work on is named "Probabilistic NAT Traversal". | ||
45 | {% endtrans %} | ||
46 | </p> | ||
47 | <p> | 47 | <p> |
48 | {% trans %} | 48 | {% trans %} |
49 | Today consumer devices are behind a NAT quite often, restricting internet connectivity. There are several methods to reach peers being | 49 | The current GNUnet TRANSPORT architecture with its pluggable transport mechanism (TCP, UDP, HTTP(S) and other protocols) together with the ATS subsystem for bandwidth allocation and choosing plugins has several issues with its design. With the Layer-2-Overlay project we like to implement the design goals of the future GNUnet TRANSPORT Next Generation (TNG) subsystem. For details have a look on the <a href="../l2o/">project page</a>. |
50 | behind a NAT, but there are as many reasons those existing methods might fail. We will implement a new way of NAT traversal that we | 50 | {% endtrans %} |
51 | think of being independent from the existing network configuration, and does not require a third party which is not natted helping two | ||
52 | peers to connect to each other. Two peers trying to connect to each other will send out a burst of connection attempts to the other peer on | ||
53 | different ports. The sheer vast amount of connections attempts from both side will lead to a high probability that two connection attempts | ||
54 | from both peers onto the same port will be at the same time leading to a successful connection between those peers. | ||
55 | {% endtrans %} | ||
56 | </p> | 51 | </p> |
57 | <p> | ||
58 | {% trans %} | ||
59 | There are two problems a NAT traversal method has to solve. First there needs to be a method to know the global IP address of a peer A | ||
60 | another peer B wants to connect to. Second – because inbound connections from the outside are blocked by the NAT firewall of peer A, | ||
61 | peer A needs to be informed of a connection attempt by peer B. The most common solution for both problems is to have a third party C | ||
62 | which is not behind a NAT. This third party C obviously knows the global IP address of natted peers, after peer A is trying to connect to | ||
63 | C. Peer B tells C it likes to connect to peer A, and C informs A about it. Using this method for a privacy preserving network like GNUnet, | ||
64 | this could facilitate eclipse attacks (isolating a peer) which then can be used for deanonymization attacks and cencorship. Also any | ||
65 | additional infrastructure needed to provide some kind of functionality has to be maintained by someone, becoming a target and/or point of | ||
66 | failure. Therefore this method is not suitable. More sophisticated methods like "Autonomous NAT Traversal (pwnat)" using ICMP fake | ||
67 | message, which do not need a third party for the initiation of the connection, are not successful in all circumstances, because this method | ||
68 | depend on the behavior of the NAT firewall. | ||
69 | {% endtrans %} | ||
70 | </p> | ||
71 | <p> | ||
72 | {% trans %} | ||
73 | If two natted peers are using the method to start a burst of connection attempts, this method still needs the global IP of the other peer and a “start signal” to coordinate. In the NGI Assure project L2O we are establishing a backchannel with neighbourhood routing over an ad- | ||
74 | hoc distance vector protocol to solve the problem of not directly connected peers. The peers serving as hops to a distant peer which are a | ||
75 | direct neighbour of the start or end peer on that path do know the global IP address of the start or end peer. If those two peers like to use | ||
76 | the burst method for hole punching the global IP address is known. Via the distance vector protocol we are also able to communicate the | ||
77 | "start signal". Also in the L2O project we introduced a new test framework for GNUnet to test network setups with peers having | ||
78 | restricted connectivity. This test framework will be used to create test setups suitable to test possible NAT configurations. A challenge for | ||
79 | this NAT traversal method will be how to handle the burst in terms of network load, thus we need to experiment with different | ||
80 | frequencies and the amount of connection attempts. | ||
81 | {% endtrans %} | ||
82 | </p> | ||
83 | </section> | 52 | </section> |
84 | </div> | 53 | </div> |
85 | </div> | 54 | </div> |
@@ -91,7 +60,7 @@ frequencies and the amount of connection attempts. | |||
91 | <div class="col-lg-2"></div> | 60 | <div class="col-lg-2"></div> |
92 | <div class="col-lg-6"> | 61 | <div class="col-lg-6"> |
93 | <section> | 62 | <section> |
94 | <h2>{{ _("Past Work") }}</h2> | 63 | <h2>{{ _("Voluntary Work") }}</h2> |
95 | <p> | 64 | <p> |
96 | {% trans %} | 65 | {% trans %} |
97 | In the past I have tried to help making the vision of the <a href="http://secushare.org">secushare</a> project a reality. To achieve this the GNUnet framework was the perfect match for a solution to fullfill the privacy preserving part of that vision, and we could concentrate to build a tool for social communication that deserves its name. While trying to use GNUnet, we found and fixed bugs. For example there was one <a href="https://bugs.gnunet.org/view.php?id=5822">bug</a> in CADET which prevented the re-establishment of a connection after a communication partner suddenly stopped communicating. From our perspective there is no alternativ to GNUnet, which led us to first bring the parts of GNUnet needed by secushare to a state that they can be used prouctively. | 66 | In the past I have tried to help making the vision of the <a href="http://secushare.org">secushare</a> project a reality. To achieve this the GNUnet framework was the perfect match for a solution to fullfill the privacy preserving part of that vision, and we could concentrate to build a tool for social communication that deserves its name. While trying to use GNUnet, we found and fixed bugs. For example there was one <a href="https://bugs.gnunet.org/view.php?id=5822">bug</a> in CADET which prevented the re-establishment of a connection after a communication partner suddenly stopped communicating. From our perspective there is no alternativ to GNUnet, which led us to first bring the parts of GNUnet needed by secushare to a state that they can be used prouctively. |
diff --git a/template/l2o/index.html.j2 b/template/l2o/index.html.j2 index bfc37f50..17644fde 100644 --- a/template/l2o/index.html.j2 +++ b/template/l2o/index.html.j2 | |||
@@ -74,7 +74,7 @@ | |||
74 | 74 | ||
75 | <h2><a name="milestones" class="subnav-anchor"></a>{{ _("Milestones") }}</h2></br> | 75 | <h2><a name="milestones" class="subnav-anchor"></a>{{ _("Milestones") }}</h2></br> |
76 | 76 | ||
77 | <p>The next milestone to be reached is milestone 5.</p></br> | 77 | <p>All milestones are finished.</p></br> |
78 | 78 | ||
79 | <h3><a name="milestone1" class="subnav-anchor"></a>{{ _("Milestone 1 Test Infrastructure and minimal Test Case") }}</h3></br> | 79 | <h3><a name="milestone1" class="subnav-anchor"></a>{{ _("Milestone 1 Test Infrastructure and minimal Test Case") }}</h3></br> |
80 | <section> | 80 | <section> |
diff --git a/template/probnat/index.html.j2 b/template/probnat/index.html.j2 new file mode 100644 index 00000000..077543e3 --- /dev/null +++ b/template/probnat/index.html.j2 | |||
@@ -0,0 +1,213 @@ | |||
1 | {% extends "common/base.j2" %} | ||
2 | {% block body_content %} | ||
3 | <main id="maincontent"> | ||
4 | <article class="container"> | ||
5 | |||
6 | <header> | ||
7 | <h1>{{ _("NGI Assure project: Probabilistic NAT Traversal") }}</h1> | ||
8 | </header> | ||
9 | |||
10 | <div class="row"> | ||
11 | <div class="col-2 d-none d-lg-block"><!-- for large viewports show menu for better orientation --> | ||
12 | <nav class="nav subnav position-fixed flex-column border-right" style="position:fixed"> | ||
13 | <a class="nav-link" href="#idea">{{ _("Project motivation") }}</a> | ||
14 | <a class="nav-link" href="#milestones">{{ _("Milestones") }}</a> | ||
15 | <a class="nav-link" href="#milestone1">{{ _("Milestone 1") }}</a> | ||
16 | <a class="nav-link" href="#milestone2">{{ _("Milestone 2") }}</a> | ||
17 | <a class="nav-link" href="#milestone3">{{ _("Milestone 3") }}</a> | ||
18 | <a class="nav-link" href="#milestone4">{{ _("Milestone 4") }}</a> | ||
19 | <a class="nav-link" href="#milestone5">{{ _("Milestone 5") }}</a> | ||
20 | <a class="nav-link" href="#milestone6">{{ _("Milestone 6") }}</a> | ||
21 | <a class="nav-link" href="#milestone6">{{ _("Milestone 7") }}</a> | ||
22 | </nav> | ||
23 | </div> | ||
24 | <div class="col"> | ||
25 | |||
26 | <section> | ||
27 | <p> | ||
28 | {% trans %} | ||
29 | This project was funded through the NGI Assure Fund, a fund established by <a href="https://nlnet.nl/project/ProbabilisticNAT">NLnet</a>.</br> | ||
30 | {% endtrans %} | ||
31 | </p> | ||
32 | </section> | ||
33 | |||
34 | |||
35 | <h2><a name="idea" class="subnav-anchor"></a>{{ _("Project motivation") }}</h2></br> | ||
36 | |||
37 | <section> | ||
38 | <h4>The Problem</h4></br> | ||
39 | <p> | ||
40 | {% trans %} | ||
41 | For establishing a peer to peer (p2p) network among regular internet users, unhindered connectivity is anything but self-evident. Today consumer devices are often not directly reachable via the internet but quite often are behind a so called NAT delivering only indirect internet connectivity. | ||
42 | {% endtrans %} | ||
43 | </p></br> | ||
44 | </section> | ||
45 | |||
46 | <section> | ||
47 | <h4>NAT Traversal Methods</h4></br> | ||
48 | <p> | ||
49 | {% trans %} | ||
50 | There are several methods to reach peers who are behind a NAT, but there are as many reasons those existing methods might fail. Manual configuration for example, as it is possible for example with home routers, often does not work for mobile devices like mobile phones. A further category of methods is subsumed under the term NAT hole punching. This exploits a behavior of the gateway that keeps the port of an outgoing packet open for a potential response. To make this port known to another peer a third peer is needed who is not behind a NAT. Using this method for a privacy preserving network like GNUnet, this could facilitate eclipse attacks (isolating a peer) which then can be used for deanonymization attacks and cencorship. Also any additional infrastructure needed to provide some kind of functionality has to be maintained by someone, becoming a target and/or point of failure. Therefore this method is not suitable. More sophisticated methods like "Autonomous NAT Traversal (pwnat)" using ICMP fake message, which do not need a third party for the initiation of the connection, are not successful in all circumstances, because this method depend on the behavior of the NAT firewall. All methods have in common that the external IP address of the peer behind the NAT must be known. | ||
51 | {% endtrans %} | ||
52 | </p></br> | ||
53 | </section> | ||
54 | |||
55 | <section> | ||
56 | <h4>Alternative Solution</h4></br> | ||
57 | <p> | ||
58 | {% trans %} | ||
59 | Two peers trying to connect to each other will send out a burst of connection attempts to the other peer on different ports. The sheer vast amount of connections attempts from both side will lead to a high probability that two connection attempts from both peers onto the same port will be at the same time leading to a successful connection between those peers. If two natted peers are using the method to start a burst of connection attempts, this method still needs the global IP of the other peer and a “start signal” to coordinate. In the NGI Assure project <a href="../l2o">L2O</a> we are establishing a backchannel with neighbourhood routing over an ad-hoc distance vector protocol to solve the problem of not directly connected peers. The peers serving as hops to a distant peer which are a direct neighbour of the start or end peer on that path do know the global IP address of the start or end peer. If those two peers like to use the burst method for hole punching the global IP address is known. Via the distance vector protocol we are also able to communicate the "start signal". | ||
60 | {% endtrans %} | ||
61 | </p></br> | ||
62 | </section> | ||
63 | |||
64 | <h2><a name="milestones" class="subnav-anchor"></a>{{ _("Milestones") }}</h2></br> | ||
65 | |||
66 | <p>The next milestone to be reached is milestone 1.</p></br> | ||
67 | |||
68 | <h3><a name="milestone1" class="subnav-anchor"></a>{{ _("Milestone 1 Test Infrastructure") }}</h3></br> | ||
69 | <section> | ||
70 | <p> | ||
71 | {% trans %} | ||
72 | Extending the testing framework, which was already designed and implemented for the L2O | ||
73 | project. | ||
74 | |||
75 | <ul> | ||
76 | <li>Enhance the testing framework with a new kind of component (NAT component).</li> | ||
77 | <li>Implement logic to keep ports open used during network translation.</li> | ||
78 | <li>Extend the test framework configuration to configure the new components.</li> | ||
79 | </ul></br> | ||
80 | {% endtrans %} | ||
81 | </p> | ||
82 | <h4>Deliverable</h4></br> | ||
83 | <p> | ||
84 | {% trans %} | ||
85 | Test case which tests the new testing functionality. Adding documentation. | ||
86 | {% endtrans %} | ||
87 | </p></br> | ||
88 | </section> | ||
89 | |||
90 | <h3><a name="milestone2" class="subnav-anchor"></a>{{ _("Milestone 2 Synchronization") }}</h3></br> | ||
91 | <section> | ||
92 | <p> | ||
93 | {% trans %} | ||
94 | This task is to implement the protocol that is doing the signaling for synchronizing two peers | ||
95 | which do like to connect to each other. | ||
96 | <ul> | ||
97 | <li>Two peers which got connected via DV signaling each other being behind a NAT.</li> | ||
98 | <li>Learning the external IP address+port from already connected peers, exchange with the | ||
99 | peers that want to connect.</li> | ||
100 | <li>Set a common start time. One peer is selected to be leading (comparing peer ids like it is | ||
101 | done in CADET)</li> | ||
102 | </ul> | ||
103 | {% endtrans %} | ||
104 | </p></br> | ||
105 | <h4>Deliverable</h4></br> | ||
106 | <p> | ||
107 | {% trans %} | ||
108 | Deliverable of this milestone is integrating the protocol implementation into the GNUnet | ||
109 | stack, a test case which tests that two peers successfully exchange the messages of the | ||
110 | implemented protocol until the condition is reached that both nodes are ready for the burst | ||
111 | mode. Additionally there will be a protocol documentation. | ||
112 | {% endtrans %} | ||
113 | </p></br> | ||
114 | </section> | ||
115 | |||
116 | <h3><a name="milestone3" class="subnav-anchor"></a>{{ _("Milestone 3 Burst Protocol") }}</h3></br> | ||
117 | <section> | ||
118 | <p> | ||
119 | {% trans %} | ||
120 | Burst to establish connectivity (IP_RAW, SYN send for TCP; normal for UDP). A burst of | ||
121 | synchronized (same ports on each peer) connection attempts on all available ports will lead to a | ||
122 | high probability for a successful connection.The connection in the TCP case is not final, because | ||
123 | the TCP connection is only done in the user space. | ||
124 | {% endtrans %} | ||
125 | </p></br> | ||
126 | <h4>Deliverable</h4> | ||
127 | <p> | ||
128 | {% trans %} | ||
129 | The protocol implementation will be integrated into the GNUnet stack, one Test case will | ||
130 | test two peers are finaly connected (UDP case), another test case for TCP tests if both | ||
131 | peers end up at the same port and the protocol will be documented. | ||
132 | {% endtrans %} | ||
133 | </p></br> | ||
134 | </section> | ||
135 | |||
136 | <h3><a name="milestone4" class="subnav-anchor"></a>{{ _("Milestone 4 TCP Repair") }}</h3></br> | ||
137 | <section> | ||
138 | <p> | ||
139 | {% trans %} | ||
140 | For the TCP case the connection was established sending packages from user space using raw | ||
141 | sockets. To let the kernel know about the TCP connection we will use the “repair mode” of the | ||
142 | setsockopt() system call. | ||
143 | {% endtrans %} | ||
144 | </p></br> | ||
145 | <h4>Deliverable</h4></br> | ||
146 | <p> | ||
147 | {% trans %} | ||
148 | Integration into the GNUnet stack and a test case testing two peers are finaly (kernel TCP | ||
149 | socket) connected. | ||
150 | {% endtrans %} | ||
151 | </p></br> | ||
152 | </section> | ||
153 | |||
154 | <h3><a name="milestone5" class="subnav-anchor"></a>{{ _("Milestone 5 Privilege Minimization") }}</h3><br/> | ||
155 | <section> | ||
156 | <p> | ||
157 | {% trans %} | ||
158 | Privilege minimization, using SUID/SGID helpers with required capabilities. We need privileged | ||
159 | access to system resources for some parts of the protocol, e.g. the TCP repair mode. This task | ||
160 | will implement helper executables which are doing this privileged access, to be used by other | ||
161 | components not having special privileges. (see § 2.2.1 Access Control, The GNUnet System, | ||
162 | https://grothoff.org/christian/habil.pdf) | ||
163 | {% endtrans %} | ||
164 | </p><br/> | ||
165 | <h4>Deliverable</h4><br/> | ||
166 | <p> | ||
167 | {% trans %} | ||
168 | Helper executables and cli applications using the helpers. Integration into the GNUnet | ||
169 | stack. Man pages for the cli applications. First release of all the implementation. | ||
170 | {% endtrans %} | ||
171 | </p><br/> | ||
172 | </section> | ||
173 | |||
174 | <h3><a name="milestone6" class="subnav-anchor"></a>{{ _("Milestone 6 Port Range Optimization") }}</h3><br/> | ||
175 | <section> | ||
176 | <p> | ||
177 | {% trans %} | ||
178 | Detect likely port ranges (peers exchanging lists of 'working' IP+Port combinations). | ||
179 | {% endtrans %} | ||
180 | </p><br/> | ||
181 | <h4>Deliverable</h4><br/> | ||
182 | <p> | ||
183 | {% trans %} | ||
184 | Test case with setup using specific port ranges testing use of port subset. First | ||
185 | optimization release. | ||
186 | {% endtrans %} | ||
187 | </p><br/> | ||
188 | </section> | ||
189 | |||
190 | <h3><a name="milestone6" class="subnav-anchor"></a>{{ _("Milestone 7 Optimization") }}</h3><br/> | ||
191 | <section> | ||
192 | <p> | ||
193 | {% trans %} | ||
194 | Prioritize likely working IP addresses (no point in trying to go from 10.x to 192.168.x). There might | ||
195 | be optimization we do not know anything about yet. | ||
196 | {% endtrans %} | ||
197 | </p><br/> | ||
198 | <h4>Deliverable</h4><br/> | ||
199 | <p> | ||
200 | {% trans %} | ||
201 | Test case with setup using specific IP addresses testing if not all available IP addresses | ||
202 | are used. Test cases testing general optimization. Second optimization release. | ||
203 | {% endtrans %} | ||
204 | </p><br/> | ||
205 | </section> | ||
206 | |||
207 | |||
208 | |||
209 | </div> | ||
210 | </div> | ||
211 | |||
212 | </article> | ||
213 | {% endblock body_content %} | ||