
IPOP - IP over P2P



I want to share and discuss the possibilities of running IP over P2P networks, using IPOP as an example.

Briefly:
IPOP (IP-over-P2P) is a software-based virtual network that can serve as the basis for building virtual private networks spanning multiple providers and administrative domains. IPOP is built as a peer-to-peer overlay network that tunnels and routes encapsulated IP packets, which are picked up from and delivered to virtual network interfaces (v-NICs). An IPOP network consists of peer-to-peer routers running on the endpoints that join the virtual network (for example, virtual machines located in the networks of different providers).



This quick guide will let you deploy an IP-over-P2P virtual network between virtual machines located in different commercial and private networks, so that they behave as if they were on the same reachable network segment.

The first step is to deploy at least two virtual machines that will be connected by the IPOP virtual network. IPOP runs inside the virtual machine; the only requirement is an Internet connection. It does not matter how it is connected, with a public IP address or behind NAT. For example, you can run one virtual machine on your computer and another in the cloud.

Currently the IPOP package exists only for Debian/Ubuntu, so the machines will have to run one of these distributions (translator's note: I will omit the ways of installing distributions on various cloud services and virtual machines. I was basically able to connect two machines, one in VirtualBox and one “real” DigitalCloud machine; it makes no difference).

Step two is to establish a connection between the two virtual machines.
We now have two virtual machines connected to the Internet. At this stage we will install and configure an IPOP network between them.

To begin with, in order to simplify the setup, we use configuration files with predefined values. From here on we will call our virtual machines Alice and Bob. The Alice machine will have the IP address 192.168.10.10 on the IPOP network, and the Bob machine will have 192.168.10.20.

Log in to the Alice machine as root.

 wget http://www.acis.ufl.edu/~renato/ipopdemo/ipop_demo_prepare_debian.zip
 apt-get install unzip
 unzip ipop_demo_prepare_debian.zip


Configure the virtual network endpoint. To do this we need two values: a unique string identifying your virtual network in the P2P space, and the virtual IP address. The script below helps set these values. Replace CHANGE_THIS with a string that uniquely identifies your virtual network, for example: ipop_tutorial_05_21_2013_your_name . The second parameter is the last byte of the virtual IP address. For Alice it will be “10”, so the resulting address will be 192.168.10.10.

Run the autotune script:

 ./ipop_demo_prepare.sh CHANGE_THIS 10 


After the script finishes, we can see that a virtual “tapipop” interface has appeared with the IP address 192.168.10.10 (note: we assume that the virtual subnet 192.168.10.0/255.255.255.0 does not conflict with the address space of the network your virtual machine is connected to. If it does, you can change the values for the virtual network in ipop_demo_prepare.sh).

Check the network interface:

 ifconfig tapipop 


You should see something like this:

 tapipop   Link encap:Ethernet  HWaddr 96:44:a8:53:67:2a
           inet addr:192.168.10.10  Bcast:192.168.255.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1200  Metric:1
           RX packets:525 errors:0 dropped:0 overruns:0 frame:0
           TX packets:277 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:500
           RX bytes:56314 (56.3 KB)  TX bytes:32314 (32.3 KB)


Now configure the Bob machine. Repeat the same operations (as root):

 wget http://www.acis.ufl.edu/~renato/ipopdemo/ipop_demo_prepare_debian.zip
 apt-get install unzip
 unzip ipop_demo_prepare_debian.zip


To join the same virtual network, we have to specify the same unique string as on the Alice machine: replace CHANGE_THIS with ipop_tutorial_05_21_2013_your_name in our case.

 ./ipop_demo_prepare.sh CHANGE_THIS 20 


Check that a tapipop interface with the IP address 192.168.10.20 has appeared.

We will use the ping utility to test communication between the Alice and Bob machines over the virtual network. Once we have confirmed that ICMP packets get through, we will be able to send any TCP/IP traffic through our network.

From the Alice machine, ping the Bob machine:

 ping 192.168.10.20 


(or vice versa, from Bob to Alice: ping 192.168.10.10)

In the usual case, assuming the machines are not behind NAT, we will observe the following picture: the first ICMP packets are dropped, then a few replies arrive with a latency of around 1000 ms, then replies with normal latency. The example below shows the output as if your machines were in the same data center. Latency can be higher or lower depending on network conditions and the presence of NAT or a firewall.

 PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
 From 192.168.10.10 icmp_seq=1 Destination Host Unreachable
 From 192.168.10.10 icmp_seq=2 Destination Host Unreachable
 From 192.168.10.10 icmp_seq=3 Destination Host Unreachable
 From 192.168.10.10 icmp_seq=4 Destination Host Unreachable
 From 192.168.10.10 icmp_seq=5 Destination Host Unreachable
 64 bytes from 192.168.10.20: icmp_req=6 ttl=64 time=1008 ms
 64 bytes from 192.168.10.20: icmp_req=7 ttl=64 time=8.46 ms
 64 bytes from 192.168.10.20: icmp_req=8 ttl=64 time=1.87 ms
 64 bytes from 192.168.10.20: icmp_req=9 ttl=64 time=1.87 ms
 64 bytes from 192.168.10.20: icmp_req=10 ttl=64 time=1.64 ms


What happens in this example? Your virtual machines are connected through a large peer-to-peer network with nodes around the world. The PlanetLab testbed is used to host the IPOP network.

Before Alice and Bob can talk to each other, they must find each other's identifiers in the peer-to-peer network. For the first few seconds Alice and Bob are already part of the P2P network, but since they have not communicated before, a name resolution in the IPOP namespace is required: mapping virtual IP addresses to the peers' unique identifiers. The lookup is performed with DHT requests to the peer-to-peer network. Until the lookup completes, packets are discarded (packets 1 through 5 in the example above).

As soon as the IP-to-P2P mapping is found, packets start flowing between Alice and Bob. However, some more time is spent establishing a path in the peer-to-peer network: Alice and Bob simultaneously try to set up a direct path to each other through several P2P nodes. As soon as they succeed, the latency drops significantly (packets 7-10).
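To make the three phases visible on real output, here is an added diagnostic (not part of the original post or the IPOP project) that parses ping output in the format shown above and splits the probes into the DHT-lookup, path-setup and direct-path phases; the 500 ms threshold separating path setup from a direct path is an assumption chosen for this example.

```python
import re

# Constructed sample: the ping transcript from the tutorial, embedded for offline use.
SAMPLE_PING = """\
PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
From 192.168.10.10 icmp_seq=1 Destination Host Unreachable
From 192.168.10.10 icmp_seq=2 Destination Host Unreachable
From 192.168.10.10 icmp_seq=3 Destination Host Unreachable
From 192.168.10.10 icmp_seq=4 Destination Host Unreachable
From 192.168.10.10 icmp_seq=5 Destination Host Unreachable
64 bytes from 192.168.10.20: icmp_req=6 ttl=64 time=1008 ms
64 bytes from 192.168.10.20: icmp_req=7 ttl=64 time=8.46 ms
64 bytes from 192.168.10.20: icmp_req=8 ttl=64 time=1.87 ms
64 bytes from 192.168.10.20: icmp_req=9 ttl=64 time=1.87 ms
64 bytes from 192.168.10.20: icmp_req=10 ttl=64 time=1.64 ms
"""

# Older ping prints icmp_req, newer ping prints icmp_seq; accept both.
UNREACHABLE_RE = re.compile(r"icmp_(?:req|seq)=(\d+) Destination Host Unreachable")
REPLY_RE = re.compile(r"icmp_(?:req|seq)=(\d+) ttl=\d+ time=([\d.]+) ms")


def parse_ping(text):
    """Return [(seq, rtt_ms)] in order; rtt_ms is None for a dropped probe."""
    probes = []
    for line in text.splitlines():
        m = UNREACHABLE_RE.search(line)
        if m:
            probes.append((int(m.group(1)), None))
            continue
        m = REPLY_RE.search(line)
        if m:
            probes.append((int(m.group(1)), float(m.group(2))))
    return probes


def overlay_phases(probes, slow_ms=500.0):
    """Classify probes: dropped -> 'lookup' (DHT resolution pending),
    slow reply -> 'path_setup' (direct path still being negotiated),
    fast reply -> 'direct'. Returns {phase: [seq, ...]} (assumed threshold)."""
    phases = {"lookup": [], "path_setup": [], "direct": []}
    for seq, rtt in probes:
        if rtt is None:
            phases["lookup"].append(seq)
        elif rtt >= slow_ms:
            phases["path_setup"].append(seq)
        else:
            phases["direct"].append(seq)
    return phases


def converged(phases):
    """True once a direct path exists and the last probe used it."""
    last = max((s for seqs in phases.values() for s in seqs), default=None)
    return bool(phases["direct"]) and last in phases["direct"]
```

If `converged()` stays False on a long run, the overlay never got past relayed forwarding, which is where the NAT or firewall conditions mentioned above should be examined.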

Securing the connection between Alice and Bob.

At this point we have two virtual machines connected through an IPOP virtual network, but the connection between them is not yet secure. We will now configure IPsec to provide security at the IP layer.

There are many ways to configure IPsec, but it is important to note that IPsec runs on top of IPOP, and because of this layering neither the IPsec implementation (in the Linux kernel) nor IPOP needs to be changed.

In this step we will again use pre-made configuration files to minimize the effort. We will use Racoon to bring up IPsec, with a configuration based on X.509 certificates.

In this example, Alice and Bob use certificates signed by one certificate authority (CA). Run the following commands on the Alice machine:

 wget http://www.acis.ufl.edu/~renato/ipopdemo/ipop_ipsec_demo_prepare_debian.zip
 unzip ipop_ipsec_demo_prepare_debian.zip
 ./ipop_ipsec_demo_prepare.sh


The script will do the following:

1. Creates a CA certificate (cacert.pem), a host certificate (host-cert.pem) and a private key for each endpoint (host-key.pem) in the /etc/racoon/certs folder.
2. Creates the configuration file /etc/racoon/racoon.conf, which specifies which X.509 certificates are used and configures the other security settings.
3. Creates the file /etc/ipsec-tools.conf, which requires that all communication in the IPOP virtual network be protected by IPsec.
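The post does not show the contents of the generated files, so the following is an illustrative reconstruction added here (not the demo script's actual output) of what the two files have to express: the SPD in /etc/ipsec-tools.conf makes ESP mandatory for the 192.168.10.0/24 overlay, and racoon.conf authenticates peers with certificates chained to cacert.pem. Algorithm choices and the "anonymous" peer block are assumptions.

```conf
# /etc/ipsec-tools.conf (illustrative) -- security policy loaded by setkey.
flush;
spdflush;
# Transport-mode ESP is "require"d in both directions for all overlay traffic:
# a packet in 192.168.10.0/24 that is not ESP-protected is dropped, which is why
# a peer that stops using IPsec (or fails authentication) cannot reach the other.
spdadd 192.168.10.0/24 192.168.10.0/24 any -P out ipsec esp/transport//require;
spdadd 192.168.10.0/24 192.168.10.0/24 any -P in  ipsec esp/transport//require;

# /etc/racoon/racoon.conf (illustrative) -- IKE negotiation for the policy above.
path certificate "/etc/racoon/certs";

remote anonymous {
        exchange_mode main;
        # This host's certificate and key, generated by the demo script.
        certificate_type x509 "host-cert.pem" "host-key.pem";
        # Trust anchor: only peers whose certificate chains to this CA are accepted,
        # so the CA key must never be shared outside the group of VMs.
        ca_type x509 "cacert.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method rsasig;
                dh_group modp2048;
        }
}

sainfo anonymous {
        pfs_group modp2048;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
```

`setkey -DP` shows the policies actually loaded, and `setkey -D` shows the security associations Racoon has negotiated.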

The same steps must be repeated on the Bob machine.

After that, start the ping from the Alice machine to the Bob machine:

 ping 192.168.10.20 


You will see the same behavior as in the previous step: the first packets are dropped, then the connection is established. Bob can also ping Alice. The only difference is that the connection between them is now authenticated and encrypted. If Alice stops using IPsec or presents a certificate that is not properly signed, she will no longer be able to connect to Bob (and vice versa).

You can verify that IPsec is in effect with tcpdump, comparing the traffic with IPsec enabled on both machines and with it disabled.

If you run into connection problems, you can restart IPOP:

 /etc/init.d/groupvpn.sh stop
 /etc/init.d/groupvpn.sh start


or stop IPsec:

 setkey -F
 setkey -FP
 /etc/init.d/racoon stop


Source: FutureGrid (the page also lists contacts for the IPOP development team).
Official IPOP project page

IPOP is an active open source project that other services build on.

I would like to discuss the future of such an interesting project, its pros and cons.

In my opinion, there is a lack of full out-of-the-box encryption and of greater decentralization, as in the Bitcoin network, for example. Although the official page does contain references to projects that use IPOP as their basis and provide encryption.

You can consider IPOP both as a basis for other services and as a prototype for systems with a similar function.

Source: https://habr.com/ru/post/208676/