Archive for the ‘Networking & Security’ Category

When hosting multiple sites on a single IP address, HTTP/1.1 already has what it needs to route a request to the correct site: every HTTP/1.1 request carries a Host: header, which tells the server which site the client wishes to access.

Over SSL-secured connections this no longer works on its own: the SSL handshake, and with it the choice of server certificate, takes place before the client sends any HTTP headers, so the server cannot look at the Host: header to pick the right site. The problem is similar to the situation in HTTP/1.0, where the server had no way of knowing which host a request was addressed to. SNI (Server Name Indication) brings the same idea to SSL: it is an extension to the SSL negotiation in which the client indicates which server it wishes to access.
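To make this concrete, here is an added example in Python (my code, not from the post or from Apache): a builder that constructs a minimal ClientHello carrying a server_name extension, and a parser that reads the host name back out of the raw record. This is the field a TLS front end uses to select the certificate and virtual host before any HTTP is exchanged, and the same field a monitoring sensor or logging proxy extracts from the first packet of a connection. The cipher suite and the all-zero random are constructed values; the length checks are what stop a truncated or malformed ClientHello from being misread.

```python
import struct

# Added example (not from the post or Apache): build a minimal ClientHello and
# read the server_name (SNI) extension back from the raw TLS record.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
HOST_NAME = 0x00


def build_client_hello(server_name=None):
    """Constructed TLS 1.0-style ClientHello with only what is needed to carry SNI."""
    body = b"\x03\x01"                    # client_version
    body += b"\x00" * 32                  # random (constructed: all zero)
    body += b"\x00"                       # session_id: empty
    body += b"\x00\x02\x00\x2f"           # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                   # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from the SNI extension of a ClientHello, or None if
    the client sent none. Raises ValueError for anything that is not a
    well-formed ClientHello record, so a truncated packet is never misread."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len:
        raise ValueError("truncated record")
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("handshake length mismatch")

    def need(off, n):
        # Bounds check before every read: returns the offset just past the field.
        if off + n > len(hs):
            raise ValueError("truncated ClientHello")
        return off + n

    off = need(4, 2 + 32)                                  # client_version + random
    need(off, 1); sid_len = hs[off]; off = need(off + 1, sid_len)
    need(off, 2); cs_len = struct.unpack("!H", hs[off:off + 2])[0]; off = need(off + 2, cs_len)
    need(off, 1); cm_len = hs[off]; off = need(off + 1, cm_len)
    if off == len(hs):
        return None                                        # no extensions block at all
    need(off, 2); ext_total = struct.unpack("!H", hs[off:off + 2])[0]; off += 2
    end = need(off, ext_total)
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[off:off + 4]); off += 4
        if off + ext_len > end:
            raise ValueError("truncated extension")
        if ext_type == EXT_SERVER_NAME:
            return _host_name(hs[off:off + ext_len])
        off += ext_len
    return None


def _host_name(sni):
    """Walk the ServerNameList and return the first host_name entry."""
    if len(sni) < 2 or struct.unpack("!H", sni[:2])[0] != len(sni) - 2:
        raise ValueError("bad server_name list length")
    off = 2
    while off + 3 <= len(sni):
        name_type = sni[off]
        name_len = struct.unpack("!H", sni[off + 1:off + 3])[0]
        off += 3
        if off + name_len > len(sni):
            raise ValueError("truncated server_name entry")
        if name_type == HOST_NAME:
            return sni[off:off + name_len].decode("ascii")
        off += name_len
    return None


if __name__ == "__main__":
    print(parse_sni(build_client_hello("www.example.com")))   # www.example.com
    print(parse_sni(build_client_hello()))                    # None
```

A client that omits the extension (or an SSLv3-era client without any extensions block) yields None, which is exactly the case where a server can only fall back to its default certificate.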

Continue reading ‘SSL vhosts with Apache’ »

In Belgium there are 2 major ISPs: Telenet and Belgacom (Skynet). Neither of them allows you to run servers on your home DSL connection, but so far only Telenet enforced this, by simply blocking all incoming TCP connections on the low ports.

I regularly connect to my home server over SSH from all over the world to access my files, mail, photos, … Since not every network I encounter allows outgoing 22/TCP connections, I also listen on 80/TCP and 443/TCP for SSH connections. This setting allowed me to connect home from pretty much every network.

However, since somewhere this weekend, Belgacom started to filter incoming connections. My last successful attempt was around 2009-10-31T00:10+0100. When trying this again today around 16:00+0100, the connection was filtered. Unlike Telenet, Belgacom has the decency to reply with an “ICMP Administratively Prohibited” message. A quick port scan showed that the following ports are being filtered:

  • 23/tcp (telnet)
  • 80/tcp (http)
  • 443/tcp (https)
  • 992/tcp (telnets)
  • 8023/tcp (unknown)
  • 8085/tcp (unknown)
  • 8443/tcp (https-alt)

Connecting to home has just become more difficult… Guess I’ll start using IP over DNS

Update 2009-11-03

Found another blog describing this issue (in Dutch). Rumor has it that Belgacom will offer an opt-out of this filtering.

Update 2009-11-11

The filtering of ports 23, 80 and 443 can be disabled by browsing to the Belgacom e-service site and opting for “Basic Security” under “mijn internet – mijn opties”.

You don’t usually want to slow down your network connection deliberately, but when testing networking applications it can come in handy to simulate a worse network than the one you are actually on. This way you can simulate a 3G connection while actually running over WiFi.

Up until now, I used a Linux box with the netem and/or htb queueing disciplines. It turns out that Mac OS X can do most of this as well, using FreeBSD’s ipfw pipes. Throttling traffic to a single destination only takes 2 commands:

$ sudo ipfw pipe 1 config bw 256kbit/s
$ sudo ipfw add pipe 1 dst-ip 192.0.2.1 dst-port 80
00100 pipe 1 ip from any to any dst-ip 192.0.2.1 dst-port 80
$ # the rule number (00100) is assigned automatically; it is what you delete afterwards

$ sudo ipfw list
00100 pipe 1 ip from any to any dst-ip 192.0.2.1 dst-port 80
65535 allow ip from any to any
$ sudo ipfw pipe list
00001:   256 kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
 mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp

$ # do whatever you want

$ # clean up: remove the rule first, then the pipe it pointed at
$ sudo ipfw del 00100
$ sudo ipfw pipe del 00001

I tried to set up a very simple MPLS cloud with Cisco routers (actually dynamips-emulated routers), just as an exercise. For those interested, here is the ZIP file with the dynagen .net file and the router configurations. It includes overlapping IP space, multiple routing protocols and redistribution.

In Windows you can register “URL handlers”: programs that are run when you try to open a URL (via Start->Run, for example). “http://” for example is registered to Internet Explorer by default, and “telnet://” works as well. This is especially useful in combination with the URL field of KeePass: double-clicking on this field tries to “open” the specified URL.

However, “ssh://” is not a standard registered protocol. I’d like PuTTY to handle this. Also, “telnet://” gets you the standard Windows telnet client instead of PuTTY. PuTTY can be called with command line arguments; supplying a “telnet://” URL as a parameter works, but “ssh://” does not.

Hence, I wrote a very small wrapper program to accept “ssh://” URLs and convert them to PuTTY command line arguments:

  • Source code in C: ssh-to-putty.c
  • Compiled Windows executable: ssh-to-putty.exe (some virus scanners seem to think this is a virus; the exe is no longer available, please compile it yourself)
  • Registry commands to set PuTTY as the telnet handler: putty telnet url handler.reg
  • Registry commands to set the wrapper as the ssh handler: putty ssh url handler.reg

Some notes:

  • The registry commands assume PuTTY and the wrapper are installed in C:\Progs\SSH. If this is not the case, you need to change the .reg files accordingly
  • The wrapper program assumes putty.exe to be in the same directory as itself
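As an added example (my code, not the post’s ssh-to-putty.c, and in Python rather than C), here is the same conversion with the input validation a URL handler should do. The URL comes from whatever page or document contained the link, so the host, user and port are checked before they become command line arguments, and PuTTY is started with an argument list rather than a shell string. The -ssh, -telnet, -P and -l switches are PuTTY’s own; the putty_path default and the character classes accepted for host and user are assumptions of this example.

```python
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Added example, not the post's ssh-to-putty.c. PuTTY's -ssh, -telnet,
# -P <port> and -l <user> switches are real; the default putty_path and the
# accepted character classes below are assumptions of this example.
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
_USER_RE = re.compile(r"^[A-Za-z0-9._-]+$")
_DEFAULT_PORT = {"ssh": 22, "telnet": 23}


def url_to_putty_args(url, putty_path="putty.exe"):
    """Turn ssh://[user@]host[:port] or telnet://... into PuTTY's argument vector.

    A URL handler is fed whatever a web page or document put in the link, so
    every component is validated before it becomes an argument: a host such as
    "-evil" would otherwise be read by PuTTY as a switch rather than a name.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORT:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host = parts.hostname
    if not host or not _HOST_RE.match(host):          # IPv6 literals are out of scope here
        raise ValueError("invalid host in URL")
    user = parts.username
    if user is not None and not _USER_RE.match(user):
        raise ValueError("invalid user name in URL")
    if parts.password is not None:
        raise ValueError("passwords embedded in URLs are not passed on")
    try:
        port = parts.port                              # None if absent, ValueError if not numeric
    except ValueError:
        raise ValueError("invalid port in URL") from None
    args = [putty_path, "-" + scheme]
    if port is not None and port != _DEFAULT_PORT[scheme]:
        args += ["-P", str(port)]
    if user is not None:
        args += ["-l", user]
    args.append(host)
    return args


def launch(url, putty_path="putty.exe"):
    """Start PuTTY with an argument list (no shell involved, so no quoting problems)."""
    return subprocess.Popen(url_to_putty_args(url, putty_path))


if __name__ == "__main__":
    # Windows hands the clicked URL to the handler as its first argument.
    launch(sys.argv[1])
```

Registering this script as the ssh:// handler works the same way as the .reg files above: the registry command line points at the Python interpreter with the script path, followed by "%1" for the URL.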

rsync is a very nice tool to synchronize two directories, especially when they are on different machines. If you require confidentiality of the transferred data, rsync works great over ssh.

Besides the standard password authentication, ssh also supports public key authentication. Key-based authentication has the added bonus of per-key options:

  • you can restrict the source IP from which this key may be used
  • you can force a command to be executed instead of allowing the connecting side to specify one
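The two per-key options listed above are the from= and command= options of the authorized_keys file. As an added example (my code, not from the post, and a simplification of the rrsync script that ships with rsync), the Python below renders such an entry and implements the forced command: it inspects the command the client asked for (sshd passes it in SSH_ORIGINAL_COMMAND), accepts only an rsync --server invocation with rsync’s bundled short options, and folds the requested path under a fixed directory so a client holding the key cannot read or write outside it. The key material, address patterns and paths are constructed placeholders.

```python
import os
import re
import shlex
import sys

# Added example (not the post's code): an authorized_keys entry with per-key
# restrictions, and the forced command it points at. The rrsync script shipped
# with rsync does this job properly; this is a simplified illustration.
_SHORT_OPTS = re.compile(r"^-[a-zA-Z.]+$")   # rsync's bundled short flags, e.g. -vlogDtpre.iLsfxC
_LONG_OPTS_OK = {"--server", "--sender"}


def authorized_keys_line(pubkey, from_patterns, command):
    """Render an authorized_keys entry that restricts the key to the given
    source patterns (addresses, CIDR blocks or host names) and forced command,
    and switches off everything else the session could be used for."""
    options = [
        'from="%s"' % ",".join(from_patterns),
        'command="%s"' % command,
        "no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty",
    ]
    return ",".join(options) + " " + pubkey.strip()


def restrict_rsync(original_command, allowed_root):
    """Validate the client's requested command and return the argv that may run.

    Only 'rsync --server [--sender] <bundled short flags> . <path>' is accepted,
    and <path> is re-rooted under allowed_root so '..' or absolute paths cannot
    escape it. Anything else raises ValueError and the session is refused.
    """
    argv = shlex.split(original_command or "")
    if len(argv) < 4 or argv[0] != "rsync" or argv[1] != "--server":
        raise ValueError("only 'rsync --server ...' is permitted")
    options, dot, path = argv[2:-2], argv[-2], argv[-1]
    if dot != ".":
        raise ValueError("unexpected rsync server argument layout")
    for opt in options:
        if opt not in _LONG_OPTS_OK and not _SHORT_OPTS.match(opt):
            raise ValueError("rsync option not permitted: %s" % opt)
    root = os.path.normpath(allowed_root)
    target = os.path.normpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("requested path escapes %s" % root)
    return argv[:-1] + [target]


# Constructed sample entry: placeholder key material and addresses.
SAMPLE_ENTRY = authorized_keys_line(
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL backup@laptop",
    ["192.0.2.10", "198.51.100.0/24"],
    "/usr/local/bin/restrict-rsync",
)

if __name__ == "__main__":
    # Forced-command entry point; the confined directory is a constructed placeholder.
    try:
        cmd = restrict_rsync(os.environ.get("SSH_ORIGINAL_COMMAND"), "/srv/backup")
    except ValueError as err:
        sys.exit("refused: %s" % err)
    os.execvp(cmd[0], cmd)
```

With this entry in place, the client runs its normal rsync command with the directory relative to the confined root; rsync’s own server-side command line is what the forced command sees, and any attempt to run something else over the same key is refused before anything executes.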

Continue reading ‘Restricted rsync over ssh’ »

In 10BASE-T, Manchester encoding guaranteed that the line would stay “active” with transitions. 100BASE-TX uses a different approach: every 4-bit block (nibble) is translated into a 5-bit block (4B5B coding). These 5-bit blocks are specially designed to have the necessary transitions built in, while only adding 20% overhead, compared to 100% in the Manchester case. The official code table can be found on page 144 of section 2 of the 802.3 standard [local copy].

100BASE-TX requires UTP cables of Cat5 or higher and uses one pair for Tx and one pair for Rx.
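To show the claim about built-in transitions, here is an added example in Python (my code, not from the post or the standard): the sixteen 4B5B data symbols, an encoder and decoder, a Manchester encoder for the 10BASE-T comparison, and a brute-force check that no concatenation of data symbols ever contains more than three consecutive zeros. The symbol table is the standard 100BASE-X/FDDI data table; the Manchester mapping follows IEEE 802.3 (a 0 is a high-to-low transition, a 1 a low-to-high one, least significant bit first).

```python
# Added example (not from the post): 4B5B data symbols as used by 100BASE-TX
# (and FDDI), plus Manchester for the 10BASE-T comparison. Control symbols
# such as I (11111), J/K and T/R are left out; only data symbols are encoded.
FOUR_B_FIVE_B = {
    0x0: "11110", 0x1: "01001", 0x2: "10100", 0x3: "10101",
    0x4: "01010", 0x5: "01011", 0x6: "01110", 0x7: "01111",
    0x8: "10010", 0x9: "10011", 0xA: "10110", 0xB: "10111",
    0xC: "11010", 0xD: "11011", 0xE: "11100", 0xF: "11101",
}
FIVE_B_FOUR_B = {code: nibble for nibble, code in FOUR_B_FIVE_B.items()}


def encode_4b5b(data):
    """Each byte becomes two 5-bit symbols, high nibble first."""
    out = []
    for byte in data:
        out.append(FOUR_B_FIVE_B[byte >> 4])
        out.append(FOUR_B_FIVE_B[byte & 0xF])
    return "".join(out)


def decode_4b5b(bits):
    """Inverse of encode_4b5b; an unknown symbol (control code or line error) is an error."""
    if len(bits) % 10:
        raise ValueError("bit string is not a whole number of bytes")
    out = bytearray()
    for i in range(0, len(bits), 10):
        hi = FIVE_B_FOUR_B.get(bits[i:i + 5])
        lo = FIVE_B_FOUR_B.get(bits[i + 5:i + 10])
        if hi is None or lo is None:
            raise ValueError("invalid 5B symbol at bit %d" % i)
        out.append(hi << 4 | lo)
    return bytes(out)


def encode_manchester(data):
    """IEEE 802.3 Manchester as on 10BASE-T: 0 -> '10' (high-to-low),
    1 -> '01' (low-to-high); bits are sent least significant first."""
    out = []
    for byte in data:
        for i in range(8):
            out.append("01" if (byte >> i) & 1 else "10")
    return "".join(out)


def longest_zero_run(bits):
    """Length of the longest run of 0s, i.e. the longest stretch without a transition."""
    return max(len(run) for run in bits.split("1")) if bits else 0


def worst_case_zero_run_4b5b():
    """Brute-force every pair of adjacent data symbols and return the longest
    zero run that can appear anywhere in a 4B5B data stream."""
    worst = 0
    for first in FOUR_B_FIVE_B.values():
        for second in FOUR_B_FIVE_B.values():
            worst = max(worst, longest_zero_run(first + second))
    return worst


def line_bits_per_data_bit(encoder, data):
    """Ratio of line bits to payload bits for a given encoder (1.25 for 4B5B, 2.0 for Manchester)."""
    return len(encoder(data)) / (8 * len(data))


if __name__ == "__main__":
    sample = bytes(range(256))                              # constructed payload: every byte value once
    assert decode_4b5b(encode_4b5b(sample)) == sample
    print("4B5B worst zero run:", worst_case_zero_run_4b5b())          # 3
    print("Manchester worst zero run:", longest_zero_run(encode_manchester(sample)))  # 2
    print("line bits per data bit:", line_bits_per_data_bit(encode_4b5b, sample),
          line_bits_per_data_bit(encode_manchester, sample))           # 1.25 2.0
```

The brute-force result follows from how the table was designed: every data symbol starts with at most one 0 and ends with at most two, so even the worst neighbours (for example E followed by 1, 11100 01001) give three zeros in a row, which is the bound the receiver’s clock recovery is built for.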

Continue reading ‘Ethernet – 100base-TX’ »

It is perfectly possible to configure a Linux server (or workstation, if you wish) to talk IPsec. The Linux Advanced Routing & Traffic Control site has a page describing it. Since IPsec is a standard protocol, I wanted to get a tunnel up and running between a Linux host and a Cisco router: with success! Here are the config files that I used in this test:

Continue reading ‘IPsec under Linux’ »

IPsec is becoming the Internet standard for securing IP packets. Instead of manually configuring all the encryption parameters, the keys are usually negotiated between the peers using an ISAKMP (Internet Security Association and Key Management Protocol)/Oakley protocol: IKE (Internet Key Exchange). This post goes into its details.

Continue reading ‘IPsec/ISAKMP negotiation opened up’ »

10base-T is the oldest Ethernet standard that runs over regular twisted pair cable. 10base-T requires UTP cables of Cat3 or higher, with a maximum total length of 100 m. I wanted to figure out whether you can generate “hard” packets for Ethernet: packets that somehow may expose problems in the hardware, such as signals with DC offsets, high frequency signals, low frequency signals, signals where the clock might be hard to track, … This post describes the journey of an Ethernet frame from memory to wire.

Continue reading ‘Ethernet – 10base-T’ »