
Incentivize decentralized WiFi roaming through VPN on home routers - PowerPoint PPT Presentation



  1. Incentivize decentralized WiFi roaming through VPN on home routers
     RP2 rp-id 25, Security and Network Engineering, UvA
     Sander.Lentink@os3.nl, Peter.Boers@surfnet.nl
     2019-11-13
     1 / 38

  2. Introduction
     We desire Wi-Fi
     ◮ Wi-Fi being “the best technology for Mobile Data Offloading (MDO)” (Gupta and Rohil 2012)
     Enabling Wi-Fi is problematic
     ◮ concerns around security, violating terms / illegal content (Schneier 2008)
     ◮ laws prevent municipality-provided “free WiFi” (Chamberlain 2019)
     ◮ telecommunications lobby against new projects (Gurley and O’Shaughnessy 2019)
     When we access Wi-Fi
     ◮ users unaware of privacy risks (Consolvo et al. 2010)
     ◮ Free WiFi: captive portal

  3. Intro: Overcome mutual trust issue
     Client tunnels via home router (Sastry, Crowcroft, and Sollins 2007)

      ________     _______    ________    ___________
     |Client  |   |foreign|  |internet|  |Client's   |
     | ______ |   |  AP   |  | (WAN)  |  |home AP    |
     | |VPN | |   |_______|  |________|  | __________|
     | |Client|-------------------------->|VPN server||
     |_|______|   |¯¯¯¯¯¯¯|  |¯¯¯¯¯¯¯¯|  |__________||

     ◮ Client has no privacy leaks
     ◮ Wi-Fi AP [1] provider has no liability worries
     [1] Access Point

  4. Intro: example setup
     Figure 1: “Client connects to VPN endpoint via foreign AP”

  5. Intro: Research Question
     Can we design a protocol, using existing protocols available on COTS (commercial off-the-shelf) clients, that eliminates the need for trust between client and Wi-Fi provider, using a VPN tunnel?

  6. Intro: Sub Questions
     ◮ Enforce network policies?
     ◮ Validate if VPN server listens on endpoint?
     ◮ Client communicate VPN endpoint to AP?
     ◮ Modify authentication (802.1x) server to enable this protocol?
     ◮ Verify protocol: Proof of Concept (PoC)?

  7. Intro: Questions TL;DR
     ◮ Design Protocol
     ◮ Test with PoC

  8. Intro: Related solutions
     Closed options
     ◮ Ad based: World Wi-Fi
     ◮ Education Roaming: Eduroam
     ◮ Government Roaming: Govroam
     ◮ Share WiFi, earn points/data/credits: Karma
     ◮ Home router managed by provider: KPN’s Fon
     ◮ Paid / broker based: T-Mobile/Vodafone hotspots
     Open solutions
     ◮ Open Wireless Movement, backed by Electronic Frontier Foundation

  9. Methodology
     ◮ Example flow: overview of concept
     ◮ 802.1x EAP identity
     ◮ Protocol in authentication server
     Figure 2: Extensible Authentication Protocol

  10. Method: example flow 1/3

                    AP (SoC) <-----L2----> router
              ______________|______________   _____|_____
      client  |hostapd  auth  pre  filter|   |DHCP  WAN|     VPN
        |         |      |     |     |         |     |       |
        a         |      |     |     |         |     |       |
        #----b----#      |     |     |         |     |       |
        #         #--c---#     |     |         |     |       |
        #         #      #--d--#     |         |     |       |
        #         #      #     #--e-------------------------->#
        #         #      #     f     |         |     |       |
        #         #      #     #--g->#         |     |       |
        #         #      #     #<-h--#         |     |       |
        #         #      #<-i--#     |         |     |       |
        #         #<--j--#     |     |         |     |       |
        #---k-----------------------------=--->#     |       |
        #<--------------------------------=-l--#     |       |
        #---m-----------------------------=------------------>#

  11. Method: example flow 2/3
      (sequence diagram, steps a to e, as on slide 10)
      a. client (supplicant) scans for AP, finds foreign AP with SSID of protocol
      b. supplicant => authenticator (hostapd), VPN endpoint location in 802.1x identity
      c. authenticator => authentication server
      d. authentication server => custom pre-authorize script
      e. provided info points to a VPN server?

  12. Method: example flow 3/3
      (sequence diagram, steps f to m, as on slide 10)
      f. if VPN: continue, else return 802.1x rejected
      g. allow (whitelist) egress for provided VPN details
      h. OK
      i. OK
      j. 802.1x client accepted (wlan bridged (L2) with eth0)
      k. client requests DHCP lease (IP address)
      l. router provides IP to client (thus NAT* in router)
      m. client => VPN server
      * Network Address Translation

  13. Method: example flow TL;DR
      ◮ SoC connected to router =
        ◮ VPN server
        ◮ Wi-Fi AP
        ◮ Authentication server
      ◮ When your phone finds foreign AP
        ◮ AP whitelists VPN server
        ◮ phone uses VPN

  14. Method: Client; VPN server
      ◮ Out of scope
      Figure 3: VPN client on Android

  15. Method: Client; 802.1x supplicant

  16. Method: 802.1x identities
      VPN ports + flags + delimiter (@) + realm (hostname or IP):
      32_33_2f_06443_11443a@10.10.10.10
      Anonymous id (anonid): seen by the proxying server
      Regular id (innerid): inside the TLS tunnel (Protected-EAP)

  17. Method: IP Protocols
      IP protocol + additional value (port):
      32_33_2f_06443_11443a@10.10.10.10

      IP protocol                          ID
      TCP (Transmission Control)           0x06
      UDP (User Datagram)                  0x11
      GRE (Generic Routing Encapsulation)  0x2F
      ESP (Encap Security Payload)         0x32
      AH (Authentication Header)           0x33

  18. Method: pre-authorize
      $ validate_anonid.py 11443_06443_00testA@tunroam.lent.ink
      WARNING the additional value is not a port number
      INFO suggesting whitelist rules
      { 'iptables-nft -A OUTPUT -j ACCEPT -d tunroam.lent.ink \
          --protocol 17 --dport 443',
        'iptables-nft -A OUTPUT -j ACCEPT -d tunroam.lent.ink \
          --protocol 6 --dport 443' }
      INFO Welcome aboard 11443_06443_00testA@localhost
      ◮ VPN endpoint validation
      ◮ Network policies
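The following is an added example, not the presentation's validate_anonid.py and not code from github.com/tunroam. It works through the identity format of slides 16 and 17 and the pre-authorize step above: it parses an anonid, derives the iptables-nft egress whitelist in the rule shape printed on this slide, optionally probes a TCP endpoint ("check socket", slide 35), and returns its decision in the (rcode, reply items, config items) tuple shape that the rlm_python snippet on slide 34 uses. The token grammar (two lowercase hex digits of IP protocol plus an optional value, joined by `_`, one optional flag letter on the last token, then `@` and the realm), the meaning of that flag letter, and the numeric values of `RLM_MODULE_OK` / `RLM_MODULE_REJECT` are assumptions reconstructed from the slides; the identities used as input are the ones shown on slides 16 and 18.

```python
"""Added example: TUNroam-style anonid parsing and pre-authorization.
Not the presentation's validate_anonid.py; the grammar below is an
assumption reconstructed from slides 16-18."""
import re
import socket
from dataclasses import dataclass, field

PROTOCOLS = {0x06: "TCP", 0x11: "UDP", 0x2F: "GRE", 0x32: "ESP", 0x33: "AH"}  # slide 17
PORT_PROTOCOLS = {0x06, 0x11}  # the additional value is a port only for these
# rlm_rcode_t values, normally taken from FreeRADIUS's radiusd module (assumed here)
RLM_MODULE_REJECT, RLM_MODULE_OK = 0, 2
# <2 hex digits protocol><value, non-greedy><optional single flag letter>
TOKEN_RE = re.compile(r"^([0-9a-f]{2})(.*?)([A-Za-z]?)$")


@dataclass
class Endpoint:
    protocol: int
    value: str  # port for TCP/UDP, free-form otherwise


@dataclass
class AnonId:
    realm: str
    endpoints: list
    flags: str = ""
    warnings: list = field(default_factory=list)


def _is_port(value):
    return value.isdigit() and 0 < int(value) < 65536


def parse_anonid(identity):
    """Split '<proto><value>_..._<proto><value><flag>@<realm>' into its parts.
    Structural errors raise ValueError (the 802.1x reject of slide 12, step f);
    soft problems are collected in .warnings, like the WARNING line on slide 18."""
    if identity.count("@") != 1:
        raise ValueError("identity needs exactly one '@' delimiter")
    local, realm = identity.split("@")
    if not local or not realm:
        raise ValueError("empty endpoint list or realm")
    tokens = local.split("_")
    anon = AnonId(realm=realm, endpoints=[])
    for i, tok in enumerate(tokens):
        m = TOKEN_RE.match(tok)
        if not m:
            raise ValueError(f"malformed token {tok!r}")
        proto_hex, value, flag = m.groups()
        if flag and i != len(tokens) - 1:
            raise ValueError("a flag is only allowed on the last token")
        proto = int(proto_hex, 16)
        if proto not in PROTOCOLS:
            anon.warnings.append(f"unknown IP protocol 0x{proto:02x} in {tok!r}")
        if value and not _is_port(value):
            anon.warnings.append("the additional value is not a port number")
        anon.endpoints.append(Endpoint(proto, value))
        anon.flags = flag
    return anon


def whitelist_rules(anon):
    """Egress whitelist for the advertised endpoints (slide 12, step g), in the
    rule shape printed on slide 18. A token that cannot be expressed yields no
    rule, so the client never gets more egress than its identity justifies."""
    rules = set()
    for ep in anon.endpoints:
        if ep.protocol not in PROTOCOLS:
            continue
        rule = f"iptables-nft -A OUTPUT -j ACCEPT -d {anon.realm} --protocol {ep.protocol}"
        if ep.protocol in PORT_PROTOCOLS:
            if not _is_port(ep.value):
                continue
            rule += f" --dport {ep.value}"
        rules.add(rule)
    return rules


def tcp_endpoint_listens(host, port, timeout=3.0):
    """'Check socket' (slide 35): does anything accept on host:port?
    A listener is evidence, not proof, that a VPN server is there."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


def pre_authorize(identity, probe=None):
    """Decision in rlm_python's (rcode, reply items, config items) shape (slide 34).
    With a probe such as tcp_endpoint_listens, an identity that advertises TCP
    endpoints is rejected unless at least one of them accepts connections."""
    try:
        anon = parse_anonid(identity)
    except ValueError as err:
        return RLM_MODULE_REJECT, (("Reply-Message", str(err)),), ()
    if not whitelist_rules(anon):
        return RLM_MODULE_REJECT, (("Reply-Message", "no usable VPN endpoint"),), ()
    tcp = [ep for ep in anon.endpoints if ep.protocol == 0x06 and _is_port(ep.value)]
    if probe is not None and tcp and not any(probe(anon.realm, int(ep.value)) for ep in tcp):
        return RLM_MODULE_REJECT, (("Reply-Message", "VPN endpoint not listening"),), ()
    for warning in anon.warnings:
        print("WARNING", warning)
    # demo credential from slide 27 (PEAP / MS-CHAPv2, password "password")
    return RLM_MODULE_OK, (), (("Cleartext-Password", "password"),)
```

Running `pre_authorize("11443_06443_00testA@tunroam.lent.ink")` reproduces the slide: the `00test` token triggers the "not a port number" warning and produces no rule, while the UDP and TCP 443 tokens become the two whitelist rules. Passing `probe=tcp_endpoint_listens` turns the "does the VPN server listen on the endpoint?" sub-question into a reject condition; since the probe only sees a listener, not a VPN handshake, it narrows abuse of the whitelist rather than proving anything about the service behind it.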

  19. Method: Network requirements
      TUN works with IP frames. TAP works with Ethernet frames. [2]
      Shared SSID, like Eduroam / Govroam: TUNroam; SSID “tunroam.org 19”
      ◮ Version number indicates client requirements (2019)
      [2] https://www.kernel.org/doc/Documentation/networking/tuntap.txt

  20. Method: Additional network traffic?
      Local scope
      ◮ Network management (e.g. ARP [3])
      Leaking to Internet Service Provider (ISP)
      ◮ DNS
      Figure 5: VPN endpoint discovery by client
      [3] Address Resolution Protocol

  21. Method: DNS
      AP provider doesn’t want DNS logged by ISP
      Required: specific subdomain
      iptables-nft -I OUTPUT -p udp --dport 53 \
          --match string --algo bm --hex-string "|07|tunroam|" \
          -j ACCEPT
      (ALLOW is not an iptables target, ACCEPT is; --algo must follow --match string; |07|tunroam| is the length-prefixed DNS label “tunroam” as it appears in a query)
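An added example, not from the presentation, of what the string match on this slide actually tests. It encodes a query name the way DNS puts it on the wire, so the `|07|tunroam|` label is visible, and sets a byte-substring check (what `-m string` does) beside a parser that reads the question section and requires the name to be under a given zone. The query packets and names are constructed for the example; `tunroam.org` is the SSID/realm named on slide 19.

```python
"""Added example: DNS wire-format label matching vs. a qname zone policy.
Illustrative code for this page, not part of the presentation."""
import struct

# length-prefixed label, exactly what the slide's --hex-string "|07|tunroam|" searches for
ALLOWED_LABEL = b"\x07tunroam"


def qname_wire(name):
    """Encode 'vpn.tunroam.org' as DNS labels: b'\\x03vpn\\x07tunroam\\x03org\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dns_query(name, qtype=1):
    """Minimal DNS query: 12-byte header (one question) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + qname_wire(name) + struct.pack("!HH", qtype, 1)


def string_match_allows(packet):
    """The slide's rule: a byte-substring search anywhere in the UDP payload."""
    return ALLOWED_LABEL in packet


def parse_qname(packet):
    """Walk the question section's labels instead of substring matching."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length >= 0xC0:  # compression pointer: never valid in a question name
            raise ValueError("compressed qname in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length


def qname_policy_allows(packet, zone="tunroam.org"):
    """Stricter policy: the queried name must be the zone or a subdomain of it."""
    name = parse_qname(packet).lower()
    return name == zone or name.endswith("." + zone)


if __name__ == "__main__":
    for n in ("vpn.tunroam.org", "tunroam.example.net", "example.com"):
        pkt = dns_query(n)
        print(f"{n:24} string-match={string_match_allows(pkt)!s:5} zone-policy={qname_policy_allows(pkt)}")
```

The substring match does what the slide needs (only queries carrying a `tunroam` label pass, so the ISP's resolver sees nothing else), but it matches that label at any position in the name, so `tunroam.example.net` passes too; a firewall that must enforce "specific subdomain" literally has to parse the question, as `qname_policy_allows` does.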

  22. Method: System on Chip (SoC)
      Test setup: RPi
      ◮ Raspbian
      $ cat /proc/cpuinfo|grep Model
      Model : Raspberry Pi 3 Model B Rev 1.2
      Entry level setup
      ◮ Armbian
      ◮ Orange Pi Zero Plus (1000M Ethernet, 512MB RAM, onboard WiFi)
      ◮ OPi + MicroSD + USB cable & power = 20EU [4]
      [4] excl. shipping

  23. Results
      ◮ Protocol defined
      ◮ Protocol (partially) implemented
      ◮ PoC doing NAT
      ◮ Identity validation
      ◮ VPN endpoint validation

  24. Discussion TUNroam
      Pro
      ◮ client:
        ◮ privacy through VPN on any network
        ◮ More free Wi-Fi locations
        ◮ No captive portal
      ◮ AP:
        ◮ Open source
        ◮ Liability
        ◮ Decentralized: nobody controls it
      Con
      ◮ Decentralized: no financial incentive to join/promote
      ◮ Provider routers != Open(Wrt)
      ◮ VPN
        ◮ Latency
        ◮ Bandwidth

  25. Discuss: Potential APs
      ◮ shared office space/housing
      ◮ home router
      ◮ current open Wi-Fi

  26. Discuss: Future work
      Missing in PoC
      ◮ Proxying RADIUS request
      Suggestions
      ◮ Bandwidth management
      ◮ Enforce network policies
      ◮ IPv6
      ◮ Home != fixed IP: Dynamic DNS

  27. Demo
      PEAP, MS-CHAPv2, "password"
      Please connect to SSID “tunroam.org 19”
      # OpenVPN, TCP/UDP 443
      06443_11443_00testA@tunroam.lent.ink
      Questions?
      ◮ Get involved at github.com/tunroam
      ◮ Reach me at linkedin.com/in/svlentink

  28. Appendix: bonus slides
      Slides to help answer possible questions, and things that didn’t fit due to time constraints.

  29. Appendix: tests using fast.com
      Figure 6: Eduroam network, Surfnet office

  30. Appendix: tests using fast.com
      Figure 7: OrangePi doing NAT

  31. Appendix: Covert channel? Abuse?
      Using VPN is easier due to:
      ◮ Limited DNS requests
      ◮ Only one IP address
      ◮ Limited ports

  32. Appendix: Bridge vs. NAT
      Bridge
      ◮ Sequence diagram = bridged (home setup)
      ◮ Avoid double NAT
      ◮ Avoid NAT in software
      Network Address Translation
      ◮ NAT works everywhere
      ◮ PoC/Demo = NAT
      Multiple APs (Campus / Airport)
      ◮ Authentication server separate
      ◮ Network policies

  33. Appendix: RADIUS proxying
      $ ls /etc/freeradius/*/sites-enabled
      default  inner-tunnel
      $ ss -4lpun|grep -E "(1812|Port)"
      State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
      UNCONN  0       0       0.0.0.0:1812        0.0.0.0:*
      UNCONN  0       0       127.0.0.1:18120     0.0.0.0:*
      ◮ Inner does CHAP

  34. Appendix: Challenge-Handshake Authentication Protocol
      Microsoft CHAP v2
      Authentication server: proxy-server
          if valid_vpn_endpoint and valid_anonid:  # anonymous identity
      Authentication server: inner-tunnel
          return RLM_MODULE_OK, (), \
              ( ('Cleartext-Password', 'password'), )

  35. Appendix: VPN protocols
      Initial
      ◮ Which VPN protocol(s) fit in the protocol?
      ◮ What attributes do we need to validate to determine if a VPN server is listening on an endpoint?
      Different approach
      ◮ Stealth VPN servers
      ◮ IP protocols
      ◮ Check socket
      ◮ Allow evolution
