|
|
Notice: If you prefer the old Vyatta mailing list style you can subscribe to these forums and post/reply via e-mail.
Just click on "Forum Subscriptions" above, select the forums that you'd like to participate in and click "Subscribe" |
|
| View previous topic :: View next topic |
| Author |
Message |
adriand
Forum Veteran
Joined: 14 Mar 2008
Posts: 119
|
 Posted: Wed May 14, 2008 12:57 pm Post subject: L2TP Daemon + Firewall |
 |
|
Just curious: how do you prevent from the CLI with firewall rules users from establishing L2TP tunnels in clear ?
If I set up a local firewall instance of the WAN interface and I do not allow UDP port 1701, just UDP ports 500 and 4500, the L2TP tunnel cannot be initiated(IKE MM and QM are OK).
If I allow UDP port 1701 too, I can easily establish in clear (without ipsec protection) an L2TP tunnel.
Thanks,
Adrian |
|
| Back to top |
|
 |
ancheng
Vyatta Employee
Joined: 21 Feb 2008
Posts: 309
|
| Posted: Thu May 15, 2008 8:13 am Post subject: L2TP Daemon + Firewall |
|
|
adriand wrote:
| Quote: | Just curious: how do you prevent from the CLI with firewall rules users
from establishing L2TP tunnels in clear ?
If I set up a local firewall instance of the WAN interface and I do not
allow UDP port 1701, just UDP ports 500 and 4500, the L2TP tunnel cannot
be initiated(IKE MM and QM are OK).
If I allow UDP port 1701 too, I can easily establish in clear (without
ipsec protection) an L2TP tunnel.
|
I tested this scenario some months ago, and if I recall correctly, you should be able to achieve the filtering you want by using the iptables "policy" match extension module. For example,
-p udp --dport 1701 -m policy --dir in --pol ipsec
matches inbound IPsec packets with UDP port 1701. However, note that the "policy" module is not currently exposed through the Vyatta CLI, so you would have to do this outside the CLI at the moment. Hope this helps. |
|
| Back to top |
|
|
adriand
Forum Veteran
Joined: 14 Mar 2008
Posts: 119
|
| Posted: Thu May 15, 2008 9:06 am Post subject: |
|
|
hmmmm...
maybe.
But my question was: from the CLI.
So the answer is: you cannot.
This is a security issue.
Knock, knock, this *should* not happen by default...
Where is written in the config guide that this happens ?
To make people aware of this fact.
And post the workaround.
If someone enables the L2TP/IPsec VPN remote access server on Vyatta and if he/she goes and configures the firewall rules from the CLI, is exposed by default to a security issue which is not advertised anywhere in your configuration guide (correct me if I'm wrong).
Maybe this was acknowledged on Jacco's site, but not in your config docs, where people would look, because that's the goal, to configure things from the CLI.
Besides, not all the people are familiar with what's under the hood, Openswan and how to fix something that they are not aware of through iptables ...
They would say, L2TP/IPsec uses this and this, thus I will allow all these in my local firewall instance ...
And then, hey dude I got p0wned! 
Adrian |
|
| Back to top |
|
|
ancheng
Vyatta Employee
Joined: 21 Feb 2008
Posts: 309
|
| Posted: Thu May 15, 2008 9:27 am Post subject: L2TP Daemon + Firewall |
|
|
You are right that this is a security risk that should be documented so that a user can make an informed decision as to what solution is best for his/her environment. Similarly, the risks of using "pre-shared-key", using "local" authentication, or using PPTP should also be documented. However, currently for Glendale we only have the command reference documentation, which only discusses the basic command usage. We'll make sure these are covered in the configuration guide when we publish it.
Also, in the next release, we plan to extend the firewall capability so that a user can define such a firewall rule to minimize this particular risk. Or better yet, we could automatically add such a rule when L2TP is configured. So please stay tuned!  |
|
| Back to top |
|
|
adriand
Forum Veteran
Joined: 14 Mar 2008
Posts: 119
|
| Posted: Thu May 15, 2008 10:43 am Post subject: |
|
|
I will stay tuned.
Coming back to the command reference: the truth is that when you use the "vpn l2tp" command to create the configuration node for "Layer 2 Tunneling Protocol (L2TP) Virtual Private Network (VPN) functionality.", in fact you configure L2TP/IPsec(=VPN) and also you will end up with naked L2TP(=VN).
Thus two things are obtain: VPN remote access functionality and VN remote access functionality.
And this can be a bigger security issue than using pre-shared keys or PPTP.
As Paul Hoffman himself said in the past:
http://www.networkworld.com/archive/1999/1122works.html
| Quote: | | There are also many ways not to put together a VPN. Some vendors promote tunneling protocols such as Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) as VPN protocols, but they don't provide any real privacy without an additional layer of encryption underneath them. Of these, only PPTP has a commonly agreed-to encryption technology. If you're running L2F or L2TP without encryption, you have a "VN", but not a "VPN" and any attacker with any sense at all can read your traffic. |
| Quote: | | A virtual network (the "V" and the "N") is one that is not a typical, closely controlled network, but is made up of other networks and links between them. A private network (the "P" and the "N") is a network whose traffic is not visible to an outsider. Put the three letters together, and you get a network that can be an amalgam of other networks, glued together in a way that makes the network look whole. |
So until you guys fix this issue by default (or automatically or how would you call it), the "vpn l2tp" command does not truly enable VPN functionality.
Adrian |
|
| Back to top |
|
|
ancheng
Vyatta Employee
Joined: 21 Feb 2008
Posts: 309
|
| Posted: Thu May 15, 2008 10:50 am Post subject: L2TP Daemon + Firewall |
|
|
adriand wrote:
| Quote: | So until you guys fix this issue by default (or automatically or how
would you call it), the "vpn l2tp" command does not truly enable VPN
functionality.
|
Of course, and some people will say that PPTP does not truly enable VPN functionality (rightly so given their concerns). And yet other people will say "I don't want any of these, just give me ssh tunnels!", which is also entirely valid if that's best for their environments. As I said earlier, we will provide the information so that users will be able to make informed decisions as to what the best solution is for their particular environments. |
|
| Back to top |
|
|
adriand
Forum Veteran
Joined: 14 Mar 2008
Posts: 119
|
| Posted: Thu May 15, 2008 12:50 pm Post subject: |
|
|
I do understand what you are saying, but what I am saying it's not quit the same thing.
What I'm saying is: what's happening when an attacker manages to "interconnect" the VPN with the VN ?
If I play a little game: connect with L2TP/IPsec from one host, and then create a naked L2TP tunnel from the "same" host (spoofed), my clear data packets are replied with ESP packets. The control channel of the naked L2TP tunnel is in clear. If I terminate the naked L2TP tunnel this does not affect the L2TP/IPsec connection.
Now what's happening if I inject an L2TP packet in clear with the "correct" tunnel and session ids ?
http://www.ietf.org/rfc/rfc3193.txt
| Quote: | 2.1. L2TP Security Protocol
The L2TP security protocol MUST provide authentication, integrity and
replay protection for control packets. In addition, it SHOULD
protect confidentiality of control packets. It MUST provide
integrity and replay protection of data packets, and MAY protect
confidentiality of data packets. An L2TP security protocol MUST also
provide a scalable approach to key management. |
| Quote: | 3.3. Per-packet security checks
When a packet arrives from a tunnel which requires security, L2TP
MUST:
[1] Check to ensure that the packet was decrypted and/or
authenticated by IPsec. Since IPsec already verifies that the
packet arrived in the correct SA, L2TP can be assured that the
packet was indeed sent by a trusted peer and that it did not
arrive in the clear.
[2] Verify that the IP addresses and UDP port values in the packet
match the socket information which was used to setup the L2TP
tunnel. This step prevents malicious peers from spoofing packets
into other tunnels. |
Now, why does Vyatta responds with ESP packets to my clear data packets for a L2TP tunnel that does not require security ?
| Quote: | If a phase 2 SA bundle is not already present to protect the SCCRQ,
the sending of a SCCRQ by the initiator SHOULD cause IKE to setup the
necessary SAs to protect this packet. Alternatively, L2TP may also
request IKE to setup the SA bundle. If the SA cannot be setup for
some reason, the packet MUST be dropped. |
So why am I able to establish a naked L2TP tunnel without ESP protection ?
| Quote: | To meet the above requirements, all L2TP security compliant
implementations MUST implement IPsec ESP for securing both L2TP
control and data packets. Transport mode MUST be supported; tunnel
mode MAY be supported. All the IPsec-mandated ciphersuites
(described in RFC 2406 [4] and RFC 2402 [3]), including NULL
encryption MUST be supported. Note that although an implementation
MUST support all IPsec ciphersuites, it is an operator choice which
ones will be used. If confidentiality is not required (e.g., L2TP
data traffic), ESP with NULL encryption may be used. The
implementations MUST implement replay protection mechanisms of IPsec. |
Again:
| Quote: | The L2TP security protocol MUST provide authentication, integrity and
replay protection for control packets. In addition, it SHOULD
protect confidentiality of control packets. It MUST provide
integrity and replay protection of data packets, and MAY protect
confidentiality of data packets. |
To rephrase: If I enable L2TP/IPsec VPN remote functionality, am I RFC compliant, because I have the "feeling" that I want to enable only L2TP/IPsec and not L2TP?
My "feeling" is coming also from the command lines I enter.
My "feeling" tells me that I'm securing L2TP with IPsec, thus L2TP should be under IPsec.
To rephrase again (to keep you happy  ): the "vpn l2tp" command is used to create the configuration node for Layer 2 Tunneling Protocol (L2TP) Virtual Private Network (VPN) functionality and also to create the configuration node for L2TP/IPsec VPN functionality.
Yep, maybe some people may want just L2TP as remote access. And they may call it VPN.
It's a free, flexible and open world. 
I'm not arguing with you at this point.
Adrian |
|
| Back to top |
|
|
ancheng
Vyatta Employee
Joined: 21 Feb 2008
Posts: 309
|
| Posted: Thu May 15, 2008 12:52 pm Post subject: L2TP Daemon + Firewall |
|
|
adriand wrote:
| Quote: | Yep, maybe some people may want just L2TP as remote access. And they may
call it VPN.
It's a free, flexible and open world. Wink
I'm not arguing with you at this point.
|
Yes, exactly! And some people may want PPTP, others may want L2TP/IPsec with the iptables workaround, some may want pre-shared-key, others may want X.509 certificates, etc. etc. And each solution will have its risks and costs. As I said earlier, we will provide the information so that users will be able to make informed decisions as to what the best solution is for their particular environments. |
|
| Back to top |
|
|
Talkincat
Active Member
Joined: 24 Mar 2009
Posts: 40
|
| Posted: Fri Apr 17, 2009 10:11 am Post subject: |
|
|
For anyone who stumbles upon this from google as I did, there is a documented solution for this issue in VC5. In the VPN reference (http://www.vyatta.com/downloads/documentation/VC5.0.2/Vyatta_VPNRef_VC5_v03.pdf) on pages 7 and 8 (pdf pages 24-25) there is a detailed explanation of the issue as well as a firewall statement example.
rule 10 {
action accept
destination {
port 1701
}
ipsec {
match-ipsec
}
protocol udp
} |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group |
Forum Subscriptions
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
