Tunneling with TCP Header - PowerPoint PPT Presentation

Slides: 9
Provided by: ohm8

Transcript and Presenter's Notes


1
Tunneling with TCP Header
  • Motoyuki OHMORI
  • <ohmori_at_chikushi-u.ac.jp>
  • Chikushi Jogakuen University

2
Background
  • No direct access from outside to your
    organization network
  • Firewall/NAT seems to be widely used
  • Firewall/NAT might block your access

[Diagram: The Internet; firewall blocks traffic (X); Your Organization Network; Foreign Network]
3
Current Solution
  • VPN required to access your network
  • IPsec tunneling, L2TP, PPTP
  • UDP/TCP tunneling

[Diagram: The Internet; VPN Server; Your Organization Network; Foreign Network]
4
IPsec/L2TP/PPTP
  • IPsec/L2TP/PPTP might be unavailable
  • Firewall configuration
  • Some firewalls cannot handle these packets
  • These protocols are newly deployed

[Diagram: The Internet; Firewall/NAT cannot handle IPsec (X); Your Organization Network; Foreign Network]
5
UDP/TCP tunneling
  • UDP/TCP tunneling
    • SSH tunneling
    • Vtun tunneling
    • SSL tunneling
  • Problem
    • UDP might be blocked?
    • TCP over those tunnels might be slow
      • TCP over TCP
      • Duplicated TCP flow control

I want to have another tunneling mechanism
6
Tunneling with TCP header
  • Most NAT/firewall boxes pass TCP packets
  • Use just the TCP header
    • No congestion control
    • No retransmission
    • No ordering
  • Fake TCP 3-way handshake
    • NAT can handle the flow

7
Establish Tunnel from Client
[Diagram: Client; Firewall; Our VPN server]
  • Client to VPN server: SYN (src port 12345, dst port 80)
  • VPN server to client: SYN-ACK (dst port 12345, src port 80)
  • Client to VPN server: ACK (dst port 80, src port 12345)
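
An added example, not part of the original slides: a passive check that a stateful inspection device could run on one flow to tell a header-only tunnel from real TCP, using the handshake on slide 7 and the "no retransmission, no ordering" properties on slide 6. The slides do not say what the tunnel writes into the sequence and acknowledgement fields, so the `TUNNEL` sample assumes sequence numbers advance while the ACK field stays frozen; `Seg`, `delta`, `audit_flow` and the `max_unacked` threshold are names and values chosen here.

```python
from dataclasses import dataclass

SYN, ACK, M = 0x02, 0x10, 2**32  # flag bits; sequence space wraps modulo 2^32

@dataclass
class Seg:  # one observed segment of a single flow (5-tuple already matched)
    from_client: bool
    flags: int
    seq: int
    ack: int = 0
    length: int = 0  # payload bytes

def delta(a, b):  # signed distance a - b in sequence space, wraparound-safe
    return ((a - b + M // 2) % M) - M // 2

def audit_flow(segs, max_unacked=1 << 20):
    """Return findings for one flow; an empty list means it behaves like TCP."""
    if len(segs) < 3:
        return ["handshake incomplete"]
    syn, synack, ack = segs[:3]
    findings = []
    if not (syn.from_client and syn.flags == SYN
            and not synack.from_client and synack.flags == SYN | ACK
            and delta(synack.ack, syn.seq) == 1
            and ack.from_client and ack.flags == ACK
            and delta(ack.seq, syn.seq) == 1 and delta(ack.ack, synack.seq) == 1):
        findings.append("handshake numbers inconsistent")
    # Per sender: highest byte sent so far, and highest byte the peer has ACKed.
    sent = {True: (syn.seq + 1) % M, False: (synack.seq + 1) % M}
    acked = dict(sent)
    for s in segs[3:]:
        me, peer = s.from_client, not s.from_client
        end = (s.seq + s.length) % M
        if delta(end, sent[me]) > 0:
            sent[me] = end
        if s.flags & ACK and delta(s.ack, sent[peer]) > 0:
            findings.append("ACK covers data the peer never sent")
            break
        if s.flags & ACK and delta(s.ack, acked[peer]) > 0:
            acked[peer] = s.ack
        if delta(sent[me], acked[me]) > max_unacked:
            findings.append("sender keeps transmitting without ACKs")
            break
    return findings

# Constructed sample flows; TUNNEL assumes seq advances while ACK stays frozen.
HANDSHAKE = [Seg(True, SYN, 1000), Seg(False, SYN | ACK, 5000, 1001), Seg(True, ACK, 1001, 5001)]
TUNNEL = HANDSHAKE + [Seg(True, ACK, 1001 + 1400 * i, 5001, 1400) for i in range(4)]
REAL = HANDSHAKE + [Seg(True, ACK, 1001, 5001, 1400), Seg(False, ACK, 5001, 2401)]
```

Call `audit_flow(TUNNEL, max_unacked=4000)` to see the check fire on the short sample; the default threshold needs a longer capture. A NAT box that only tracks the handshake and the port pair accepts both sample flows.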
8
Further Alternative
  • Use ICMP header
  • Many firewall/NAT boxes do not block ICMP