New VPN Blocking Technology in China?

Tags

astrill, china, comms, communication, network, prc, private, provider, secure, telecom, virtual, vpn

Yesterday’s Guardian Technology reported the PRC has deployed VPN-blocking technology as part of its Great Firewall. Apart from an alleged email from VPN firm Astrill, there’s no evidence of this, but something is happening. Initially it was those using corporate networks that reported the problem back in May 2011, while the home users were largely unaffected. This could well have been a strategy to compile a list of non-corporate VPN users.

I believe the PRC has merely applied their existing IP address blacklist to known VPN providers, rather than using a protocol-based filter, and that a given VPN service will remain reachable until it’s discovered. In other words, someone at the border gateway is searching for VPN providers and manually blocking them. The real test of this is whether VPN gateways within China, where TCP scanning is distributed across regional data centres, are reachable.

IPv6 Secure Project – Development Stage

Tags

comms, comsec, development, ipv6, p2p, project, routing, secure

Cross-posted from the IPv6 Secure blog.

It’s been a while since I last posted an update, largely because the project’s been on hold for the last six weeks. Basically the second year of the course was mainly about theoretical stuff, like policies, compliance, management, legislation, etc., and the third year got very technical (and practical) from day one. And it’s not a bad thing either, as I expect any infosec professional to have at least some experience and a decent understanding of enterprise network and server configuration. So, that’s my excuse.

Roughly a month ago I had the basic secure messaging client application working, and hopefully I can get that communicating with the network. Later it can be modified for audio and video comms, and perhaps even a social network could be built around it someday.

Getting hold of the equipment for the development stage won’t be a problem, as I initially expected. I now have a carrier grade routing system at my disposal, which means the countermeasures can be tested with a collection of Cisco 2800 routers, an Adtran Atlas 550 Integrated Access Device (IAD), and TCP and IP filtering layers. The Adtran is what’s going to simulate the ISP and Internet.

Routing system, minus the cabling

By the end of January 2013, the whole thing should simulate multiple clients communicating between networks, tunneling their comms through whatever interception and filtering exists between them. It’ll be a form of P2P communication, but there’ll be nothing to mark it out to ISPs as such.

Before that happens, I’ll need to somehow configure the routing system, which must be done via serial ports and Telnet sessions, which is apparently quite easy.

Opera Unite and its Relevance to Secure Comms

Tags

browser, censorship, comms, communications, distributed, extension, free, ipv6, opera, server, unite

Back in 2009, Opera had announced an innovative service called Unite, which enables anyone to host stuff from their own computers using a browser extension that creates links to the local file system. I’ve played around with it, and at the time thought it was a pretty cool feature.
Looking at my old blog entries three years later, I’ve just realised the concept is loosely related to something I’ve been working on for several months, and it’s also a taste of how social networks might look when IPv6 becomes the Internet’s default address system (IPv6 multicasting and all that).

Opera claims that Unite turns devices into servers, but strictly speaking it doesn’t. Unite is actually a little more innovative than that. It uses the Command and Control server model I’ve recently posted about, in which two clients communicate across the Internet by establishing connections to something with a fixed address, or where a proxy relays traffic between remote access malware and the attacker. In the case of Opera Unite, the users technically have full control over what they share, subject to a shitload of Terms and Conditions related to content.

The way it works (I think) is like this:
1. User starts the Opera browser and activates the Unite extension.
2. The extension checks which services and local file system paths were defined by the user.
3. Unite extension establishes a connection with Opera’s server in Norway, and tells it which services it’s running.
4. Links to the extension and running services are listed on the User’s MyOpera page. The address http://<device name>.<user name>.operaunite.com is mapped to the relevant IP address and port on the local machine.
5. Others click on whatever links, and Opera relays traffic between them and the local services provided by the extension.

Why is all this important for secure comms? The Internet should enable anyone to freely communicate and share files, but we’re in danger of losing that through a torrent of ‘intellectual property’ legislation, censorship and surveillance, and the trend towards that over the past year has been worrying. Part of the problem is the Internet’s too centralised. We rely heavily on servers even for basic communications, and their IP addresses are easily blocked. One solution would involve discarding static IP addressing in favour of distributed gateways updated by servers that regularly change their own addresses. Unite has demonstrated it could be done with a simple browser extension accessible and transparent to the average person.

IPv6 and Secure Comms

Tags

address, blocking, censorship, comms, communications, countermeasure, filtering, interception, ip, ipv6, multicast, proxy, security, server, tcp, tor

It’s only recently I’ve given IPv6 any serious thought, and I’m still going through a mass of literature on the subject and related technologies. As I’ve already pointed out, it’s still TCP/IP, which encapsulates data and routes it exactly as with IPv4, but the colossal address range makes numerous other things possible. Without giving too much away, this is one component of a system I believe will defeat traffic filtering and interception, hence my interest.

Multicast Groups
Without Network Address Translation, hosts located anywhere can form a group sharing a multicast address – one host sends data to that address, and it would be broadcast to the entire group.

IPv6 multicast addresses begin with ff:, so there are 2e+112 possible addresses a group can use, disregarding a handful of reserved addresses. The other bits in the first segment determine the type of multicasting.
A third party trying to intercept the broadcasts for a given group must therefore potentially scan through 2e+112 addresses to determine the correct one. We could say this is comparable to cracking 112-bit encryption. However, there are a couple of problems: the group must be able to select a random multicast address, and that address must somehow be communicated securely. It leaves us with the old key distribution problem, but that might be solveable with some implementation of RSA.

Proxy Servers
Also in my previous post, I pointed out that it’s possible to allocate roughly 6.67e+25 addresses to each square centimetre of the Earth’s surface, assuming my maths is correct. The point here is there’s no practical limit to the number of addresses a proxy server could use and discard, which makes the task of blacklisting them extremely difficult. This could even negate the current need to use proxies to defeat IP-based filtering systems.

IPsec
A few readers might wonder why I haven’t mentioned IPsec yet. IPsec is natively supported by IPv6, and functions at the TCP/IP layer instead of the application layer. This enables secure tunnels to be established between two points, and unlike SSL provides security for both routing and payload. It’s not commonly used at the moment as Network Address Translation re-encapsulates data, making it difficult to preserve the integrity of TCP/IP packets.

Where I’m Going with All This
Recent events proved the concepts of copyright and ‘intellectual property’ have been taken way out of proportion. Increasingly web sites are being arbitrarily blocked and removed without due process, ‘checks and balances’ provide no real protection, and we came dangerously close to allowing the US government to degrade the DNS in the name of copyright. As some of us feared, the United States is following China’s lead in blocking traffic exchanged between the US and other countries.
All this directly contradicts what ‘Cyber Security Strategies’ are supposed to achieve, and in the long run it will ultimately degrade the security of the Internet while aiding criminals. In my view, this is an engineering problem in need of a solution.

Looking at this objectively, the IPv6 Internet should route traffic without interference and regardless of content, especially when it develops into an ‘Internet of things’ that connects all manner of electrical and electronic device. To preserve the reliability and security of the Internet, a new system – perhaps a successor to the Tor network that takes advantage of IPv6 – is needed to render useless whatever methods are used for blocking traffic.