Spanning Tree – PVST / PVST+/ MST – Bridge ID and Root Selection

Spanning Tree Protocol: Bridge ID, Priority, System ID Extension & Root Bridge Election Process

Written by Arani Mukherjee. Posted in Spanning Tree Protocol (STP)

In this article we will examine the Spanning Tree Bridge ID structure, explain why it has increments of 4096, how VLAN information is embedded (for Per-VLAN Spanning Tree & multiple STP instances) via the System ID Extension and finally explain how the Spanning Tree Protocol Root Bridge Election occurs.

Understanding Bridge ID, Bridge Priority & System ID Extension

In our earlier article we discussed about the Spanning Tree Protocol, Rapid STP port costs and port states. Before STP decides which path is the best to the Root Bridge, it needs to first decide which switch has to be elected as the Root Bridge, which is where the Bridge ID comes into play. Readers interested can also read our STP Principles, Redundant Network Links & Broadcast Storms article.

Every switch has an identity when they are part of a network. This identity is called the Bridge ID or BID. It is an 8 byte field which is divided into two parts. The first part is a 2-byte Bridge Priority field (which can be configured) while the second part is the 6-byte MAC address of the switch. While the Bridge Priority is configurable, the MAC address is unique amongst all switches and the sum of these two ensures a unique Bridge ID.

The above Bridge ID assumes there is one Spanning Tree instance for the entire network. This is also called Common Spanning-Tree (CST).

As networks begun to grow and become more complex, VLANs were introduced, allowing the creation of multiple logical and physical networks. It was then necessary to run multiple instances of STP in order to accommodate each network - VLAN. These multiple instances are called Multiple Spanning Tree (MST), Per-VLAN Spanning Tree (PVST) and Per-VLAN Spanning Tree Plus (PVST+).

In order to accommodate the additional VLAN information, the Extended System ID field was introduced, borrowing 12 bits from the original Bridge Priority:

The Bridge Priority value and the Extended System ID extension together make up a 16 bit (2-byte) value. The Bridge Priority making up the left most bits, is a value of 0 to 61440. The Extended System ID is a value of 1 to 4095 corresponding to the respective VLAN participating in STP. The Bridge Priority increments in blocks of 4096 to allow the System ID Extension to squeeze in between each increment. This is clearly shown in the below analysis: We should note that the Bridge Priority Field can only be set in increments of 4096. This means that possible values are: 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768 etc. By default, Cisco’s Per-VLAN Spanning-Tree Plus (PVST+) adds this System ID Extension (sys-id-ext) to the Bridge Priority.

The two values (Bridge Priority + System ID Extension) together make up the Bridge ID used to elect the Root Bridge.

The Root Bridge Election Process

The election process uses several STP messages sent between switches which help each switch to decide, who is the Root Bridge. These messages are called Hello BPDU where BPDU stands for Bridge Protocol Data Unit. It is important to understand the information these BPDUs carry as it will help understand the election process itself.

Each BPDU carries several fields in it. The following table defines each field:

Field	Description
Root Bridge ID or Root BID	BID of the switch that the sender of this BPDU believes to be the root switch
Sender’s Bridge ID	BID of the switch sending this Hello BPDU
Cost to the Root Bridge	The STP cost between this switch and the current root
Timer values on Root Bridge	Hello Timer, Max Age Timer, Forward Delay Timer

For the purpose of this exercise, we will only concentrate on the first three fields.

Now, the election process itself is very simple. The switch with the lowest BID becomes the Root Bridge. Since the BID starts with the Bridge Priority field, essentially, the switch with the lowest Bridge Priority field becomes the Root Bridge. If there is a tie between two switches having the same priority value, then the switch with the lowest MAC address becomes the Root Bridge.

The STP Root Bridge election process starts with each switch advertising themselves as the Root Bridge and constructing the Hello BPDU accordingly. So each switch lists its own BID as the Root BID. The Sender Bridge ID is ofcourse the same as the Root BID, as it is again its own BID. With in BPDU, the Cost field is listed with a value of 0, because there is no cost between itself. The switches send out the Hello BPDU constructed as above, onto the network. They will keep on maintaining their status as Root Bridge by default, until they receive a Hello BPDU which carries a lower BID. This Hello BPDU then becomes a superior BPDU. Now the switch receiving this superior BPDU makes changes to the Hello BPDU it has been sending out. It changes the value of the Root BID to reflect the Root BID from the superior Hello BPDU. This process continues till every switch agrees on which switch has the lower BID, and hence deserves to be the Root Bridge.

Root Bridge Election Example

Let's look at this process using a three switch combination within a network. For the sake of simplicity, the MAC address of each switch has been changed to a simple value:

· Switch 1 (SW1). Has a priority of 32768 and MAC address of 1111.1111.1111. So its BID becomes 32768.1111.1111.1111. When SW1 creates its own BPDU, it sets both BID and Root BID to 32768.1111.1111.1111.

· Switch 2 (SW2). Has a priority of 32768 and MAC address of 2222.2222.2222. So its BID becomes 32768.2222.2222.2222. When SW2 creates its own BPDU, it sets both BID and Root BID to 32768.2222.2222.2222.

· Switch 3 (SW3). Has a priority of 32768 and MAC address of 3333.3333.3333. So its BID becomes 32768.3333.3333.3333. When SW3 creates its own BPDU, it sets both BID and Root BID to 32768.3333.3333.3333.

Now, the election process commences with the advertisement of the individual Hello BPDU's from each switch, as indicated by the arrows in our diagram. These BPDUs originate from each switch and end up at the other switches. Let's take up one switch at a time to see how it reacts to the BPDUs it receives from the other switches.

Switch 1 (SW1): It had sent out its own Hello BPDU with both BID and Root BID set to 32768.1111.1111.1111. When it receives the Hello BPDU from SW2, it checks for the Root BID value which is 32768.2222.2222.2222. SW1 discards the BPDU sent by SW2, as it still is the switch with the lowest BID. Same situation happens when it receives the Hello BPDU from SW3. SW1 is still the switch with the lowest BID. So it discards the Hello BPDU received from SW3 and keeps on advertising itself as the Root Bridge.

Switch 2 (SW2): Just like SW1, SW2 generates and sends its own Hello BPDU with both BID and Root BID set to 32768.2222.2222.2222. When it receives the Hello BPDU from SW1, it checks for the Root BID value which SW1 has set to 32768.1111.1111.1111. This being lower than SW2's own BID, makes the Hello BPDU received from SW1, a superior BPDU. So in its own BPDU, SW2 changes the value of the Root BID from 32768.2222.2222.2222, to 32768.1111.1111.1111, and starts advertising this revised Hello BPDU. SW2 now considers SW1 as the Root Bridge. Now, when it receives the Hello BPDU from SW3, it will obviously discard the BPDU as it is not superior in Root BID value. So for SW2, SW1 remains as Root Bridge, even after receiving the Hello BPDU from SW3.

Switch 3 (SW3): SW3 will send out its own Hello BPDU with both BID and Root BID set to 32768.3333.3333.3333. Depending on which Hello BPDU it receives first i.e. from SW1 or SW2, it will end up changing the Root BID value in its Hello BPDU because both SW1 & SW2 have lower MAC addresses. So if it received the Hello BPDU from SW2 first, then it will change the Root BID from 32768.3333.3333.3333 to 32768.2222.2222.2222 and consider SW2 as new Root Bridge. Once it receives the Hello BPDU from SW1, this BPDU supersedes the BPDU sent by SW2. So SW3 changes the Root BID from 32768.2222.2222.2222 to 32768.1111.1111.1111 and now considers SW1 as new Root Bridge.

At this point, all switches have received each other's BPDU and have agreed that SW1 has the lowerst BID address and is therefore the rightful Root Bridge of the network. Both SW2, and SW3 now agree that SW1 is Root Bridge, and start organizing their respective links into Root Ports and Designated Ports.

What if we wanted Switch 3 to be the Root Bridge?

In most real-life cases, we need to configure the Root Bridge to ensure that no matter the switch that joins the network, our initial Root Bridge will remain. To achieve this, we simply configure the Bridge Priority so that it is always smaller than the default value of 32768.

In our example, if we wanted Switch 3 to become the new Root Bridge, we would set its Bridge Priority to 4096. By doing so, we change its BID to 4096.3333.3333.3333 making it the lowest amongst our network switches.

Configuring a new BID in a production network is not recommended unless every caution has been taken to ensure network downtime is eliminated. When the BID of a switch changes to make it a Root Bridge, the whole network (switches) will react upon this and begin recomputing the new information. Depending on where the new Root Bridge is located, switch uplinks and redundant links might be blocked.

This article analysed the Spanning Tree Protocol Bridge ID structure and its importance. We saw how the Bridge Priority and System ID Extension fields play a primary role in the Root Bridge election within a network.

Taken From: http://www.firewall.cx/networking-topics/protocols/spanning-tree-protocol/1054-spanning-tree-protocol-root-bridge-election.html

Spanning Tree – STP / RSTP - Port Costs and States

Spanning Tree Protocol, Rapid STP Port Costs - Port States

Written by Arani Mukherjee. Posted in Spanning Tree Protocol (STP)

Spanning Tree Protocol, Rapid STP port costs and port states are an essential part of the STP algorithm that affect how STP decides to forward or block a port leading to the Root Bridge.

In our previous article that covers Understand STP Principles, Redundant Network Links & Broadcast Storms we encountered some key issues related to switching that causes degradation in network performance.

Those issues were broadly categorised as follows:

· Broadcast storm

· Unstable MAC Table in switches

· Multiple duplicate frames arriving at hosts

In order to avoid the above situations, Spanning Tree Protocol or STP is implemented. The aim of this protocol and its deployment is to provide a single path of communication between each Ethernet segment (e.g a link between two switches). Since the issues discussed in our previous article, and STP itself only relates to switching, our discussion will only refer to switches. It is worth noting that both bridges and switches make use of the STP protocol.

To create a single path between each Ethernet segment, for to and fro communication, STP decides on the state of each Ethernet interface. An interface can only be in two states, Forwarding state or Blocking state. STP employs its algorithm and puts certain interfaces in a Forwarding state. All other interfaces not put in a forwarding state are placed in a Blocking state.

Now before we start looking into what criteria STP uses to put a port in Forwarding or Blocking state, let’s understand certain terminologies using the network diagram below:

Root Bridge: A switch with all its ports placed in Forwarding state is a root bridge. The Root Bridge is often called Root Switch.

Another way to think of the Root Bridge is as the Master Switch (for loop avoidance matters), for which only one active path must exist from all other switches, effectively avoiding any possible network loops.

Root Port: For a non–root switch, the port that connects this switch to the root switch, with the least cost, is called the root port.

Designated Port: A non – root port, which is forwarding away from the root switch, and has the lowest cost in that Ethernet segment, is called the designated port.

Cost: A port cost is defined by the speed at which the port operates. The cost of a port is inversely related to the associated bandwidth and therefore a port with a low cost value (greater bandwidth-speed) is more preferable than a port with high cost value (lower bandwidth-speed).

Note: The process of the Root Bridge election, Designated and Root Ports is covered in great detail in our Spanning Tree Protocol: Bridge ID, Priority, System ID Extension & Root Bridge Election Process articles.

The table below was published by the IEEE group in 1998 and represented the cost against bandwidth:

The original STP Cost-Bandwidth table - Year 1998

The cost value (column marked “Range”) supported a 16-bit value (1 – 65535) while the root path cost was assigned a 32bit value embedded within the Bridge Protocol Data Unit (BPDU) field. BPDU's are special STP packets that contain all necessary information about the network's Spanning Tree topology.

In 2004, the revised 802.1D had its 16- bit path cost increased to a 32-bit value, providing more granularity:

STP uses the following criteria to decide whether to place a port in a Forwarding state or Blocking state

1. STP elects a Root Bridge, and then puts all its working interfaces in a Forwarding state

2. All other switches are now non–root switches. STP now looks at all the Root Ports from these switches, and finds the one with the Least Cost. Once this is found, STP places that interface in a Forwarding state.

3. Now STP finds all the Designated ports on the non–root switches, and places them in a Forwarding state.

4. Then STP places all other ports in a Blocking state.

It is absolutely essential to understand that the process of the Root Bridge and non-root switches election along with the port selection is performed only on working interfaces. Any failed/down interface i.e. no cables connected, or an interface which has been shutdown administratively, is parked into an STP Disabled state. Such ports are not considered during STP algorithm deployment.

Now let’s summarise what has been established previously:

Port Description	STP State	Important Observation
All ports on root switch	Forwarding	Root switch is always the designation switch on all Ethernet segment
Root ports on non – root switches	Forwarding	These are the ports that non – root switches use to reach the root switch
Every LAN’s designation port	Forwarding	The non – root port, that forwards away from the root switch, with lowest cost
All other working ports	Blocking	These ports are not used for forwarding, and any frames received on these interfaces are not forwarded as well.

The following table shows the available Port states for the original STP (802.1D) and newer Rapid STP (802.1w) designed to provide faster convergenceto topology changes. We should note that the three states Disabled, Blocking & Listening from STP (802.1D) have merged into one state, Discarding, for Rapid STP (802.1w):

STP (802.1D) Port State	RSTP (802.1w) Port State	Is Port Included in Active Topology?	Is Port Learning MAC Addresses?
Disabled	Discarding	No	No
Blocking	Discarding	No	No
Listening	Discarding	Yes	No
Learning	Learning	Yes	Yes
Forwarding	Forwarding	Yes	Yes

Support of Rapid STP (RSTP) in Cisco Catalyst Switches

This table shows the support of RSTP in Cisco Catalyst switches, and the minimum software required for that support. As a general rule of thumb, all newer Catalyst switches provide support for RTSP.

Catalyst Platform	MST w/ RSTP	RPVST+ (also known as PVRST+)
Catalyst 2900 XL / 3500 XL	Not available.	Not available.
Catalyst 2940	12.1(20)EA2	12.1(20)EA2
Catalyst 2950/2955/3550	12.1(9)EA1	12.1(13)EA1
Catalyst 2970/3750	12.1(14)EA1	12.1(14)EA1
Catalyst 3560	12.1(19)EA1	12.1(19)EA1
Catalyst 3750 Metro	12.1(14)AX	12.1(14)AX
Catalyst 2948G-L3/4908G-L3	Not available.	Not available.
Catalyst 4000/2948G/2980G (CatOS)	7.1	7.5
Catalyst 4000/4500 (IOS)	12.1(12c)EW	12.1(19)EW
Catalyst 5000/5500	Not available.	Not available.
Catalyst 6000/6500	7.1	7.5
Catalyst 6000/6500 (IOS)	12.1(11b)EX, 12.1(13)E, 12.2(14)SX	12.1(13)E
Catalyst 8500	Not available.	Not available.

In this article we covered Spanning Tree Protocol, Rapid STP port costs and port states. In our next article, we will start looking at how STP deploys the criteria. So, we will understand how STP decides which switch will be the Root Bridge , how it elects the Root Ports and Designated Ports. We will also investigate how STP reacts to any changes to the network topology and incorporates the changes in its algorithm.

Back to Spanning Tree Protocol Section

Taken From: http://www.firewall.cx/networking-topics/protocols/spanning-tree-protocol/1045-spanning-tree-protocol-port-costs-states.html

Spanning Tree – Principles

Spanning Tree Protocol – Understand STP Principles, Redundant Network Links & Broadcast Storms

Written by Arani Mukherjee. Posted in Spanning Tree Protocol (STP)

One of the most used terms in network is LAN (Local Area Network). It’s a form of network that we encounter in our daily lives, at home, at work, study, and in various other areas of life. Unless working specially in the field of Wide Area Networks (WAN), you will come across a LAN pretty much everyday. A key protocol used to maintain efficiency within a LAN is the Spanning Tree Protocol (STP), which is standardized as IEEE 802.1D. Without this protocol our LANs would rapidly become congested, with frames looping throughout the network infinitely, making network devices unstable. This protocol is implemented on switches, as switches deal with network data at the frame level. But before going ahead with a full blown explanation of what STP is, it is important to understand the ‘problem’ that STP prevents and how it improves a LAN’s performance. Let’s go through some salient features of a LAN first.

One of the most important devices within a LAN is a switch. All standard switches are Layer 2 devices i.e. they work at the level of frames. A frame is the unit of transmission in a link layer protocol and consists of a link-layer header followed by a packet. Without going into too much detail, a switch communicates in terms of frames. Users interested learning more about frames, can visit our Ethernet Frame Formats section where they'll find plenty of useful information and 3D representations of the various Ethernet frames. Apart from the higher layer data encapsulated by the frame, it carries two other important pieces of information, the Source MAC Address and the Destination MAC Address. It’s important to make a note of this as it becomes vital in our understanding of how a switch works and for STP itself.

How Does a Switch Work?

It must be noted that, before starting on this tutorial, it is best to have an understanding of how a switch works. If not then all is not lost. Users can always look up existing switch principles covered under the Switches & Bridges article.

Understanding of the following topics is essential for STP:

· How a switch finds MAC Addresses of new hosts

· How a switch populates its MAC Address tables

· How a switch deals with an incoming frame when it doesn’t know which outgoing interface to switch it to (due to no entry for a destination MAC Address in the switching table)

If the above fundamental principles are clear, learning about STP becomes simple.

Within permissible limits it might be said that STP is introduced within the LAN to prevent complications and network related problems caused by the way a switch functions. The flaw does not lie with how a switch works, it lies with the repercussions and manifestations of traffic because of it. Now let us run through some of the major issues encountered within a LAN.

Problems with Switches & Redundant Links

Just like our lives, LANs becomes big and complicated and cater to a huge number of devices. To provide interconnectivity and redundancy, sometimes switches are connected between themselves to ensure data streams are always maintained between network hosts. In an ideal world, a simple network would only have a router, a switch, and ‘n’ number of hosts connected to that switch, depending on how big the switch is. But just like Utopia, this ideal world doesn’t exist and networks have multiple switches, and sometimes these switches have interconnections. It’s done to provide redundant paths to various parts of the network to which these switches provide connectivity.

But by virtue of how a switch functions, there can be a few rather alarming issues cropping up very quickly when switches have more than one way of connecting various parts of the network. To visualise this concept, here’s a setup that has two hosts connected via two switches. For the sake of simplicity the router has been left out of this equation. Since STP is all about effective switching, let’s not involve ourselves in routing. The switching layout is, then, as follows:

To simplify this layout, please consider the following

· There are two switches, SW1 and SW2

· There are two hosts, PC1 and PC2, connected to SW1 and SW2 respectively

· MAC Address of PC1 is PC1-MAC1 and that of PC2 is PC2-MAC2

· SW1 and SW2 are connected to each other via 2 links, LINK 1 and LINK 2. These are redundant links

· For LINK1, the interface used on SW1 is SW1-MAC1, and the interface used on SW2 is SW2-MAC1

· For LINK2, the interface used on SW1 is SW1-MAC2, and the interface used on SW2 is SW2-MAC2

Now let’s look at a condition where both switches have an empty MAC address table. PC1 sends out a frame whose destination is PC2. This frame reaches SW1. Right now SW1 does not know which interface to use to forward this frame to PC2, so it does a broadcast. By virtue of frame forwarding, the source address of this frame now changes. Since this broadcast will go out through both LINK 1 and 2, the outgoing broadcast frames will have different source addresses.

Let us consider the frame from SW1 going out on LINK 1. Its destination address still reads PC2-MAC2. But its source address now reads SW1-MAC1. When this frame reaches SW2, SW2 does not know which interface to use to forward this frame to PC2-MAC2, so it does a broadcast. By virtue of a broadcast from a switch, this frame will not go out on LINK 1 again. This broadcasted frame goes out to PC2 and also goes out on LINK 2. Once PC2 receives this broadcast, it acknowledges receipt and SW2 learns the interface to use to forward a frame whose destination MAC Address says PC2-MAC2. But what about the broadcast frame that went out on LINK 2? This now reaches SW1, and its destination MAC Address still reads PC2-MAC2. SW1, for the second time, does not know which interface to use to forward this frame. So guess what it does? It does a broadcast again, causing PC1 to receive a frame it sent out in the first case.

So you see, an innocent frame that was destined for just one host on the other end of this simplified network, ended up with the host that sent it out in the first place. This is what is known as a broadcast storm. Now this process will keep on going till the network becomes congested with multiple duplicate frames, thus reducing its performance.

This is not the only issue on this LAN. What happens in the background is that the MAC table within both switches becomes extremely unstable. This is caused by the effect of the frame with the same destination MAC Address approaching the two switches with different source MAC Address. Hence the MAC table on each switch keeps getting updated without achieving any stable state. Not to mention the fact that due to this broadcast storm the hosts keep receiving multiple duplicate frames.

So to sum up, the issues encountered in the above situation are now made clear:

· Broadcast storm

· Unstable MAC Table in switches

· Multiple duplicate frames arriving at hosts

STP is aimed at resolving all the above issues. This is discussed in the next tutorial, Spanning Tree Protocol, Rapid STP Port Costs - Port States, where we will start discovering the working principle of this protocol, along with some key features and associated terms.

Back To Spanning Tree Protocol Section

Taken From: http://www.firewall.cx/networking-topics/protocols/spanning-tree-protocol/1042-spanning-tree-protocol-fundamentals.html

Creating VPNs - IPSEC and OpenVPN (SSL/TLS)

Creating VPNs with IPsec and SSL/TLS

VPN (Virtual Private Network) is a technology that provides secure communication through an insecure and untrusted network (like the Internet). Usually, it achieves this by authentication, encryption, compression and tunneling. Tunneling is a technique that encapsulates the packet header and data of one protocol inside the payload field of another protocol. This way, an encapsulated packet can traverse through networks it otherwise would not be capable of traversing.

Figure 1. A Basic VPN Tunnel

Currently, the two most common techniques for creating VPNs are IPsec and SSL/TLS. In this article, I describe the features and characteristics of these two techniques and present two short examples of how to create IPsec and SSL/TLS tunnels in Linux and verify that the tunnels started correctly. I also provide a short comparison of these two techniques.

IPsec and Openswan

IPsec (IP security) provides encryption, authentication and compression at the network level. IPsec is actually a suite of protocols, developed by the IETF (Internet Engineering Task Force), which have existed for a long time. The first IPsec protocols were defined in 1995 (RFCs 1825–1829). Later, in 1998, these RFCs were depreciated by RFCs 2401–2412. IPsec implementation in the 2.6 Linux kernel was written by Dave Miller and Alexey Kuznetsov. It handles both IPv4 and IPv6. IPsec operates at layer 3, the network layer, in the OSI seven-layer networking model. IPsec is mandatory in IPv6 and optional in IPv4. To implement IPsec, two new protocols were added: Authentication Header (AH) and Encapsulating Security Payload (ESP). Handshaking and exchanging session keys are done with the Internet Key Exchange (IKE) protocol.

The AH protocol (RFC 2404) has protocol number 51, and it authenticates both the header and payload. The AH protocol does not use encryption, so it is almost never used.

ESP has protocol number 50. It enables us to add a security policy to the packet and encrypt it, though encryption is not mandatory. Encryption is done by the kernel, using the kernel CryptoAPI. When two machines are connected using the ESP protocol, a unique number identifies this connection; this number is called SPI (Security Parameter Index). Each packet that flows between these machines has a Sequence Number (SN), starting with 0. This SN is increased by one for each sent packet. Each packet also has a checksum, which is called the ICV (integrity check value) of the packet. This checksum is calculated using a secret key, which is known only to these two machines.

IPsec has two modes: transport mode and tunnel mode. When creating a VPN, we use tunnel mode. This means each IP packet is fully encapsulated in a newly created IPsec packet. The payload of this newly created IPsec packet is the original IP packet.

Figure 2. An IPsec Tunnel ESP Packet

Figure 2 shows that a new IP header was added at the right, as a result of working with a tunnel, and that an ESP header also was added.

There is a problem when the endpoints (which are sometimes called peers) of the tunnel are behind a NAT (Network Address Translation) device. Using NAT is a method of connecting multiple machines that have an “internal address”, which are not accessible directly to the outside world. These machines access the outside world through a machine that does have an Internet address; the NAT is performed on this machine—usually a gateway.

When the endpoints of the tunnel are behind a NAT, the NAT modifies the contents of the IP packet. As a result, this packet will be rejected by the peer because the signature is wrong. Thus, the IETF issued some RFCs that try to find a solution for this problem. This solution commonly is known as NAT-T or NAT Traversal. NAT-T works by encapsulating IPsec packets in UDP packets, so that these packets will be able to pass through NAT routers without being dropped. RFC 3948, UDP Encapsulation of IPsec ESP Packets, deals with NAT-T (see Resources).

Openswan is an open-source project that provides an implementation of user tools for Linux IPsec. You can create a VPN using Openswan tools (shown in the short example below). The Openswan Project was started in 2003 by former FreeS/WAN developers. FreeS/WAN is the predecessor of Openswan. S/WAN stands for Secure Wide Area Network, which is actually a trademark of RSA. Openswan runs on many different platforms, including x86, x86_64, ia64, MIPS and ARM. It supports kernels 2.0, 2.2, 2.4 and 2.6.

Two IPsec kernel stacks are currently available: KLIPS and NETKEY. The Linux kernel NETKEY code is a rewrite from scratch of the KAME IPsec code. The KAME Project was a group effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) protocol stack implementation for variants of the BSD UNIX computer operating system.

KLIPS is not a part of the Linux kernel. When using KLIPS, you must apply a patch to the kernel to support NAT-T. When using NETKEY, NAT-T support is already inside the kernel, and there is no need to patch the kernel.

When you apply firewall (iptables) rules, KLIPS is the easier case, because with KLIPS, you can identify IPsec traffic, as this traffic goes through ipsecX interfaces. You apply iptables rules to these interfaces in the same way you apply rules to other network interfaces (such as eth0).

When using NETKEY, applying firewall (iptables) rules is much more complex, as the traffic does not flow through ipsecX interfaces; one solution can be marking the packets in the Linux kernel with iptables (with a setmark iptables rule). This mark is a member of the kernel socket buffer structure (struct sk_buff, from the Linux kernel networking code); decryption of the packet does not modify that mark.

Openswan supports Opportunistic Encryption (OE), which enables the creation of IPsec-based VPNs by advertising and fetching public keys from a DNS server.

OpenVPN

OpenVPN is an open-source project founded by James Yonan. It provides a VPN solution based on SSL/TLS. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications data transfer on the Internet. SSL has been in existence since the early '90s.

The OpenVPN networking model is based on TUN/TAP virtual devices; TUN/TAP is part of the Linux kernel. The first TUN driver in Linux was developed by Maxim Krasnyansky.

OpenVPN installation and configuration is simpler in comparison with IPsec. OpenVPN supports RSA authentication, Diffie-Hellman key agreement, HMAC-SHA1 integrity checks and more. When running in server mode, it supports multiple clients (up tp 128) to connect to a VPN server over the same port. You can set up your own Certificate Authority (CA) and generate certificates and keys for an OpenVPN server and multiple clients.

OpenVPN operates in user-space mode; this makes it easy to port OpenVPN to other operating systems.

Example: Setting Up a VPN Tunnel with IPsec and Openswan

First, download and install the ipsec-tools package and the Openswan package (most distros have these packages).

The VPN tunnel has two participants on its ends, called left and right, and which participant is considered left or right is arbitrary. You have to configure various parameters for these two ends in /etc/ipsec.conf (see man 5 ipsec.conf). The /etc/ipsec.conf file is divided into sections. The conn section contains a connection specification, defining a network connection to be made using IPsec.

An example of a conn section in /etc/ipsec.conf, which defines a tunnel between two nodes on the same LAN, with the left one as 192.168.0.89 and the right one as 192.168.0.92, is as follows:

...
conn linux-to-linux
#
# Simply use raw RSA keys
# After starting openswan, run:
# ipsec showhostkey --left (or --right)
# and fill in the connection similarly
# to the example below.
left=192.168.0.89
leftrsasigkey=0sAQPP...
# The remote user.
#
right=192.168.0.92
rightrsasigkey=0sAQON...
type=tunnel
auto=start
...
You can generate the leftrsasigkey and rightrsasigkey on both participants by running:

ipsec rsasigkey --verbose 2048 > rsa.key
Then, copy and paste the contents of rsa.key into /etc/ipsec.secrets.

In some cases, IPsec clients are roaming clients (with a random IP address). This happens typically when the client is a laptop used from remote locations (such clients are called Roadwarriors). In this case, use the following in ipsec.conf:

right=%any
instead of:

right=ipAddress
The %any keyword is used to specify an unknown IP address.

The type parameter of the connection in this example is tunnel (which is the default). Other types can be transport, signifying host-to-host transport mode; passthrough, signifying that no IPsec processing should be done at all; drop, signifying that packets should be discarded; and reject, signifying that packets should be discarded and a diagnostic ICMP should be returned.

The auto parameter of the connection tells which operation should be done automatically at IPsec startup. For example, auto=start tells it to load and initiate the connection; whereas auto=ignore (which is the default) signifies no automatic startup operation. Other values for the auto parameter can be add, manual or route.

After configuring /etc/ipsec.conf, start the service with:

service ipsec start
You can perform a series of checks to get info about IPsec on your machine by typing ipsec verify. And, output of ipsec verify might look like this:

Checking your system to see if IPsec has installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.7/K2.6.21-rc7 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
Checking that pluto is running [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
You can get information about the tunnel you created by running:

ipsec auto --status
You also can view various low-level IPSec messages in the kernel syslog.

You can test and verify that the packets flowing between the two participants are indeed esp frames by opening an FTP connection (for example), between the two participants and running:

tcpdump -f esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
You should see something like this:

IP 192.168.0.92 > 192.168.0.89: ESP(spi=0xd514eed9,seq=0x7)
IP 192.168.0.89 > 192.168.0.92: ESP(spi=0x3a1563b9,seq=0x6)
IP 192.168.0.89 > 192.168.0.92: ESP(spi=0x3a1563b9,seq=0x7)
IP 192.168.0.92 > 192.168.0.89: ESP(spi=0xd514eed9,seq=0x8)
Note that the spi (Security Parameter Index) header is the same for all packets; this is an identifier of the connection.

If you need to support NAT traversal, add nat_traversal=yes in ipsec.conf; nat_traversal=no is the default.

The Linux IPsec stack can work with pluto from Openswan, racoon from the KAME Project (which is included in ipsec-tools) or isakmpd from OpenBSD.

Example: Setting Up a VPN Tunnel with OpenVPN

First, download and install the OpenVPN package (most distros have this package).

Then, create a shared key by doing the following:

openvpn --genkey --secret static.key

You can create this key on the server side or the client side, but you should copy this key to the other side in a secured channel (like SSH, for example). This key is exchanged between client and server when the tunnel is created.

This type of shared key is the simplest key; you also can use CA-based keys. The CA can be on a different machine from the OpenVPN server. The OpenVPN HOWTO provides more details on this (see Resources).

Then, create a server configuration file named server.conf:

dev tun
ifconfig 10.0.0.1 10.0.0.2
secret static.key
comp-lzo
On the client side, create the following configuration file named client.conf:

remote serverIpAddressOrHostName
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret static.key
comp-lzo
Note that the order of IP addresses has changed in the client.conf configuration file.

The comp-lzo directive enables compression on the VPN link.

You can set the mtu of the tunnel by adding the tun-mtu directive. When using Ethernet bridging, you should use dev tap instead of dev tun.

The default port for the tunnel is UDP port 1194 (you can verify this by typing netstat -nl | grep 1194 after starting the tunnel).

Before you start the VPN, make sure that the TUN interface (or TAP interface, in case you use Ethernet bridging) is not firewalled.

Start the vpn on the server by running openvpn server.conf and running openvpn client.conf on the client.

You will get an output like this on the client:

OpenVPN 2.1_rc2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on
Mar 3 2007
IMPORTANT: OpenVPN's default port number is now 1194, based on an official
port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000
as
the default port.
LZO compression initialized
TUN/TAP device tun0 opened
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.0.0.2 peer 10.0.0.1
UDPv4 link local (bound): [undef]:1194
UDPv4 link remote: 192.168.0.89:1194
Peer Connection Initiated with 192.168.0.89:1194
Initialization Sequence Completed
You can verify that the tunnel is up by pinging the server from the client (ping 10.0.0.1 from the client).

The TUN interface emulates a PPP (Point-to-Point) network device and the TAP emulates an Ethernet device. A user-space program can open a TUN device and can read or write to it. You can apply iptables rules to a TUN/TAP virtual device in the same way you would do it to an Ethernet device (such as eth0).

IPsec and OpenVPN—a Short Comparison
IPsec is considered the standard for VPN; many vendors (including Cisco, Nortel, CheckPoint and many more) manufacture devices with built-in IPsec functionalities, which enable them to connect to other IPsec clients.

However, we should be a bit cautious here: different manufacturers may implement IPsec in a noncompatible manner on their devices, which can pose a problem.

OpenVPN is not supported currently by most vendors.

IPsec is much more complex than OpenVPN and involves kernel code; this makes porting IPsec to other operating systems a much heavier task. It is much easier to port OpenVPN to other operating systems than IPsec, because OpenVPN runs entirely in user space and is not involved with kernel code.

Both IPsec and OpenVPN use HMAC (Hash Message Authentication Code) to authenticate packets.

OpenVPN is based on using the OpenSSL library; it can run over UDP (which is the default and preferred protocol) or TCP. As opposed to IPsec, which runs in kernel, it runs in user space, so it is heavier than IPsec in terms of performance.

Configuring and applying firewall (iptables) rules in OpenVPN is usually easier than configuring such rules with Openswan in an IPsec-based tunnel.

Acknowledgement
Thanks to Mr Ken Bantoft for his comments.

Resources

OpenVPN: openvpn.net

OpenVPN 2.0 HOWTO: openvpn.net/howto.html

RFC 3948, UDP Encapsulation of IPsec ESP Packets: tools.ietf.org/html/rfc3948

Openswan: www.openswan.org

The KAME Project: www.kame.net

Rami Rosen is a computer science graduate of Technion, the Israel Institute of Technology, located in Haifa. He works as a Linux and Open Solaris kernel programmer for a networking startup, and he can be reached at ramirose@gmail.com. In his spare time, he likes running, solving cryptic puzzles and helping everyone he knows move to this wonderful operating system, Linux.

Taken From: http://www.linuxjournal.com/article/9916