1User PPP Packet Aliasing 2 3 4 50. Contents 6 1. Background 7 2. Setup 8 3. New commands in ppp 9 4. Future Work 10 5. Authors / Acknowledgements 11 6. Revision History for Aliasing Code 12 13 14 151. Background 16 17User mode ppp has embedded packet aliasing (IP masquerading) code. 18Enabling this, either by the "-alias" command line option or the 19"alias enable yes" command in a ppp.conf file, makes the ppp host 20automatically alias IP packets forwarded from a local network, making 21them appear to come from the ppp host machine. Incoming packets 22from the outside world are then appropriately de-aliased. 23 24The process of aliasing involves both the IP address and the TCP or UDP 25port numbers. ICMP echo and timestamp packets are aliased by their id 26numbers. ICMP error messages can be properly directed by examining the 27fragment of the offending packet which is contained in the body of the 28message. 29 30This software was specifically meant to support users who have 31unregistered, private address IP networks (e.g. 192.168.0.x or 10.0.0.x 32addresses). The ppp host can act as a gateway for these networks, and 33computers on the local area net will have some degree of Internet access 34without the need for a registered IP address. Additionally, there will 35be no need for an Internet service provider to maintain routing tables 36for the local area network. 37 38A disadvantage of packet aliasing is that machines on the local network, 39behind the ppp host, are not visible from the outside world. They can 40establish TCP connections and make UDP inquiries (such as domain name 41service requests) but the connections seem to come from the ppp host 42itself. There is, in effect, a partial firewall. Of course, if this is 43what you want, the disadvantage becomes an advantage. 44 45A second disadvantage is that "IP encoding" protocols, which send IP 46address or port information within the data stream, are not supported 47for the cases where exception code exists. This implementation has 48workarounds for FTP and IRC DCC, the most well known of the IP encoding 49protocols. This frees users from depending on using the ftp passive 50mode and avoiding IRC DCC sends, as is sometimes the case with other 51masquerading solutions. 52 53The implementation supports all standard, non-encoding TCP and UDP protocols. 54Examples of these protocols are http, gopher and telnet. The standard UDP 55mode of Real-Audio is not presently supported, but the TCP mode does work 56correctly. 57 58The packet aliasing code also handle many ICMP messages. In particular, 59ping and traceroute are supported. 60 61 62 632. Packet Aliasing Setup 64 65It is recommended that users first verify correct ppp operation without 66packet aliasing enabled. This will confirm that the ppp.conf file is 67properly set up and that there are no ppp problems. Then start ppp with 68the "-alias" option on the command line. The user should verify that 69the ppp host can correctly connect to the Internet in packet aliasing 70mode. Finally, check that machines on the private network can access 71the Internet. 72 73The masquerading software aliases all packets, whether they come from 74the host or another computer on the local area network. Thus, a correctly 75operating ppp host indicates that the software should work properly for 76other computers on the private network. 77 78If the ppp host can access the Internet, but other computers on the local 79network cannot, check that IP forwarding is enabled on the ppp host. Also, 80verify that the other computers use this machine as a gateway. Of course, 81you should also verify that machines within the local area network 82communicate properly. A common error is inconsistent subnet addresses 83and masks. 84 85 86 873. New commands in ppp 88 89In order to control aliasing behaviour in a simple manner (no need for 90recompilation), a new command has been added to ppp: alias. This 91is in addition to the -alias command line option. System managers and 92more experienced users may prefer to use the ppp command syntax 93within the ppp.conf file. The alias command also allows packet aliasing 94behaviour to be more precisely specified. 95 96The decision to add a command instead of extending 'set' or 'option' was 97to make obvious that these options only work when aliasing is enabled. 98 99The syntax for 'alias' is 100 101 ppp> alias option [yes|no] 102 103where option is given by one of the following templates. 104 105 106 - alias enable [yes|no] (default no) 107 108Enable packet aliasing functionality. If disabled, no other alias 109options will have any effect. You should usually enable aliasing 110before routing any packets over the link; good points are in the 111initial script or right before adding a route. If you do not always 112want aliasing, consider using the -alias option to ppp instead of this 113command. 114 115 116 - alias deny_incoming [yes|no] (default yes) 117 118Set to "yes" to disable all incoming connections. This just drops 119connections to, for example, ftp, telnet or web servers. The aliasing 120mechanism prevents these connections. Technically, this option denies 121all incoming TCP and UDP requests, making the aliasing software a 122fairly efficient one-way firewall. The default is no, which will allow 123all incoming connections to telnetd, ftpd, etc. 124 125 126 - alias log [yes|no] 127 128Controls logging of alias link creation to "/var/log/alias.log" - this 129is usually only useful if debugging a setup, to see if the bug is in 130the PPP aliasing. The debugging information is fairly limited, listing 131the number of aliasing links open for different protocols. 132 133 134 - alias same_ports [yes|no] (default yes) 135 136When a connection is being established going through the aliasing 137routines, it will normally have its port number changed to allow the 138aliasing code to track it. If same_ports is enabled, the alias 139software attempts to keep the connection's source port unchanged. 140This will allow rsh, RPC and other specialised protocols to work 141_most of the time_, at least on the host machine. Please, do not 142report this being unstable as a bug - it is a result of the way 143aliasing has to work. TCP/IP was intended to have one IP address 144per machine. 145 146 147 - alias use_sockets [yes|no] (default yes) 148 149This is a fairly obscure option. For the most part, the packet aliasing 150software does not have to allocate system sockets when it chooses an 151aliasing port number. Under very specific circumstances, FTP data 152connections (which don't know the remote port number, though it is 153usually 20) and IRC DCC send (which doesn't know either the address or 154the port from which the connection will come), there can potentially be 155some interference with an open server socket having the same port number 156on the ppp host machine. This possibility for interference only exists 157until the TCP connection has been acknowledged on both sides. The safe 158option is yes, though fewer system resources are consumed by specifying 159no. 160 161 162 - alias unregistered_only [yes|no] (default no) 163 164Packet aliasing normally remaps all packets coming from the local area 165network to the ppp host machine address. Set this option to only map 166addresses from the following standard ranges for private, unregistered 167addresses: 168 169 10.0.0.0 -> 10.255.255.255 170 172.16.0.0 -> 172.31.255.255 171 192.168.0.0 -> 192.168.255.255 */ 172 173In the instance that there is a subnet of public addresses and another 174subnet of private addresses being routed by the ppp host, then only the 175packets on the private subnet will be aliased. 176 177 178- alias port <proto> <local addr>:<port> <alias port> 179 180This command allows incoming traffic to <alias port> on the host 181machine to be redirected to a specific machine and port on the 182local area network. One example of this would be: 183 184 alias port tcp 192.168.0.4:telnet 8066 185 186All traffic to port 8066 of the ppp host would then be sent to 187the telnet port (23) of machine 192.168.0.4. Port numbers 188can either be designated numerically or by symbolic names 189listed in /etc/services. Similarly, addresses can be either 190in dotted quad notation or in /etc/hosts. 191 192 193- alias addr <local addr> <public addr> 194 195This command allows traffic for a public IP address to be 196redirected to a machine on the local network. This function 197is known as "static NAT". An address assignment of 0 refers 198to the default address of the ppp host. Normally static 199NAT is useful if your ISP has allocated a small block of 200IP addresses to the user, but it can even be used in the 201case of a single, dynamically allocated IP address: 202 203 alias addr 10.0.0.8 0 204 205The above command would redirect all incoming traffic to 206machine 10.0.0.8. 207 208If several address aliases specify the same public address 209as follows 210 211 alias addr 192.168.0.2 public_addr 212 alias addr 192.168.0.3 public_addr 213 alias addr 192.168.0.4 public_addr 214 215then incoming traffic will be directed to the last 216translated local address (192.168.0.4), but outgoing 217traffic to the first two addresses will still be aliased 218to the specified public address. 219 220 221 2224. Future Work 223 224What is called packet aliasing here has been variously called masquerading, 225network address translation (NAT) and transparent proxying by others. It 226is an extremely useful function to many users, but it is also necessarily 227imperfect. The occasional IP-encoding protocols always need workarounds 228(hacks). Users who are interested in supporting new IP-encoding protocols 229can follow the examples of alias_ftp.c and alias_irc.c. 230 231ICMP error messages are currently handled only in the incoming direction. 232A handler needs to be added to correctly alias outgoing error messages. 233 234IRC and FTP exception handling make reasonable, though not strictly correct 235assumptions, about how IP encoded messages will appear in the control 236stream. Programmers may wish to consider how to make this process more 237robust. 238 239The packet aliasing engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c 240and alias_util.c) runs in user space, and is intended to be both portable 241and reusable for interfaces other than ppp. To access the basic engine 242only requires four simple function calls (initialisation, communication of 243host address, outgoing aliasing and incoming de-aliasing). 244 245 246 2475. Authors / Acknowledgements 248 249Charles Mott (cmott@srv.net) <versions 1.0 - 1.8, 2.0, 2.1> 250Eivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands> 251 252Listed below, in chronological order, are individuals who have provided 253valuable comments and/or debugging assistance. 254 255 Gary Roberts 256 Tom Torrance 257 Reto Burkhalter 258 Martin Renters 259 Brian Somers 260 Paul Traina 261 Ari Suutari 262 J. Fortes 263 Andrzej Bialeki 264 265 266 2676. Revision History for Aliasing Code 268 269Version 1.0: August 11, 1996 (cjm) 270 271Version 1.1: August 20, 1996 (cjm) 272 PPP host accepts incoming connections for ports 0 to 1023. 273 274Version 1.2: September 7, 1996 (cjm) 275 Fragment handling error in alias_db.c corrected. 276 277Version 1.3: September 15, 1996 (cjm) 278 - Generalised mechanism for handling incoming connections 279 (no more 0 to 1023 restriction). 280 - Increased ICMP support (will handle traceroute now). 281 - Improved TCP close connection logic. 282 283Version 1.4: September 16, 1996 284 Can't remember (this version only lasted a day -- cjm). 285 286Version 1.5: September 17, 1996 (cjm) 287 Corrected error in handling incoming UDP packets 288 with zero checksum. 289 290Version 1.6: September 18, 1996 291 Simplified ICMP data storage. Will now handle 292 tracert from Win95 as well as FreeBSD traceroute. 293 294Version 1.7: January 9, 1997 (cjm) 295 - Reduced malloc() activity for ICMP echo and 296 timestamp requests. 297 - Added handling for out-of-order IP fragments. 298 - Switched to differential checksum computation 299 for IP headers (TCP, UDP and ICMP checksums 300 were already differential). 301 - Accepts FTP data connections from other than 302 port 20. This allows one ftp connections 303 from two hosts which are both running packet 304 aliasing. 305 306Version 1.8: January 14, 1997 (cjm) 307 - Fixed data type error in function StartPoint() 308 in alias_db.c (this bug did not exist before v1.7) 309 310Version 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>) 311 - Upgraded base PPP version to be the source code from 312 FreeBSD 2.1.6, with additional security patches. This 313 version should still be possible to run on 2.1.5, though - 314 I've run it with a 2.1.5 kernel without problems. 315 (Update done with the permission of cjm) 316 317Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>) 318 - Added support for IRC DCC (ee) 319 - Changed the aliasing routines to use ANSI style throughout - 320 minor API changes for integration with other programs than PPP (ee) 321 - Changed the build process, making all options switchable 322 from the Makefile (ee) 323 - Fixed minor security hole in alias_ftp.c for other applications 324 of the aliasing software. Hole could _not_ manifest in 325 PPP+pktAlias, but could potentially manifest in other 326 applications of the aliasing. (ee) 327 - Connections initiated from packet aliasing host machine will 328 not have their port number aliased unless it conflicts with 329 an aliasing port already being used. (There is an option to 330 disable this for debugging) (cjm) 331 - Sockets will be allocated in cases where there might be 332 port interference with the host machine. This can be disabled 333 in cases where the ppp host will be acting purely as a 334 masquerading router and not generate any traffic of its own. 335 (cjm) 336 337Version 2.0: March, 1997 (cjm) 338 - Incoming packets which are not recognised by the packet 339 aliasing engine are now completely dropped in ip.c. 340 - Aliasing links are cleared when a host interface address 341 changes (due to re-dial and dynamic address allocation). 342 - PacketAliasPermanentLink() API added. 343 - Option for only aliasing private, unregistered IP addresses 344 added. 345 - Substantial rework to the aliasing lookup engine. 346 347Version 2.1: May, 1997 (cjm) 348 - Continuing rework to the aliasing lookup engine to support 349 multiple incoming addresses and static NAT. 350 - Now supports outgoing as well as incoming ICMP error messages/ 351 - PPP commands to support address and port redirection. 352 353