mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-20 11:11:24 +00:00
a9f484e520
(otherwise ppp's behavior remains unchanged) and documented by myself, Steve Sims, Nate Williams, Martin Renters and god-only-knows who else. :-) Submitted by: nate Obtained from: Charles Mott <cmott@srv.net>
113 lines
4.5 KiB
Plaintext
113 lines
4.5 KiB
Plaintext
User PPP Packet Aliasing
|
|
|
|
0. Contents
|
|
1. Background
|
|
2. Setup
|
|
3. Future Development
|
|
|
|
|
|
1. Background
|
|
|
|
User ppp has embedded packet aliasing (IP masquerading) code.
|
|
When this capability is enabled by the "-alias" command line
|
|
option, the ppp host will automatically alias IP packets forwarded
|
|
from a local network so that they appear to come from the ppp
|
|
host machine. Incoming packets from the outside world are then
|
|
appropriately de-aliased.
|
|
|
|
The process of aliasing involves both the IP address as well as
|
|
TCP and UDP port numbers. ICMP packets can be aliased by either
|
|
their id or sequence numbers.
|
|
|
|
This software was specifically meant to support users who have
|
|
unregistered, private address IP networks (e.g. 192.168.0.x or
|
|
10.0.0.x addresses). The ppp host can act as a gateway for these
|
|
networks, and computers on the local area net will have some
|
|
degree of internet access without the need for a registered IP
|
|
address. Additionally, there will be no need for an internet
|
|
service provider to maintain routing tables for the local area
|
|
network.
|
|
|
|
A disadvantage of packet aliasing is that machines on the local
|
|
network, behind the ppp host, can establish tcp connections and
|
|
make udp inqiries (such as domain name service requests), but these
|
|
machines, other than the ppp host itself, are not visible from
|
|
the outside world. There is, in effect, a partial firewall.
|
|
|
|
A second disadvantage is that "IP encoding" protocols, which send
|
|
IP address or port information within the data stream, are not
|
|
supported unless exception code has been put in place. A workaround
|
|
for ftp, which is the most well known of the IP encoding protocols,
|
|
has been developed in this implementation, so users do not have
|
|
to depend on using the ftp passive mode, as is sometimes the case
|
|
with other masquerading solutions.
|
|
|
|
All standard, non-encoding TCP and UDP protocals are supported,
|
|
Examples of these protocols are http, gopher and telnet. The
|
|
standard UDP mode of RealAudio is not presently supported,
|
|
but the TCP mode does work correctly. IRC is reported by users
|
|
to work in some, but not all, modes.
|
|
|
|
The packet aliasing code also handle many ICMP messages. In
|
|
particular, ping and traceroute are supported.
|
|
|
|
|
|
|
|
2. Packet Aliasing Setup
|
|
|
|
It is recommended that correct ppp operation first be verified
|
|
without packet aliasing enabled. Then ppp can be started with
|
|
the "-alias" option in the command line. Correct network operation
|
|
of the ppp host in packet aliasing mode should then be verified.
|
|
Finally, machines on the private network should be checked to see
|
|
whether they can access the internet.
|
|
|
|
Since the masquerading software aliases all packets, whether
|
|
they come from the host or another computer on the local area
|
|
network, a correctly operating ppp host will indicate that the
|
|
software should work properly for other computers on the private
|
|
network.
|
|
|
|
If the ppp host can access the internet, but other computers on
|
|
the local network cannot do this, then it should be checked that
|
|
IP forwarding is enabled on the ppp host and that the other
|
|
computers use this machine as a gateway. Of course, proper
|
|
communications between machines within the local area network
|
|
should also be verified (do they use consistent subnet addresses
|
|
and masks?).
|
|
|
|
|
|
|
|
3. Future Development
|
|
|
|
What is called packet aliasing here has been variously called
|
|
masquerading, network address translation (NAT) and transparent
|
|
proxying by others. It is an extremely useful function to
|
|
many users, but it is also necessarily imperfect. Workarounds
|
|
(hacks) are always needed for the occasional IP-encoding
|
|
protocols.
|
|
|
|
The specific solution implemented here does not block off or
|
|
reserve any segment of TCP or UDP ports on the ppp host for use
|
|
by the masquerading function. No communication to the kernel
|
|
is needed in this matter. All packets are aliased, whether
|
|
they originate from the ppp host or other computers on the
|
|
local network. This is a central issue, and some programmers
|
|
may wish to handle this differently.
|
|
|
|
The packet aliasing engine (alias.c, alias_db.c, alias_ftp.c
|
|
and alias_util.c) runs in user space, and is intended to be
|
|
both portable and reusable for interfaces other than ppp. The
|
|
basic engine is accessed by four simple function calls
|
|
(initialization, communication of host address, outgoing
|
|
aliasing and incoming de-aliasing).
|
|
|
|
Limited IP fragment handling exists. Once the packet aliasing
|
|
software sees the header fragment of a packet, all other fragments
|
|
will be correctly forwarded. However, if the header fragment
|
|
does not come first, then some fragments will be lost.
|
|
|
|
Charles Mott (cmott@srv.net)
|
|
December 4, 1996
|
|
|