Le tunnel GRE
09/02/2005
 Christian CALECA 
Liste des cours

Limites

Accueil ] [ Le principe ] [ Tunnel GRE ] [ Le protocole ] [ Utilisation ] [ Limites ]

Juste un exemple pour montrer au moins qu'un tel tunnel GRE n'offre pas de confidentialité. Nous allons, par l'intermédiaire du "voisinage réseau", utiliser le tunnel pour copier un fichier local sur un hôte distant, à l'autre bout du tunnel.

Ce fichier texte, tout simple, contient le texte : "transfert d'un document par un tunnel GRE".

Le sniffer, mis en service sur l'un des bouts du tunnel, observe ce qu'il passe sur l'interface ppp0. Je ne vous laisse que la trame importante et vous constaterez que les données sont parfaitement lisibles...

Frame 48 (175 bytes on wire, 175 bytes captured)
    Arrival Time: May 13, 2004 10:51:47.184526000
    Time delta from previous packet: 0.000812000 seconds
    Time since reference or first frame: 11.459164000 seconds
    Frame Number: 48
    Packet Length: 175 bytes
    Capture Length: 175 bytes
Raw packet data
    No link information available
Internet Protocol, Src Addr: 80.8.147.132 (80.8.147.132), Dst Addr: 81.248.152.18 (81.248.152.18)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 175
    Identification: 0x0000 (0)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: GRE (0x2f)
    Header checksum: 0xa5dd (correct)
    Source: 80.8.147.132 (80.8.147.132)
    Destination: 81.248.152.18 (81.248.152.18)
Generic Routing Encapsulation (IP)
    Flags and version: 0000
        0... .... .... .... = No checksum
        .0.. .... .... .... = No routing
        ..0. .... .... .... = No key
        ...0 .... .... .... = No sequence number
        .... 0... .... .... = No strict source route
        .... .000 .... .... = Recursion control: 0
        .... .... 0000 0... = Flags: 0
        .... .... .... .000 = Version: 0
    Protocol Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.10 (192.168.0.10), Dst Addr: 172.16.254.6 (172.16.254.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 151
    Identification: 0xc0db (49371)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0xcfbb (correct)
    Source: 192.168.0.10 (192.168.0.10)
    Destination: 172.16.254.6 (172.16.254.6)
Transmission Control Protocol, Src Port: 1450 (1450), Dst Port: microsoft-ds (445), Seq: 525021426, Ack: 4108893321, Len: 111
    Source port: 1450 (1450)
    Destination port: microsoft-ds (445)
    Sequence number: 525021426
    Next sequence number: 525021537
    Acknowledgement number: 4108893321
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 17304
    Checksum: 0xf21a (correct)
NetBIOS Session Service
    Message Type: Session message
    Length: 107
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response in: 50
        SMB Command: Write AndX (0x2f)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: EDB2A6ED4322F3CD
        Reserved: 0000
        Tree ID: 32777
        Process ID: 65279
        User ID: 6146
        Multiplex ID: 12417
    Write AndX Request (0x2f)
        Word Count (WCT): 14
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 57054
        FID: 0x0041
        Offset: 0
        Reserved: FFFFFFFF
        Write Mode: 0x0000
            .... .... .... 0... = Message Start: This is NOT the start of a message (pipe)
            .... .... .... .0.. = Write Raw: DON'T use WriteRawNamedPipe (pipe)
            .... .... .... ..0. = Return Remaining: DON'T return remaining (pipe/dev)
            .... .... .... ...0 = Write Through: Write through not requested
        Remaining: 0
        Data Length High (multiply with 64K): 0
        Data Length Low: 43
        Data Offset: 64
        High Offset: 0
        Byte Count (BCC): 44
        Padding: EE
        File Data: 7472616E7366657274206427756E2064...

0000  45 00 00 af 00 00 40 00 ff 2f a5 dd 50 08 96 3f   E.....@../..P..?
0010  51 f8 9d 02 00 00 08 00 45 00 00 97 c0 db 40 00   Q.......E.....@.
0020  7f 06 cf bb c0 a8 00 0a ac 10 fe 06 05 aa 01 bd   ................
0030  1f 4b 30 f2 f4 e8 bc 89 50 18 43 98 f2 1a 00 00   .K0.....P.C.....
0040  00 00 00 6b ff 53 4d 42 2f 00 00 00 00 18 07 c8   ...k.SMB/.......
0050  00 00 ed b2 a6 ed 43 22 f3 cd 00 00 09 80 ff fe   ......C"........
0060  02 18 81 30 0e ff 00 de de 41 00 00 00 00 00 ff   ...0.....A......
0070  ff ff ff 00 00 00 00 00 00 2b 00 40 00 00 00 00   .........+.@....
0080  00 2c 00 ee 74 72 61 6e 73 66 65 72 74 20 64 27   .,..transfert d'
0090  75 6e 20 64 6f 63 75 6d 65 6e 74 20 70 61 72 20   un document par 
00a0  75 6e 20 74 75 6e 6e 65 6c 20 47 52 45 0d 0a      un tunnel GRE..

Au minimum, il faudra donc chiffrer au préalable ses données avant de les faire transiter dans ce tunnel, si l'on ne veut pas qu'un indiscret puisse les lire au passage.

Conclusion

GRE, techniquement est un excellent tunnel, il est possible d'ouvrir depuis un hôte donné autant de tunnels que l'on désire, vers différents réseaux distants. C'est une solution fort souple, malheureusement trop peu sécurisée pour être utilisés sans risques.

IPSec propose d'autres solutions, plus sécurisées, mais difficiles à mettre en oeuvre sur des noyaux Linux 2.4. Ce sera probablement plus simple avec la diffusion des noyaux 2.6, qui intègrent IPSec nativement.

Précédente ] [ Accueil ]