Objetivo
- Implementar un servidor PPTP y un cliente PPTP en diferentes contenedores docker en interfaces virtuales (veth), simulando así una conexión PPTP real en el mismo host. El diagrama de conexión se presenta en la figura 1.
- Implemente una conexión en las interfaces físicas de la tarjeta probada. El diagrama de conexión se muestra en la Figura 2.
- Obtenga PCAP para cada método de conexión y compare los resultados.
Realización
Figura 1. Esquema de prueba en interfaces virtuales.
Figura 2. Esquema de prueba en interfaces físicas.
Resultados
1. PCAP del lado del cliente en el esquema con interfaces virtuales (pptp_w_veth.pcap):
"No.","Time","Source","Destination","Protocol","Length","Info" "1","0.000000","172.50.0.2","172.40.0.2","TCP","74","51246 > 1723 [SYN] "2","0.000028","172.40.0.2","172.50.0.2","TCP","74","1723 > 51246 [SYN, ACK] "3","0.000040","172.50.0.2","172.40.0.2","TCP","66","51246 > 1723 [ACK] "4","0.000205","172.50.0.2","172.40.0.2","PPTP","222","Start-Control-Connection-Request" "5","0.000214","172.40.0.2","172.50.0.2","TCP","66","1723 > 51246 [ACK] "6","0.000911","172.40.0.2","172.50.0.2","PPTP","222","Start-Control-Connection-Reply" "7","0.000915","172.50.0.2","172.40.0.2","TCP","66","51246 > 1723 [ACK] "8","1.000442","172.50.0.2","172.40.0.2","PPTP","234","Outgoing-Call-Request" "9","1.000970","172.40.0.2","172.50.0.2","PPTP","98","Outgoing-Call-Reply" "10","1.000979","172.50.0.2","172.40.0.2","TCP","66","51246 > 1723 [ACK] "11","1.001157","172.50.0.2","172.40.0.2","PPP LCP","70","Configuration Request" "12","1.004528","172.40.0.2","172.50.0.2","PPP LCP","70","Configuration Request" "13","1.004620","172.40.0.2","172.50.0.2","PPP LCP","74","Configuration Ack" "14","1.004667","172.50.0.2","172.40.0.2","PPP LCP","74","Configuration Ack" "15","1.004724","172.50.0.2","172.40.0.2","PPP IPCP","64","Configuration Request" "16","1.004832","172.40.0.2","172.50.0.2","PPP CCP","64","Configuration Request" "17","1.004838","172.40.0.2","172.50.0.2","PPP IPCP","58","Configuration Request" "18","1.004864","172.40.0.2","172.50.0.2","PPP IPCP","58","Configuration Reject" "19","1.004908","172.50.0.2","172.40.0.2","PPP CCP","56","Configuration Request" "20","1.004920","172.50.0.2","172.40.0.2","PPP CCP","60","Configuration Reject" "21","1.004939","172.50.0.2","172.40.0.2","PPP IPCP","58","Configuration Ack" "22","1.004971","172.50.0.2","172.40.0.2","PPP IPCP","58","Configuration Request" "23","1.005033","172.40.0.2","172.50.0.2","PPP CCP","56","Configuration Ack" "24","1.005038","172.40.0.2","172.50.0.2","PPP CCP","56","Configuration Request" "25","1.005062","172.40.0.2","172.50.0.2","PPP IPCP","58","Configuration Nak" "26","1.005118","172.50.0.2","172.40.0.2","PPP CCP","56","Configuration Ack" "27","1.005148","172.50.0.2","172.40.0.2","PPP IPCP","58","Configuration Request" "28","1.005205","172.40.0.2","172.50.0.2","PPP IPCP","62","Configuration Ack" "29","1.505778","172.50.0.2","172.40.0.2","GRE","46","Encapsulated PPP"
2.1 PCAP del lado del cliente en el esquema con interfaces físicas (pptp_w_810_client.pcap):
"No.","Time","Source","Destination","Protocol","Length","Info" "1","0.000000","172.30.0.2","172.10.0.2","TCP","74","33730 > 1723 [SYN] "2","0.000067","172.10.0.2","172.30.0.2","TCP","74","1723 > 33730 [SYN, ACK] "3","0.000080","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK] "4","0.000299","172.30.0.2","172.10.0.2","PPTP","222","Start-Control-Connection-Request" "5","0.000324","172.10.0.2","172.30.0.2","TCP","66","1723 > 33730 [ACK] "6","0.001052","172.10.0.2","172.30.0.2","PPTP","222","Start-Control-Connection-Reply" "7","0.001058","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK] "8","1.000567","172.30.0.2","172.10.0.2","PPTP","234","Outgoing-Call-Request" "9","1.001172","172.10.0.2","172.30.0.2","PPTP","98","Outgoing-Call-Reply" "10","1.001192","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK] "11","1.001354","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "12","3.997954","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "13","7.001009","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "14","10.004123","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "15","13.007221","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "16","16.010336","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "17","19.013400","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "18","22.016486","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "19","25.019571","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "20","28.022668","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request" "21","31.032879","172.30.0.2","172.10.0.2","PPTP","82","Call-Clear-Request" "22","31.032941","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [FIN, ACK] "23","31.032999","172.10.0.2","172.30.0.2","TCP","66","1723 > 33730 [FIN, ACK] "24","31.033008","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
2.2 PCAP del lado del servidor en el esquema con interfaces físicas (pptp_w_810_server.pcap):
"No.","Time","Source","Destination","Protocol","Length","Info" "1","0.000000","172.30.0.2","172.10.0.2","TCP","74","33730 > 1723 [SYN] "2","0.000026","172.10.0.2","172.30.0.2","TCP","74","1723 > 33730 [SYN, ACK] "3","0.000069","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK] "4","0.000290","172.30.0.2","172.10.0.2","PPTP","222","Start-Control-Connection-Request" "5","0.000298","172.10.0.2","172.30.0.2","TCP","66","1723 > 33730 [ACK] "6","0.001014","172.10.0.2","172.30.0.2","PPTP","222","Start-Control-Connection-Reply" "7","0.001047","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK] "8","1.000598","172.30.0.2","172.10.0.2","PPTP","234","Outgoing-Call-Request" "9","1.001134","172.10.0.2","172.30.0.2","PPTP","98","Outgoing-Call-Reply" "10","1.001189","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK] "11","1.004629","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "12","4.007764","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "13","7.010842","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "14","10.013949","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "15","13.017035","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "16","16.020115","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "17","19.023193","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "18","22.026271","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "19","25.029348","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "20","28.030753","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request" "21","31.032901","172.30.0.2","172.10.0.2","PPTP","82","Call-Clear-Request" "22","31.032938","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [FIN, ACK] "23","31.032972","172.10.0.2","172.30.0.2","TCP","66","1723 > 33730 [FIN, ACK] "24","31.032996","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
Análisis
Desde el PCAP eliminado en el esquema con interfaces virtuales en el lado del cliente (pptp_w_veth.pcap), se puede ver que la conexión PPTP es exitosa.
En el esquema sobre interfaces físicas (pptp_w_810_server/client.pcap), ocurre un error durante el proceso de conexión al momento de la transmisión de paquetes LCP que son encapsulados por GRE. El cliente y el servidor envían un paquete LCP (Configure-Request) pero no los reciben.
Conclusiones
Las pruebas han demostrado que la tarjeta Intel Ethernet E810 de 100 GbE no descarta paquetes GRE al intentar una conexión PPTP.
Creemos que esta información será útil para la comunidad de ISP y lo ayudará a elegir el equipo de red adecuado. Esperamos que Intel preste atención a este problema, pueda solucionarlo y mejorar la calidad de los servicios.
Los autores:
Dmitry Moldavanov, CTO
Kirill Marchenko, Ingeniero de redes