Difference between revisions of "7lab"

From Tmplab
(tmp (France))
 
(18 intermediate revisions by the same user not shown)
Line 14: Line 14:
 
=== tmp (France) ===
 
=== tmp (France) ===
 
* 10.42.0-9.x
 
* 10.42.0-9.x
 +
  
 
* R1 dynamips Cisco ITP
 
* R1 dynamips Cisco ITP
Line 25: Line 26:
 
** PC: 4.2.2
 
** PC: 4.2.2
 
** x25: x25routerR2 150
 
** x25: x25routerR2 150
 +
  
* tee1 - Debian 5.02
+
* NET Intel SS7: 10.42.5.x
** 10.0.0.51
+
** tee1 - Debian 5.02
** 10.42.5.1
+
*** 10.0.0.51
* tee2 - Debian 5.02
+
*** 10.42.5.1
** 10.0.0.52
+
*** IP Router, add it:
** 10.42.5.2
+
<PRE>
 +
route add -net 10.42.5.0 10.0.0.51 255.255.0.0
 +
</PRE>
 +
** tee2 - Debian 5.02
 +
*** 10.0.0.52
 +
*** 10.42.5.2
 +
 +
 
 +
* NET Clients VPNSSL: 10.42.8.x
 +
** tee1 - Debian 5.02
 +
*** 10.42.8.1
  
 
=== bkk (Bangkok, Thailand) ===
 
=== bkk (Bangkok, Thailand) ===
Line 50: Line 62:
 
=== Commands ===
 
=== Commands ===
 
* Get your copy
 
* Get your copy
  git clone ssh://sevenbone@hera.dreamhost.com/~/git/7bone.git 7bone
+
  git clone ssh://sevenbone@penguins.dreamhost.com/~/git/7bone.git 7bone
  
 
* Make some modification and compare
 
* Make some modification and compare
Line 194: Line 206:
  
 
== OpenVPN ==
 
== OpenVPN ==
(to be updated, testing now)
 
  
we will use tcp port 1337 (or should we use something more common like 80 or 53, 443?) for openvpn configuration. So your firewall should allow this port out.
+
=== Introduction ===
 +
Good tutorials can be found here:
 +
* http://www.nemako.net/dc2/?post/openvpn
 +
* http://openvpn.net/index.php/open-source/documentation/howto.html
 +
 
 +
we will use tcp port 9443 for openvpn VPNSSL configuration. So your firewall should allow this port out.
  
 
=== OpenVPN Certificates ===
 
=== OpenVPN Certificates ===
  
coming
+
On OpenVPN server, see /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/
  
 
=== OpenVPN Client configs ===
 
=== OpenVPN Client configs ===
  
<nowiki>
+
<pre>
 
client
 
client
dev tap
+
dev tun
 
proto tcp
 
proto tcp
 
remote lab.tstf.net 1337
 
remote lab.tstf.net 1337
Line 220: Line 236:
 
cert client.crt
 
cert client.crt
 
key client.key
 
key client.key
</nowiki>
+
</pre>
  
 
=== OpenVPN Server configs ===
 
=== OpenVPN Server configs ===
 +
 +
See http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
 +
 +
# Configure your server keys thanks to /usr/share/doc/openvpn/examples/easy-rsa/2.0/README.gz
 +
# edit vars
 +
# ./build-dh
 +
# ./pkitool --initca
 +
# Create server keys: ./pkitool --server myserver
 +
# Copy them to /etc/openvpn:
 +
# cp keys/ca.* /etc/openvpn/
 +
# cp keys/server1.* /etc/openvpn/
 +
# cp keys/dh1024.pem /etc/openvpn/
 +
# Copy sample configuration to /etc/openvpn: zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
 +
# edit /etc/openvpn/server.conf
 +
 +
 +
==== Example Configuration ====
 +
 
local [EXTERNALIP]
 
local [EXTERNALIP]
port 1337
+
port 8443
 
proto tcp
 
proto tcp
 
dev tap0
 
dev tap0
Line 247: Line 281:
 
verb 6
 
verb 6
  
 +
== Networking ==
 +
 +
/etc/init.d/net-addroute
 +
<PRE>
 +
#!/bin/sh
 +
### BEGIN INIT INFO
 +
# Provides:          net-addroute 
 +
# Required-Start:    $all
 +
# Required-Stop:   
 +
# Default-Start:    2 3 4 5
 +
# Default-Stop:      0 1 6
 +
# Short-Description: Adds 7Bone default routes at boot time
 +
# Description:      Enable service provided by daemon.
 +
### END INIT INFO
 +
#route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
 +
 +
case "$1" in
 +
start)
 +
        route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
 +
        ;;
 +
 +
stop)
 +
        route del -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
 +
        ;;
 +
 +
force-reload|restart)
 +
        echo "No reload possibility for this script"
 +
        ;;
 +
 +
*)
 +
        echo "Usage: /etc/init.d/net-addroute {start|stop|restart|force-reload}"
 +
        exit 1
 +
        ;;
 +
esac
 +
 +
exit 0
 +
</PRE>
  
 
== Cisco ITP ==
 
== Cisco ITP ==
Line 271: Line 342:
 
== XOT ==
 
== XOT ==
 
* http://www.fyonne.net/
 
* http://www.fyonne.net/
 +
 +
= Links =
 +
* http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=site%3Ahttp%3A%2F%2Fwww.eurescom.eu%2F~pub-deliverables%2F+security+ss7&aq=f&oq=&aqi=

Latest revision as of 23:26, 10 November 2009

Intro

Testing with:

  • Dynagen & Dynamips (GNS3 not yet working on my Mac)

Future:

  • Asterisk with chan-ss7
  • Intel SS7 stack
  • OpenSS7 new release
  • Kannel

Network

Addressing

tmp (France)

  • 10.42.0-9.x


  • R1 dynamips Cisco ITP
    • 10.0.0.150
    • 10.42.1.1
    • PC: 4.2.1
    • x25: x25routerR1 250
  • R2 dynamips Cisco ITP
    • 10.0.0.160
    • 10.42.2.1
    • PC: 4.2.2
    • x25: x25routerR2 150


  • NET Intel SS7: 10.42.5.x
    • tee1 - Debian 5.02
      • 10.0.0.51
      • 10.42.5.1
      • IP Router, add it:
route add -net 10.42.5.0 10.0.0.51 255.255.0.0
    • tee2 - Debian 5.02
      • 10.0.0.52
      • 10.42.5.2


  • NET Clients VPNSSL: 10.42.8.x
    • tee1 - Debian 5.02
      • 10.42.8.1

bkk (Bangkok, Thailand)

  • 10.42.32.x
  • kin 10.211.55.7, 10.42.32.102
  • mac (parallels 10.211.55.3) 10.42.32.2 VM: kin
  • kiwi 10.42.32.1 VM: 10.42.32.101

tw (Taiwan)

  • 10.42.50-59.x

Source Configuration

GIT

Commands

  • Get your copy
git clone ssh://sevenbone@penguins.dreamhost.com/~/git/7bone.git 7bone
  • Make some modification and compare
git diff
  • Update your local copy with the master repository changes
git pull
  • Add some files to your GIT repository
git add File14 
git add Dir32
  • Commit these changes and new files to your local GIT repository
git commit -m "Comment message here"
  • Push your changes to the master repository
git push origin master

Installation

OpenSS7

On Ubuntu 8.04 (only this version, highly kernel version dependent)

apt-get install groff-base info bison flex
apt-get install linux-libc-dev libc6-dev libperl-dev
./configure --without-snmp
make
make install

M3UA

  • Check /home/user/openss7-0.9.2.G/sigtran-0.9.2.4/src/modules/m3ua_as.c

SCTPlib

kextload /System/Library/Extensions/SCTP.kext
  • In order to compile the examples programs (echo_tool etc...) with SCTPlib:
gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp  -I/opt/local/include/glib-2.0 \ 
 -I/opt/local/lib/glib-2.0/include -I/opt/local/include    -g -O2 \
 -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \ 
 -I/opt/local/include   -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
 -D_THREAD_SAFE  -o echo_server echo_server.c sctp_wrapper.c  -lsctplib

gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp  -I/opt/local/include/glib-2.0 \
 -I/opt/local/lib/glib-2.0/include -I/opt/local/include    -g -O2 \
 -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \
 -I/opt/local/include   -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
 -D_THREAD_SAFE  -o echo_tool echo_tool.c sctp_wrapper.c  -lsctplib
  • NKE and SCTPlib are mutually exclusive.

Intel / Dialogic SS7 stack

Configuration differences between two peers

  • Useful bits
    • For logging
FORK_PROCESS    ./s7_log -fms7.log -o0xff1f -pms7.pcap
  • Between two different configs
# diff upd/RUN/MTR/M2PA_CONFIG/config.txt upd/RUN/MTU/M2PA_CONFIG/config.txt
6c6,8
< CNSYS:IPADDR=192.168.0.2,PER=0;
---
> CNSYS:IPADDR=192.168.0.1,PER=0;
> *
> SNSLI:SNLINK=1,IPADDR=192.168.0.2,SNEND=C,SNTYPE=M2PA,M2PA=1,PPORT=3565;
8,9d9
< SNSLI:SNLINK=1,IPADDR=192.168.0.1,SNEND=S,SNTYPE=M2PA,M2PA=1,PPORT=3565;
< *
16,17c16,17
< * <ssf>
< MTP_LINKSET  0  1  1  0x0000 2 0x08
---
> *             <ssf>
> MTP_LINKSET  0  2  1  0x0000 1 0x08
26c26
< MTP_ROUTE  1  0  0x0008
---
> MTP_ROUTE  2  0  0x0008
31c31
< SCCP_CONFIG 2 0x8 0x0102
---
> SCCP_CONFIG 1 0x8 0x0102
39c39
< SCCP_SSR 1 RSP 1 0 0x0000
---
> SCCP_SSR 1 RSP 2 0 0x0000
47c47
< SCCP_SSR 3 RSS 1 0x08 0
---
> SCCP_SSR 3 RSS 2 0x08 0

Commands for MTU/MTR

  • Link activation
./mtpsl ACT 0 0
  • SS7 MSU Play
./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7
  • Combined
(./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7
(./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ;\
sleep 5; /mnt/remote/Documents/7bone/intel-stacks/upd/BIN/BACKUP_LNX/mtu -m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"
./gctload -x; sleep 3; (./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5;\
./s7_play -fintel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ; sleep 5; ./intel-dev-upd/BIN/BACKUP_LNX/mtu\
-m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"

Configurations

Hamachi

Quick Start

Run 'make install' and then 'tuncfg' from under the root account
Run 'hamachi-init -c /etc/hamachi' to generate crypto identity (any account).
Run 'hamachi start' to launch Hamachi daemon.
Run 'hamachi login' to put the daemon online and to create an account.
Run 'hamachi join <network>' to join the network.
Run 'hamachi go-online <network>' to go online in the network.
Run 'hamachi list' to list network members and their status.


OpenVPN

Introduction

Good tutorials can be found here:

we will use tcp port 9443 for openvpn VPNSSL configuration. So your firewall should allow this port out.

OpenVPN Certificates

On OpenVPN server, see /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/

OpenVPN Client configs

client
dev tun
proto tcp
remote lab.tstf.net 1337
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ns-cert-type server
user nobody
group nogroup
ca ca.crt
cert client.crt
key client.key

OpenVPN Server configs

See http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

  1. Configure your server keys thanks to /usr/share/doc/openvpn/examples/easy-rsa/2.0/README.gz
  2. edit vars
  3. ./build-dh
  4. ./pkitool --initca
  5. Create server keys: ./pkitool --server myserver
  6. Copy them to /etc/openvpn:
  7. cp keys/ca.* /etc/openvpn/
  8. cp keys/server1.* /etc/openvpn/
  9. cp keys/dh1024.pem /etc/openvpn/
  10. Copy sample configuration to /etc/openvpn: zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
  11. edit /etc/openvpn/server.conf


Example Configuration

local [EXTERNALIP] port 8443 proto tcp dev tap0

  1. we'll add section how to manage certs later

ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key dh /etc/openvpn/easy-rsa/keys/dh2048.pem

  1. this will allow for people to get the same IP address after a reconnect

ifconfig-pool-persist /etc/openvpn/ipp.txt

keepalive 10 120 comp-lzo max-clients 10 user nobody group nobody persist-key persist-tun status /tmp/openvpn-status.log log-append /var/log/openvpn.log verb 6

Networking

/etc/init.d/net-addroute

#!/bin/sh
### BEGIN INIT INFO
# Provides:          net-addroute   
# Required-Start:    $all
# Required-Stop:     
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Adds 7Bone default routes at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO
#route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51

case "$1" in
start)
        route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
        ;;

stop)
        route del -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
        ;;

force-reload|restart)
        echo "No reload possibility for this script"
        ;;

*)
        echo "Usage: /etc/init.d/net-addroute {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0

Cisco ITP

  1. cs7 variant itu
  2. cs7 point-code 1.2.3
  3. Maybe: cs7 capability-pc 1.2.3

Diagnostics

SIGTRAN sniffing

  • wireshark
  • Remove the HEARTBEAT and HEARTBEAT_ACKs with display filter:
sctp.chunk_type != 4 and sctp.chunk_type != 5
  • Check inits
sctp.chunk_type == 1

Testing

Security

XOT

Links