May 2010 Archives

Foray into OpenVPN

Diagram of a public key infrastructure

Image via Wikipedia

It has been a while since I shared another segment in the Foray series. For the newcomers, these excerpts are fairly detailed accounts of my experiences with various FOSS tools. Understand that these entries are not intended to be detailed How-Tos; I leave that to the curiosity of the readers. I would be remiss if I did not mention that I was inspired by Mick Bauer's recent Linux Journal series on the subject. So, nuff respect to Bauer and the LJ crew for being the longest running Linux technical periodical. If they could only reduce the advertising.. Heh, that's a rant for another time.

Actually, I was first introduced to the concept of a virtual private network (VPN) in 2000. An associate of mine was administering a FreeS/WAN installation. Honestly, I had no idea what he was talking about because my knowledge of networking was rather weak. For instance, I didn't know the difference between the IPsec and PPTP tunneling protocols. Suffice to say that there are several ways to implement a VPN, and it is worth noting that some tunneling protocols are inherently more secure than others.

So I figured that I'd better learn about VPN tunneling protocols and also deploy a solution that is fairly idiot-proof and turn-key. As it turns out, IPsec has been around for quite a while. It is fairly complicated to set up, but it is far more robust than Microsoft's PPTP. The Openswan project (a FreeS/WAN fork) implements IPsec. PPTP's cryptography is decidedly inferior: it was designed on top of the very old PPP (Point-to-Point Protocol) from dial-up modems, its MS-CHAP authentication and RC4-based MPPE encryption have well-known weaknesses, and the session key is only as strong as the user's password. I mention PPTP here because it is often the readily available option on commercial-grade VPN routers. My Cisco RV082 VPN router provides PPTP out of the box as a VPN solution. The protocol is advertised as an easy means of creating a VPN tunnel between two Microsoft clients. I have often found that _easy_ is often quite dangerous too ;-) IPsec is also baked into the Linux kernel: the kernel's XFRM framework does the packet encryption and decryption in the network stack, a user-space IKE daemon (such as Openswan's pluto) negotiates the keys, and iptables then filters the decrypted traffic like any other. In fairness to Microsoft, its more modern OSes ship an IPsec client too; however, in true Redmond fashion they have "embraced and extended" IPsec in a way that puzzles most. Basically you have no idea what you're running, so is it really IPsec?

There is however a snag with the free IPsec clients from Microsoft. You can use IPsec only in combination with another protocol called L2TP. It is fairly difficult (2000/XP/Vista) or probably even impossible (MSL2TP, Pocket PC) to get rid of this L2TP requirement. One might say that Microsoft "embraced and extended" the IPsec standard, in true Microsoft fashion. To be fair though, L2TP is currently a 'Proposed Internet Standard' (RFC 2661 ) and so is 'L2TP over IPsec' (RFC 3193). PPTP, on the other hand, is another widely used VPN protocol but it is not an official standard.
The excerpt above came from this very good FreeSwan article

Perhaps it would be helpful to understand why I have begun to use a VPN. When I am traveling or working in Panera Bread or Barnes & Noble, I like to take advantage of the public Wi-Fi. Typically what I do is fire up a terminal, ssh into my Linux box at home, and forward a SOCKS5 proxy and Tor back to local ports on my notebook, so that my traffic leaves the coffee shop inside the ssh session. For the curious, check some of my earlier entries on that subject. This strategy works quite well, but when I ask staff members who are less computer savvy to open a terminal window and then run ssh.. their eyes glaze over and they begin to complain about it not being a "pretty" solution.

So a more elegant solution was required to achieve wider adoption within our organization. Furthermore, you can't sell what you don't own: if you're going to propose an alternate solution for accessing data securely, you must be willing to use it yourself. Some people call it "dogfooding".. Besides, I'm always excited about learning something new.

As I stated earlier, I looked at Openswan (the FreeS/WAN fork), or more generally IPsec, and it did look rather confusing to me. Moreover, I wasn't quite sure how active the developer community around that project was.

Let's take a quick look at what makes OpenVPN a viable VPN solution.

The PKI is the heart of OpenVPN: the sysadmin runs a private certificate authority (CA) on a machine he controls, signs one certificate/key pair for the server and one per client, and each side authenticates the other by checking that the presented certificate chains to that CA. Only the CA certificate is self-signed; client and server certificates are signed by it. This approach is helpful, as it removes the need for a commercial signing authority. It works very much like creating an SSL certificate for an Apache web server, except that here the clients present certificates too. Though OpenVPN is not overly complicated to set up, the PKI process is the area that will likely cause problems for many people. In fact, I scraped my knuckles during this process too. For instance, an incorrectly generated key may not show up until you try to authenticate a client. The error logs will reveal important messages, but they are somewhat generic if not cryptic.

SSL/TLS are venerable and well-understood IETF protocols, deployed for countless web and mail servers, and OpenVPN reuses them for its control channel. MD5 and SHA-1 were the commonplace digest algorithms at the time; no surprises here, though MD5 is no longer acceptable for certificate signatures (practical collisions against it were demonstrated in 2008) and SHA-1 is on its way out, so SHA-256 is the sensible choice when signing. Arguably TLS has its own faults and vulnerabilities, but because it is an open standard, unlike PPTP, the holes get discovered in public and the community resolves problems fairly quickly.

Most Linux distributions ship OpenSSL, and with it the means to run your own certificate authority. OpenVPN's easy-rsa scripts wrap it: 'pkitool' is the front end to the openssl tool, and the build-ca, build-key-server and build-key scripts do all of the certificate/key builds through it. You just have to remember to source ./vars and run ./clean-all in the easy-rsa directory before starting over, to wipe the previous keys and the CA's index; otherwise you end up with certificates signed by an old CA that no longer matches ca.crt, and client authentication will fail very consistently, with a verify error that says nothing about the real cause :-)
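To make the PKI step concrete, here is an added example (not from the post, and not OpenVPN's or easy-rsa's own code) that builds the same three-piece PKI that pkitool builds, with openssl directly, and then runs the checks that catch a bad certificate or key before OpenVPN's logs have to. Everything in it is an assumption for illustration: the CNs, the lifetimes, the file names and the minimal openssl config it writes. It needs only openssl(1) and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the post or from OpenVPN/easy-rsa: build a private CA,
# a server cert and a client cert with openssl, then verify them the way you
# would before handing keys out. Assumes openssl(1); all names are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"    # work dir is left behind so the files can be inspected

# Minimal openssl config so the example does not depend on the system one.
# v3_ca is what makes ca.crt a CA; v3_server/v3_client mirror what easy-rsa's
# build-key-server and build-key set, and are what `remote-cert-tls` checks.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# build-ca equivalent: the one and only self-signed certificate in the setup.
make_ca() {   # make_ca CA.crt CA.key "Common Name"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config pki.cnf \
        -extensions v3_ca -subj "/CN=$3" -keyout "$2" -out "$1" 2>/dev/null
}

# build-key / build-key-server equivalent: key + CSR, then a cert signed by the CA.
issue() {     # issue NAME v3_server|v3_client  -> NAME.key NAME.crt
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 3650 -extfile pki.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}

# Check 1: does this cert chain to this CA? (exit status 0 = yes)
chains_to_ca() {      # chains_to_ca CA.crt CERT.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the private key belong to the cert? Compare the RSA moduli.
key_matches_cert() {  # key_matches_cert CERT.crt KEY.key
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Check 3: is the cert marked for server use? A client with
# `remote-cert-tls server` in its config verifies exactly this, so a stolen
# client cert cannot be used to impersonate the server.
is_server_cert() {    # is_server_cert CERT.crt
    openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}

make_ca ca.crt ca.key "Example OpenVPN CA"
issue server v3_server
issue client1 v3_client

# The ./clean-all failure mode: a CA regenerated later no longer matches the
# certificates the old one issued, and every client fails to authenticate.
make_ca stale.crt stale.key "Regenerated CA"

for c in server client1; do
    chains_to_ca ca.crt "$c.crt" && key_matches_cert "$c.crt" "$c.key" \
        && echo "$c: chains to ca.crt and key matches cert"
done
chains_to_ca stale.crt client1.crt || echo "client1: does NOT chain to stale.crt"
is_server_cert server.crt && echo "server: usable as a TLS server"
is_server_cert client1.crt || echo "client1: correctly NOT a server cert"
```

Run the three checks against every cert/key pair you copy to a client, and keep ca.key (and its passphrase) off the VPN server entirely; the server only needs ca.crt to verify clients.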

Regarding UDP... Many people prefer TCP over UDP, as the latter makes no guarantees about the arrival or ordering of datagrams. OpenVPN supports both carriers (proto udp or proto tcp), and UDP is the default and the usual recommendation, but not because of firewalls. The reason is that tunneling TCP inside TCP makes two retransmission timers fight each other: when the carrier loses a packet, the outer TCP connection retransmits it, the inner TCP connection times out and retransmits as well, and under even modest packet loss the tunnel's throughput collapses (the "TCP meltdown" problem). With UDP as the carrier, a lost datagram is simply retransmitted once, by the inner TCP connection, so the overhead of re-checking at the packet layer is paid only once. The trade-off is that restrictive firewalls often block UDP while allowing outbound TCP to port 443, which is when proto tcp earns its keep despite the performance penalty. My knowledge of packet inspection is limited, so if anyone has a better explanation, I'm very interested.

I'm running OpenVPN on a Debian/stable box. It runs quite well. After I resolved my PKI issue, the only other gotcha occurred because I had not explicitly enabled packet forwarding on the server. More specifically, I had to echo 1 > /proc/sys/net/ipv4/ip_forward so that the server would route packets between the tun interface and the LAN behind it. Failing to do this will also break your OpenVPN setup as soon as a client needs to reach anything beyond the server itself. Note that the echo does not survive a reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent, and remember that hosts on the LAN need a return route to the tunnel subnet (or the server needs to NAT the tunnel traffic) before replies find their way back.

Lastly, I had to pick the correct virtual subnet for the tunnel. Before I did, I was not able to ping either side of the tunnel. Using tcpdump I was able to ascertain that the packets arriving from the Windows clients were being dropped. Once I enabled routing and changed the virtual IP addresses, the problem went away.
Originally, I had chosen 10.0.0.0/24 but realized that places like Panera Bread and others hand out addresses from the same range, which played havoc with resources located on the target server: the client's kernel already has a directly connected route for 10.0.0.0/24 on the Wi-Fi interface, so traffic meant for the tunnel never enters it. Pick a tunnel subnet that is unlikely to collide with the LAN on either end.
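The subnet collision above is easy to check for before it bites. The following is an added example (not from the post): a small POSIX shell script that tests whether two CIDR ranges intersect, picks the first tunnel subnet from a candidate list that collides with none of the LANs you name, and then derives the server.conf lines and the forwarding/NAT commands that depend on that choice. The candidate subnets, the sample LANs, and the eth0 interface name are assumptions; the checks themselves need no root.

```shell
#!/bin/sh
# Added example (not from the post): choose a tunnel subnet that does not
# collide with the LAN on either end, then derive the OpenVPN server settings
# and the routing commands that depend on it. POSIX sh; no root needed to run.
set -e

ip2int() {        # 10.8.0.0 -> 168296448
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {        # 168296448 -> 10.8.0.0
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {   # 24 -> 4294967040 (255.255.255.0 as an integer)
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

cidr_overlap() {  # cidr_overlap A/PA B/PB ; exit status 0 if the ranges intersect
    a=${1%/*}; pa=${1#*/}
    b=${2%/*}; pb=${2#*/}
    # Two ranges intersect iff they agree on the shorter of the two prefixes.
    if [ "$pa" -lt "$pb" ]; then p=$pa; else p=$pb; fi
    m=$(prefix_mask "$p")
    [ $(( $(ip2int "$a") & m )) -eq $(( $(ip2int "$b") & m )) ]
}

# Tunnel subnets to try, in order (assumed list). Obscure ranges first;
# 10.0.0.0/24 and 192.168.1.0/24 are what coffee shops and home routers use.
CANDIDATES="10.8.0.0/24 10.9.0.0/24 172.31.255.0/24 192.168.254.0/24"

pick_vpn_subnet() {   # pick_vpn_subnet LAN1/P [LAN2/P ...] ; prints first clean candidate
    for cand in $CANDIDATES; do
        clean=1
        for lan in "$@"; do
            if cidr_overlap "$cand" "$lan"; then clean=0; break; fi
        done
        if [ "$clean" -eq 1 ]; then echo "$cand"; return 0; fi
    done
    echo "no candidate avoids the given LANs" >&2
    return 1
}

server_directive() {  # 10.8.0.0/24 -> server 10.8.0.0 255.255.255.0
    echo "server ${1%/*} $(int2ip "$(prefix_mask "${1#*/}")")"
}

route_push() {        # 192.168.1.0/24 -> push "route 192.168.1.0 255.255.255.0"
    echo "push \"route ${1%/*} $(int2ip "$(prefix_mask "${1#*/}")")\""
}

# Constructed sample: the home LAN behind the server and the cafe LAN the
# laptop sits on (the post's 10.0.0.0/24 case). The tunnel must avoid both.
HOME_LAN=192.168.1.0/24
CAFE_LAN=10.0.0.0/24
TUN=$(pick_vpn_subnet "$HOME_LAN" "$CAFE_LAN")

echo "# 10.0.0.0/24 vs cafe LAN: $(cidr_overlap 10.0.0.0/24 "$CAFE_LAN" && echo collides || echo ok)"
echo "# chosen tunnel subnet: $TUN"
echo "# server.conf lines that depend on it:"
server_directive "$TUN"
route_push "$HOME_LAN"
echo "# on the server, as root (eth0 assumed to be the LAN side):"
echo "sysctl -w net.ipv4.ip_forward=1   # and net.ipv4.ip_forward = 1 in /etc/sysctl.conf"
echo "iptables -t nat -A POSTROUTING -s $TUN -o eth0 -j MASQUERADE"
```

The MASQUERADE rule is the lazy alternative to adding a return route for the tunnel subnet on every LAN host; either one is required, because ip_forward alone only lets packets out of the tunnel, it does not bring the replies back.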

Lastly, the idea of pseudo two-factor authentication.. By definition, two-factor authentication combines something you know (a password) with something you have (a hardware token or a passport). OpenVPN's PKI gives you something you have, the client's private key, and the passphrase that encrypts that key file is something you know, so it is in the neighbourhood. The catch is that both live on the same notebook, and a copied key file can be attacked offline at leisure, which a real token does not allow; the CA's own private key and its passphrase belong offline, not on the VPN server at all. So it really isn't the same, but it sure feels very robust to me.

OpenVPN is a very robust solution for my needs. SSL/TLS is a fairly simple means of leveraging free software and well-understood standards/protocols to securely encapsulate data packets on both sides of a VPN tunnel. However, I am not sure that enterprise networks would admire it the same way. In fact, I know that my employer blocks the UDP port on which OpenVPN servers typically listen (1194), which is exactly the situation proto tcp on port 443 exists for.

Hopefully, this sheds a bit of light on the various VPN strategies and also some of the virtues of OpenVPN.


BTHS Silver Reunion Weekend - Revisited

My wife and I enjoyed a fabulous time at my 25-year BTHS Class of '85 Reunion. It was great seeing old friends and rekindling past acquaintances. As mentioned previously, I worked with a group of mostly diligent class representatives. Though we probably got on each other's nerves (yes, I was particularly gruff as the event drew near), our classmates really seemed to appreciate the effort. The reunion was successful. From a technical resource standpoint, I would probably not use PayPal in the capacity that we chose. Definitely my fault, I'll take the spear ;-)
PayPal cannot easily manage event-horizon or time-interval cost increases. The merchant scripts really should not be shared. In retrospect, sites like EventBrite would be better suited for this purpose. You live and learn. C'est la vie :-) Hopefully, this tidbit will help the '86ers..

Though I do not know the final headcount, I believe we had approximately 135 people in attendance. Not a bad showing during an economic downturn.
Technites traveled from as far away as British Columbia and Alaska. That is what I call dedication :-)

Although I was not able to attend most of the school-sponsored events, I was able to greet folks in the lunchroom. The lunchroom was a spot where we used to bang out beats on the tables and cut classes on occasion. I still remember the popping and break-dance competitions in the center section of the lunchroom.

Actually, I also wanted to speak with the BTHS principal, Randy Asher. Some of you may recall that I wrote an open letter to Randy some years back. The letter was a response to a NY Times editorial that highlighted the decline of African-American students in NYC specialized high schools. As I walked around the lunchroom, I wondered aloud if the Class of '85 was indeed the last frontier for so-called minorities (African-American & Latino) at BTHS. Only time will tell, but I would rather be proactive and offer some clues.

As I rode the Metro-North back to CT, I happened to be seated next to a woman whose son was a sophomore at Tech. In our candid conversation she suggested that entrance exam preparation was likely the cause of reduced African-American enrollment at BTHS. She told me that her son began prepping for the exam in the 7th grade, and that she made it a priority above all else.

While I agree with the premise that exam preparation is paramount to success and ultimately to entrance to a specialized high school, I asserted that the problem is much deeper than she described. I have been thinking about this problem for at least 3 years. Admittedly, the situation is as dire as it is perplexing. Below are some thought starters which I believe will help us gravitate toward a possible solution to this dilemma.

Recognizing the Stakeholders

  • Parents
  • Local Communities
  • Industry
  • Junior High Schools
  • NSBE

I'm quite sure that Asher and his executive staff have already considered the appropriate stakeholders. Nonetheless, I would assert that these relationships have eroded over time.
For instance, I understand that B'klyn Polytechnic created a Junior NSBE chapter at BTHS. For those of you not familiar with the NSBE, it is one of the largest student-run professional organizations, dedicated to the following mission:

"to increase the number of culturally responsible black engineers who excel academically, succeed professionally and positively impact the community."

Not sure if the NSBE Junior chapter or the alliance with B'klyn Polytechnic still exists today.

Obviously, parents and the local communities are perhaps the most influential stakeholders. Anyone who grew up in Fort Greene or any other section of B'klyn understands very well that gentrification has drastically changed the landscape of the neighborhoods. Whether this change is good or bad is beyond the scope of this entry. I'll leave this point of pontification as an exercise for the reader. Suffice to say, DeKalb Ave and the surrounding area near BTHS are far different than I remember.
In a recent conversation with a fellow classmate, he surmised that with the huge influx of higher-income families searching for affordable (i.e. zero-cost) education for their children, BTHS becomes an obvious choice. I would take the point a step further: circa '85 charter schools didn't exist, or at least there was not a huge discussion about vouchers. Perhaps the rise of the "charter school" mentality in the inner city has created a scarcity of quality public school seats that is far greater now than in the 80's?

Clearly I do not have all the answers; however, it will indeed take a village to correct the problem. Obviously, the first step is publicly acknowledging the problem and then aggressively recruiting caring individuals to help rectify the situation. I'm not sure Asher has done either. Nonetheless, I have already spoken to concerned classmates and I am confident that we can help stem the tide. IMHO, rebuilding the relationships with the key stakeholders should improve matters.

Lastly, it is worth noting that every person of color who attends BTHS is destined to become a mechanical engineer, chemist or actuarial scientist. Geeks are a rare breed indeed! BTHS provides students with the appropriate work ethic to succeed in any endeavor. We just need to do a better job of improving the critical mass for African-Americans. A drop-off from 33% to 11% is quite shocking.

Randy, let's have that conversation sooner than later..


Reduced comments and design changes

This icon, known as the "feed icon" ...

Image via Wikipedia

This entry was inspired by my buddy Ed Dunn. I thought it would be interesting to reflect on a recent post of his. It would appear that lurkers have not blessed him with the courtesy of a comment as a way of showing appreciation for his work. He really has begun to share much more content over the past 2 years. I had the pleasure of having him on my show, AG Speaks Episode 16. Heh, one day soon I'll add all of the social media links and also revise the RSS feeds on my blog. Clearly, I have lost some of my readership due to my activity on other social media sites. Ironically, I had berated others for not understanding blogging, or at least for abandoning their blogs in favor of hosted social media sites.

Now, I would not advocate threatening your readers into de-cloaking or de-lurking as Dunn describes it. IMHO everyone has a right to peruse without feeling obligated to leave a comment. I believe that because people are trying to make money from blogging some tend to get offended by people not commenting. I suppose the effort and time it takes to publish a useful blog entry should be rewarded by a comment. I really don't worry about it very much.

When I published an average of 12-15 entries per month, I had a fairly good number of comments. I was also running a netcast, so there was a good number of visitors that simply wanted to listen to my show. Now that I'm down to 4-5 blog entries per month, I can understand the dearth of visitor comments.

As mentioned earlier, well positioned RSS feeds for all of my tertiary content will help readers re-connect.


Seminar and testing were quite good, despite the fact that the number of attendees continues to dwindle due to a very difficult economy. In fact, we only rented half of the training hall for our activities. It was strange not having the entire room for the seminar. Consequently, the workout was not as strenuous, as there was far less distance to cover. I seem to recall the blisters that grew on the balls of my feet from the last seminar, as the carpet is not very forgiving. I came prepared with athletic tape, but a few minutes into the seminar I ripped off the tape because it felt very uncomfortable and was actually pinching me. In retrospect, I didn't actually need it, as we were not traversing the entire training hall. So, my feet were pleased that we did not use the entire space.

I arrived at about 11:30 a.m. so that I could stretch and get warm. Seminar and testing make for quite a long day. Kwan Jang Nim brought someone who I mistakenly thought to be his brother Nam (whom I have never met), but apparently it was another family member, perhaps a nephew or cousin. This gentleman did not stick around for seminar or testing, so I gather he may live in the area and was just dropping by to say hello.

Though we had a smaller group, it was good to see some of the old faces. The groups which come from Western MI and Dayton OH are becoming regulars. It is good to see the consistency in their participation. As I have stated previously, our federation will only get stronger by having new gups attend seminar so that we can continue to spread the word of Tang Soo Do!
We probably had roughly nineteen seminar participants and six people testing for Dan.

The seminar began with hand techniques: Ha Dan (lower part), Choong Dan (middle part), and Sang Dan (upper part) basics. Our federation President, Grandmaster Saul Kim, stressed the importance of understanding the application of each. We lined up using the width, or shortest distance, of the dojang (East to West) to run some of our basics. I had to be careful not to end up in the spectators' laps, as I do tend to take long strides. Spectators lined the adjacent side of the dojang so that we could add more seating.

Grandmaster Kim made it a point to thoroughly dissect Bassai, as it is one of our most complex forms. When it is executed correctly, it is also one of our most beautiful. He specifically wanted everyone to understand that Bassai is one of our animal forms; it represents the cobra. In fact, the double-fisted strike imitates the fangs of the snake.
We also spent a fair amount of time on the Naihanchi forms, as they are the third set of animal forms taught in our system. Naihanchi represents the horse, as all three forms are done in horse-riding stance, or keema jase. Emphasis was placed on the fact that people will execute the forms differently, but the application is still the same. Perhaps a departure from years past? Basically, most of the practitioners in our federation execute forms in a very similar manner, with only slight modifications. These days Grandmaster Kim seems open to subtle modifications.

There was some light sparring during the seminar, and we spent time on focus drills, that is, yup chakee or side kicks to an open area on your partner. Because we had such light attendance and a dearth of higher-ranking gups, I was paired with a very small student. My kicks would clear his head quite easily, so I was forced to modify the height of the techniques. Overall the seminar was enjoyable and quite useful. Good spirit all around.

The Dan testing ran a bit long, as I was one of the last students testing. I was paired with someone testing for 2nd Dan. We sat for a while, so I did get a bit stiff. The hard floor isn't very forgiving. Once we were called to begin our exam, it did move rather swiftly.
I made one mistake, well maybe two. I'd forgotten the Korean term for "reverse", thus I did not execute some basics correctly. When I was asked to execute a flying side kick (Yi Dan Yup Cha Kee) I didn't break the boards on the first try. This has never happened on any of my exams. Of course I did break both boards on the second try. I will post the breaks and some pics of the exam as an update to this entry.

I was quite happy to be done with the exam, as the day is quite a long one. It is remarkable that I have been training for roughly 11 years. 4th Dan is an achievement indeed. I will wear the next rank with honor and pride. I will continue to spread the word of Tang Soo Do wherever I train.

Tang Soo!!


Powered by Movable Type 4.25

About this Archive

This page is an archive of entries from May 2010 listed from newest to oldest.

April 2010 is the previous archive.

June 2010 is the next archive.
