Performance analysis of two secure tunneling mechanisms: IPSec

Transcription

Performance analysis of two secure tunneling
mechanisms: IPSec VPN versus SSL VPN
Jérémie BOULANGER
Ensimag, Grenoble (France)
Bastien BAILLY
Ensimag, Grenoble (France)
June 17, 2009
Abstract
In this study, we are looking at performance of
several solutions for IP tunnels to connect different entities of a firm. Latency, bandwidth and
CPU load are aspects that we are focusing on. We
will show that the choice of a solution rather than
another depends mainly on the needed computing
ressources and on the ease of implementation.
1
Figure 1 - A tunnel through the Internet
Context
Each solution has its pros and cons,
choosing one of these solutions must be made on
Nowadays many companies have worldwide sites a case by case according to the needs. The goal of
as well as mobile workers. In order to ease ex- this work is to give you the necessary information
changes between these different entities, it is nec- to choose the solution which is adapted for you.
essary to connect their networks. However, for
economic reasons, each company can’t develop its
own physical network between each of its sites.
It’s necessary to use the network of a third party
which will route data through the Internet. It 2
Theory
is obvious that for a mobile client, the choice is
even more justified. Then it’s essential to have a
secured transmission to protect the confidential- In this section we present the theoretical aspects
ity of trade. To facilitate the interconnection of of the several methods that can be used to connetworks through the Internet, there are several nect two remote sites. To begin we will recall here
options available such as an IPSec VPN (Virtual the structure of layers used for communication
Private Network) or an SSL VPN, that both cre- over networks and more specifically the TCP/IP
protocols.
ate a tunnel between two machines.
1
2.1
Networking
layers
TCP/IP protocols
and
Communication between two computers is done
by adding information to the data helping them
to find their way through the network. This information is distributed by each layer that encapsulate the previous layers. Here is a presentation
of the different network layers used for TCP/IP
transmission.
Figure 3 - Overhead due to IPSec
There is an additional loss due to the addition of this header (20 bytes).
For example: Ethernet link at 100Mb/s
Dth =
2.3
1518−18−20−20−20
∗100
1518
= 94, 8M b/s
SSL VPN
We examine here the case of OpenVPN, an opensource software used to create SSL tunnels reencapsulating IP into UDP.
Figure 2 - Example of layers
The encapsulation of data creates a difference between the physical link and data rate
because of the size of the headers that are added.
For example: Ethernet link at 100Mb/s:
Dth =
1518−18−20−20
1518
Figure 4 - Overhead due to OpenVPN
Here we lose another 8 bytes due to UDP
∗ 100 = 96, 18M b/s
header.
For example: Ethernet link at 100Mb/s
Without encryption:
2.2
Dth
94, 33M b/s
IPSec VPN
=
1518−18−20−20−20−8
1518
∗ 100
=
With encryption:
IPSec is based on a reencapsulation at the IP
level. It adds to the original packet a IP header
corresponding to the public exit of the tunnel.
It’s possible to add encryption and authentication (AH) which are not included in this study.
Dth = 1518−18−20−20−20−8−41
∗ 100 =
1518
91, 63M b/s
We add in this case the authentication header of
41 bytes of OpenVPN
2
2.4
Experimentation rate
the Ethernet layer. The source code is available
in appendix. The software establishes a TCP connection between the server and the client. Then it
reads the current systemtime and sends a message
to the TCP socket. We then measure the arrival
time on the network adapter determined using the
library ”pcap” (which captures the packets on the
ethernet card) and the difference gives the protocol stack processing time. We have checked that
the measurement precision is sufficient (≈4us).
Experimentaly, we obtain a 94,1 Mb/s rate for a
direct TCP connection, a 92,9 Mb/s rate with
an IPSec tunnel and a 92 Mb/s rate using an
SSL VPN. This results show us the influence of
the length of the overhead added by each protocol.
3
Experimentation
3.2.3
3.1
The package ipmt contains utilities to evaluate
the performance of connection. We use here especially udpmt and tcpmt respectively to create
a UDP and TCP connection whose flow is configurable. In our study these tools will make a background traffic to simulate the presence of many
users.
Figure 5 - Platform tests
The tests were performed on four identical machines running under FreeBSD 6.1. The
computers are equipped with Pentium D 2.8 GHz
dual-core processors and 1GB of DDR2 RAM.
The network cards used are Intel 82546EB Gigabit Ethernet adaptater. Those cards are limited to 100Mb/s. For some unknow reason, the
medium is then used in half-duplex mode.
3.2
The package ipmt
Platform tests
3.2.4
CPUkiller
CPUkiller is a tool we wrote whose goal is to generate CPU load. The source code is available in
annex. It creates as many threads as there are
parameters, that represent the load on each core
on the machine. (For instance: ./CPUkiller 70
50 generates a charge of 70% on one core and a
charge of 50% over the second core for an average
of 60%)
Tools used
To carry out the tests we used the following tools: 3.2.5
charge cpu.sh
charge cpu.sh is a script we wrote in order to measure the average of the CPU load. It relies on
OpenVPN
in
its
2.1
RC17
version vmstat, a standard Unix system tool to measure
to complete the SSL tunnel available CPU. The script extracts the idle value of vmstat
here:
http://openvpn.net/index.php/open- and makes its average. The source code is given
in annex.
source/downloads.html
3.2.1
OpenVPN
3.2.2
client / server software
3.3
Results
This is a client/server software we wrote in order Gateway 1 and Gateway 2 can use three differto measure the transition time from the TCP to ent communication methods: a direct connection,
3
an unencrypted IPSec connection and an unencrypted OpenVPN connection. The configuration depends on the route added in each of the
gateways connecting PC1 to PC2. However, no
change is necessary on PC1 and PC2.
Transition time/rate (down)
120
100
Transition time (us)
80
60
40
20
0
0
3.3.1
10
20
Testing time of transition
30
40
50
60
70
80
Background rate (Mb/s)
Figure 6 - Transition Time from TCP to Ethernet
Transition time/rate (up)
The goal of the first test is to determine if
the transition time, generally low compared to
the propagation time, would not increase significantly when the flow to route in the tunnel
increases. This phenomenon, which would increase the RTT between two customers, can deteriorate the performance of applications such as
video-conferencing. In this test we want to assess the transition time between TCP and Ethernet in the gateways while increasing the background traffic between PC1 and PC2. To do this,
we use the client/server software which gives us
the minimum, average and maximum time from
the client side transmission transition (down) and
the server side reception transition (up). The
background’s flow is simulated by udpmt and not
tcpmt to avoid the problem of the half-duplex
mode. The measurements are performed with a
step of 10Mb/s (between 0 and 90Mb/s of a useful
rate). Then, we send 200 packets with the client
and retrieve the data with the server. The results
are plotted in figure 6 and 7.
140
120
Transition time (us)
100
80
60
40
20
0
0
10
20
30
40
50
60
70
80
Backgroung rate (Mb/s)
Figure 7 - Transition Time from Ethernet to TCP
The use of IPSec is similar to a direct
connection watching the time of protocol transitions. We can also see that OpenVPN, implemented in user space, which requires copies from
the kernel space, to the user space, and back to
the kernel space, doubles the time of transition
between Ethernet and TCP. However values obtained (about 100us) are negligible even for high
speeds compared to the propagation delay time
on the Internet (Paris-Lyon ≈ 7ms). It appears
that the transition time protocol should not be
determinant in the choice of the solution.
3.3.2
Direct
CPU load test
To ensure a certain QoS, it is necessary that
the machine acting as a gateway has sufficient
computing resources to achieve the forwarding
IPsec
OpenVPN
4
of all the packets in the tunnel without latency
losses. To do this, we look at the evolution of the
CPU load modifying the flow passing through the
bridge. For this manipulation we used udpmt, a
tool creating a flow between PC1 and PC2. Then
we used the script charge cpu.sh to obtain the average load corresponding to each rate. The step
is 5Mb/s (between 5Mb/s and 90Mb/s of a useful
rate). The results are presented in the following
figures.
All these measurements have been carried out without encryption. It arises the question
of what encryption added to the CPU load. This
is required in order to calibrate the equipment.
We propose here to evaluate the CPU load generated by a symmetric encryption 128-bit Blowfish.
We use the same experimental method as before
to obtain the following curves:
OpenVPN encrypted
CPU load / Rate (down)
45
CPU load / Rate (down)
40
30
35
25
CPU load (%)
30
CPU load (%)
20
25
20
15
15
10
10
5
5
0
0
10
20
30
40
50
60
70
80
90
Rate (Mb/s)
0
0
10
20
30
40
50
60
70
80
90
Rate (Mb/s)
Figure 10 - CPU load when the flow enters in the secure
tunnel
Figure 8 - CPU load when the flow enters in the tunnel
CPU load / Rate (up)
CPU load / Rate (up)
45
35
40
30
35
30
CPU load (%)
CPU load (%)
25
20
25
20
15
15
10
10
5
5
0
0
0
0
10
20
30
40
50
60
70
80
90
10
20
30
40
50
60
70
80
90
Rate (Mb/s)
Rate (Mb/s)
Figure 11 - CPU load when the flow exits the secure
tunnel
Figure 9 - CPU load when the flow exits the tunnel
It can be seen that the flow’s increase
causes an increasing of the CPU charge. This is
proportional to the flow data rate. Of course, the
OpenVPN curve is far above IPSec’s one. This
one slightly exceeds that of the direct connection’s
one.
We can see here that the curves remain
linear but their slope increases from 45% down
(transmission) and 24% up (reception). The addition of encryption is not negligible in the final
installation of a VPN and to calibrate the ma5
• For a better approach, we could also consider requirements for the encryption of the
transmission.
chines performing the encryption. However the
load is linear so it’s a easy value to assess.
To calibrate the machine performing the
encryption, it would be interesting to know if
the CPU load can worsen the performances for
a given flow in terms of transition time. For this,
the tool CPUkiller was created and used to simulate a CPU load higher than the charges previously obtained. Having found under other conditions that the RTT exploded for low flows, but
for a high CPU load, the results obtained, namely
a constant time are not published here. Because
of the lack of time we haven’t been to determine
the reasons of these results.
4
5
Conclusions
We have seen that when using the Internet, the
protocol transition times are negligible. Regarding transmission rates, the differences between
IPSec and OpenVPN are not critical (less than
5%) but may support a decision rather than another. The determining factors in the choice of a
VPN solution will be the ease of installation on
machines in the company and the CPU load improved by each solution. For a company with only
Limitations of the study one site and mobile clients, SSL VPN seems to be
the best solution. Indeed the mobile workers are
and perspectives
often connected through a NAT router (ISP box
for example) and can’t use IPSec. For the same
• Given the duration of measurements, we reasons, we see that for a multi-site it is essential
couldn’t conduct them more precisely.
to use an SSL VPN (OpenVPN type) for its mobile workers. But for a site-to-site link, the use
• We have kept the same hardware configura- of a IPSec VPN is preferable thanks to its perfortions for all our tests, but we changed ma- mances and the fact that professional routers are
chines for logistical reasons.
able to manage IPSec networks.
• Machines are not optimized for the routing
and the operating system running in the
background can affect the CPU load and
latency.
6
• The transition time have not been performed for data rates exceeding 90Mb/s because of the difficulties of transmission like
packet retransmission. A possible improvement is to modify the client/server software,
to take into account the TCP retransmission, in order to automate the measures.
[1]Le tunnel GRE, Christian CALECA http://
www.stielec.ac-aix-marseille.fr/cours/caleca/vpn/
le principe.htm
[2]Le tunneling, Alain MILLE http://liris.cnrs.fr/
alain.mille/enseignements/DESS/Le tunneling.htm
[3]http://openvpn.net/
[4]http://www.winpcap.org/
[5]http://www.tcpdump.org/
6
References
Annex
client/serveur TCP
This software allows to determine protocol transition time between TCP and Ethernet
• Client.c:
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
<s t d i o . h>
<e r r n o . h>
< s i g n a l . h>
< s t r i n g . h>
<n e t d b . h>
<n e t i n e t / i n . h>
<s y s / s o c k e t . h>
< s t d l i b . h>
<pcap . h>
<s y s / t i m e . h>
<u n i s t d . h>
<semaphore . h>
//#d e f i n e SERVEURNAME ” 1 0 . 8 . 0 . 1 ”
//#d e f i n e SERVEURNAME ” 1 9 2 . 1 6 8 . 0 . 2 ”
i n t t o s e r v e r s o c k e t = −1;
i n t tuyaux [ 2 ] ;
i n t Compteur = 0 ;
sem t E c r i t ;
int chrono [ 2 ] ;
i n t s t o p =0;
pcap t ∗ adhandle ;
void f i n ( i n t i )
{
pcap breakloop ( adhandle ) ;
shutdown ( t o s e r v e r s o c k e t , 2 ) ;
close ( to server socket ) ;
pthread join () ;
}
void p a c k e t h a n d l e r ( u c h a r ∗param , const s t r u c t p c a p p k t h d r ∗ h e a d e r ,
{
s t r u c t tm ∗ l t i m e ;
char t i m e s t r [ 1 6 ] ;
time t l o c a l t v s e c ;
/∗ c o n v e r t t h e timestamp t o r e a d a b l e f o r m a t ∗/
l o c a l t v s e c = h e a d e r −>t s . t v s e c ;
chrono [0]= l o c a l t v s e c ;
l t i m e=l o c a l t i m e (& l o c a l t v s e c ) ;
s t r f t i m e ( t i m e s t r , s i z e o f t i m e s t r , ”%H:%M:%S” , l t i m e ) ;
//
p r i n t f ( ” Paquet n %d : ” , Compteur ) ;
//
p r i n t f (”% s , % . 6 d l e n :%d\n ” , t i m e s t r , ( i n t ) h e a d e r −>t s . t v u s e c ,
c h r o n o [ 1 ] = h e a d e r −>t s . t v u s e c ;
s e m p o s t (& E c r i t ) ;
Compteur ++;
}
void Capture ( p c a p t ∗ a d h a n d l e )
{
/∗ s t a r t t h e c a p t u r e ∗/
p c a p l o o p ( adhandle ,
0,
p a c k e t h a n d l e r , NULL) ;
}
i n t main ( i n t a r g c , char ∗ a r g v [ ] )
{
char ∗ s e r v e r n a m e = ” 1 9 2 . 1 6 8 . 0 . 2 ” ;
i n t v p n a c t i f =0;
struct s o c k a d d r i n serverSockAddr ;
struct hostent ∗ serverHostEnt ;
long hostAddr ;
long s t a t u s ;
char b u f f e r [ 5 1 2 ] ;
char b l a [ 3 0 ] ;
pcap if t ∗alldevs ;
p c a p i f t ∗d ;
i n t inum ;
i n t i =0;
char e r r b u f [ PCAP ERRBUF SIZE ] ;
7
const u c h a r ∗ p k t d a t a )
h e a d e r −>l e n ) ;
s t r u c t t i m e v a l DateTCP ;
char t i m e s t r [ 1 6 ] ;
u i n t netmask=0 x f f f f f f ;
struct bpf program f c o d e ;
i n t minim = 1 0 0 0 0 0 0 0 0 0 ;
i n t maxim=0;
i n t somme=0;
i n t temps =0;
i n t n b p a i n d e m i e =0;
i n t p r e m i e r p a q u e t =1;
//
s e m i n i t (& E c r i t , 0 , 0 ) ;
s i g n a l ( SIGINT , f i n ) ;
// pour quand on
fait
le
ctrl C
b z e r o (& s e r v e r S o c k A d d r , s i z e o f ( s e r v e r S o c k A d d r ) ) ;
( ( a r g c ==2) && ( ! s t r c m p ( a r g v [ 1 ] , ”−v ” ) ) ) {
// pour l e s o p t i o n s du vpn
s e r v e r n a m e= ” 1 0 . 8 . 0 . 1 ” ;
v p n a c t i f =1;
p r i n t f ( ” O p t i o n s VPN a c t i v e e s \n” ) ;
} e l s e i f ( ( a r g c ==2) && ( ! s t r c m p ( a r g v [ 1 ] , ”−s ” ) ) ) {
// pour l e s o p t i o n s i p s e c
s e r v e r n a m e= ” 1 0 . 0 . 0 . 1 ” ;
v p n a c t i f =2;
p r i n t f ( ” O p t i o n s IPSEC a c t i v e e s \n” ) ;
} else {
p r i n t f ( ” O p t i o n s pour l i e n d i r e c t a c t i v e e s \n” ) ;
}
hostAddr = i n e t a d d r ( s e r v e r n a m e ) ;
i f ( ( long ) hostAddr != ( long ) −1)
bcopy (& hostAddr ,& s e r v e r S o c k A d d r . s i n a d d r , s i z e o f ( hostAddr ) ) ;
else
{
serverHostEnt = gethostbyname ( server name ) ;
i f ( s e r v e r H o s t E n t == NULL)
{
p r i n t f ( ” Probleme g e t h o s t \n” ) ;
exit (0) ;
}
bcopy ( s e r v e r H o s t E n t −>h a d d r ,& s e r v e r S o c k A d d r . s i n a d d r , s e r v e r H o s t E n t −>h l e n g t h ) ;
}
serverSockAddr . s i n p o r t = htons (4242) ;
s e r v e r S o c k A d d r . s i n f a m i l y = AF INET ;
if
/∗ c r e a t i o n de l a s o c k e t ∗/
i f ( ( t o s e r v e r s o c k e t = s o c k e t ( AF INET , SOCK STREAM, 0 ) ) < 0 )
{
p r i n t f ( ” Probleme c r e a t i o n s o c k e t c l i e n t \n” ) ;
exit (0) ;
}
/∗ r e q u e t e de c o n n e x i o n ∗/
i f ( c o n n e c t ( t o s e r v e r s o c k e t , ( s t r u c t s o c k a d d r ∗ )&s e r v e r S o c k A d d r , s i z e o f ( s e r v e r S o c k A d d r ) ) < 0 )
{
p r i n t f ( ” Probleme demande de c o n n e x i o n \n” ) ;
exit (0) ;
}
/∗ R e t r i e v e t h e d e v i c e l i s t on t h e l o c a l machine ∗/
i f ( p c a p f i n d a l l d e v s (& a l l d e v s , e r r b u f ) == −1)
{
f p r i n t f ( s t d e r r , ” E r r o r i n p c a p f i n d a l l d e v s : %s \n” , e r r b u f ) ;
exit (1) ;
}
/∗ P r i n t t h e l i s t ∗/
f o r ( d=a l l d e v s ; d ; d=d−>n e x t )
{
p r i n t f ( ”%d . %s ” , ++i , d−>name ) ;
i f ( d−>d e s c r i p t i o n )
p r i n t f ( ” (% s ) \n” , d−>d e s c r i p t i o n ) ;
else
p r i n t f ( ” ( No d e s c r i p t i o n a v a i l a b l e ) \n” ) ;
}
i f ( i ==0)
{
p r i n t f ( ” \nNo i n t e r f a c e s
exit (0) ;
f o u n d ! Make s u r e Pcap i s
}
p r i n t f ( ” E n t e r t h e i n t e r f a c e number (1−%d ) : ” , i ) ;
s c a n f ( ”%d” , &inum ) ;
i f ( inum < 1 | | inum > i )
{
p r i n t f ( ” \ n I n t e r f a c e number o u t o f
/∗ F r e e t h e d e v i c e l i s t ∗/
pcap freealldevs ( alldevs ) ;
exit (0) ;
}
/∗ Jump t o t h e
f o r ( d=a l l d e v s ,
s e l e c t e d a d a p t e r ∗/
i =0; i < inum−1 ; d=d−>next ,
r a n g e . \ n” ) ;
i ++) ;
8
i n s t a l l e d . \ n” ) ;
/∗ Open t h e d e v i c e ∗/
i f ( ( a d h a n d l e= p c a p o p e n l i v e ( d−>name ,
// name o f t h e d e v i c e
65536 ,
// p o r t i o n o f t h e p a c k e t t o c a p t u r e 6 5 5 3 6 g u a r a n t e e s
c a p t u r e d on a l l t h e l i n k l a y e r s
1,
// p r o m i s c u o u s mode
1000 ,
// r e a d t i m e o u t
errbuf
// e r r o r b u f f e r
) ) == NULL)
{
f p r i n t f ( s t d e r r , ” \ nUnable t o open t h e a d a p t e r . %s
exit (0) ;
is
t h a t the whole packet
will
be
n o t s u p p o r t e d by Pcap \n” , d−>name ) ;
}
/∗ c o m p i l e t h e f i l t e r ∗/
i f ( v p n a c t i f ==1){
i f ( p c a p c o m p i l e ( a d h a n d l e , &f c o d e , ” ( d s t h o s t 1 9 2 . 1 6 8 . 0 . 2 ) and ( s r c h o s t 1 9 2 . 1 6 8 . 0 . 1 ) and ( i p p r o t o
\\ udp ) and ( g r e a t e r 9 0 ) and ( l e s s 2 0 0 ) and ( d s t p o r t 4 0 0 0 ) ” , 1 , netmask ) <0 )
{
f p r i n t f ( s t d e r r , ” \ nUnable t o c o m p i l e t h e p a c k e t f i l t e r . Check t h e s y n t a x . \ n” ) ;
exit (0) ;
}
} e l s e i f ( v p n a c t i f == 2 ) { //
i f ( p c a p c o m p i l e ( a d h a n d l e , &f c o d e , ” ( d s t h o s t 1 9 2 . 1 6 8 . 0 . 2 ) and ( s r c h o s t 1 9 2 . 1 6 8 . 0 . 1 ) and (
g r e a t e r 9 0 ) and ( l e s s 2 0 0 ) ” , 1 , netmask ) <0 )
{
exit (0) ;
}
} else {
i f ( p c a p c o m p i l e ( a d h a n d l e , &f c o d e , ” ( d s t h o s t 1 9 2 . 1 6 8 . 0 . 2 ) and ( s r c h o s t 1 9 2 . 1 6 8 . 0 . 1 ) and (
i p p r o t o \\ t c p ) and ( g r e a t e r 9 0 ) and ( l e s s 2 0 0 ) ” , 1 , netmask ) <0 )
{
exit (0) ;
}
}
/∗ s e t t h e f i l t e r ∗/
i f ( p c a p s e t f i l t e r ( a d h a n d l e , &f c o d e ) <0)
{
f p r i n t f ( s t d e r r , ”\ nError s e t t i n g the
exit (0) ;
}
f i l t e r . \ n” ) ;
p r i n t f ( ” \ n l i s t e n i n g on %s . . . \ n” , d−>name ) ;
/∗ At t h i s p o i n t , we don ’ t need any more t h e
//
//
//
device
list .
Free
it
∗/
p r i n t f ( ” l a n c e m e n t de l a c a p t u r e \n” ) ;
p t h r e a d t ThreadCapt ;
p t h r e a d c r e a t e (&ThreadCapt , NULL, Capture , a d h a n d l e ) ;
while ( 1 )
{
/∗ e n v o i e de donne e t r e c e p t i o n ∗/
p r i n t f ( ” E n t r e r l e t e x t e : \ n” ) ;
// s c a n f (”% s ” , ( c h a r ∗ )&b l a ) ;
usleep (200000) ;
p r i n t f ( ” t e x t e e n t r e : %s \n” ,& b l a ) ;
i f ( ! strcmp ( bla , ” $ q u i t ” ) ) {
/∗ f e r m e t u r e de l a c o n n e x i o n ∗/
shutdown ( t o s e r v e r s o c k e t , 2 ) ;
close ( to server socket ) ;
exit (0) ;
}
else
{
g e t t i m e o f d a y (&DateTCP , NULL) ;
l o c a l t v s e c = DateTCP . t v s e c ;
l t i m e=l o c a l t i m e (& l o c a l t v s e c ) ;
s t r f t i m e ( t i m e s t r , s i z e o f t i m e s t r , ”%H:%M:%S” , l t i m e ) ;
p r i n t f ( ” Envoi Data TCP
: ”) ;
p r i n t f (”% s , % . 6 d\n ” , t i m e s t r , ( i n t ) DateTCP . t v u s e c ) ;
/∗ Envoi de deux p a q u e t s t c p ∗/
write ( to server socket , ” Vive les lasagnes ” ,60) ;
s e m w a i t (& E c r i t ) ; //On a t t e n d que pcap a i t c a p t u r e un p a q u e t
temps=(−DateTCP . t v s e c+c h r o n o [ 0 ] ) ∗1000000 −DateTCP . t v u s e c+c h r o n o [ 1 ] ;
p r i n t f ( ”Temps de t r a n s i t i o n ( d e s c e n t e ) : %d u s \n” , temps ) ;
i f ( p r e m i e r p a q u e t ==0) {
n b p a i n d e m i e ++;
i f ( temps<minim ) {
minim=temps ;
9
}
( temps>maxim ) {
maxim=temps ;
}
somme+=temps ;
p r i n t f ( ”Temps minimal : %d\n” , minim ) ;
p r i n t f ( ”Temps moyen :
%d\n” , somme/ n b p a i n d e m i e ) ;
p r i n t f ( ”Temps maximal : %d\n” , maxim ) ;
p r i n t f ( ”Nombre de p a q u e t s : %d\n” , n b p a i n d e m i e ) ;
p r i n t f ( ” \n−−−−−−−−−−−−−−−−\n\n” ) ;
if
}
p r e m i e r p a q u e t =0;
}
return 1 ;
}
}
• Serveur.c:
#include
#include
#include
#include
#include
#include
#include
#include
#include
<s y s / t y p e s . h>
<s y s / s o c k e t . h>
<n e t i n e t / i n . h>
< s i g n a l . h>
< s t r i n g . h>
<s t d i o . h>
< s t d l i b . h>
<pcap . h>
<semaphore . h>
char b u f f e r [ 5 1 2 ] ;
int ma socket ;
int c l i e n t s o c k e t ;
i n t Compteur = 0 ;
sem t E c r i t ;
sem t Arret ;
i n t s t o p =0;
int chrono [ 2 ] ;
i n t b o o l =0;
pcap t ∗ adhandle ;
void p a c k e t h a n d l e r ( u c h a r ∗param ,
{
const s t r u c t p c a p p k t h d r ∗ h e a d e r ,
const u c h a r ∗ p k t d a t a )
s e m w a i t (& A r r e t ) ;
char t i m e s t r [ 1 6 ] ;
/∗ c o n v e r t t h e timestamp t o r e a d a b l e f o r m a t ∗/
l o c a l t v s e c = h e a d e r −>t s . t v s e c ;
chrono [ 0 ] = l o c a l t v s e c ;
// l t i m e=l o c a l t i m e (& l o c a l t v s e c ) ;
// s t r f t i m e ( t i m e s t r , s i z e o f t i m e s t r , ”%H:%M:%S ” , l t i m e ) ;
p r i n t f ( ” Paquet n %d : ” , Compteur ) ;
// p r i n t f (”% s , % . 6 d l e n :%d\n ” , t i m e s t r , ( i n t ) h e a d e r −>t s . t v u s e c ,
c h r o n o [ 1 ] = h e a d e r −>t s . t v u s e c ;
s e m p o s t (& E c r i t ) ;
Compteur ++;
}
/∗ F o n c t i o n de f e r m e t u r e de c o n n e x i o n en c a s d ’ e c h e c ∗/
void f i n ( i n t i )
{
shutdown ( c l i e n t s o c k e t , 2 ) ;
close ( client socket ) ;
shutdown ( m a s o c k e t , 2 ) ;
c l o s e ( ma socket ) ;
}
void Capture ( p c a p t ∗ a d h a n d l e )
{
/∗ s t a r t t h e c a p t u r e ∗/
p c a p l o o p ( a d h a n d l e , 0 , p a c k e t h a n d l e r , NULL) ;
}
i n t main ( i n t a r g c , char ∗ a r g v [ ] ) {
int port = 4242;
pcap if t ∗alldevs ;
p c a p i f t ∗d ;
i n t inum ;
i n t i =0;
char e r r b u f [ PCAP ERRBUF SIZE ] ;
s t r u c t t i m e v a l DateTCP ;
s t r u c t t i m e v a l DateTCP2 ;
char t i m e s t r [ 1 6 ] ;
10
h e a d e r −>l e n ) ;
u i n t netmask=0 x f f f f f f ;
struct bpf program f c o d e ;
s e m i n i t (& E c r i t , 0 , 0 ) ;
s e m i n i t (& A r r e t , 0 , 0 ) ;
i n t Tps ;
b o o l =0;
g e t t i m e o f d a y (&DateTCP2 , NULL) ;
i n t VPN=0;
i n t min = 1 0 0 0 0 0 0 0 0 0 ;
i n t max=0;
i n t somme=0;
i n t n b p a c k e t =0;
s e m p o s t (& A r r e t ) ;
( ( a r g c ==2) && ( ! s t r c m p ( a r g v [ 1 ] , ”−v ” ) ) ) {
VPN=1;
} e l s e i f ( a r g c ==1){
VPN=0;
} e l s e i f ( ( a r g c ==2) && ( ! s t r c m p ( a r g v [ 1 ] , ”−s ” ) ) ) {
VPN=2;
} else {
p r i n t f ( ” E r r e u r dans l e s a r g u m e n t s \n” ) ;
exit (0) ;
}
p r i n t f ( ”VPN %d\n” ,VPN) ;
if
struct s o c k a d d r i n mon address ,
int mon address longueur , l g ;
if
{
client address ;
/∗ R e t r i e v e t h e d e v i c e
( p c a p f i n d a l l d e v s (& a l l d e v s ,
f p r i n t f ( stderr , ” Error
exit (1) ;
l i s t on t h e l o c a l
e r r b u f ) == −1)
in
machine ∗/
p c a p f i n d a l l d e v s : %s \n” ,
errbuf ) ;
}
/∗ P r i n t t h e l i s t ∗/
f o r ( d=a l l d e v s ; d ; d=d−>n e x t )
{
p r i n t f ( ”%d . %s ” , ++i , d−>name ) ;
i f ( d−>d e s c r i p t i o n )
p r i n t f ( ” (% s ) \n” , d−>d e s c r i p t i o n ) ;
else
p r i n t f ( ” ( No d e s c r i p t i o n a v a i l a b l e ) \n” ) ;
}
i f ( i ==0)
{
p r i n t f ( ” \nNo i n t e r f a c e s
exit (0) ;
f o u n d ! Make s u r e Pcap i s
i n s t a l l e d . \ n” ) ;
}
p r i n t f ( ” E n t e r t h e i n t e r f a c e number (1−%d ) : ” , i ) ;
s c a n f ( ”%d” , &inum ) ;
i f ( inum < 1 | | inum > i )
{
p r i n t f ( ” \ n I n t e r f a c e number o u t o f
exit (0) ;
}
/∗ Jump t o t h e
f o r ( d=a l l d e v s ,
s e l e c t e d a d a p t e r ∗/
i =0; i < inum−1 ; d=d−>next ,
r a n g e . \ n” ) ;
i ++) ;
/∗ Open t h e d e v i c e ∗/
i f ( ( a d h a n d l e= p c a p o p e n l i v e ( d−>name ,
// name o f t h e d e v i c e
65536 ,
// p o r t i o n o f t h e p a c k e t t o c a p t u r e 6 5 5 3 6 g u a r a n t e e s
c a p t u r e d on a l l t h e l i n k l a y e r s
1,
// p r o m i s c u o u s mode
1000 ,
// r e a d t i m e o u t
errbuf
// e r r o r b u f f e r
) ) == NULL)
{
f p r i n t f ( s t d e r r , ” \ nUnable t o open t h e a d a p t e r . %s
exit (0) ;
is
t h a t the whole packet
will
be
n o t s u p p o r t e d by Pcap \n” , d−>name ) ;
}
/∗ c o m p i l e t h e f i l t e r ∗/
i f (VPN==0){
i f ( p c a p c o m p i l e ( a d h a n d l e , &f c o d e , ” ( g r e a t e r 7 5 ) and ( l e s s 2 0 0 ) and ( d s t h o s t 1 9 2 . 1 6 8 . 0 . 2 ) and ( s r c
h o s t 1 9 2 . 1 6 8 . 0 . 1 ) and ( i p p r o t o \\ t c p ) ” , 1 , netmask ) <0 )
{
exit (0) ;
11
}
} e l s e i f (VPN ==1){
h o s t 1 9 2 . 1 6 8 . 0 . 1 ) and ( i p p r o t o \\ udp ) and ( d s t p o r t 4 0 0 0 ) ” , 1 , netmask ) <0 )
{
exit (0) ;
}
} e l s e i f (VPN ==2){
h o s t 1 9 2 . 1 6 8 . 0 . 1 ) ” , 1 , netmask ) <0 ) //
{
exit (0) ;
}
}
/∗ s e t t h e f i l t e r ∗/
i f ( p c a p s e t f i l t e r ( a d h a n d l e , &f c o d e ) <0)
{
f p r i n t f ( s t d e r r , ”\ nError s e t t i n g the
exit (0) ;
}
f i l t e r . \ n” ) ;
p r i n t f ( ” \ n l i s t e n i n g on %s . . . \ n” , d−>name ) ;
/∗ At t h i s p o i n t , we don ’ t need any more t h e
b z e r o (& m o n
mon address
mon address
mon address
device
list .
Free
it
∗/
address , s i z e o f ( mon address ) ) ;
. s i n p o r t = htons (4242) ;
. s i n f a m i l y = AF INET ;
. s i n a d d r . s a d d r = h t o n l (INADDR ANY) ;
/∗ c r e a t i o n de s o c k e t ∗/
i f ( ( m a s o c k e t = s o c k e t ( AF INET , SOCK STREAM, 0 ) )== −1)
{
p r i n t f ( ” Probleme l o r s de l a c r e a t i o n du s o c k e t \n” ) ;
exit (0) ;
}
/∗ b i n d s e r v e u r − s o c k e t ∗/
i f ( b i n d ( m a s o c k e t , ( s t r u c t s o c k a d d r ∗ )&m o n a d d r e s s , s i z e o f ( m o n a d d r e s s ) )==−1){
p r i n t f ( ” P o r t o c c u p e \n” ) ;
exit (0) ;
}
/∗ e c o u t e s u r l a s o c k e t ∗/
l i s t e n ( ma socket , 0 ) ;
p r i n t f ( ” Serveur lance sur l e
p o r t %d \nEn a t t e n t e de c o n n e x i o n . . . \ n” , p o r t ) ;
/∗ a c c e p t e l a c o n n e x i o n ∗/
mon address longueur = sizeof ( c l i e n t a d d r e s s ) ;
c l i e n t s o c k e t = accept ( ma socket ,
( s t r u c t s o c k a d d r ∗ )&c l i e n t a d d r e s s ,
&m o n a d d r e s s l o n g u e u r ) ;
p r i n t f ( ” l a n c e m e n t de l a c a p t u r e \n” ) ;
p t h r e a d t ThreadCapt ;
p t h r e a d c r e a t e (&ThreadCapt , NULL, Capture , a d h a n d l e ) ;
while ( 1 )
{
DateTCP=DateTCP2 ;
s e m w a i t (& E c r i t ) ;
l g = read ( c l i e n t s o c k e t , buffer , 512) ;
g e t t i m e o f d a y (&DateTCP2 , NULL) ;
s e m p o s t (& A r r e t ) ;
// l o c a l t v s e c = DateTCP . t v s e c ;
// l t i m e=l o c a l t i m e (& l o c a l t v s e c ) ;
// s t r f t i m e ( t i m e s t r , s i z e o f t i m e s t r , ”%H:%M:%S ” , l t i m e ) ;
// p r i n t f ( ” R e c e p t i o n Data TCP
: ”) ;
// p r i n t f (”% s , % . 6 d\n ” , t i m e s t r , ( i n t ) DateTCP . t v u s e c ) ;
Tps = ( DateTCP . t v s e c − c h r o n o [ 0 ] ) ∗ 1 0 0 0 0 0 0 + ( DateTCP . t v u s e c − c h r o n o [ 1 ] ) ;
i f ( b o o l ==0){
bool = 1;
} else {
i f ( min>Tps )
min = Tps ;
i f ( max<Tps )
max = Tps ;
somme+=Tps ;
n b p a c k e t ++;
p r i n t f ( ”Temps de t r a n s i t i o n ( montee ) : %d u s \n” , Tps ) ;
p r i n t f ( ”Min %d/Max %d/Avg %d\n” , min , max , somme/ n b p a c k e t ) ;
}
12
( l g <= 0 )
break ;
p r i n t f ( ” Le s e r v e u r a r e c u : %s \n\n−−−−−−−−−−−−−−−−−−−\n\n” , b u f f e r ) ;
if
}
shutdown ( c l i e n t s o c k e t , 2 ) ;
close ( client socket ) ;
shutdown ( m a s o c k e t , 2 ) ;
c l o s e ( ma socket ) ;
}
CPUkiller
This software create a determined CPU load.
#include
#include
#include
#include
#include
<semaphore . h>
< s t d l i b . h>
< s i g n a l . h>
<s t d i o . h>
<p t h r e a d . h>
p t h r e a d t ∗ TabTh ;
i n t NbTh ;
s e m t Attend ;
void f i n ( ) {
int i ;
f o r ( i =0; i <NbTh ; i ++){
p t h r e a d c a n c e l (&(TabTh [ i ] ) ) ;
}
s e m p o s t (& Attend ) ;
}
void Charge ( i n t Ch) {
int a ;
int i ;
i n t dodo ;
s t r u c t t i m e v a l Avant ;
s t r u c t t i m e v a l Apres ;
while ( 1 ) {
g e t t i m e o f d a y (&Avant , NULL) ;
f o r ( i =0; i <=8000000; i ++) ;
g e t t i m e o f d a y (&Apres , NULL) ;
a=( Apres . t v s e c −Avant . t v s e c ) ∗1000000+ Apres . t v u s e c −Avant . t v u s e c ;
dodo = a ∗100/Ch−a ;
i f ( dodo <0)
dodo =0;
u s l e e p ( dodo ) ;
}
}
i n t main ( i n t a r g c , char ∗ a r g v [ ] ) {
int i ;
s e m i n i t (&Attend , 0 , 0 ) ;
NbTh=a r g c −1;
TabTh=m a l l o c (NbTh∗ s i z e o f ( p t h r e a d t ) ) ;
f o r ( i =0; i <NbTh ; i ++){
p t h r e a d c r e a t e (&(TabTh [ i ] ) ,NULL, Charge , a t o i ( a r g v [ i + 1 ] ) ) ;
}
s e m w a i t (& Attend ) ;
return 1 ;
}
charge cpu.sh
This script measures the average CPU load.
#! / b i n / sh
somme=0
n=0
while [ 1 ]
do
n=$ ( ( $n +1) )
r e p=$ ( vmstat 1 2 )
set $rep
r e p=$ {60}
somme=$ ( ( somme+$ r e p ) )
p r i n t f ” Moyenne : $ ( ( somme/ $n ) ) % du CPU o c c u p e \ r ”
done
13

Performance analysis of two secure tunneling mechanisms: IPSec

Transcription

Documents pareils

Gaubert Jean

Programming in Java Exceptions Handling Errors using Exceptions

multi purpose ladder