Research: testing a PPTP connection

01.04.2022 | VAS Experts

This article walks step by step through testing a PPTP connection on virtual and physical interfaces using an Intel Ethernet E810-C 100GbE network card.

Test bench specification:

CPU: Intel(R) Xeon(R) CPU E3-1240 V2 @ 3.40GHz
Memory: Total 16GiB @ 1600MHz
NIC: Ethernet Controller E810-C Dual-Port 100GbE QSFP
Operating System: Linux CentOS
Linux kernel version: 4.18.0-348.el8.x86_64
Driver: ice 0.8.2-k

Goal

  1. Run a PPTP server and a PPTP client in separate Docker containers on virtual interfaces (veth), thereby imitating a real PPTP connection on a single host. The connection diagram is shown in Figure 1.
  2. Set up the same connection on the physical interfaces of the card under test. The connection diagram is shown in Figure 2.
  3. Capture a PCAP for each connection method and compare the results.

Implementation

Fig. 1. Test setup on virtual interfaces.

Fig. 2. Test setup on physical interfaces.

Results

1. PCAP on the client side in the setup with virtual interfaces (pptp_w_veth.pcap):

"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","172.50.0.2","172.40.0.2","TCP","74","51246 > 1723 [SYN]
"2","0.000028","172.40.0.2","172.50.0.2","TCP","74","1723 > 51246 [SYN, ACK]
"3","0.000040","172.50.0.2","172.40.0.2","TCP","66","51246 > 1723 [ACK]
"4","0.000205","172.50.0.2","172.40.0.2","PPTP","222","Start-Control-Connection-Request"
"5","0.000214","172.40.0.2","172.50.0.2","TCP","66","1723 > 51246 [ACK]
"6","0.000911","172.40.0.2","172.50.0.2","PPTP","222","Start-Control-Connection-Reply"
"7","0.000915","172.50.0.2","172.40.0.2","TCP","66","51246 > 1723 [ACK]
"8","1.000442","172.50.0.2","172.40.0.2","PPTP","234","Outgoing-Call-Request"
"9","1.000970","172.40.0.2","172.50.0.2","PPTP","98","Outgoing-Call-Reply"
"10","1.000979","172.50.0.2","172.40.0.2","TCP","66","51246 > 1723 [ACK]
"11","1.001157","172.50.0.2","172.40.0.2","PPP LCP","70","Configuration Request"
"12","1.004528","172.40.0.2","172.50.0.2","PPP LCP","70","Configuration Request"
"13","1.004620","172.40.0.2","172.50.0.2","PPP LCP","74","Configuration Ack"
"14","1.004667","172.50.0.2","172.40.0.2","PPP LCP","74","Configuration Ack"
"15","1.004724","172.50.0.2","172.40.0.2","PPP IPCP","64","Configuration Request"
"16","1.004832","172.40.0.2","172.50.0.2","PPP CCP","64","Configuration Request"
"17","1.004838","172.40.0.2","172.50.0.2","PPP IPCP","58","Configuration Request"
"18","1.004864","172.40.0.2","172.50.0.2","PPP IPCP","58","Configuration Reject"
"19","1.004908","172.50.0.2","172.40.0.2","PPP CCP","56","Configuration Request"
"20","1.004920","172.50.0.2","172.40.0.2","PPP CCP","60","Configuration Reject"
"21","1.004939","172.50.0.2","172.40.0.2","PPP IPCP","58","Configuration Ack"
"22","1.004971","172.50.0.2","172.40.0.2","PPP IPCP","58","Configuration Request"
"23","1.005033","172.40.0.2","172.50.0.2","PPP CCP","56","Configuration Ack"
"24","1.005038","172.40.0.2","172.50.0.2","PPP CCP","56","Configuration Request"
"25","1.005062","172.40.0.2","172.50.0.2","PPP IPCP","58","Configuration Nak"
"26","1.005118","172.50.0.2","172.40.0.2","PPP CCP","56","Configuration Ack"
"27","1.005148","172.50.0.2","172.40.0.2","PPP IPCP","58","Configuration Request"
"28","1.005205","172.40.0.2","172.50.0.2","PPP IPCP","62","Configuration Ack"
"29","1.505778","172.50.0.2","172.40.0.2","GRE","46","Encapsulated PPP"

2.1 PCAP on the client side in the setup with physical interfaces (pptp_w_810_client.pcap):

"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","172.30.0.2","172.10.0.2","TCP","74","33730 > 1723 [SYN]
"2","0.000067","172.10.0.2","172.30.0.2","TCP","74","1723 > 33730 [SYN, ACK]
"3","0.000080","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
"4","0.000299","172.30.0.2","172.10.0.2","PPTP","222","Start-Control-Connection-Request"
"5","0.000324","172.10.0.2","172.30.0.2","TCP","66","1723 > 33730 [ACK]
"6","0.001052","172.10.0.2","172.30.0.2","PPTP","222","Start-Control-Connection-Reply"
"7","0.001058","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
"8","1.000567","172.30.0.2","172.10.0.2","PPTP","234","Outgoing-Call-Request"
"9","1.001172","172.10.0.2","172.30.0.2","PPTP","98","Outgoing-Call-Reply"
"10","1.001192","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
"11","1.001354","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"12","3.997954","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"13","7.001009","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"14","10.004123","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"15","13.007221","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"16","16.010336","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"17","19.013400","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"18","22.016486","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"19","25.019571","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"20","28.022668","172.30.0.2","172.10.0.2","PPP LCP","70","Configuration Request"
"21","31.032879","172.30.0.2","172.10.0.2","PPTP","82","Call-Clear-Request"
"22","31.032941","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [FIN, ACK]
"23","31.032999","172.10.0.2","172.30.0.2","TCP","66","1723 > 33730 [FIN, ACK]
"24","31.033008","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]

2.2 PCAP on the server side in the setup with physical interfaces (pptp_w_810_server.pcap):

"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","172.30.0.2","172.10.0.2","TCP","74","33730 > 1723 [SYN]
"2","0.000026","172.10.0.2","172.30.0.2","TCP","74","1723 > 33730 [SYN, ACK]
"3","0.000069","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
"4","0.000290","172.30.0.2","172.10.0.2","PPTP","222","Start-Control-Connection-Request"
"5","0.000298","172.10.0.2","172.30.0.2","TCP","66","1723 > 33730 [ACK]
"6","0.001014","172.10.0.2","172.30.0.2","PPTP","222","Start-Control-Connection-Reply"
"7","0.001047","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
"8","1.000598","172.30.0.2","172.10.0.2","PPTP","234","Outgoing-Call-Request"
"9","1.001134","172.10.0.2","172.30.0.2","PPTP","98","Outgoing-Call-Reply"
"10","1.001189","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
"11","1.004629","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"12","4.007764","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"13","7.010842","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"14","10.013949","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"15","13.017035","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"16","16.020115","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"17","19.023193","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"18","22.026271","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"19","25.029348","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"20","28.030753","172.10.0.2","172.30.0.2","PPP LCP","70","Configuration Request"
"21","31.032901","172.30.0.2","172.10.0.2","PPTP","82","Call-Clear-Request"
"22","31.032938","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [FIN, ACK]
"23","31.032972","172.10.0.2","172.30.0.2","TCP","66","1723 > 33730 [FIN, ACK]
"24","31.032996","172.30.0.2","172.10.0.2","TCP","66","33730 > 1723 [ACK]
 

Analysis

The PCAP captured on the client side in the setup with virtual interfaces (pptp_w_veth.pcap) shows that the PPTP connection is established successfully.

In the setup with physical interfaces (pptp_w_810_server/client.pcap), the connection fails at the point where LCP packets, which are encapsulated in GRE, are exchanged. The client and the server each send LCP (Configure-Request) packets, but neither receives the peer's packets.

Conclusions

Testing showed that the Intel Ethernet E810 100GbE card does not pass GRE packets during a PPTP connection attempt.

We believe this information will be useful to the Internet service provider community and will help in choosing the right network equipment. We hope that Intel will take note of this problem, fix it, and improve the quality of its services.

Authors

Dmitry Moldavanov, CTO
Kirill Marchenko, engineer
