Network Extrusion

From HandWiki

A network extrusion is a kind of VPN tunnel in which a subnet (or a single host) is moved to another location without any change to routing advertisements. Traffic to such a subnet is routed normally, but is then sent through a VPN tunnel, so the subnet can appear anywhere else on the internet. This type of VPN connection is often used for:

  • Adding IPv4 public address space to a location that has only 1 public IP address, such as a consumer internet connection
  • Assigning a static IP address to a roaming laptop to ensure it is always reachable at one static IP address. This is often done with IPsec and L2TP or XAUTH

In IPsec/Openswan IPv4 configuration, this corresponds to a policy on the client system like:

 conn mylaptop-extruded
      right=192.1.0.1
      rightsubnet=0.0.0.0/0
      left=%defaultroute
      leftsubnet=192.0.0.1/32
      leftsourceip=192.0.0.1

When this IPsec connection is active, the default source IP address for outgoing connections is 192.0.0.1. Since this address is covered by the IPsec tunnel, each packet is encrypted and sent to the remote IPsec gateway at 192.1.0.1, where it is decrypted and forwarded to its original destination. Response packets follow the same path in reverse.

When using leftsubnet=192.0.0.0/24, one could even run a small network with the laptop as default gateway and provide public IP addresses to many computers, all appearing to live at the remote site.
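To make the selector logic behind the two configurations above concrete, here is an added example (not code from the HandWiki page or from Openswan) that models how the IPsec policy derived from a conn block decides which packets enter the tunnel. It assumes a constructed conn using the page's addresses with the /24 variant of leftsubnet; the real decision is made by the kernel's IPsec policy database, which this models with plain address arithmetic.

```python
# Added illustration: model the IPsec policy selectors an extrusion conn
# defines and classify outgoing packets as tunnelled or sent in the clear.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    leftsubnet: ipaddress.IPv4Network   # local selector: the extruded block
    rightsubnet: ipaddress.IPv4Network  # remote selector: 0.0.0.0/0 = everything
    right: ipaddress.IPv4Address        # remote IPsec gateway that decapsulates


def parse_conn(text: str) -> Policy:
    """Read the key=value lines of a single Openswan-style 'conn' block."""
    kv, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif "=" in line:
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()
    return Policy(
        name=name,
        leftsubnet=ipaddress.ip_network(kv["leftsubnet"], strict=False),
        rightsubnet=ipaddress.ip_network(kv["rightsubnet"], strict=False),
        right=ipaddress.ip_address(kv["right"]),
    )


def route(policy: Policy, src: str, dst: str) -> str:
    """Where an outgoing packet goes: ESP to the gateway, or the clear.

    Only packets whose source lies in leftsubnet match the policy; this is
    why leftsourceip matters, as it makes the extruded address the default
    source so ordinary applications produce matching packets.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in policy.leftsubnet and d in policy.rightsubnet:
        return f"ESP to {policy.right}"
    return "clear"


# Constructed conn: the page's example widened to the /24 network variant.
CONSTRUCTED_CONN = """
conn mylaptop-extruded
    right=192.1.0.1
    rightsubnet=0.0.0.0/0
    left=%defaultroute
    leftsubnet=192.0.0.0/24
    leftsourceip=192.0.0.1
"""


def demo() -> dict:
    p = parse_conn(CONSTRUCTED_CONN)
    return {
        "laptop": route(p, "192.0.0.1", "203.0.113.9"),       # tunnelled
        "lan host": route(p, "192.0.0.55", "203.0.113.9"),    # tunnelled (/24)
        "other source": route(p, "10.0.0.5", "203.0.113.9"),  # not covered
    }
```

The last case is the one worth checking on a real system: a packet sourced from an address outside leftsubnet does not match the policy and leaves unprotected, which is why the extruded address must actually be the source in use.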

IPsec VPNs are generally used to route private networks rather than public ones, so while this configuration is not implausible, it is unusual for VPN administrators.

Many remote access situations run as network extrusions so that a corporate firewall can inspect the traffic that travels to and from the laptop computer.

This technique can also be used to tunnel IPv6 address space into networks where only IPv4 space is available (or vice versa).

These tunnels are invisible to traceroute because the IPsec tunnel appears as a single additional hop, just like a subnet.