[vpn-help] VPN Client Road Map Modifications ...

Matthew Grooms mgrooms at shrew.net
Thu Sep 7 19:22:47 CDT 2006 

All,

	With version 1.1 of the VPN Client on the horizon, I wanted to make an 
announcement concerning some recent changes to the 'VPN Client Road Map 
and Future Versions' page of the website.

http://www.shrew.net/vpn/todo.php

	The page is now a more accurate representation of the current 
development plan and goals. If you have reviewed the Road Map recently, 
you may have noticed that a 2.0 release involves changes to the kernel 
driver architecture. After some serious thought, I have decided to fast 
track the new architecture in an effort to correct certain design flaws 
of the 1.x series.

	As the VPN Client has matured, the user-land components have seen a 
great deal of improvement. The kernel driver components were completed 
and stabilized as early as possible and have remained mostly unchanged 
during the life of the 1.x series. While the simplistic nature of these 
drivers was a win for quick implementation and stability, they simply do 
not offer flexibility that future products require. A more forward 
looking model has been chosen and an initial implementation has been 
developed.

Current Driver Architecture :

   IPSECC
   IPSECD
==========
IP | VPROT
----------
NIC | VNET

	In this diagram, everything above the double line is a user-land 
component and everything below is an NDIS kernel component. The VPROT 
driver is an NDIS Protocol driver that sits parallel to the MS TCP/IP 
driver. The VNET driver is an NDIS Miniport driver that sits parallel to 
other network card drivers. The VPROT driver is used to send and receive 
public traffic and the VNET driver is used to send and receive private 
traffic.

Future Driver Architecture :

   IPSECC
   IPSECD
==========
     IP
----------
    VFLT
----------
NIC | VNET

	As you can see, the new kernel driver architecture is quite different. 
The major change is that the NDIS Protocol driver has been supplanted by 
an NDIS Intermediate Filter driver. Since an Intermediate driver sets 
between NDIS Protocol and Miniport drivers, the client will now be able 
to interact with packets that are passed to Miniports other than VNET. 
The second advantage is that packets can be injected below the MS TCP/IP 
layer and intercepted before they are allowed to pass back up to higher 
level protocols. Lastly, VNET can be dumbed down to nearly a do-nothing 
stub driver as all traffic inspection and redirection can be handled at 
the Intermediate driver layer.

	While it will take some time to fully stabilize these new kernel 
drivers, the bulk of the initial work has already been completed. With 
the new model in place, the following changes are now possible ...

1) Prevent TCP/IP from responding with 'unkown UDP port' ICMP messages
2) Add support for VPN tunnels using public interface addresses
3) Add support for in-kernel ESP processing
4) Add support for an optional client side firewall

	After all the required functionality has been added to the kernel 
drivers and stability has been achieved, I will begin the process of 
submitting the components to Microsoft for WHQL certification. After the 
components are certified, digitally signed driver packages can be 
distributed with the VPN Client Software. I hope to make this happen 
before the end of the 2.x series.

Thanks,

-Matthew

More information about the vpn-help mailing list