Anyone using uvlan out there?

A few weeks ago, I stumbled across uvlan... I first thought WTF, then upon researching it a little more, I'm starting to really like the idea for replacing a traditional VPN between sites etc.

From the web site:
uvlan is a User-space Virtual Local Area Network. In other words, uvlan peers act as nodes on a network switch. Routing ethernet traffic between peers inteligently. Thus allowing for multiple networks to share resources and even IP address space. Some may call it a VPN (Virtual Private Network) application, but it's much more powerful. Differences with traditional VPN technology:

    1. It is peer-to-peer
    2. It doesn't require licensing
    3. It is much simpler
    4. It operates at Layer-2 (Ethernet), VPNs generally operate at Layer-3 (IP)
       Layer-2 applications like gaming can't be supported with Layer-3 tunneling.

How does it work?
Using the libpcap (winpcap for windows users) library, uvlan listens to a specific ethernet device. If a broadcast frame is seen, then it is sent off to all the peers so they can add it to their records and emit the broadcast on their local network. Once this happens, the device (computer, router, gaming console, etc) which sent the broadcast will be known by all the peers and remote machines will know of the device's existance and how to route traffic to it.

This behaviour is identical to a hardware switch. Only difference is - this switch is software and the backplane (the medium that passes information between switch ports) is encrypted packets on the internet.

bridge, but with endpoints over a routed IP network.

Has anyone actually used this? Thoughts? Criticisms?

How does it work?
Using the libpcap (winpcap for windows users) library, uvlan listens to a specific ethernet device. If a broadcast frame is seen, then it is sent off to all the peers so they can add it to their records and emit the broadcast on their local network. Once this happens, the device (computer, router, gaming console, etc) which sent the broadcast will be known by all the peers and remote machines will know of the device's existance and how to route traffic to it.

I'd be very concerned if you had a lot of machines running on the same side of a hardware switch and all were "nodes"... they'd replicate all the broadcast frames and n^2 plus the hardware switch's contribution :). Sounds like a problem for machines that are reasonably close together and/or large implementations of these.

Kind of cool otherwise.

Deepak

From the web site:
uvlan is a User-space Virtual Local Area Network. In other words,
uvlan peers act as nodes on a network switch. Routing ethernet
traffic between peers inteligently. Thus allowing for multiple
networks to share resources and even IP address space. Some may call
it a VPN (Virtual Private Network) application, but it's much more
powerful. Differences with traditional VPN technology:

It's a VPN. None of these supposed "differences" are different from the
fundamental characteristics of a VPN:

   1. It is peer-to-peer

invoke_buzzword_of_the_month();

   2. It doesn't require licensing

Plenty of VPN products out there are FOSS;

   3. It is much simpler

Simpler than what?

   4. It operates at Layer-2 (Ethernet), VPNs generally operate at
Layer-3 (IP)

Generally, perhaps, but it's not a requirement of the term "VPN" that it be
an L3 transition.

      Layer-2 applications like gaming can't be supported with
Layer-3 tunneling.

Plenty of games can successfully use IP.

From my understanding, this software is pretty much acting like a
bridge, but with endpoints over a routed IP network.

Has anyone actually used this? Thoughts? Criticisms?

I haven't used this particular software, but I've used OpenVPN (software of
the Gods, by gum) in it's L2 mode, and it's OK as long as you observe all of
the usual restrictions on LAN-like traffic over a low-bandwidth,
high-latency link. Most things that need to use Ethernet assume all sorts
of things that just don't hold over the Internet, and it causes some painful
hassles. But, engineered properly, in the correct circumstances, it can be
handy to bridge two or more segments over a routed network.

A criticism of uvlan in particular is that I wouldn't trust my network
security to people who sound so clueless. Their derision of VPNs, as you
quoted above, shows either a lack of sense or a blind hatred, using libpcap
in this situation gave me some chuckles, and their "What algorithms are
used?" page scares me a little. I'll stick with OpenVPN, myself.

Phone: (03) 90001 6090 - 0412 935 897

Gee you Melbournians are advanced... you've already gone to 11 digit phone
numbers... <grin>

- Matt

Quoting Matt Palmer <mpalmer@hezmatt.org>:

From the web site:
uvlan is a User-space Virtual Local Area Network. In other words,
uvlan peers act as nodes on a network switch. Routing ethernet
traffic between peers inteligently. Thus allowing for multiple
networks to share resources and even IP address space. Some may call
it a VPN (Virtual Private Network) application, but it's much more
powerful. Differences with traditional VPN technology:

It's a VPN. None of these supposed "differences" are different from the
fundamental characteristics of a VPN:

   1. It is peer-to-peer

invoke_buzzword_of_the_month();

Yeah - I don't quite agree with this in the traditional P2P sense, however I think they mean that they can connect multiple sites and have data transit between them. I'll cut them a break here because it's hard to describe how it works in so few words

   2. It doesn't require licensing

Plenty of VPN products out there are FOSS;

Yeah - I wasn't too sure about this either. I haven't seen any VPN software that requires licensing in years. I didn't know anyone still required this?

   3. It is much simpler

Simpler than what?

Routing?

   4. It operates at Layer-2 (Ethernet), VPNs generally operate at
Layer-3 (IP)

Generally, perhaps, but it's not a requirement of the term "VPN" that it be
an L3 transition.

      Layer-2 applications like gaming can't be supported with
Layer-3 tunneling.

Plenty of games can successfully use IP.

I was thinking more the case of joining lans. Obviously its not a solution for all causes, as anything with more than 5-10 nodes per site and more than 2-3 sites would get pretty ugly. I think a nice thing would be for things that can ONLY use a local LAN due to either software or developer restrictions.

From my understanding, this software is pretty much acting like a
bridge, but with endpoints over a routed IP network.

Has anyone actually used this? Thoughts? Criticisms?

I haven't used this particular software, but I've used OpenVPN (software of
the Gods, by gum) in it's L2 mode, and it's OK as long as you observe all of
the usual restrictions on LAN-like traffic over a low-bandwidth,
high-latency link. Most things that need to use Ethernet assume all sorts
of things that just don't hold over the Internet, and it causes some painful
hassles. But, engineered properly, in the correct circumstances, it can be
handy to bridge two or more segments over a routed network.

I've used a lot of VPN stuff in the past, but I've usually always ended up doing it on a router, then had to NAT over it and all sorts of nasty stuff. I think this is a nicer solution if it could be implemented right

A criticism of uvlan in particular is that I wouldn't trust my network
security to people who sound so clueless. Their derision of VPNs, as you
quoted above, shows either a lack of sense or a blind hatred, using libpcap
in this situation gave me some chuckles, and their "What algorithms are
used?" page scares me a little. I'll stick with OpenVPN, myself.

I think it's come about of a case of wanting to do stuff that won't work properly over a routed network (xbox games etc) - however could be nicer for a lot more things.

Phone: (03) 90001 6090 - 0412 935 897

Gee you Melbournians are advanced... you've already gone to 11 digit phone
numbers... <grin>

Damn typos. I've just changed numbers, I must have typo'ed it when updating the sig on my desktop. At least it's right in other places

Quoting Matt Palmer <mpalmer@hezmatt.org>:
>> 2. It doesn't require licensing
>
>Plenty of VPN products out there are FOSS;

Yeah - I wasn't too sure about this either. I haven't seen any VPN
software that requires licensing in years. I didn't know anyone still
required this?

There's plenty of lots-o-money VPN products out there; presumably that's
what they're talking about. The problem is that the statement "uvlan isn't
a VPN because it doesn't require licencing" is a ridiculous statement,
because you don't have to have a licencing requirement to be a VPN.

>> 3. It is much simpler
>
>Simpler than what?

Routing?

Simple is in the eye of the beholder. Switched ethernet networks have their
complexities that routed networks don't...

>> 4. It operates at Layer-2 (Ethernet), VPNs generally operate at
>>Layer-3 (IP)
>
>Generally, perhaps, but it's not a requirement of the term "VPN" that it be
>an L3 transition.
>
>> Layer-2 applications like gaming can't be supported with
>>Layer-3 tunneling.
>
>Plenty of games can successfully use IP.

I was thinking more the case of joining lans. Obviously its not a
solution for all causes, as anything with more than 5-10 nodes per
site and more than 2-3 sites would get pretty ugly. I think a nice
thing would be for things that can ONLY use a local LAN due to either
software or developer restrictions.

Well, obviously.

>>From my understanding, this software is pretty much acting like a
>>bridge, but with endpoints over a routed IP network.
>>
>>Has anyone actually used this? Thoughts? Criticisms?
>
>I haven't used this particular software, but I've used OpenVPN (software of
>the Gods, by gum) in it's L2 mode, and it's OK as long as you observe all
>of
>the usual restrictions on LAN-like traffic over a low-bandwidth,
>high-latency link. Most things that need to use Ethernet assume all sorts
>of things that just don't hold over the Internet, and it causes some
>painful
>hassles. But, engineered properly, in the correct circumstances, it can be
>handy to bridge two or more segments over a routed network.

I've used a lot of VPN stuff in the past, but I've usually always
ended up doing it on a router, then had to NAT over it and all sorts
of nasty stuff. I think this is a nicer solution if it could be
implemented right

I don't think you quite got my point -- you *don't* need uvlan to bridge
Ethernet segments over a routed network; there are other products which will
do the same thing. As I said, I've used OpenVPN to do this job, and my
experiences are given in that block of text you quoted.

>A criticism of uvlan in particular is that I wouldn't trust my network
>security to people who sound so clueless. Their derision of VPNs, as you
>quoted above, shows either a lack of sense or a blind hatred, using libpcap
>in this situation gave me some chuckles, and their "What algorithms are
>used?" page scares me a little. I'll stick with OpenVPN, myself.

I think it's come about of a case of wanting to do stuff that won't
work properly over a routed network (xbox games etc) - however could
be nicer for a lot more things.

XBox games don't work over a routed network? Please tell me that XBox Live
isn't just a giant uvlan install.

- Matt

So its like l2tpv3 vpn.

And, since its based on PC platform, I kind of have to say, in words of
Vijay, "It does not scale", and "What problem is being solved"?

-alex [not mlc anything]

...it seems they are closer to the future ground-breaking 128-bit IP world than the rest. ;-)))

./Carlos

Using the libpcap (winpcap for windows users) library, uvlan
listens to a specific ethernet device. If a broadcast frame
is seen, then it is sent off to all the peers so they can add
it to their records and emit the broadcast on their local
network.

I doubt that we will be deploying Windows servers in our network to
route traffic. This is not the only way to do layer 2 over IP. See
http://www.faqs.org/rfcs/rfc3931.html

--Michael Dillon

XBox Live is regular, routed IP, that doesn't even need to much work to
function from the wrong side of EvilConsumerBroadbandNAT.

I guess the point was talking about original non-360 Xbox games, some of
which supported 'LAN play' by hooking a lot of consoles together on the
same local network. I have no idea what was sitting in the Ethernet
frames that wasn't routable.

Cheers,
Tim.

Broadcast/multicast traffic? They probably expect the other Xboxes to be
on the same broadcast segment.

This brings back memories of KALI from yesteryear, when I was but a wee
lad with an E1 and a hankering for Duke Nuken 3D. Ah, those days..

adrian