andrewla
I had a friend who worked in federal law enforcement who once described a vampire device that they used. It would clamp around a power cable and inject a UPS in the mix so that an electronic device could be removed without turning it off. Seemed like a useful little trick.
theideaofcoffee
This is a great writeup! Especially for those that may want to DIY it, the how and the why and all of that, and not have to shell out for carrier-quality Layer 1 encryption devices. Nice to see that even off-the-shelf components can do it with relative ease at those rates. Also nice to see sane sysctl tunes as well. Anything to make an adversary's day a bit harder. I low key love the explanation of old 10B5 taps, something that so well and truly dead, but the legacy carries on into everything new today.

This is actually a well-trodden area of datacenter interconnect (DCI) devices that do line-rate encryption (to crazy levels like 400G+) to protect those links that may have easily accessible fibers strung along poles, for instance, to prevent just the vampirism described in the post. Packetlight, Ciena, Infinera and others.

dathery
Really cool article, I enjoy reading through all the details behind the decision making.

Just spit-balling a little, but I wonder if Wireguard is the best tool here given that the author is only using it for a single point-to-point link and they control the devices on both ends. That CPU supports AES-NI and probably does it a lot faster than Wireguard's ChaCha20 (hard to get numbers for their server CPU, but the tiny little x86 mini PC I use as my router does AES XTS at 43Gbps according to `cryptsetup benchmark`).

You might see better performance by tunneling the vxlan connection using a different technology which can use AES-NI? Then again, Wireguard is definitely still a good tool for stuff like this, and maybe the performance penalty isn't a big deal here.

c0l0
As I had posted a few weeks ago (https://news.ycombinator.com/item?id=41085314), I recently implemented a very similar thing myself.

My solution ended up using tc's mirred[0] action for implementing a fully L2-transparent frame relay. I wonder if their setup achieves the same degree of transparency, because afaiui, that's just not possible involving a 802.1Q-compliant (Linux) bridge.

I spent close to a week optimizing my setup looking at kernel flame graphs and perf results, reading adapter-specific tuning guides and driver source, and can say that the only really meaningful performance optimizations (in both the Broadwell- and Zen3/Vermeer-based implementations I tried) were disabling mitigations in the kernel (esp. on Zen3, that boosted performance by more than 20%), and getting CPU frequency scaling/idle states sorted out correctly (which yielded much higher wins on the older Broadwell uarch, because power state transition appears to happen much quicker on Zen3).

As for the solution presented in the (on the whole really great; I love it!) article, I have my doubts about the effectiveness of the cargo-culted "sysctl tuning" mentioned - TCP, for example, is simply not involved at all in the described setup, so "tuning" its buffer allocations cannot have any effect on the workload.

Kudos to the writers for solving their problem in a creative, cost-effective and maintainable way! :)

[0]: https://www.man7.org/linux/man-pages/man8/tc-mirred.8.html

qhwudbebd
I'm interested in their last step, in which they set

  vm.dirty_ratio = 40
  vm.dirty_background_ratio = 10
  vm.swappiness=10

  governor=performance
  energy_perf_bias=performance
  min_perf_pct=100
to raise a surprisingly low performance ceiling.

I can't believe they were under any memory pressure, so the first three presumably made no difference, but it's also quite surprising to me that the default ondemand cpu governor was responsible for such a dramatic performance hit. Not throttling up quickly enough leading to higher latency maybe? Very interesting anyway.

nsteel
Did Cisco really invent MACSec?! I thought it was cooked up by the IEEE and supported in hardware from many vendors. I imagine they all have their own bugs though, it's quite a complicated spec. I know some switch/router vendors also now offer hardware-accelerated end-to-end encryption, similar to IPsec, Nokia call their's anysec but I'm sure the other players have their own. The benefit of those is you'd get full bandwidth (e.g. Tbps).
exabrial
Why MACSEC isn't the default is pretty crazy! given that is is extremely stateless (encrypting at the frame level) and counters should be pretty reliable (only go up, since there's two parties) you could take advantages of some AES and GCM modes that would pretty quickly spot injection, replay, and other attacks.

But getting back to the main topic of the paper: why not just S2S IPSec the link?

dietr1ch
Missing attack: Cause a disruption that obviously breaks the connection while further away you get time to tap it properly.

"Oh, no, a truck run into the pole carrying the copper/fiber, it must be an accident and no intervention is going on undetected because of the outage."

What we really need is promiscuous connectivity , but fully untrusted connections. It's maddening why it's hard to communicate 2 wireless devices while they are literally sharing the same radio spectrum and multiple radios could be used to talk to each other.

nullc
Tapping is even easier if you have access to the cable end in a patch panel.

I have a computer setup with a one-way gige connection for reviewing potentially malicious content in an air-gapped manner. The transmit side transceiver needs to see an incoming signal, so I just use one of these to feed its own output back into it:

https://www.amazon.com/dp/B0B8ZHBK26

aaronmdjones

    # setup a 8020 MTU on wg0 interface to account for the 80 bytes wireguard headers overhead
    # 20-byte IPv4 header or 40 byte IPv6 header, 8-byte UDP header  4-byte type, 4-byte key index, 8-byte nonce, 16-byte authentication tag)
    /sbin/ip li set dev wg0 mtu 8020
Shouldn't that be 8920? To go with the 9000 byte MTU on the outer interface above it.
icehawk
I did something like this to stretch L2 as I was moving into a new home. Worked great after I realized t-mobile does not like passing IP fragments.

Got to use it again to set up a remote telescope for the eclipse.

westurner
A notebook with pandas would have had a df.plot().

9.71 Gbps with wg on a 10GBps link with sysctl tunings, custom MTUs,.

I had heard of token ring, but not 10BASE5: https://en.wikipedia.org/wiki/10BASE5

mrbluecoat
> Eth/IP/UDP/WG/IP/UDP/VXLAN/Eth/802.1q/IP/Payload

I'd love to see your IT manager's face when you propose it :D

ggernov
I prefer to just run fiber inside of a copper gas line.