PANTHEONtech/qp-vpp

Quantum-Proof VPP

This demo uses the Qrypt entropy stream to derive a pre-shared key (PSK) and uses it to add an additional layer of security to VPP WireGuard peers. The WireGuard PSK is an optional 32-byte value that is mixed into the handshake key derivation alongside the Curve25519 Diffie-Hellman results; it does not replace the standard key exchange but strengthens it, because an attacker who later breaks the elliptic-curve exchange still lacks the PSK. Deriving the PSK from a quantum-safe entropy source is intended to improve resistance against future quantum-computing threats. Note that this only holds if the PSK itself is distributed over a channel that is not exposed to the same attacker.

Demo topology


Endpoint configuration

The config file reference.

Key exchange

The entropy used as key material must be shared securely between the endpoints so that both can generate the same PSK independently, even at different times. For this purpose Qrypt provides the BLAST protocol for key delivery and synchronization.

Both qp-vpp endpoints connect to the Qrypt SDK. One endpoint is the initiator (marked in the config file); it generates an AES key together with metadata that the other endpoint uses to replicate the same key. Part of the key configuration is the TTL, which puts a time limit on how long the metadata can be used to replicate the key. Keeping the TTL short bounds the window in which leaked or captured metadata is of any use.

Key rotation

A new key is generated every 10 seconds (the default key-rotation-ttl value in qp-vpp-1.yaml). The initiator (qp-vpp-1) requests a new AES key and shares its metadata; both endpoints then reconfigure their WireGuard peer with the new PSK so the tunnel stays up across the rotation.
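The following is an added illustration of the rotation logic described above; it is not qp-vpp's own code and does not use the Qrypt SDK or VPP. It assumes (as a stand-in for the project's undocumented scheme) that the 32-byte WireGuard PSK is derived from the shared 256-bit key material with HKDF-SHA256, domain-separated by a key identifier, and that the synchronizer may only replicate a key while its metadata TTL is valid. The key material and the timestamps are constructed sample values.

```python
"""
Added example (not qp-vpp code): derive a WireGuard PSK from shared key
material, track the metadata TTL, and decide when the initiator must rotate.
Assumptions: HKDF-SHA256 derivation with a fixed label (the project's actual
derivation is not documented on the page), a 10 s rotation interval as in
qp-vpp-1.yaml, and constructed sample key material in place of Qrypt entropy.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass

WG_PSK_LEN = 32  # WireGuard pre-shared keys are exactly 32 bytes
HASH_LEN = hashlib.sha256().digest_size


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (Extract + Expand) with SHA-256."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    # Empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_wg_psk(key_material: bytes, key_id: str) -> str:
    """Return the base64 PSK string WireGuard tooling expects.

    The key identifier is bound into the HKDF `info` field so that each
    rotation yields a different PSK even if key material were ever reused.
    """
    if len(key_material) < 32:
        raise ValueError("need at least 256 bits of key material for the PSK")
    raw = hkdf_sha256(
        key_material, salt=b"", info=b"qp-vpp wg psk " + key_id.encode(), length=WG_PSK_LEN
    )
    return base64.b64encode(raw).decode()


def psks_match(psk_a: str, psk_b: str) -> bool:
    """Constant-time comparison of the PSKs computed on the two endpoints."""
    return hmac.compare_digest(psk_a.encode(), psk_b.encode())


@dataclass(frozen=True)
class KeyMetadata:
    """What the initiator shares: a key identifier plus its validity window."""
    key_id: str
    issued_at: float  # seconds since epoch on the initiator
    ttl_s: float      # how long the metadata may be used to replicate the key

    def usable_at(self, now: float) -> bool:
        """Synchronizer replicates the key only inside the TTL window."""
        return self.issued_at <= now < self.issued_at + self.ttl_s


def rotation_due(meta: KeyMetadata, now: float, rotation_ttl_s: float = 10.0) -> bool:
    """Initiator requests a fresh key once the rotation interval has elapsed."""
    return now - meta.issued_at >= rotation_ttl_s


if __name__ == "__main__":
    # Constructed sample: both endpoints hold the same 32 bytes of key material.
    shared = bytes(range(32))
    meta = KeyMetadata(key_id="key-0001", issued_at=1000.0, ttl_s=10.0)
    psk_initiator = derive_wg_psk(shared, meta.key_id)
    psk_synchronizer = derive_wg_psk(shared, meta.key_id)
    print("PSKs match:", psks_match(psk_initiator, psk_synchronizer))
    print("metadata usable at t+5s:", meta.usable_at(1005.0))
    print("rotation due at t+10s:", rotation_due(meta, 1010.0))
```

A synchronizer that receives metadata after the TTL has expired should refuse to replicate the key and wait for the next rotation rather than reuse the previous PSK indefinitely; in this example `usable_at` returns False once the window closes and `rotation_due` tells the initiator it is time to issue the next key.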

Demo prerequisites

  1. Login to Qrypt developer portal
  2. Download the Qrypt "BLAST C SDK Linux x86_64" v0.12.8 (under Changelogs) and save it to /qrypt-sdk/QryptSecurity-c-linux-x86_64.tar.gz (do not extract it)
  3. Generate a new token and put it to file /qrypt-sdk/token

Make sure both files exist in /qrypt-sdk before building the image.

Quickstart

  1. Run make build-binary to build the qp-vpp binary
  2. Build the qp-vpp docker image with make build-demo-image. A VPP version with the wireguard-psk feature enabled is pre-configured. The image is tagged as vpp:wireguard
  3. Start the demo with make demo

What the Demo Does

  1. Starts two QP-VPP endpoints: qp-vpp-1 (initiator) and qp-vpp-2 (synchronizer).
  2. qp-vpp-2 starts a local server on port :7007 and waits for the initiator to share the key metadata.
  3. qp-vpp-1 uses the Qrypt SDK to generate an AES key and shares its metadata with qp-vpp-2, which replicates the same key.
  4. Both endpoints configure the VPP WireGuard interface and peer with the PSK derived from that key.
  5. The demo verifies connectivity by having both VPP instances ping each other.

All interface names, IP addresses, and public/private keys are pre-defined in the endpoint configuration files in resources.

Inspect the Running Demo

Open a shell inside the containers:

docker exec qp-vpp-1 bash
docker exec qp-vpp-2 bash

Or inspect the VPP configuration directly:

docker exec qp-vpp-1 vppctl sh int
docker exec qp-vpp-2 vppctl sh wireguard peer
