Understand the basic components of computer networks, learn about relevant protocols, and equip yourself with a handful of tools you'll use in your daily life.
- PPCA is not a project designed for intense competition. As long as you follow the basic rules and complete the necessary tasks, you don't need to worry about your grade at all.
- Therefore, we hope that everyone chooses a project they are genuinely interested in, rather than just doing it for the grade.
- We hope everyone has fun.
The basic tasks are required to be completed in the first week. In the following three weeks, you need to complete at least 4 intermediate or advanced tasks, with at least one task chosen from the advanced categories.
We hope that the tools you implement will be something you will truly use in your later life, weathering the test of real-world usage. Usability, code quality and commit hygiene will be considered in code review.
Using an existing virtual tun implementation is also acceptable, so long as you write the nftables rules yourself.
UDP NAT behavior is limited to Full Cone or Symmetric.
You may find that most SOCKS5 client implementations out there do not obey the RFC in terms of UDP behavior, or do not support UDP at all. The writer ultimately found one that does, but has forgotten the name.
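The UDP relay framing from RFC 1928 section 7 that the note above refers to, as an added example that is not part of the course materials; the function and constant names are my own, and the decoder drops the datagram in every case the RFC says a non-reassembling relay must:

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # address types, RFC 1928 section 5


def encode_udp_request(host: str, port: int, payload: bytes, frag: int = 0) -> bytes:
    """Build an RFC 1928 section 7 datagram: RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT DATA."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: send it as a domain name with a 1-byte length prefix.
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("domain name must be 1..255 bytes")
        addr_field = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        addr_field = bytes([atyp]) + addr.packed
    return struct.pack("!HB", 0, frag) + addr_field + struct.pack("!H", port) + payload


def decode_udp_request(datagram: bytes):
    """Parse a relay datagram into (host, port, payload); return None if it must be dropped."""
    if len(datagram) < 4:
        return None
    rsv, frag, atyp = struct.unpack("!HBB", datagram[:4])
    # RSV must be zero, and a relay that does not reassemble fragments MUST drop FRAG != 0.
    if rsv != 0 or frag != 0:
        return None
    pos = 4
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        size = 4 if atyp == ATYP_IPV4 else 16
        if len(datagram) < pos + size:
            return None
        host = str(ipaddress.ip_address(datagram[pos:pos + size]))
        pos += size
    elif atyp == ATYP_DOMAIN:
        size = datagram[pos] if len(datagram) > pos else 0
        pos += 1
        if size == 0 or len(datagram) < pos + size:
            return None
        host = datagram[pos:pos + size].decode("idna")
        pos += size
    else:
        return None  # unknown ATYP: cannot be forwarded
    if len(datagram) < pos + 2:
        return None  # truncated DST.PORT
    port = struct.unpack("!H", datagram[pos:pos + 2])[0]
    return host, port, datagram[pos + 2:]
```

A client that sends FRAG != 0 to a relay built this way will see its datagrams silently dropped, which is exactly the RFC-permitted behaviour that many clients in the wild do not account for.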
Capture and inspect HTTPS traffic just like mitmproxy does.
Although you may write a standalone demo first, you should implement these two features on a popular networking tool with high code quality.
Note: Task 2 is composed of two parts (2.1 and 2.2). Both parts must be completed to be considered one full advanced task. Completing only one part will be counted as 0.5 advanced tasks.
A simple implementation of frp (Fast Reverse Proxy) that maps a port on a local machine A in the intranet to a port on a remote machine B in the internet, allowing the internet to access the service on A through B.
The implementation should support both TCP and UDP protocols, and support both TCP and QUIC in the transport layer.
Security should be enforced with mutual TLS authentication, with utilities to generate certificates and keys for both A and B based on openssl.
Bandwidth and latency should be comparable to the original frp implementation under 1Gbps network conditions.
Also, your implementation should be different from the original frp implementation.
Most tutorials on the internet only show how to set up a transparent proxy on the primary gateway, i.e., the router.
However, if the primary gateway crashes, the entire network will be affected.
Therefore, it is a better idea to set up the transparent proxy on a secondary device in the network, such as an old Linux laptop or a Raspberry Pi.
Other devices in the network can be transparently proxied by simply setting the secondary device as their gateway, without installing any software on them.
Suppose you have a server A outside your LAN, and a server B inside your LAN. You need to make A appear as if it is on the same network as B, so that devices in your LAN can access A using its local IP address. Further requirements:
- A should have independent IPv4 and IPv6 addresses, different from B.
- A should be able to access devices in B's network, including those outside B's assigned IP-CIDR, and vice versa.
- The outgoing traffic from A should not go through B, but directly to the internet.
- Devices in A's original network should still be able to access A using its original IP address.
Implement a virtual TUN device that acts as a VPN client for IKEv2. But instead of routing all traffic through the VPN, like a standard VPN client, it exposes the virtual network as a SOCKS5 proxy server.
This allows for more flexible routing of traffic through the VPN, as you can choose which applications use the VPN, or which domains are routed through the VPN.
You can either implement a standalone binary, or integrate it into a popular networking tool with high code quality.
Implement a non-standard SNI proxy that can handle HTTP/3 traffic with custom clients.
If there are any other features you want to implement yourself, you can apply to the TA. After the TA evaluates the workload, an appropriate point value will be assigned.
- Basic Task: 25%
- Intermediate Task: 15% each
- Advanced Task: 25% each, with ranking-based scoring
- Bonus: 10%
Notes:
- Do not expect to get a full score easily in the intermediate and advanced tasks. Usability, code quality and commit hygiene will be considered in code review.
- We hope that everyone tries out different realms of networking. If multiple people choose the same advanced task, only the best implementation will receive full points.
Reference Books:
- Beej’s Guide to Network Programming
- High Performance Browser Networking
- The content of this book goes far beyond the requirements of this project. You only need to read the "Networking 101" section and parts of the "HTTP" section.
- TCP/IP Tutorial and Technical Overview
Protocol Documents:
- RFC 1928: SOCKS Protocol Version 5
- RFC 1035: Domain Names - Implementation and Specification
- RFC 9293: Transmission Control Protocol (TCP)
- RFC 768: User Datagram Protocol
- RFC 1149: A Standard for the Transmission of IP Datagrams on Avian Carriers
- RFC 9112: HTTP/1.1
- RFC 9114: HTTP/3
- HTTP on MDN
- RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3
Blogs and Articles:
- Cloudflare Blogs, such as TLS handshake and TLS 1.3 (recommended by Hanning Wang)
- Wikipedia Articles, such as SOCKS5
Feel free to add more.
Thanks to Alan Liang from the 2021 ACM Class for laying the foundation for this project.