Hamachi

From Wikipedia, the free encyclopedia

Hamachi screenshot
Developer: LogMeIn Inc.
Latest release: 1.0.1.5 / Jan 15, 2007
OS: Microsoft Windows, Linux, Mac OS X
Use: P2P, VPN
License: Freeware
Website: www.logmeinhamachi.com

Hamachi is a centrally managed, zero-configuration virtual private networking (VPN) freeware application capable of establishing direct links between computers that are behind NAT firewalls without requiring reconfiguration (in most cases). It is currently available as a beta version for Microsoft Windows, Mac OS X and Linux. On August 8, 2006, it was announced that Hamachi was being purchased by LogMeIn.[1]


How it works

Hamachi is a centrally-managed VPN system. It comprises the server cluster managed by the vendor of the system and the client software, which is installed on end-user computers.

The client software adds a virtual network interface to the computer, which is used to intercept outbound and inject inbound VPN traffic. Outbound traffic sent by the operating system to this interface is delivered to the client software, which encrypts and authenticates it and then sends it to the destination VPN peer over a specially initiated UDP connection. Hamachi currently handles tunneling of IP traffic, including broadcasts and multicast. The Windows version also recognizes and tunnels IPX traffic.

Each client establishes and maintains a control connection to the server cluster. When the connection is established, the client goes through a login sequence, followed by a discovery process and state synchronization. The login step authenticates the client to the server and vice versa. Discovery is used to determine the topology of the client's Internet connection, specifically to detect the presence of NAT and firewall devices on its route to the Internet. The synchronization step brings the client's view of its private networks in sync with the other members of those networks.

When a member of a network goes online or offline, the server instructs the other network peers to either establish or tear down tunnels to that member. When establishing tunnels between peers, Hamachi uses a server-assisted NAT-traversal technique similar to UDP hole punching. Detailed information on how it works has not been made public. The vendor claims "...to successfully mediate P2P connections in roughly 95% of all cases ..." [3]. This process does not work on certain combinations of NAT devices, requiring the user to explicitly set up a port forward. Additionally, the 1.0 series of client software is capable of relaying traffic through vendor-maintained 'relay servers'.

In the event of unexpectedly losing its connection to the server, the client retains all its tunnels and starts actively checking their status. When the server unexpectedly loses the client's connection, it informs the client's peers of the fact and expects them to also start liveness checks. This enables Hamachi tunnels to withstand transient network problems on the route between the client and the server, as well as short periods of complete server unavailability.

Each Hamachi client is assigned an IP address from the 5.0.0.0/8 network. This address is assigned when the client logs into the system for the first time, and is henceforth associated with the client's public crypto key. As long as the client retains its key, it can log into the system and use this 5.x.x.x IP address.

The 5.0.0.0/8 network is used to avoid collisions with private IP networks that might already be in use on the client side, specifically 10.x.x.x/8, 172.16.x.x/12 and 192.168.x.x/16. The 5.0.0.0/8 network has been reserved by the IANA for the past ten years and is not used in the Internet routing domain. Should this range be allocated, Hamachi users will not be able to connect to any Internet IP addresses within the range as long as the Hamachi client is running.

Using a Class A subnet has the additional benefit of creating a single broadcast domain between all clients. This makes it possible to use LAN protocols that rely on IP broadcasts for discovery and announcement services over Hamachi networks.
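The address-range reasoning above can be checked mechanically. The following is an added example (not Hamachi's code): it confirms that 5.0.0.0/8 does not overlap the RFC 1918 ranges, then simulates longest-prefix routing to show which Internet destinations the client's /8 route would capture. The route table and the interface name `ham0` are constructed assumptions.

```python
"""Route-shadowing check for a VPN that claims a whole /8 (added example).

Models the article's claim: a 5.0.0.0/8 VPN range collides with none of the
RFC 1918 private ranges, but any Internet destination inside 5.0.0.0/8 is
routed into the tunnel (and so becomes unreachable) while the client runs.
"""
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
VPN_RANGE = "5.0.0.0/8"
VPN_IFACE = "ham0"  # assumed interface name, constructed for the example

# Constructed route table: (prefix, egress interface). A home LAN, the
# default route, and the route the VPN client installs for its /8.
ROUTES = [
    ("192.168.1.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),
    (VPN_RANGE, VPN_IFACE),
]


def collisions(vpn_range, local_nets):
    """Return the local subnets that overlap the VPN range (empty for RFC 1918)."""
    vpn = ipaddress.ip_network(vpn_range)
    return [n for n in local_nets if ipaddress.ip_network(n).overlaps(vpn)]


def lookup(routes, dst):
    """Longest-prefix match over the route table, as a kernel would do it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def shadowed(routes, vpn_iface, destinations):
    """Destinations the VPN route captures instead of the default route."""
    return [d for d in destinations if lookup(routes, d) == vpn_iface]


if __name__ == "__main__":
    print("RFC 1918 collisions:", collisions(VPN_RANGE, RFC1918))
    print("shadowed:", shadowed(ROUTES, VPN_IFACE, ["5.1.2.3", "8.8.8.8", "192.168.1.10"]))
```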

Hamachi is frequently used for gaming and remote administration. The vendor provides free basic service and extra features for a fee.

In February 2007, an IP-level block was imposed by the Hamachi servers on parts of the Vietnamese Internet address space due to "the scale of the system abuse originating from blocked addresses" [2]. According to [3], the company is working on a less intrusive solution to the problem.

Security

As with any closed-source or not thoroughly reviewed application, several security considerations apply:

  • the absence of source code for review
  • its current beta status and possible impact of remaining bugs on security

Additionally, due to Hamachi's use as a VPN application, the following considerations apply:

  • additional risk of disclosure of sensitive data which is stored by, or may be logged by, the mediation server (minimal where data is not forwarded through it)
  • the security risks due to vulnerable services on remote machines otherwise not accessible behind a NAT, common to all VPNs

Although Hamachi uses strong, industry-standard algorithms to encrypt data [3], the implementation remains closed source and therefore cannot be fully audited by the public for potential security problems or backdoors.

For the product to work, a "mediation server", operated by the vendor, is required. This server stores the nickname, maintenance password, statically allocated 5.0.0.0/8 IP address and the associated authentication token of the user. For every established tunnel, it could log the real IP address of the user, time of establishment and duration as well as the other interconnected users.

As all peers sharing a tunnel have full "LAN-like" access to each other's computers, security problems may arise if host firewalls are not used, just as on any unprotected LAN. The security features of the NAT router/firewall are bypassed. This is not specific to Hamachi and needs to be addressed with other VPNs as well.

In the Security Now! podcast Steve Gibson described Hamachi as a: "...brand new, ready to emerge from its long development beta phase, ultra-secure, lightweight, high-performance, highly polished, multi-platform, peer-to-peer and FREE! personal virtual private networking system ..." and that he had "... fully vetted the system's security architecture ...".[4]

In the following episode, to a question raised by Randal Schwartz: "Hamachi's not open source. How can we trust it?", Gibson replied: "... it's one of the things that made me anxious and continues to make me anxious. I'm going to end up probably over on OpenVPN ...". Later he continued: "But Hamachi is - I'm convinced that Alex has really designed this system exactly as he's told me he has. He's got years of experience with security, implementing IPSec tunnels, you know, classic VPN solutions. I couldn't feel any better about this than I do, short of doing a complete source audit ... which is just not practical. So it's certainly the case though that, well, I mean, you know, we're trusting Bill when we use Windows." and "... I'm sure Alex has told me the truth, but I have no proof of it."[5]

References

  1. ^ Press Release: LogMeIn Acquires Instant VPN Creator (2006-08-08). Retrieved on 2006-08-08.
  2. ^ http://forums.hamachi.cc/viewtopic.php?p=46474#46474
  3. ^ http://forums.hamachi.cc/viewtopic.php?p=48033#48033
  4. ^ "Security Now!" podcast #18 transcript
  5. ^ "Security Now!" podcast #19 transcript

See also

Virtual Private Networks

Network address translation

External links

Gaming with Hamachi