GFK's Palace: Software review: Hamachi

« Violence en France | Main | CPAN.pm on OpenSlug »

décembre 16, 2005

Software review: Hamachi

I've been following for some weeks the discussion about VPN on Steve Gibson and Leo Laporte Security Now podcast. This week, they talked about Hamachi, a free VPN client.

I must say that I'm impressed, really impressed, it's a great piece of software. However, I think that I've found a fatal flaw in their design that could sink that Titanic.

What is it?

Hamachi is a small program that stays open in the background, and manages secured connections between computers that you approved. It's available for Windows 2000/XP and i386 Linux, but a MacOSX version should be available Real Soon Now.

Ease of use

The windows version has a graphical user interface that is really easy to use. The first time you install the program, there's a little wizard that explains how to use the most important functions.

Having worked with other VPN products before, I'm absolutely stunned by the simplicity of the system. So little buttons, so little parameters, yet it works on the first try. This is absolutely brilliant, especially when you compare it to the alphabet soup of the other protocols.

Being "born" in the Macintosh world, one thing that particularly irritates me is unusual user interfaces. There are guidelines for making a good user interface, yet smart asses stubbornly continue to invent their own. Specifically, what's driving me nuts with their interface is:

About every function of this program is accessed with right clicking. That will be nice on the MacOSX version with its one button mouse...

Dark grey/light grey color scheme. Can't you just make it look like the rest of the computer?

Small top window buttons that look like a cheap rip-off of MacOSX.

If the program is running in the system tray, clicking on the "close" button should close the window, not the program.

Anyway, I realise that most people won't care about that, so I'll shut-up about it.

NAT traversal

One of the biggest reasons for a network administrator to do acid-reflux is NAT, Network Address Translation. It's a great of way of solving the IP address shortage, but it breaks the network paradigm. Setting up peer-to-peer applications (games, videoconferencing, VoIP, Instant Messaging, etc) is a pain in the butt when dealing with NAT.

The smart people at Hamachi say that they have solved this problem for 97% of the situations. While I don't have proof of this number, I can attest that it worked for 100% of the situations I tested. Thumb's up for that! Sorry Mr. Ebert, I won't do it again...

IP addressing

The first thing that Steve Gibson talked about was the IP addressing used by Hamachi: the 5.0.0.0/8 subnet. This is highly surprising since it's an ICANN/IANA Reserved subnet. In other words they have no right to use it, but they did and it's what makes their program so great. I also believe that's what will make it sink.

When you first log into the program, you get an IP address in the 5.0.0.0/8 subnet -- yes, a public, routable, full blown, IP address. And it's yours, Hamachi guarantees that no one else will get this IP address. This address will be used to reach the computer that this instance of Hamachi is running on using the encrypted network.

The networking type of people reading this will ask the obvious question: Who the fuck do they think they are distributing IP addresses like that? Right now this shouldn't be problem, since the 5.0.0.0/8 subnet is reserved, no one in his right mind would use it. Oops! That's the problem: once another wild kid decides to use that subnet for their own killer application, problems are going to happen.

If Hamachi want to go legit, they'll have to take their protocol to the IETF, ISO or another standard publishing body. Once they do that, the chance that they'll get the 5.0.0.0/8 subnet for their protocol is very slim. That means that you'll have to use another IP address for the "standard compliant" version of Hamachi. Each user will need to reconfigure all of their programs to use the new IP. A nightmare is looming...

In a way, I understand why they did this. If they had gone to a standard body and tried to standardize their protocol, they would have got an answer ranging from "screw you" to "make a working prototype first." After the prototype is made, it takes years for the standard to be approved -- and Microsoft would have patented it while no one was looking.

I'm convinced that using the 5.0.0.0/8 subnet is a dead-end; it's never going to be standard. Hamachi will remain a clever hack, never a serious application. The worst thing here is that they could have avoided this problem, there's a standard that has been designed to avoid this problem: IPv6, the new version of the Internet Protocol. The version of the Internet Protocol used by Hamachi is IPv4.

If an IP address in the IPv4 world is worth 1$/month, it's not worth a penny in the IPv6 world, anyone will get millions of them from their ISP. It's not a problem; it's what IPv6 was designed for. It would be possible to give an IPv6 address to every atom in the universe.

Hamachi could ask ICANN/IANA for an IPv6 subnet and I'm pretty sure that they would get one. Then they could distribute addresses in that subnet with full legitimacy. Every modern OS supports IPv6 now, so the low-level routing that's done by the program would work just as well.

The IP addressing issue is, in my opinion, the worst problem with this system. It's all ready too late to make an easy switch to IPv6 -- it has been since they released that first IP address to the public. The problem is that every minute it gets worse.

Free as in beer

Several companies that try to solve the VPN problem charge a fee for their solutions, Hamachi doesn't. They can do that in part because they don't act as a proxy for the bulk of the encrypted traffic, keeping their bandwidth costs down.

While they provide a Linux version of their program, it's only available in binary form, not open source. It's a bit disconcerting to use a free binary to secure your sensitive data. More importantly I doubt that they'll provide binaries for every esoteric version of Unix out there. What's the good of having a VPN that you can't use on all of your servers?

From a market point of view, this is dangerous too. I'm sure that some open-source zealot will make an open-source clone of Hamachi. After some time, I wouldn't be surprised if the open-source version would be more popular than the official one -- anyone remembers OpenSSH vs ssh®? If Hamachi would release an open-source version of their client, they would avoid that competition, and even get leverage from the bright minds of the open-source world.

Performance

While writing this review, I wondered what performance hit I would get when using the VPN provided by Hamachi. I did some benchmarking with NetPerf.

Benchmark without VPN

This test is done on my local 100 Mbps network, between a Pentium 1.6 GHz with 512 MB RAM running WinXP SP2 and a AMD Athlon XP2000+ 1.3 GHz with 512 MB RAM running Debian testing.

C:\Tele>netperf-a4.exe -H 192.168.0.2
TCP STREAM TEST to 192.168.0.2
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec
 87380   8192   8192    10.00      83.75

Benchmark with VPN

This test was done between the same two machines but using the encrypted tunnel provided by Hamachi.

C:\Tele>netperf-a4.exe -H 5.12.76.70
TCP STREAM TEST to 5.12.76.70
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec
 87380   8192   8192    10.00      23.45

The 72% loss might be a bit impressive but it's important to realise that we're still getting 23 Mbps through this encrypted tunnel. When will you need more than that? Most Internet connections provide a fraction of that. Heck, you could run a dozen high-quality videoconferencing channels through it!

Summary

Pros

Zero configuration (really!)
Easy to use
Can bypass the vast majority of NAT routers
Free
Good performance

Cons

Non standard protocol, addressing
Unusual interface (right click madness)
Closed source

Overall an impressive feat of engineering, I'm using it and I'm happy with it. However, I'm sure that an open-source version that uses IPv6 addresses will eventually kill this bird.

Posted by gfk at décembre 16, 2005 4:23 PM

Comments

Hi Guillaume,

I read your review linked from /. thread about Hamachi. As you may see I also posted a response there and I want to follow up on it with private email. [Alex authorized the posting of this email here.]

The section of the review that bashes the use of 5.x.x.x, you are missing one huge point there. We are not distributing Internet IP addresses, we distribute IP addresses that are used in an isolated private routing domain. They are not visible to Internet, they are not addressible from it nor the Internet can be reached from our virtual adapters.

This is pretty much like you can setup your private phone system at home and use 10 digit number to address the kitchen. The addressing system is the same as public phone system, but the addressing domain is not. So they co-exist.

Clearly this can create address collisions should IANA decide to open up 5/8 subnet. But the only problem it will create is it will require Hamachi-equipped node to manage their 5.x.x.x routing more precisely. And perhaps add a mechanism for setting up routing preferences in these cases.

IPv6 is a good and better alternative, but it is [not] feasible for dumb-user systems because of a numerous support issues on Windows boxes. Windows implementation is basically not widely used, therefore it is not mature enough and it WILL cause major support problems.

If you have any questions or comments, I'd be interested in hearing them.

Cheers,
Alex

Posted by: Alex Pankratov at décembre 21, 2005 6:16 PM

Alex Pankratov a écrit :
Hi Guillaume,

Hi Alex,

I read your review linked from /. thread about Hamachi. As you may see I also posted a response there and I want to follow up on it with private email.

It's all in your honor. It's not often that we see software authors care enough to respond to criticism.

The section of the review that bashes the use of 5.x.x.x, you are missing one huge point here. We are not distributing Internet IP addresses, we distribute IP addresses that are used in an isolated private routing domain. They are not visible to Internet, they are not addressible from it nor the Internet can be reached from our virtual adapters.

Very true, but you'll certainly agree with me that this is a design that should be avoided is possible. I understand that this was not easily feasible in your case. As I said in my review, if you had waited to receive approbation from IANA/IETF/ISO/etc, this program would never have been made.

Did you consider using the link local range, 169.254.0.0/16 (RFC 3300)? You would have had to use a more complex addressing scheme, for example to attribute addresses so that they're unique to each Hamachi network.

It's not clear to me how you would do that. If Hamachi has assigned me 5.1.2.3 and the rest of the world sees it as assigned to www.google.com, no clever routing mechanism is going to solve that problem.

I guess you're right, but it's kind of a chicken and egg problem. No one is using IPv6 since it's not working well and it's not working well since no one is using it.

Could you add to your wishlist the option of having an IPv6 address assigned to my computer instead of a 5/8 address? At least, those masochistic enough to use IPv6 will be able to.

If you have any questions or comments, I'd be interested in hearing them.

Do you mind if I post your message in the comments section of the blog entry? So that readers can see your rebuttal.

Cheers,
Alex

Happy holidays,
GFK's

Posted by: Guillaume Filion at décembre 21, 2005 6:25 PM

Very true, but you'll certainly agree with me that this is a design that should be avoided is possible.

It is a matter of goals and instruments. For zero-configuration system that must have very low degree of an address collision chances, this is the only option.

I understand that this was not easily feasible in your case. As I said in my review, if you had waited to receive approbation from IANA/IETF/ISO/etc, this program would never have been made.

I must say I was ticked off by the 'who the fuck' part and the fact that you basically made an incorrect assumption and went on with critique. I am obviously in no position to tell you how to write your own reviews, but I do find this type of review style quite a bit strange.

It's an option, but it significantly complicates tasks of address management. Also because IPs are assigned dynamically, it effectively prevents users from using their personal firewalls to enfore access control in their virtual networks. And for the same reason it requires users to have far more trust in a server that they have with static IP option.

No, it won't. What I was referring to is giving the user an ability to resolve address collisions manually. A good example is a Fastweb provider in Italy that currently uses 5/8 range for a city of Genoa. Just one big NAT'ed city. Hamachi does not natively work in this setup, but it can be configured to enable communications with specified subset of Hamachi peers.

Could you add to your wishlist the option of having an IPv6 address assigned to my computer instead of a 5/8 address? At least, those masochistic enough to use IPv6 will be able to.

It is already there. There's very little demand for it at the moment though as you can imagine.

Do you mind if I post your message in the comments section of the blog entry? So that readers can see your rebuttal.

Sure thing.

Happy holidays,
GFK's

Likewise.
Alex

Posted by: Alex Pankratov at décembre 21, 2005 6:32 PM

What could be interesting is a Hamachi experiment with IPv6. Let's call it Hamachi6. Since most people are already in networks of people they know and people they have local influence on, this could work. You wouldn't necessarily be excluding anyone, since they can keep to their IPv4 version of Hamachi.

When the early adaptors have finished dealing with the bugs and usability issues, it would then be possible to encourage the other people to move. It would create a parallel Hamachi version, but maybe it would give th l33t users the feeling they have something extra ;)

A nice base for the protocol could be Miredo, an implementation of Microsofts Teredo technology, since much of the work has already been done, and it already deals with NATs on a large number of platforms.

The only question is since there is no such thing as a private address range with IPv6, would this defeat the purpose?

Posted by: tamarok at juin 5, 2006 7:29 PM

Hello tamarok,

I think that Hamachi is aimed at people with little to medium networking knowledge. Which must be around 99.5% of the Internet users...

Real geeks (the other 0.5%) would likely use something like OpenVPN. And anyone using IPv6 can be qualified as a "real geek." ;-)

Also, about the need for VPN on IPv6. Even if there are no private addresses, there will be networks that will be firewalled so a VPN will still be needed.

Cheers,
GFK's

Posted by: GFK's at juin 5, 2006 7:41 PM

Re: "It would be possible to give an IPv6 address to every atom in the universe." The nitpicking scientist in me made me search Google for "number of atoms in the universe" and the answer came back as in the order of 10^80 (10 to the power of 80), which in binary is about 2^266. Thus it would take 266 bit addresses to number every atom in the (observable) universe. IPv6 "only" uses 128 bit addresses, for a total of 3.4 x 2^38 of addresses, enough to give every person on the planet 5.6 x 10^28 addresses. Since the human body consists of about 7 x 10^27 atoms, it would be more correct to say that there will be enough IPv6 addresses for the entire human population of this planet to give one to every atom of their bodies, though not every atom on this planet, let alone the universe.

Posted by: Joe Wein at mai 1, 2009 8:29 PM

GFK's Palace

"One worthwhile task carried to a successful conclusion is worth half-a-hundred half-finished tasks." -- Malcom S. Forbes