This project was built to deeply understand how TCP and TLS operate over a routed Layer-3 network.
Instead of using physical hardware, Linux network namespaces were used to simulate:
- Isolated network nodes (client, router, server)
- Two different IP subnets
- IP forwarding across a software router
- Real packet-level protocol behavior
The objective was to analyze:
- TCP 3-way handshake
- TLS 1.2 handshake workflow
- Certificate exchange in plaintext
- Encryption boundary after
ChangeCipherSpec - TTL decrement across a router (Layer-3 proof)
This project was later extended to include Mutual TLS (mTLS) to demonstrate two-way authentication, where both client and server verify each other's identity using certificates.
This project provides a hands-on, packet-level understanding of secure communication mechanisms used in modern distributed systems and zero-trust architectures.
| Namespace | Interface IP | Subnet |
|---|---|---|
| red (Client) | 10.0.1.2 | 10.0.1.0/24 |
| router | 10.0.1.1 / 10.0.2.1 | Two connected subnets |
| blue (Server) | 10.0.2.2 | 10.0.2.0/24 |
- Default gateway (red):
10.0.1.1 - Default gateway (blue):
10.0.2.1 - IP forwarding enabled in router namespace
- Ubuntu 22.04 (or compatible Linux system)
- iproute2
- OpenSSL
- tcpdump
- Wireshark (host machine)
./generate_certs.shsudo ./setup.shsudo ip netns exec red ping 10.0.2.2Expected observation:
- Successful ping replies
- TTL decreases from 64 → 63 (proof of router traversal)
sudo ./cleanup.shThis section demonstrates capturing and analyzing the TLS handshake at packet level in a clean, linear workflow.
sudo ip netns exec router tcpdump -i any port 4433 -w tls_capture.pcapKeep this running.
(Open a new terminal)
sudo ip netns exec blue openssl s_server \
-accept 4433 \
-cert /certs/server.crt \
-key /certs/server.key \
-tls1_2Expected output:
ACCEPT
(Open another terminal)
sudo ip netns exec red openssl s_client \
-connect 10.0.2.2:4433 \
-CAfile /certs/ca.crt \
-tls1_2This initiates the TLS handshake.
Press:
Ctrl + Cin the tcpdump terminal.
Open the generated .pcap file in Wireshark.
tls
tcp.port == 4433
- TCP 3-way handshake occurs before TLS begins
- TLS handshake messages visible:
- ClientHello
- ServerHello
- Certificate
- ServerHelloDone
- ClientKeyExchange
- Encryption starts after
ChangeCipherSpec - Subsequent packets appear as:
TLS Application Data
This section demonstrates mutual authentication where both client and server verify each other using certificates.
sudo ip netns exec router tcpdump -i any port 4433 -w mtls_capture.pcapKeep this running.
sudo ip netns exec blue openssl s_server \
-accept 4433 \
-cert /certs/server.crt \
-key /certs/server.key \
-CAfile /certs/ca.crt \
-Verify 1 \
-tls1_2sudo ip netns exec red openssl s_client \
-connect 10.0.2.2:4433 \
-cert /certs/client.crt \
-key /certs/client.key \
-CAfile /certs/ca.crt \
-tls1_2Expected result:
- Handshake succeeds
- Client and server authenticate each other
sudo ip netns exec red openssl s_client \
-connect 10.0.2.2:4433 \
-CAfile /certs/ca.crtExpected result:
- Handshake fails
- Server rejects client
Press:
Ctrl + Cin the tcpdump terminal.
Open the generated .pcap file in Wireshark.
tls
tcp.port == 4433
- Server sends
Certificate Request - Client responds with its
Certificate - Client proves identity using
Certificate Verify - Mutual authentication is established
- Without client certificate → handshake failure
After ChangeCipherSpec, Wireshark shows:
TLS Application Data
This applies to both TLS and mTLS, indicating the transition from asymmetric to symmetric encryption.
Initial TTL: 64
Observed TTL: 63
| Feature | TLS | mTLS |
|---|---|---|
| Server Authentication | ✅ | ✅ |
| Client Authentication | ❌ | ✅ |
| Certificate Exchange | One-way | Two-way |
| Security Level | High | Very High |
| Use Cases | HTTPS | Zero Trust, Microservices |
network_namespaces/
│
├── blue_namespace/
│ ├── server.crt
│ ├── server.key
│ └── ca.crt
│
├── red_namespace/
│ ├── client.crt
│ ├── client.key
│ └── ca.crt
│
├── ca/
│ ├── ca.crt
│ └── ca.key
│
├── diagrams/
│ └── topology.png
│
├── screenshots/
│
├── report/
│ └── report.pdf
│
├── setup.sh
├── cleanup.sh
├── generate_certs.sh
├── README.md
├── tls_capture.pcap
└── mtls_capture.pcap
Self-signed certificates are used for educational purposes only.
- Layer-3 routing using namespaces
- TCP handshake understanding
- TLS 1.2 internals
- Mutual TLS (mTLS) authentication
- Certificate Authority (CA) concepts
- Packet-level analysis with Wireshark
Samyak Gedam
National Institute of Technology Surathkal, Karnataka
Built as part of first task in mini-project course during my 2nd Semester.