Slides - KTH


23 Jan 2004
VPN solutions, J-O Vatn © 2004
1

VPN Solutions

Jon-Olov Vatn
KTH/IMIT/TSLab

Outline

- VPN definition
- Background/history
- What layer?
- Tunneling
- Some protocols
- Security
- VPN for wireless LANs
- Provider provisioned VPNs

What is a Virtual Private Network (VPN)?

A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

- http://www.vpnc.org/terms.html


Example of an IP VPN

- LAN-to-LAN
  - Connecting office networks
  - Router-to-router tunneling
  - Mesh or hub/spoke
- Host-to-LAN
  - Telecommuters
  - Visitors etc

(Figure: LAN-to-LAN and host-to-LAN tunnels across the Internet)

Before IP VPNs

- Leased lines, dial-up
- ATM, Frame Relay
  - permanent (or switched) virtual circuits
- Expensive
  - Modem banks
  - Phone charges
  - Remote Access Servers
- Adding a new site could take time

Now each site only needs a single (IP) connection.

Layer-2 or Layer-3 VPN?

- What if the different networks should be different IP subnets?
  - The tunnel end-points should look like IP routers
- What if the customer would like their different networks to look like one big LAN?
  - The tunnel end-points should look like Ethernet bridges (half-bridges)
- What if a single host wants to connect to its "home router"?
  - The tunnel could be designed to carry a PPP session.

Routing or bridging?

Tunneling techniques

- Encapsulation/decapsulation
- Some interesting technologies
  - GRE
  - MPLS
  - L2TP, PPTP
  - IPSEC
  - SSL

Example: IP in IP tunneling using Generic Routing Encapsulation (GRE) (RFC 2874)

- GRE very generic (contains Ethertype)
- Everything over everything?

Figure: IP-in-IP tunneling with GRE between routers R1 and R2
  H1 -> R1:  Link Hdr | IP Hdr | Payload
  R1 -> R2:  Link Hdr | IP Hdr | GRE Hdr | IP Hdr | Payload   (possibly encrypted)
  R2 -> H2:  Link Hdr | IP Hdr | Payload
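The encapsulation and decapsulation the figure shows, written out as an added Python example (not code from the original slides): R1 prepends a base GRE header and an outer IP header, and R2 validates the outer packet, strips both headers and hands the inner IP packet on. The addresses, the packet contents and the `expected_peer` check are constructed assumptions for the example. GRE itself carries no authentication, which is why the only check the decapsulator can make is a (spoofable) source-address comparison and why the slide marks the inner packet "possibly encrypted".

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number announcing a GRE header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type (an Ethertype) for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement Internet checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of the payload; constructed for the example."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """R1: prepend a base GRE header (no checksum/key/sequence options) and an outer IP header."""
    gre_hdr = struct.pack("!HH", 0x0000, protocol_type)   # flags + version = 0, protocol type
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner)


def gre_decapsulate(outer: bytes, expected_peer: str):
    """R2: validate the outer packet, skip the GRE header, return (protocol type, inner packet)."""
    if outer[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (outer[0] & 0x0F) * 4
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet does not carry GRE")
    # GRE has no authentication of its own: the only check a decapsulator can make is
    # that the outer source address is the configured tunnel peer. That address is
    # spoofable; origin authentication comes from IPsec, not from GRE.
    if socket.inet_ntoa(outer[12:16]) != expected_peer:
        raise ValueError("GRE packet from an unexpected peer")
    total_len = struct.unpack("!H", outer[2:4])[0]
    flags_ver, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):   # C, K and S flags each add a 4-byte field
        if flags_ver & bit:
            offset += 4
    return ptype, outer[offset:total_len]
```

Run the encapsulation on a constructed inner packet (`build_ipv4("10.0.1.5", "10.0.2.7", 17, b"hello")`) and the outer packet grows by exactly the 20-byte IP header plus the 4-byte GRE header; decapsulating with the wrong peer address is rejected before the inner packet is looked at.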

Layer 2 Tunneling Protocol (L2TP)

- RFC 2661 (L2TP), similar to the Point-to-point tunneling protocol (PPTP), by Microsoft
- Extends PPP connection from the Network Access Server (NAS) to "home router".
- Avoids long-haul dial-ups to home NAS (use local NAS).
- L2TP tunnels PPP sessions
  - IP address from home network
  - PPP contains Ethertype
  - Can carry IP, IPX, Appletalk, …

Figure: PPP session extended from the NAS (R1) to the home router R2
  H1 -> NAS (R1), dial up:  PPP | IP | Payload
  R1 -> R2:                 Link | IP | UDP | L2TP | PPP | IP | Payload
  R2 -> H2:                 Link | IP | Payload

Layer 2 Tunneling Protocol (cont)

- An L2TP enabled host with an IP connection can establish the tunnel itself
- Not only for dial-up.

Figure: host-initiated L2TP tunnel
  H1 -> R2:  Link | IP | UDP | L2TP | PPP | IP | Payload
  R2 -> H2:  Link | IP | Payload

Multiprotocol Label Switching (MPLS)

- Anything over anything
- "Connection-oriented"
  - Connection-identifier
  - Stackable/aggregation
  - Depends on carrier
    - VCI/VPI (ATM),
    - shim header (Ethernet)
    - wavelength (Optical)
- Quality of Service (QoS)
- Traffic engineering
  - Routing not based on destination IP address
  - Different flows can be assigned different paths
- RFC 3031, …

Figure: Eth | MPLS shim header (containing label, ethertype etc) | Payload (e.g. IP)
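How a stackable shim header and label-based forwarding work, as an added Python example that is not from the slides: each 32-bit label stack entry packs a 20-bit label, 3 experimental bits, the bottom-of-stack bit and a TTL, and a label-switching router decides on the top label alone, never on the destination IP address underneath. The label values, the LFIB contents and the interface names are constructed for the example, and the inner entry's TTL is left untouched on a pop (the "pipe" model). The point for a VPN is that isolation between customers rests entirely on the provider's label tables, since the shim carries no authentication; that is the "trusted VPN" model of the later slides.

```python
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847   # Ethertype of the Ethernet header in front of the shim


def encode_label_stack(entries, payload):
    """entries: list of (label, exp, ttl), outermost first. S=1 marks the bottom entry."""
    out = bytearray()
    for i, (label, exp, ttl) in enumerate(entries):
        if not 0 <= label < (1 << 20) or not 0 <= exp < 8 or not 0 <= ttl < 256:
            raise ValueError("label stack field out of range")
        s = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)
    return bytes(out) + payload


def decode_label_stack(data):
    """Walk the entries until the bottom-of-stack bit; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack")
        word = struct.unpack("!I", data[offset:offset + 4])[0]
        label, exp, s, ttl = word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF
        entries.append((label, exp, ttl))
        offset += 4
        if s:
            return entries, data[offset:]


def lsr_forward(frame, lfib):
    """Label-switching router step: look at the top label only, never at the IP payload.

    lfib maps incoming label -> (action, outgoing label or None, outgoing interface).
    Returns (outgoing interface, outgoing frame); raises when there is no entry (drop)
    or the TTL has expired.
    """
    entries, payload = decode_label_stack(frame)
    label, exp, ttl = entries[0]
    if label not in lfib:
        raise ValueError("no LFIB entry for label %d: drop" % label)
    if ttl <= 1:
        raise ValueError("TTL expired")
    action, out_label, out_if = lfib[label]
    if action == "swap":
        new_entries = [(out_label, exp, ttl - 1)] + entries[1:]
    elif action == "pop":
        new_entries = entries[1:]      # the inner (VPN) label is now on top, TTL untouched
    else:
        raise ValueError("unknown LFIB action %r" % action)
    if not new_entries:
        return out_if, payload         # stack empty: plain IP leaves the MPLS domain
    return out_if, encode_label_stack(new_entries, payload)
```

With two labels pushed (an outer transport label 1000 and an inner VPN label 5000), a swap at a core router rewrites only the outer entry, a pop at the penultimate hop exposes the VPN label, and the egress router's pop delivers the bare IP packet into the right customer context; a label with no LFIB entry is dropped.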

Security

- Tunnel establishment
  - Authentication handshake
  - Negotiation of cipher suite
  - Generation of session key(s).
- Authentication infrastructure
  - Manual configuration
  - Third party
    - Certificate Authorities / Public Key Infrastructure
    - Key distribution centers / "Kerberos-like" model
- Data transfer
  - Encapsulation format
  - Encryption: DES, AES, Blowfish, …
  - Integrity protection / packet authentication: HMAC-SHA1, MD5, …
  - Replay protection, etc

IPSec VPNs

- RFC 2406, 2408, 2409, …
- Authentication handshake
  - Internet Key Exchange (IKE)
  - Based on public key (encryption or signature), or pre-shared key
  - Aggressive/main mode
- Encapsulation format
  - Encrypted Security Payload (ESP)
  - Tunnel or transport mode

Figure: ESP packet format
  IP Header (Next Header = '50' (ESP)) | ESP Header (Session ID, Sequence #, IV (size alg-dependent)) | Payload (encrypted) | Padding, Pad Len, NXT (encrypted) | MIC
  Next Header values: TCP = 6, UDP = 17, ESP = 50, IP = 4

(Figure included with permission from Alberto Escudero, KTH/IMIT/TSLAB)

Modes of operation

- Transport mode
    A -> B:               IP header | IPsec | Rest of pkt
- Tunnel mode
    A -> F1 -> F2 -> B:   New IP header | IPsec | IP header | Rest of pkt

(Slide included with permission from Alberto Escudero, KTH/IMIT/TSLAB)
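The ESP packet layout from the previous slide and the two modes of operation from this one, as an added Python example that is not part of the original slides. To stay self-contained it uses ESP with the NULL cipher, a legitimate authentication-only option, so the payload stays readable while the framing (SPI, sequence number, padding, pad length, next header, MIC as HMAC-SHA1-96) and the anti-replay window are real. The `EspSa` class, the keys, SPIs and addresses are constructed assumptions; a deployment would add the cipher and IV the slide shows and obtain its keys from IKE. Two points a practitioner should take from it: the replay window is consulted before the MIC is checked but only advanced after it verifies, and the MIC is compared in constant time.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50   # Next Header value that announces ESP
IPIP_PROTO = 4   # Next Header inside ESP in tunnel mode: a whole IP packet follows
ICV_LEN = 12     # HMAC-SHA1-96: the SHA-1 HMAC truncated to 96 bits (the slide's MIC)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header (no options) with a valid checksum; constructed for the example."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", ~s & 0xFFFF) + h[12:]


class EspSa:
    """One direction of an ESP Security Association using the NULL cipher (auth only)."""

    def __init__(self, spi, auth_key, window=64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.seq = 0       # sender: last sequence number emitted
        self.highest = 0   # receiver: highest sequence number accepted so far
        self.bitmap = 0    # receiver: bit i set <=> sequence (highest - i) already accepted

    def _icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

    def protect(self, inner, next_header):
        """Sender: SPI | Seq | payload | padding | pad len | next header | ICV."""
        self.seq += 1
        pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
        padding = bytes(range(1, pad_len + 1))     # default padding pattern 1, 2, 3, ...
        body = (struct.pack("!II", self.spi, self.seq) + inner + padding
                + bytes([pad_len, next_header]))
        return body + self._icv(body)

    def _replay_check(self, seq):
        """Cheap preliminary test done before the ICV; changes no state."""
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= self.window:
                raise ValueError("sequence number outside the replay window")
            if self.bitmap & (1 << diff):
                raise ValueError("replayed sequence number")

    def _replay_mark(self, seq):
        """Advance the window only for a packet whose ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.window else 1
            self.bitmap &= (1 << self.window) - 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def unprotect(self, esp):
        """Receiver: check SPI, replay window and ICV, then strip the trailer."""
        if len(esp) < 8 + 2 + ICV_LEN:
            raise ValueError("ESP packet too short")
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        self._replay_check(seq)
        if not hmac.compare_digest(icv, self._icv(body)):   # constant-time compare
            raise ValueError("ICV mismatch")
        self._replay_mark(seq)
        pad_len, next_header = body[-2], body[-1]
        if pad_len > len(body) - 10:
            raise ValueError("pad length larger than the payload")
        return next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(sa, ip_pkt):
    """Keep the original IP header (A and B); ESP covers only the 'rest of pkt'."""
    ihl = (ip_pkt[0] & 0x0F) * 4
    hdr, rest = ip_pkt[:ihl], ip_pkt[ihl:]
    esp = sa.protect(rest, next_header=hdr[9])
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    return ipv4_header(src, dst, ESP_PROTO, len(esp), ttl=hdr[8]) + esp


def tunnel_mode(sa, ip_pkt, gw_src, gw_dst):
    """Whole inner packet goes inside ESP; a new outer header names the gateways F1 and F2."""
    esp = sa.protect(ip_pkt, next_header=IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def receive(sa, pkt):
    """Strip the outer IP header, verify ESP and return (next header, inner bytes)."""
    if pkt[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    ihl = (pkt[0] & 0x0F) * 4
    return sa.unprotect(pkt[ihl:])
```

On a constructed 25-byte inner packet, tunnel mode yields a 68-byte packet whose next header is 4 (IP) and transport mode a 48-byte packet whose next header is the original 17 (UDP). Re-delivering an already accepted packet is rejected by the replay window, and a packet with a corrupted MIC is rejected without moving the window.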

A sample system

- IPSec
- Simple PKI
  - Certification Authority: need not be online
  - Revocation lists, certificate database: directory server, e.g. LDAP
- Compare FreeS/WAN
  - Opportunistic
  - DNS as database

(Figure: Internet, CA, DB)

VPNs for wireless LANs

How would a company enable secure WLAN access to their intranet?

One suggestion:

- Secure network inside firewall
- Wireless Access outside

Treat the WLAN as any remote network

- VPN vs IEEE 802.1X?
  - VPN for confidentiality and integrity protection
  - IEEE 802.1X for WLAN access control

(Figure: Company network | FW | Internet | WLAN access network | AP, AP)

Provider provisioned VPNs

- Large VPNs can be difficult and/or costly to manage.
- Trusted VPNs
  - MPLS-BGP
  - Peer model rather than overlay
  - Both Layer-2 and Layer-3 VPNs
- Two working groups within IETF

References and reading

- Virtual Private Network Consortium (VPNC), http://www.vpnc.org/
- "Virtual Private Networks (VPN)" Web ProForum tutorials, International Engineering Consortium, http://www.iec.org
- FreeS/WAN project (Linux), http://www.freeswan.org
- VTUN: Virtual tunnels (Unix), http://sourceforge.net/projects/vtun/
- IETF, http://www.ietf.org