VPN definition
Background/history
What layer?
Tunneling
Some protocols
Security
VPN for wireless LANs
Provider provisioned VPNs
What is a Virtual Private Network (VPN)?
A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
- http://www.vpnc.org/terms.html
Example of an IP VPN
LAN-to-LAN (over the Internet)
Connecting offices networks
Router-to-router tunneling
Mesh or hub/spoke
Host-to-LAN
Telecommuters
Visitors etc
Before IP VPNs
Leased lines, dial-up
ATM, Frame Relay
permanent (or switched) virtual circuits
Expensive
Modem banks
Phone charges
Remote Access Servers
Adding a new site could take time
Now each site only needs a single (IP) connection.
Layer-2 or Layer-3 VPN?
Routing or bridging? What if the different networks should be different IP-subnets?
The tunnel end-points should look like IP routers
What if the customer would like their different networks to look like one big LAN?
The tunnel end-points should look like an Ethernet bridge (half-bridge)
What if a single host wants to connect to its ”home router”?
The tunnel could be designed to carry a PPP session.
Tunneling techniques
Figure: tunneling between hosts H1 and H2 via routers R1 and R2. On the LANs the packet is Link Hdr | IP Hdr | Payload; between R1 and R2 it is Link Hdr | IP Hdr | GRE Hdr | IP Hdr | Payload, with the inner part possibly encrypted. R1 encapsulates, R2 decapsulates.
Some interesting technologies
GRE
MPLS
L2TP, PPTP
IPsec
SSL
…
Example: IP-in-IP tunneling using Generic Routing Encapsulation (GRE) (RFC 2874)
GRE is very generic (its protocol type field carries an Ethertype)
Everything over everything?
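As an added example (not from the original slides), the encapsulation in the figure above written out: a router builds an outer IPv4 header (protocol 47) plus an RFC 2784 GRE header in front of the inner IP packet, and the far end strips both. The protocol type field is an Ethertype, which is what lets GRE carry IPv4, IPv6 or whole Ethernet frames. The addresses, keys and payload are constructed sample values, and the decapsulator drops anything malformed rather than forwarding it, which is the check a tunnel endpoint needs before it trusts the inner packet.

```python
import socket
import struct

IPPROTO_GRE = 47          # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type values are Ethertypes
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_TEB = 0x6558    # Transparent Ethernet Bridging: whole Ethernet frames over GRE


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071). Returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (20-byte header, no options) carrying payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner: bytes, protocol_type: int, with_checksum: bool = True) -> bytes:
    """RFC 2784 GRE header: C flag, reserved bits, version 0, protocol type, optional checksum."""
    flags_ver = 0x8000 if with_checksum else 0x0000
    hdr = struct.pack("!HH", flags_ver, protocol_type)
    if with_checksum:
        # the checksum covers GRE header and payload with the checksum field itself zeroed
        csum = ones_complement_sum(hdr + b"\x00\x00\x00\x00" + inner)
        hdr += struct.pack("!HH", csum, 0)
    return hdr + inner


def gre_decapsulate(packet: bytes) -> tuple:
    """Strip outer IPv4 + GRE; return (protocol_type, inner_packet).
    Raises ValueError on anything malformed, which the tunnel endpoint must drop."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet):
        raise ValueError("bad outer IPv4 lengths")
    if ones_complement_sum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    gre = packet[ihl:total_len]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, protocol_type = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")   # RFC 2890 key/sequence extensions not handled
    hdr_len = 4
    if flags_ver & 0x8000:
        hdr_len = 8
        if len(gre) < 8 or ones_complement_sum(gre) != 0:
            raise ValueError("bad GRE checksum")
    return protocol_type, gre[hdr_len:]


def is_valid_tunnel(packet: bytes) -> bool:
    """Accept/drop decision a tunnel endpoint would make on an incoming packet."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


# Constructed sample: H1 (10.1.0.5) sends to H2 (10.2.0.7); R1 (198.51.100.1) tunnels the
# packet to R2 (203.0.113.2). These are documentation ranges, not real hosts.
def inner_packet() -> bytes:
    return build_ipv4("10.1.0.5", "10.2.0.7", 253, b"payload")   # 253 = experimental protocol


def tunnel_packet() -> bytes:
    return build_ipv4("198.51.100.1", "203.0.113.2", IPPROTO_GRE,
                      gre_encapsulate(inner_packet(), ETHERTYPE_IPV4))


if __name__ == "__main__":
    ptype, inner = gre_decapsulate(tunnel_packet())
    print("GRE protocol type 0x%04X, inner packet %d bytes" % (ptype, len(inner)))
```

Nothing in the GRE header authenticates the sender or hides the inner packet: the checksum only catches corruption, which is why the figure marks the inner part as "possibly encrypted" and why the security section below adds IPsec on top of plain tunneling.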
Layer 2 Tunneling Protocol (L2TP)
Figure: H1 dials up (PPP) to a NAS; the NAS carries the PPP session inside an L2TP/UDP/IP tunnel across R1 and R2 to the home router, where the Link | IP | Payload packet is delivered to H2.
RFC 2661 (L2TP), similar to the Point-to-Point Tunneling Protocol (PPTP), by Microsoft
Extends the PPP connection from the Network Access Server (NAS) to the ”home router”. Avoids long-haul dial-ups to the home NAS (use a local NAS).
L2TP tunnels PPP sessions
IP address from home network
PPP contains Ethertype
Can carry IP, IPX, AppleTalk, …
Layer 2 Tunneling Protocol (cont)
Figure: H1 itself builds the L2TP/UDP/IP tunnel to R2 and carries PPP | IP | Payload inside it; R2 delivers Link | IP | Payload to H2.
An L2TP-enabled host with an IP connection can establish the tunnel itself
Not only for dial-up.
Multiprotocol Label Switching (MPLS)
Figure: Eth | MPLS shim header (containing label, ethertype etc) | Payload (e.g. IP)
Anything over anything
”Connection-oriented”
Connection-identifier
Stackable/aggregation
Depends on carrier:
VCI/VPI (ATM)
shim header (Ethernet)
wavelength (Optical)
Quality of Service (QoS)
Traffic engineering
Routing not based on destination IP address
Different flows can be assigned different paths
RFC 3031, …
Security
Tunnel establishment
Authentication handshake
Negotiation of cipher suite
Generation of session key(s).
Authentication infrastructure
Manual configuration
Third party
Certificate Authorities
Public Key Infrastructure
Key distribution centers
”Kerberos-like” model
Data transfer
Encapsulation format
Encryption
DES, AES, Blowfish, …
Integrity protection / packet authentication
HMAC-SHA1, MD5, …
Replay protection, etc
IPSec VPNs
Figure (included with permission from Alberto Escudero, KTH/IMIT/TSLAB): ESP packet layout. IP Header (Next Header = ‘50’, ESP) | ESP Header (Session ID, Sequence #, IV of algorithm-dependent size) | Encrypted Payload | Encrypted trailer (Padding, Pad Len, NXT) | MIC.
Next-header values: TCP = 6, UDP = 17, ESP = 50, IP = 4
RFC 2406, 2408, 2409, …
Authentication handshake
Internet Key Exchange (IKE)
Based on public key (encryption or signature), or pre-shared key
Aggressive/main mode
Encapsulation format
Encapsulating Security Payload (ESP)
Tunnel or transport mode
Modes of operation
Figure (slide included with permission from Alberto Escudero, KTH/IMIT/TSLAB):
Transport mode: IP header | IPsec | Rest of pkt, protected end-to-end between hosts A and B
Tunnel mode: New IP header | IPsec | IP header | Rest of pkt, protected between gateways F1 and F2 on behalf of A and B
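As an added example (not from the original slides), the data-transfer side of an IPsec VPN described above, encapsulation format, integrity protection and replay protection, in tunnel mode: the sender wraps the whole inner IP packet in SPI | Seq# | IV | encrypted(payload, padding, pad len, next header) | ICV, and the receiver verifies the ICV (HMAC-SHA1 truncated to 96 bits, as in RFC 2404) before decrypting, then runs the sequence number through an RFC 2401-style sliding window. The keys and the inner packet are constructed sample values, and the encryption is a labelled stand-in keystream so the example needs only the Python standard library; a real SA would use AES-CBC or AES-GCM in its place.

```python
import hashlib
import hmac
import os
import struct

# Next-header values as on the slide: TCP = 6, UDP = 17, ESP = 50, IP = 4
NEXT_HDR_IPV4 = 4     # tunnel mode: the protected payload is a whole IP packet
NEXT_HDR_TCP = 6      # transport mode would carry e.g. a TCP segment instead
BLOCK = 16            # block size the ESP trailer pads to
ICV_LEN = 12          # HMAC-SHA1-96 (RFC 2404): SHA-1 MAC truncated to 96 bits

# Constructed keys and inner packet (IPv4 10.1.0.5 -> 10.2.0.7, 9-byte payload); not real traffic.
ENC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
AUTH_KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403020100" "01020304")
INNER_IPV4 = bytes.fromhex("4500001d 00000000 40fd65d6 0a010005 0a020007") + b"tunneled!"


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in counter-mode keystream from SHA-256 (lets the framing round-trip offline;
    a real ESP SA uses AES-CBC or AES-GCM here)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + iv + struct.pack("!I", ctr)).digest()
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int = NEXT_HDR_IPV4, iv: bytes = None) -> bytes:
    """SPI | Seq# | IV | encrypt(inner | padding | pad len | next header) | ICV"""
    iv = iv if iv is not None else os.urandom(BLOCK)
    pad_len = (-(len(inner) + 2)) % BLOCK              # make payload + trailer block-aligned
    padding = bytes(range(1, pad_len + 1))             # RFC 2406 default pad pattern 1, 2, 3, ...
    plaintext = inner + padding + bytes([pad_len, next_header])
    ciphertext = xor_bytes(plaintext, keystream(ENC_KEY, iv, len(plaintext)))
    authenticated = struct.pack("!II", spi, seq) + iv + ciphertext
    # the ICV covers everything after the outer IP header, never the outer IP header itself
    icv = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


class ReplayWindow:
    """Anti-replay sliding window: a bitmap over the last `size` sequence numbers,
    advanced only for packets that have already passed the ICV check."""
    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                               # 0 is never a valid ESP sequence number
        if seq > self.last:                            # new high-water mark: slide the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                               # too old, or already seen (replay)
        self.bitmap |= 1 << diff                       # late but fresh: accept and mark
        return True


def esp_decapsulate(packet: bytes, window: ReplayWindow) -> tuple:
    """Verify ICV, check replay, then decrypt and strip the trailer. Returns (spi, next_header, inner)."""
    if len(packet) < 8 + BLOCK + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):         # verify before decrypting, in constant time
        raise ValueError("ICV mismatch: packet forged or corrupted")
    spi, seq = struct.unpack("!II", body[:8])
    if not window.accept(seq):
        raise ValueError("replayed or out-of-window sequence number %d" % seq)
    iv, ciphertext = body[8:8 + BLOCK], body[8 + BLOCK:]
    plaintext = xor_bytes(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("bad pad length")
    return spi, next_header, plaintext[:len(plaintext) - 2 - pad_len]


def demo() -> dict:
    """Round-trip one tunnel-mode packet, then show a replay and a tampered copy being rejected."""
    window = ReplayWindow()
    pkt = esp_encapsulate(spi=0x1001, seq=1, inner=INNER_IPV4)
    results = {"roundtrip": esp_decapsulate(pkt, window) == (0x1001, NEXT_HDR_IPV4, INNER_IPV4)}
    try:
        esp_decapsulate(pkt, window)                   # the very same packet a second time
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    tampered = bytearray(pkt)
    tampered[30] ^= 0x01                               # flip one ciphertext bit
    try:
        esp_decapsulate(bytes(tampered), ReplayWindow())
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver's order matters: the ICV is checked first so that a forged packet can neither advance the replay window nor reach the decryption and padding logic, and the window is the only state that distinguishes a fresh packet from a captured copy of a valid one.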
A sample system
Figure: Internet, CA, DB and IPsec gateway
Simple PKI
Certification Authority
Need not be online
Revocation lists, certificate database
Directory server, e.g. LDAP
Compare FreeS/WAN
Opportunistic encryption
DNS as the key database
VPNs for wireless LANs
Figure: company network behind a firewall (FW), the Internet, and a WLAN access network with access points (AP).
How would a company enable secure WLAN access to their intranet?
One suggestion:
Secure network inside firewall
Wireless Access outside
Treat the WLAN as any remote network
VPN vs IEEE 802.1X?
VPN for confidentiality and integrity protection
IEEE 802.1X for WLAN access control
Provider provisioned VPNs
Large VPNs can be difficult and/or costly to manage.
Trusted VPNs
MPLS-BGP
Peer model rather than overlay
Both Layer-2 and Layer-3 VPNs
Two working groups within IETF
Comments