VPNs and Tunneling - IT 529 Advanced Networking

VPNs, IPSec and Tunneling
Brett Greenwood
IT 529
March 23, 2004
Overview
• Communication needs
• VPN types and implementations
• IPSec
• Other tunneling protocols
– MPLS VPNs
– AToM
– GRE
– PPTP
– L2TP
Corporate Communication
• Intranets
• Extranets
• Remote Users
• Issues
– Privacy
– Loss of data integrity
– Identity spoofing
– Denial-of-service
Solution:
Virtual Private Networks
• “A VPN is one or more WAN links over a shared
public network, typically over the Internet or an
IP backbone from a Network Service Provider
(NSP), that simulates the behavior of dedicated
WAN links over leased lines.” - NOAA
• VPN Types
– Legacy (trusted)
– Secure
– Trusted
– Hybrid
Legacy (Trusted) VPNs
• One or more circuits leased from a
communications provider.
• Each leased circuit acted like a single wire in a
network that was controlled by the customer.
• No one else could use the same circuit, but
privacy not guaranteed.
• The VPN customer trusted the VPN provider to
maintain the integrity of the circuits and to use
the best available business practices to avoid
snooping of the network traffic.
Trusted VPNs
• Trusted VPNs use the internet rather than
traditional communications infrastructure
• WANs can be deployed using Trusted
VPNs
• Security not guaranteed
Secure VPNs
• Traffic encrypted at the
edge of one network or at
the originating computer.
• Traffic moved over the
Internet like any other
data.
• Traffic decrypted when it
reaches the corporate
network or a receiving
computer.
Hybrid VPNs
• Incorporate a Secure VPN over a portion
of a Trusted VPN.
Implementing Secure VPNs
• Goals
– Confidentiality (encryption)
– Integrity
– Authenticity (digital signature)
– Replay protection
• Internet Security Protocol (IPSec) most
widely used for VPN implementation
IP Security Protocol
• Header for securing the payload is placed
after the IP header and before the Layer
4 protocol header (e.g. TCP or UDP):
– Authentication Header (AH) - data
integrity
– Encapsulating Security Payload (ESP)
- confidentiality and data integrity
IPSec Operation Modes
• Transport Mode
– Payload only encrypted
• Tunnel Mode
– Entire datagram encrypted
– Encapsulated in new IP packet
– Encryption may be performed by a router or
other device on behalf of hosts
Tunnel Mode
[Figure: IPSec tunnel between two endpoints, labelled Encryption at one end and Decryption at the other]
Security Associations
• Establish trust between two devices in a peer-to-peer
relationship and enable VPN endpoints to agree on a set
of conversational rules by negotiating policies with a
potential peer.
• Identified through an IP address, a security protocol
identifier, and a unique Security Parameter Index (SPI)
value (a 32-bit number embedded in packet headers).
• Types:
– Internet Key Exchange (IKE) - provides negotiation, peer
authentication, key management, and key exchange.
Bidirectional protocol; provides a secure communication channel
between two devices that is used to negotiate an encryption
algorithm, a hash algorithm, an authentication method, and any
relevant group information.
– IPsec Security Association (IPsec SA) - unidirectional, requiring
separate IPsec SAs established in each direction.
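As an added illustration, not part of the original slides, of how an inbound SA is selected by destination address, security protocol and SPI, and of the replay protection listed under the IPSec goals: the IPv4/ESP packet and its addresses are constructed samples, and the replay window follows the sliding-window scheme of RFC 4303.

```python
import ipaddress
import struct

ESP = 50  # IP protocol number: Encapsulating Security Payload
AH = 51   # IP protocol number: Authentication Header


def parse_ipsec_sa(pkt: bytes):
    """Return the SA selector (dst address, protocol, SPI) and the sequence number.

    Both AH and ESP start with a 32-bit SPI followed by a 32-bit sequence
    number, so the SA can be looked up before any key material is touched.
    """
    ihl = (pkt[0] & 0x0F) * 4               # IPv4 header length in bytes
    proto = pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto not in (ESP, AH):
        raise ValueError("not an IPsec packet (protocol %d)" % proto)
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return (dst, proto, spi), seq


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 style), one per inbound SA."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:                          # 0 is never a valid sequence number
            return False
        if seq > self.top:                    # advance the window to the new high mark
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                      # too old, or a replay of a seen packet
        self.bitmap |= 1 << offset
        return True


def build_sample_packet(spi: int, seq: int) -> bytes:
    """Constructed sample: IPv4 header (no options) carrying ESP with a dummy body."""
    src = ipaddress.IPv4Address("192.0.2.1").packed
    dst = ipaddress.IPv4Address("198.51.100.7").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 8, 0, 0, 64, ESP, 0, src, dst)
    return ip + struct.pack("!II", spi, seq) + b"\x00" * 8   # zeros stand in for ciphertext
```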
IKE Security & Encryption
• Key exchange: Diffie-Hellman key exchange for deriving
key material between peers on a public network
• Signing key exchanges: public key cryptography
guarantees the identity of the two parties and avoids man-in-the-middle attacks
• Encryption: bulk encryption algorithms (DES)
• Packet authentication: Keyed hash algorithms (HMAC)
combined with traditional hash algorithms (MD5 or SHA)
• Digital ID cards: digital certificates signed by a
certificate authority
Other Tunnel Protocols
• MPLS VPNs
• AToM
• GRE
• PPTP
• L2TP
Typical Uses of Tunneling
MPLS VPNs
• “Per-customer tunnels” enabled by service providers operating
MPLS cores.
• Allow enterprises to outsource all or part of their WAN core to a
service provider.
• Allow service providers to separate customer address space on the
provider edge (PE) router.
• When customer traffic enters the service provider's core, a unique
VPN label is appended to the incoming IP packet and then switched
across a tunnel label-switch path (LSP).
• LSPs can be determined based on quality-of-service (QoS)
requirements, traffic engineering, or minimum bandwidth
requirements.
• The tunnel LSP and the VPN label are removed just before sending
the traffic on to the customer's network. Label imposition and
disposition are completely transparent to the customer.
Any Transport Over
MPLS (AToM)
• Transports Layer 2 frames across an MPLS
network
• Similar to an MPLS VPN in that it appends a
label to customer traffic prior to sending it to the
destination peer
• Uses an extended or directed Label Distribution
Protocol (LDP) session to negotiate a unique
virtual circuit or pseudowire label to identify
customer traffic of varying Layer 2 types
Generic Routing
Encapsulation (GRE)
• Takes packets/frames from one network system
and places them inside frames from another
network system in a peer-to-peer configuration.
• Often used to transport legacy Layer 3 protocols
over an IP backbone.
• Packet header with:
– an IP (v4) tunneling or delivery header
– a GRE header with optional fields that include tunnel
key, checksum, and sequencing fields
– the payload (or tunneled Layer 3 packet)
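An added example, not from the slides, that parses the GRE header layout just listed (the base header of RFC 2784 plus the optional checksum, key and sequence fields of RFC 2890) and validates the checksum; build_gre and the inner IPv4 bytes are constructed test input.

```python
import struct

GRE_C = 0x8000   # checksum present
GRE_K = 0x2000   # key present (RFC 2890)
GRE_S = 0x1000   # sequence number present (RFC 2890)
ETHERTYPE_IPV4 = 0x0800

def gre_checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_gre(data: bytes) -> dict:
    """Split a GRE packet (the bytes after the IPv4 delivery header) into fields and payload."""
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & 0x7:
        raise ValueError("only GRE version 0 is supported")
    hdr = {"proto": proto, "checksum_ok": None, "key": None, "seq": None}
    off = 4
    if flags & GRE_C:
        (csum,) = struct.unpack("!H", data[4:6])
        # the checksum covers header and payload with the checksum field itself zeroed
        hdr["checksum_ok"] = gre_checksum(data[:4] + b"\x00\x00" + data[6:]) == csum
        off += 4                                # checksum + reserved1
    if flags & GRE_K:
        (hdr["key"],) = struct.unpack("!I", data[off:off + 4])
        off += 4
    if flags & GRE_S:
        (hdr["seq"],) = struct.unpack("!I", data[off:off + 4])
        off += 4
    hdr["payload"] = data[off:]                # the tunneled Layer 3 packet
    return hdr

def build_gre(payload: bytes, key=None, seq=None, proto=ETHERTYPE_IPV4) -> bytes:
    """Constructed sample builder (inverse of parse_gre, checksum always set) for offline input."""
    flags, opts = GRE_C, b""
    if key is not None:
        flags, opts = flags | GRE_K, opts + struct.pack("!I", key)
    if seq is not None:
        flags, opts = flags | GRE_S, opts + struct.pack("!I", seq)
    head = struct.pack("!HH", flags, proto)
    csum = gre_checksum(head + b"\x00\x00\x00\x00" + opts + payload)
    return head + struct.pack("!HH", csum, 0) + opts + payload
```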
Point-to-Point Tunneling
Protocol (PPTP)
• Developed by Microsoft
• Widely deployed in Microsoft systems to
enable voluntary VPNs.
• Provides weak encryption
Layer 2 Tunneling
Protocol (L2TP)
• Incorporates best attributes of PPTP and Cisco’s Layer 2
Forwarding (L2F)
• L2TP is used to tunnel PPP over a public IP network
• Divorces the Point-to-Point Protocol (PPP) endpoint from the
Layer 2 circuit termination point—user connects to the local
ISP POP, and PPP frames are tunneled across the packet-switched network (PSN) for remote termination on an
L2TP network server (LNS).
• Used by service providers to deploy VPNs directly to
business customers and other ISPs in a wholesale dial
scenario, and by enterprises to support remote users.
Conclusion
• Virtual Private Networks
• Internet Security Protocol
• Tunneling