FIRE: Flexible Intra-AS Routing Environment

Privacy Issues in Virtual Private Networks
Tim Strayer
BBN Technologies

What is a VPN?
• Private network running over shared network infrastructure (Internet)
  - Allows interconnection of different corporate network sites
  - Allows remote users to access the corporate network
  - Allows controlled access between different corporate networks

Why VPNs?
[Figure: two diagrams of Headquarters and Remote Site intranets. Private network: sites linked by Frame Relay, ATM, or Dial-Up Service. Public network: sites linked over the Internet to form an “Intranet”.]

VPN Rationale
• Private Networks
  - Costly
  - Inflexible
  - Multiple Infrastructures
• Virtual Private Networks
  - Inexpensive
  - Configurable
  - Single Infrastructure

The First VPN
• 1975, BBN delivered the first Private Line Interface (PLI) to the Navy
• Created secure network communication over the ARPANET
• Used a proprietary encryption and manual keying system

VPN Technologies
• Tunneling
  - Overlay facilitates sharing common infrastructure
  - IPsec, PPTP, L2TP, MPLS
• Security
  - Authentication: PKI, RADIUS, Smartcard
  - Access Control: Directory Servers, ACLs
  - Data Security: Confidentiality, Integrity
• Provisioning
  - QoS
  - Traffic Engineering

Island Metaphor
[Figure: island metaphor. A “Hello!” message travels between islands aboard the ship “SS Encapsulator”; speech bubbles read “Hello!”, “Oh! Hi!” and “???”.]

Tunneling
[Figure: Outer Header | Inner Packet | Trailer. Inner Packet: for target network. Outer Header and Trailer: for transport network.]
• Usually layers are inverted

Layer:     2         3    4    7
Protocol:  Ethernet  IP   TCP  FTP

Layer:     2         3    2    3
Protocol:  Ethernet  IP   PPP  IP

Tunnels at Layer 2
• Point-to-Point Tunneling Protocol (PPTP)
  - Integrated into Microsoft DUN and RAS
  - Authentication/encryption provided by PPP

Layer:     3    4      2    3
Protocol:  IP   GREv2  PPP  IP/IPX

• Layer 2 Tunneling Protocol (L2TP)
  - Combines PPTP with Cisco L2F
  - Layer 2 tunneling, UDP encapsulation

Layer:     3    4    2    3
Protocol:  IP   UDP  PPP  IP/IPX/IPsec

IPsec Protocol Suite
• Data encryption and authentication
  - Two protocols
    • Encapsulating Security Payload (ESP) assures data privacy and party authentication
    • Authentication Header (AH) assures only party authentication
  - Cryptographic key management
    • Works well with Public Key Infrastructure and X.509 Certificates
• Transport and tunnel modes of operation
• IPsec VPNs use tunnel mode and ESP

IPsec Tunneling
[Figure: ESP tunnel-mode packet. Fields: New IP Header, Security Parameter Index, Sequence Number, Original IP Header, Original IP Payload (together the Original IP Packet), ESP Trailer, ESP Authentication. Brackets mark the Encrypted and Authenticated regions.]

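The packet layout on the slide above, as an added example that is not part of the original talk: it assembles and splits a tunnel-mode ESP packet and checks the ESP Authentication field, which per RFC 4303 covers the Security Parameter Index through the ESP Trailer but not the New IP Header. The HMAC-SHA-256-128 algorithm, key, addresses, SPI value and the stand-in ciphertext are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16    # assumption: HMAC-SHA-256-128, tag truncated to 16 bytes
ESP_PROTO = 50  # IP protocol number for ESP

def icv(auth_key: bytes, covered: bytes) -> bytes:
    """ESP Authentication field computed over SPI .. ESP Trailer."""
    return hmac.new(auth_key, covered, hashlib.sha256).digest()[:ICV_LEN]

def build_esp_tunnel(src, dst, spi, seq, ciphertext, auth_key) -> bytes:
    """New IP Header | SPI | Sequence Number | ciphertext | ESP Authentication."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    total = 20 + len(esp) + ICV_LEN
    # Constructed outer IPv4 header (TTL 64, header checksum left at 0).
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64,
                        ESP_PROTO, 0, bytes(src), bytes(dst))
    return outer + esp + icv(auth_key, esp)

def parse_esp_tunnel(packet: bytes, auth_key: bytes) -> dict:
    """Split a tunnel-mode ESP packet and check its authentication field."""
    if len(packet) < 20 or packet[9] != ESP_PROTO:
        raise ValueError("not an IPv4 ESP packet")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    esp, tag = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", esp[:8])
    return {"outer_dst": ".".join(map(str, packet[16:20])), "spi": spi,
            "seq": seq, "encrypted_len": len(esp) - 8,
            "icv_ok": hmac.compare_digest(tag, icv(auth_key, esp))}

def flip_bit(packet: bytes, offset: int) -> bytes:
    """Return a copy of the packet with one bit changed at the given offset."""
    changed = bytearray(packet)
    changed[offset] ^= 0x01
    return bytes(changed)

# Constructed sample: the ciphertext stands in for the encrypted original IP
# packet plus ESP trailer; no cipher is run here.
KEY = b"constructed-demo-auth-key-000000"
PACKET = build_esp_tunnel([192, 0, 2, 1], [198, 51, 100, 1], 0x1001, 7,
                          bytes(range(64)), KEY)

if __name__ == "__main__":
    print(parse_esp_tunnel(PACKET, KEY))
    print(parse_esp_tunnel(flip_bit(PACKET, 8), KEY)["icv_ok"])   # outer TTL
    print(parse_esp_tunnel(flip_bit(PACKET, 40), KEY)["icv_ok"])  # ciphertext
```

A change to the outer TTL still verifies, because ESP does not authenticate the New IP Header, while a change anywhere from the SPI to the end of the ciphertext fails the check.
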
MPLS “Tunneling”
• Multi-Protocol Label Switching
  - High speed switching technology
  - Tunnel any layer
  - Built into edge/core routers and switches
  - No authentication/encryption
[Figure: Label | IP Header | IP Payload, where IP Header and IP Payload form the Original Packet.]

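The “Label | IP Header | IP Payload” layout and the “No authentication/encryption” point above, as an added example that is not part of the original talk: it reads a labelled packet the way a device on the path can, with no key involved. It goes slightly beyond the slide by handling a stack of labels, assuming the RFC 3032 entry format; the label values, addresses and payload are constructed.

```python
import struct

def label_entry(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """Encode one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def parse_label_stack(frame: bytes):
    """Return (list of labels, bytes after the bottom-of-stack entry)."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack")
        (entry,) = struct.unpack_from("!I", frame, offset)
        offset += 4
        labels.append(entry >> 12)
        if entry & 0x100:  # S bit set: this was the last label
            return labels, frame[offset:]

def transit_view(frame: bytes) -> dict:
    """What a label switch router can read from a labelled IPv4 packet."""
    labels, inner = parse_label_stack(frame)
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("payload is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    return {"labels": labels,
            "src": ".".join(map(str, inner[12:16])),
            "dst": ".".join(map(str, inner[16:20])),
            "payload": inner[ihl:]}

# Constructed sample: a two-entry label stack in front of an IPv4 packet whose
# addresses, protocol number (253, experimental) and payload are made up.
PAYLOAD = b"constructed customer data"
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(PAYLOAD), 0, 0, 64,
                    253, 0, bytes([10, 1, 0, 5]), bytes([10, 2, 0, 9])) + PAYLOAD
FRAME = label_entry(16001, 0, False, 255) + label_entry(24, 0, True, 255) + INNER

if __name__ == "__main__":
    print(transit_view(FRAME))
```
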
IPsec vs. MPLS
• Two dominant VPN technologies
• Let’s compare them vis-à-vis their approaches to privacy

What is meant by Private?
• No one can see your stuff
  - Emphasis is on security
  - Confidentiality, integrity, authentication, authorization, access control
• Carve out a piece of a shared network for your own use
  - Emphasis is on availability
  - Traffic engineering

Evolution of IPsec
• First defined as a security mode for IPv6
• “Ported” to IPv4
• Combines tunneling with security
  - Orthogonal services
• Complex key management

Evolution of MPLS
• ATM’s VCI/VPI used for cut-through switching
  - Separates routing from forwarding
  - Supports resource allocation
• MPLS
  - IP cut-through switching using label
  - Routers switch on preestablished label
  - Routers don’t care what’s behind the label
  - Originally proposed to accelerate routing

A Protocol Looking for a Use
• Fast routing argument lost with new routing technology
  - Switching technology applied to IP header
• MPLS for traffic engineering
  - “Connection” oriented
  - Stateful: keeps track of resource allocation and usage
  - RSVP adapted for signaling
• Hot router selling feature

MPLS-VPN Security
• Label Switch Routers will drop packets that do not belong to the VPN based on label
• BGP guards against injected routes using MD5 authentication
• Note:
  - No data confidentiality
  - Weak authentication
  - BGP is not sufficient to prevent fake routes

Why MPLS-VPN?
• Embed label switching in routers
  - Sell more routers
• Replace Frame Relay and ATM with something that looks like these services
  - No profit in Frame Relay or ATM anymore
• Control provisioning at the edge of ISP
  - Sell value added service
• ISP dependent
  - Keeps customers within provider’s network

Why IPsec-VPN?
• No changes to core routers
  - Security gateway/tunnel endpoint placed anywhere that is appropriate
• Separation through obfuscation
  - Real data confidentiality
  - Real authentication
• Routing protocol agnostic
  - No (more than current) reliance on well-behaved protocols
• ISP agnostic

Guarding “Privates”
• What separates a VPN’s traffic from all other traffic?
  - IPsec: data encryption
  - MPLS: different labels, forwarding tables
• Who is responsible for separation?
  - IPsec:
    • ISPs, but not necessarily
    • Corporate IT group and even individuals
  - MPLS: ISPs

Dichotomy of Assumptions
• IPsec assumes goal is:
  - IP delivery
  - No trust of intermediate systems
• MPLS assumes goal is:
  - Engineered delivery
  - Trust entities in the middle
• Begged question: Is leaving security to someone else a good thing?

Which is the Right Way?
• Depends on what control you are willing to cede to service providers
  - What SLAs you demand
  - What you want to “black box”
• Depends on what you mean by “private”
  - No one is supposed to use your resources
  - No one is able to see your stuff

Trends in VPNs
• IPsec is being built into routers, gateways, and firewalls, and can run at very high speeds
• Layer 2 tunneled through MPLS
  - Martini Draft
• Combining MPLS and IPsec
  - IP tunneled through IPsec tunneled through MPLS
  - Best of both worlds

There’s more to it
• Establishing a VPN is much more than just building a set of tunnels between sites
  - Authentication
  - Access Control
  - Data Confidentiality
  - Data Integrity
  - Remote Access

Where does “Private” go?
• Virtual Private Network
  - Makes sense
  - What the designers had in mind
• Virtual Private Network
  - What happens if you’re not careful

More about me
• This talk and other information at http://www.ir.bbn.com/~strayer