Virtual Private Network (VPN) 1
A corporation with multiple geographic sites can use one of two approaches to building a corporate intranet. – Private network connections The corporation leases serial lines to connect its sites. Each leased connection extends from a router at one of the corporation’s sites to a router at another site; data passes directly from a router at one sit to a router at another site. – Public Internet connection. Each site contracts with a local ISP for Internet service. Data sent from one corporate site to another passes across the global Internet. 2
The chief advantage of using leased lines to interconnect sites arises because the resulting network is completely private. The chief advantage of using Internet connections is low cost. Unfortunately, the Internet cannot guarantee confindentiality. As it travels from source to destination, a datagram passes across intermediate networks that may be shared. As a consequence outsiders may be able to obtain copies of the datagram and examine the content. VPN: use the global Internet to transfer data among corporate sites, but take additional steps to ensure that the data cannot be read by outsiders. 3
A VPN is implemented in software. First, the organization obtains an Internet connection for each of its sites. Second the organization choose a router at each site to run VPN software (usually the router that connects the site to the Internet). Third, the organization configures the VPN software in each router to know about the VPN routers at each of others sites 4
VPN Software The VPN software operates like a conventional packet filter. The next hop for each outgoing datagrams must be a VPN router at another site of the organization. The traffic is restricted to pass directly from one corporate site to another exactly as the sites had leased lines connecting them VPN software encrypts each outgoing datagram before transmission. All communications remains confidential. 5
Tunneling Should the entire datagram be encrypted for transmission? If the datagram header is encrypted, routers in the Internet will not be able to interpret header fields they neeed to use when forwarding the datagram. If the header is not enctypted, outsiders will know the source and destination addresses and may be able to deduce information. To keep information completely hidden as datagrams pass across the Internet from one site to another, VPN software use an IP-in-IP tunnel 6
The sending VPN software encrypts the entire datagram and places the result inside another datagram for transmission. Suppose that a computer X at site 1 creates a datagram for a computer Y at site 3. The datagram is forwarded through site 1 at router R1 (i.e., the router that connects site 1 to Internet). The VPN software on R1 encrypts the original datagram and encapsulates it in a new datagram for transmission to router at site 2. When the encapsulated datagram arrives,VPN software on R2 decrypts the payload to extract the original datagram and them forwards it to the destination Y. 7
original (unencrypted payload) src=X dst=Y encrypt Encrypted Version of Original Datagram Encrypted datagram Encapsulated In IP For Transmission src=R1 dst=R2 8
The original datagram header has the source and destination addresses of two computers in the organization. To keep data secure during transmission across the Internet, the entire original datagram including the header, is encrypted. Thus all datagrams traveling across the Internet from site 1 to site 2 have a source address of router R1 and a destination address of router R2. 9
VPN VPN “permanent” to connect sites of a corporation. VPN “temporary” to remotely connect to the site of the corporation mobile computers. In both cases a software must be installed (in the routers belonging to the sites and/or in the personal computer of the user.) called VPN terminator. The VPN terminator encrypts the data and sends them to VPN terminator of the different site The keys needed to encrypt and decrypt are known only to the terminator software. 10