Virtual Private Networks (VPN)


Virtual Private Networks (VPN) Chapters 10, 11, 12

Outline
- The Concept of VPNs (ch. 10): VPNs defined; types
- Generic Routing Encapsulation (GRE): ch. 11
- Layer 2 Tunneling Protocol (L2TP): ch. 12
- IPsec VPNs: ch. 13
- Other types of VPNs?
Slides: http://sce.uhcl.edu/yang/teaching/.../VPN.ppt

What is VPN?
- A VPN is a means of carrying private traffic over a public network.
- Often used to connect two private networks, over a public network, to form a virtual network.
- The word virtual means that, to the users on either end, the two private networks seem to be seamlessly connected to each other. That is, they are part of a single virtual private network (although physically they are two separate networks).
- Implication? Connectivity, security, privacy.
- The VPN should provide the same connectivity and privacy you would find on a typical local private network.

Different Types of VPNs
- Based on encryption: encrypted VPNs; nonencrypted VPNs
- Based on the OSI model: data link layer VPNs; network layer VPNs; application layer VPNs
- Based on business functionality: intranet VPNs; extranet VPNs
- Question: How do we classify ‘SSL VPNs’ and ‘IPsec VPNs’? See OpenVPN and SSL VPN Revolution (or local copy).

Encrypted vs Nonencrypted VPNs
- In encrypted VPNs, encryption mechanisms are used to secure the traffic across the public network. Example: IPsec VPNs.
- In nonencrypted VPNs, either data security is not ensured at all, or it is ensured by other means (including encryption at higher layers). Examples:
  - MPLS VPNs (Multiprotocol Label Switching); see the Cisco white paper
  - GRE-based VPNs (ch. 11): rely on higher layer encryption for confidentiality

VPNs at different OSI layers
- The layer at which a VPN is constructed affects its functionality. Example: in encrypted VPNs, the layer where encryption occurs determines how much traffic gets encrypted and the level of transparency for the end users.
- Data link layer VPNs (Layer 2)
  - Example protocols: Frame Relay, ATM
  - Drawbacks: expensive (requires dedicated Layer 2 pathways); may not have complete security, since it is mainly segregation of the traffic based on the type of Layer 2 connection
  - Q: Is L2TP a layer 2 VPN?

VPNs at different OSI layers
- Network layer VPNs (Layer 3)
  - Created using layer 3 tunneling and/or encryption
  - Q: What is the difference between encapsulation and tunneling? See http://computing-dictionary.thefreedictionary.com/tunneling%20protocol
  - Examples: IPsec, GRE, L2TP (tunneling layer 2 traffic by using the IP layer to do so)
  - Advantages: a ‘proper’ layer; low enough for transparency, high enough for IP addressing
  - Cisco focuses on this layer for its VPNs.

VPNs at different OSI layers
- Application layer VPNs
  - Created to “work” specifically with certain applications
  - Examples: SSL-based VPNs (providing encryption between web browsers and servers running SSL); SSH (encrypted and secure login sessions to network devices)
  - Drawbacks: may not be seamless (transparency issue)
  - Counter-argument, from OpenVPN and SSL VPN Revolution (Hosner, 2004): “The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. … A VPN is a site-to-site tunnel. … There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. … A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. … A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …”

Other Classifications of VPNs?
- Intranet VPNs vs Extranet VPNs
- Remote Access VPNs vs Site-to-site VPNs

Generic Routing Encapsulation (GRE)
- Provides low overhead tunneling (often between two private networks)
- Does not provide encryption
- Used to encapsulate an arbitrary layer protocol over another arbitrary layer protocol: delivery header + GRE header + payload packet
- Mostly IPv4 is the delivery mechanism for GRE, with any arbitrary protocol nested inside; e.g., IP protocol type 47: GRE packets using IPv4 headers
- RFCs:
  - RFC 1701, Generic Routing Encapsulation (GRE), S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (Informational)
  - RFC 2784, Generic Routing Encapsulation (GRE), D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (Proposed Standard)
  - RFC 2890, Key and Sequence Number Extensions to GRE, G. Dommety, September 2000 (Proposed Standard)
- “Tunneling protocols”: A network protocol that encapsulates packets at a peer level or below. It is used to transport multiple protocols over a common network as well as provide the vehicle for encrypted virtual private networks (VPNs). It is said to "tunnel" because it "pushes through" packets of different types. It is also called an "encapsulation protocol," which is confusing, because all protocols encapsulate. In a regular protocol, the lower layer protocol encapsulates the higher level protocol. For example, the network layer protocol (layer 3) encapsulates a transport layer packet (layer 4). In contrast, a tunneling protocol encapsulates a packet of the same or lower protocol. For example, GRE could encapsulate a layer 3 IPX packet within a layer 3 IP packet. VPLS encapsulates a layer 2 Ethernet frame within a layer 3 IP packet. See IP tunneling and L2TP.

Generic Routing Encapsulation
- GRE header (based on RFC 1701, deprecated): Figure 11-2
- GRE header (based on RFC 2784 & 2890): Figure 11-4
  - C = 1: checksum present
  - Checksum: to ensure the integrity of the GRE header and the payload packet; contains a checksum of the GRE header and the payload packet
  - Key: contains a number to prevent misconfiguration of packets; may be used to identify an individual traffic flow within a tunnel. Not the same as a cryptographic key.

Generic Routing Encapsulation
- Summary: GRE mainly performs ‘tunneling’.
  - Does not provide a means to securely encrypt its payload
  - Often relies on the application layer to provide encryption
  - May be used together with network layer encryption (such as IPsec)
    - Example 1: use GRE to encapsulate non-IP traffic and then encrypt the GRE packet using IPsec
    - Example 2: use GRE to encapsulate multicast traffic, and then encrypt the GRE packet using IPsec
- Question: Why not simply use IPsec?
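The three GRE slides above (delivery header + GRE header + payload, IP protocol 47, the C/Key/Sequence fields, and the absence of encryption) can be seen concretely in code. The following is an added example written for this page, not code from the slides or from any RFC; it builds a GRE packet per RFC 2784 with the RFC 2890 Key and Sequence Number extensions, wraps it in an IPv4 delivery header with Protocol = 47, and verifies the checksum on decapsulation. The inner payload, the addresses (from the 203.0.113.0/24 documentation range) and the Key value 42 are constructed sample values. One practitioner's caveat the slides only imply: the GRE checksum is a one's-complement sum that catches accidental corruption; it is not a MAC, so it gives no protection against deliberate modification, and the payload travels in the clear, which is exactly why the summary slide pairs GRE with IPsec.

```python
"""GRE encapsulation per RFC 2784 with the RFC 2890 Key / Sequence Number
extensions: build delivery IPv4 header + GRE header + payload, verify the
checksum on receipt, and show that nothing in the packet is encrypted.
Added example; not part of the original slides."""
import socket
import struct

# GRE flag bits in the first 16-bit word (RFC 2784 / RFC 2890).
GRE_FLAG_C = 0x8000        # Checksum Present
GRE_FLAG_K = 0x2000        # Key Present (RFC 2890)
GRE_FLAG_S = 0x1000        # Sequence Number Present (RFC 2890)
GRE_VERSION_MASK = 0x0007  # low 3 bits; must be 0 for RFC 2784 GRE
IPPROTO_GRE = 47           # Protocol value in the delivery IPv4 header
ETHERTYPE_IPV4 = 0x0800    # Protocol Type for an IPv4 payload
ETHERTYPE_IPX = 0x8137     # Protocol Type for an IPX payload (slide case study)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto_type: int, key=None, seq=None, checksum=True) -> bytes:
    """Prepend a GRE header (optional Checksum, Key, Sequence fields in RFC order) to a payload packet."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_C
    if key is not None:
        flags |= GRE_FLAG_K
    if seq is not None:
        flags |= GRE_FLAG_S
    header = struct.pack("!HH", flags, proto_type)
    if checksum:
        header += struct.pack("!HH", 0, 0)   # Checksum placeholder + Reserved1
    if key is not None:
        header += struct.pack("!I", key)     # tunnel/flow identifier, NOT a cryptographic key
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if checksum:
        # The checksum covers the GRE header and the payload, with the field itself zeroed.
        packet = packet[:4] + struct.pack("!H", internet_checksum(packet)) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes) -> dict:
    """Parse a GRE header; raise ValueError on an unsupported version or a bad checksum."""
    flags, proto_type = struct.unpack("!HH", packet[:4])
    if (flags & GRE_VERSION_MASK) != 0:
        raise ValueError("only GRE version 0 is handled here")
    offset, key, seq = 4, None, None
    if flags & GRE_FLAG_C:
        # Summing header + payload including the stored checksum yields 0 when intact.
        if internet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch: header or payload corrupted")
        offset += 4
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    return {"proto_type": proto_type, "key": key, "seq": seq, "payload": packet[offset:]}


def ipv4_delivery_header(src: str, dst: str, gre_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 delivery header with Protocol = 47 (GRE) and a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + gre_len, ident, 0, 64,
                      IPPROTO_GRE, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def demo() -> bytes:
    """Tunnel a constructed inner packet between two constructed tunnel endpoints."""
    inner = b"constructed inner IPv4 packet: secret"   # stands in for a real inner IP datagram
    gre = gre_encapsulate(inner, ETHERTYPE_IPV4, key=42, seq=7)
    return ipv4_delivery_header("203.0.113.1", "203.0.113.2", len(gre)) + gre


if __name__ == "__main__":
    pkt = demo()
    print(gre_decapsulate(pkt[20:]))
    print("inner payload readable on the wire:", b"secret" in pkt)
```

Running the script prints the parsed header fields and `True` for the visibility check: anyone on the path sees the inner packet as-is. Flipping any byte of the GRE part makes `gre_decapsulate` raise, which is useful for catching transmission errors but says nothing about who produced the packet.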

Generic Routing Encapsulation
- Case studies:
  - A GRE tunnel connecting two private networks: Figure 11-5
  - GRE between multiple sites: Figure 11-6
  - GRE between two sites running IPX

Layer 2 Tunneling Protocol (L2TP)
- An example of a network layer VPN: uses IP packets to encapsulate Layer 2 frames
- RFCs:
  - RFC 2661, Layer Two Tunneling Protocol "L2TP", W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter, August 1999 (Proposed Standard): a standard method for tunneling Point-to-Point Protocol (PPP) [RFC 1661] sessions. L2TP has since been adopted for tunneling a number of other L2 protocols (e.g., Ethernet, Frame Relay, etc.).
  - RFC 3931, Layer Two Tunneling Protocol - Version 3 (L2TPv3), J. Lau, Ed., M. Townsley, Ed., I. Goyret, Ed., March 2005 (Proposed Standard): L2TPv3 defines the base control protocol and encapsulation for tunneling multiple Layer 2 connections between two IP nodes. L2TPv3 consists of the control protocol for dynamic creation, maintenance, and teardown of L2TP sessions, and the L2TP data encapsulation to multiplex and demultiplex L2 data streams between two L2TP nodes across an IP network.

Layer 2 Tunneling Protocol
- PPP [RFC 1661]
  - PPP defines an encapsulation mechanism for transporting multiprotocol packets across layer 2 (L2) point-to-point links. That is, a tunneling protocol.
  - Used to tunnel PPP over a public network using IP
  - Typically, a user obtains an L2 connection to a Network Access Server (NAS) using one of a number of techniques (e.g., dialup POTS, ISDN, ADSL, etc.) and then runs PPP over that connection. In such a configuration, the L2 termination point and PPP session endpoint reside on the same physical device (i.e., the NAS).
- L2TP
  - L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched network.
  - With L2TP, a user has an L2 connection to an L2TP access concentrator (LAC, e.g., modem bank, ADSL DSLAM, etc.), and the concentrator then tunnels individual PPP frames to the NAS. (See Fig. 12-1)
  - This allows the actual processing of PPP packets to be divorced from the termination of the L2 circuit.
Notes: dialup POTS: Plain Old Telephone System, also called PSTN (Public Switched Telephone Network)

Layer 2 Tunneling Protocol
- L2TP (according to TheFreeDictionary, http://computing-dictionary.thefreedictionary.com/L2TP): A protocol from the IETF that allows a PPP session to travel over multiple links and networks. L2TP is used to allow remote users access to the corporate network. PPP is used to encapsulate IP packets from the user's PC to the ISP, and L2TP extends that session across the Internet. L2TP was derived from Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F) technology.

Layer 2 Tunneling Protocol
- From Access Concentrator to Network Server: The "L2TP Access Concentrator" (LAC) encapsulates PPP frames with L2TP headers and sends them over the Internet as UDP packets (or over an ATM, frame relay or X.25 network). At the other end, the "L2TP Network Server" (LNS) terminates the PPP session and hands the IP packets to the LAN. L2TP software can also be run in the user's PC.
- Carriers also use L2TP to offer remote points of presence (POPs) to smaller ISPs. Users in remote locations dial into the carrier's local modem pool, and the carrier's LAC forwards L2TP traffic to the ISP's LNS.
- L2TP and IPsec: L2TP does not include encryption (as does PPTP), but is often used with IPsec in order to provide virtual private network (VPN) connections from remote users to the corporate LAN.

Layer 2 Tunneling Protocol
- Types of L2TP tunnels
  - Compulsory L2TP tunneling: The client is completely unaware of the presence of an L2TP connection. The L2TP Access Concentrator (LAC) is aware of L2TP. Figure 12-3: (client) --[PPP + Data]--> (LAC) --[L2TP + Data]--> (LNS)
  - Voluntary L2TP tunneling: The client is aware of the presence of an L2TP connection. The LAC is unaware of L2TP. Figure 12-4: (client) --[PPP + L2TP + Data]--> (LAC) --[L2TP + Data]--> (LNS)

L2TP Operations
- Assumptions: compulsory tunneling
- The procedure:
  1. The client initiates a PPP connection to the LAC.
  2. The LAC does LCP negotiation with the client, and challenges the client for authentication credentials.
  3. The client supplies the credentials (such as user name, domain name, password).
  4. The LAC uses the domain name to ascertain which LNS it needs to contact (in the case of multiple domains).
  5. The LAC begins establishing an L2TP tunnel with the LNS.
- Two stages of L2TP tunnel setup:
  1. Set up a control session between the LAC and the LNS.
  2. Set up the actual L2TP tunnel for passing the data (aka ‘creating the session’).
- Notes: Between a pair of LAC and LNS, there may exist multiple tunnels. Across a single L2TP tunnel, there may exist multiple sessions.
Notes: LCP negotiation: Short for Link Control Protocol, a protocol that is part of PPP. In PPP communications, both the sending and receiving devices send out LCP packets to determine specific information that will be required for the data transmission. The LCP checks the identity of the linked device and either accepts or rejects the peer device, determines the acceptable packet size for transmission, searches for errors in configuration and can terminate the link if the parameters are not satisfied. Data cannot be transmitted over the network until the LCP packet determines that the link is acceptable.

L2TP Operations
- Control connection establishment: Figure 12-5
- Session establishment: Figure 12-6
- Figure 12-8: Transaction flow for L2TP establishment
- Header format of L2TP packets: Figure 12-9
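The slides reference Figure 12-9 for the L2TP header and note that one LAC/LNS pair may carry several tunnels and one tunnel several sessions; the "Protecting L2TP Traffic using IPsec" case study that follows rests on the fact that the tunneled PPP frames are carried in the clear. The example below is added for this page (not from the slides or the textbook) and makes those points concrete: it builds and parses L2TPv2 data messages with the field layout from RFC 2661 (T/L/S/O/P flags and Ver = 2 in the first 16 bits, then optional Length, Tunnel ID, Session ID, optional Ns/Nr and Offset), and a deliberately simplified `LNS` class that demultiplexes on (Tunnel ID, Session ID). The `LNS` class, its `create_session` shortcut and the PPP frame contents are my constructions; a real LNS learns the ids from the control-connection and session exchanges of the two-stage setup described above.

```python
"""L2TPv2 (RFC 2661) data-message build/parse and LNS-side demultiplexing on
(Tunnel ID, Session ID). Added example, not from the original slides; the header
layout follows RFC 2661, the LNS class is a simplified stand-in."""
import struct

L2TP_UDP_PORT = 1701   # UDP port L2TP runs over (RFC 2661)
L2TP_VERSION = 2
FLAG_T = 0x8000        # 1 = control message, 0 = data message
FLAG_L = 0x4000        # Length field present (required on control messages)
FLAG_S = 0x0800        # Ns/Nr sequence fields present (required on control messages)
FLAG_O = 0x0200        # Offset Size field present
VERSION_MASK = 0x000F


def build_l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes,
                    ns=None, nr=None, with_length=True) -> bytes:
    """What a LAC does in compulsory tunneling: wrap one PPP frame in an L2TP data header (T=0)."""
    flags = L2TP_VERSION
    body = struct.pack("!HH", tunnel_id, session_id)
    if with_length:
        flags |= FLAG_L
    if ns is not None:
        flags |= FLAG_S
        body += struct.pack("!HH", ns, 0 if nr is None else nr)
    header = struct.pack("!H", flags)
    if with_length:
        # Length counts the whole L2TP message: flags, Length, ids, Ns/Nr and payload.
        header += struct.pack("!H", 2 + 2 + len(body) + len(ppp_frame))
    return header + body + ppp_frame


def parse_l2tp(packet: bytes) -> dict:
    """Parse an L2TPv2 header; raise ValueError on a wrong version or a truncated message."""
    (flags,) = struct.unpack("!H", packet[:2])
    if (flags & VERSION_MASK) != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message (Ver=%d)" % (flags & VERSION_MASK))
    off = 2
    if flags & FLAG_L:
        (length,) = struct.unpack("!H", packet[off:off + 2])
        off += 2
        if length > len(packet):
            raise ValueError("truncated L2TP message")
        packet = packet[:length]            # ignore trailing bytes beyond Length (e.g. UDP padding)
    tunnel_id, session_id = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack("!HH", packet[off:off + 4])
        off += 4
    if flags & FLAG_O:
        (offset_size,) = struct.unpack("!H", packet[off:off + 2])
        off += 2 + offset_size              # skip the Offset Size field and the pad
    return {"control": bool(flags & FLAG_T), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "payload": packet[off:]}


class LNS:
    """Simplified L2TP Network Server data plane (constructed for this example).

    A real LNS learns (tunnel, session) pairs from the control connection
    (SCCRQ/SCCRP/SCCCN) and session (ICRQ/ICRP/ICCN) exchanges of RFC 2661;
    here they are registered directly so the demultiplexing can be shown alone."""

    def __init__(self):
        self.sessions = {}   # (tunnel_id, session_id) -> PPP frames handed to the LAN side
        self.dropped = 0

    def create_session(self, tunnel_id: int, session_id: int) -> None:
        self.sessions[(tunnel_id, session_id)] = []

    def receive(self, packet: bytes) -> str:
        msg = parse_l2tp(packet)
        if msg["control"]:
            return "control"             # handed to the control-connection state machine
        key = (msg["tunnel_id"], msg["session_id"])
        if key not in self.sessions:
            self.dropped += 1            # data for a session that was never set up is not forwarded
            return "dropped"
        self.sessions[key].append(msg["payload"])
        return "delivered"


if __name__ == "__main__":
    lns = LNS()
    lns.create_session(5, 1)
    # Constructed PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IPv4), then the IP packet.
    ppp = b"\xff\x03\x00\x21" + b"constructed IP packet inside PPP"
    wire = build_l2tp_data(5, 1, ppp, ns=0, nr=0)
    print(lns.receive(wire), parse_l2tp(wire))
    print("PPP payload readable on the wire:", b"constructed IP packet" in wire)
```

The `receive` method shows the one check a practitioner wants on the LNS side: a data message whose (Tunnel ID, Session ID) was never established is dropped rather than forwarded into the LAN. The visibility check at the end is the motivation for Figure 12-11: L2TP itself only multiplexes and frames, so confidentiality and integrity for the PPP payload have to come from IPsec around it.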

L2TP Operations
- Case studies:
  - Setting up compulsory L2TP tunneling: Figure 12-10
  - Protecting L2TP traffic using IPsec in a compulsory tunneling setup: Figure 12-11