VPN construction with independence of client environment 25 January 25 January 2007 Shin Takeuchi (University of Tsukuba)

University of Tsukuba 2 Agenda 1.VPN ~Site-to-Site connection~ ~Remote-to-Site connection~ IP security protocol SSL-VPN 2.Solution 3.Experiment 4.Implementation 5.Conclusion

University of Tsukuba 3 VPN

4 Internet VPN Site ASite B  We typically use “IPsec” in Site-to-Site VPN connection Many devices support “IPsec” VPN ~ Site-to-Site connection~

University of Tsukuba 5 Internet VPN ~Remote-to-Site connection~ VPN SiteRemote User  We usually use “SSL-VPN” in Remote Access PPTP is also common

University of Tsukuba 6 IP security protocol （ IPsec ） （ 1/3 ） IP Header ESP Header ESP Auth ESP Trailer Original IP packet TCP Header ESP Header ESP Auth ESP Trailer TCP Header IP Header AH Header TCP Header payload IP Header TCP Header IP Header Tunnel IP Header AH Header TCP Header IP Header Transport Tunnel ESP AH ESP AH Tunnel IP Header payload

University of Tsukuba 7 payload IPsec （ 2/3 ） ~Authentication~ IP Header ESP Header ESP Auth ESP Trailer TCP Header ESP Header ESP Auth ESP Trailer TCP Header IP Header AH Header TCP Header IP Header TCP Header IP Header Tunnel IP Header AH Header TCP Header IP Header Transport Tunnel ESP AH ESP AH Tunnel IP Header authentication Original IP packet payload authentication

University of Tsukuba 8 IPsec （ 3/3 ） ~Encryption~ IP Header ESP Header ESP Auth ESP Trailer TCP Header ESP Header ESP Auth ESP Trailer TCP Header IP Header AH Header TCP Header IP Header TCP Header IP Header Tunnel IP Header AH Header TCP Header IP Header Transport Tunnel ESP AH ESP AH Tunnel IP Header Original IP packet payload encryption

University of Tsukuba 9 SSL-VPN （ 1/3 ） IP Header Record Header TCP Header Reverse Proxy MAC IP Header Record Header TCP Header MAC IP Header TCP Header IP Header Record Header TCP Header MAC IP Header TCP Header Ethernet Header CRC Port Forwarding L2-Tunneling IP Header TCP Header Original IP packet payload

University of Tsukuba 10 SSL-VPN （ 2/3 ） ~Authentication~ IP Header Record Header TCP Header Reverse Proxy MAC IP Header Record Header TCP Header MAC IP Header TCP Header IP Header Record Header TCP Header MAC IP Header TCP Header Ethernet Header CRC Port Forwarding L2-Tunneling Original IP packet IP Header TCP Header payload authentication

University of Tsukuba 11 SSL-VPN （ 3/3 ） ~Encryption~ IP Header Record Header TCP Header Reverse Proxy MAC IP Header Record Header TCP Header MAC IP Header TCP Header IP Header Record Header TCP Header MAC IP Header TCP Header Ethernet Header CRC Port Forwarding L2-Tunneling Original IP packet IP Header TCP Header payload encryption

University of Tsukuba 12 Motivation  Setup difficulty It is bothering for common users to make VPN configuration  Must be “Static” Each endpoint requires “Static” IP address Site-to-Site : “Static”- “Static”, Remote-to-Site : “Dynamic”-“Static” more “Simplicity” more “Flexibility”

University of Tsukuba 13 Idea  Implement application Simple VPN configuration for clients “Dynamic” – “Dynamic” connection Which protocol should we use ? Introduce the “VPN-Management-Server” VPN-Management-Server handles bothering procedure

University of Tsukuba 14 Experiment

University of Tsukuba 15 Experiment with selection of protocol  Criterion Connectivity (connect or disconnect)  Target IPsec V.S. SSL-VPN  Experimental Network University of Tsukuba campus network (Univ. Tsukuba) Tsukuba WAN Kyushu GigaPOP Project (QGPOP) Network Organization for Research and Technology in Hokkaido (NORTH) Japan Science and Technology Agency (JST) Commercial Internet Service Provider (ISP)

University of Tsukuba 16 Result of the Experiment Endpoint BIPsec Endpoint AUniv. TsukubaTsukuba WANQGPOPNORTHJSTISP Univ. Tsukuba×××××× Tsukuba WAN×○○○×○ QGPOP×○ ‐‐ × ‐ NORTH×○ ‐‐‐‐ JST××× ‐‐‐ ISP×○ ‐‐‐‐ Endpoint BSSL-VPN Endpoint AUniv. TsukubaTsukuba WANQGPOPNORTHJSTISP Univ. Tsukuba○○○○○○ Tsukuba WAN○○○○○○ QGPOP○○ ‐‐ ○○ NORTH○○ ‐‐‐‐ JST○○○ ‐‐ ○ ISP○○○ ‐ ○ ‐ ○:connect, ×: disconnect, - : none SSL-VPN is more suitable than IPsec !

University of Tsukuba 17 Implementation

University of Tsukuba 18 Implementation of proposal system  Environments OS : Windows Language : C++ Library : openssl-0.9.8c USB token : iKey 1000  Features When we insert the USB token into a PC, VPN is established  Example Sharing data in a meeting

University of Tsukuba 19 SSL connection SSL authentication (Client IP address) Request Send Register Request Verify Client’s Certificate Verify Server’s Certificate (IP address) included in IP Header ( source IP address ) included in application data ( IP address ) Check ・ ( source IP address ) ・ ( IP address ) ClientVPN-Management-Server ・ Client Certificate Serial Number ・ IP Classification Information Procedure sequence

Repository Registry VPN module Certification issue VPN-management Server SSL AuthVPN-Server Client SSL connect Client information ・ Client Certification Serial Number ・ Header IP ・ Payload IP ・ IP Classification Information (Global IP, Private IP) Auth info ・ CA Private / Public key ・ Server Private / Public key SSL Auth IC chip USB-token ： iKey storage Reference VPN module create encryption algoVirtual IP access point IPConnect Port communication protocol Client Environment judge IP address VPN connection Virtual IF creation packet routing tun / tap device send packet Payload IP address Header IP address （ Global IP,Private IP ） Payload IP address Registry Reference ・ CA Public key ・ Client Private / Public key Client application program

University of Tsukuba 21 Conclusion

University of Tsukuba 22 Conclusion  VPN IPsec and SSL-VPN  Focus on the following problems Setup difficulty Must be “Static” IP  My application Simple VPN configuration for clients Enable “Dynamic – Dynamic” connection

University of Tsukuba 23 Thank you ! I appreciate network supports of Prof. Okamura (Kyushu Univ.). Thanks go to Prof. Kasahara for this session arrangements. Thanks also to Prof. Okamoto, Researchers Dr. Oyama and Dr. Inomata for their supports and guidelines.

University of Tsukuba 24 VPN-Server’s module Send Run VPN-Server process Accept VPN-Client connection Configure VPN-Server’s configuration Case 1. ( source IP address ) matches to ( IP address ) ClientVPN-Management-Server Case 1

University of Tsukuba 25 VPN-Client’s module Send Run VPN-Client process Connect VPN-Server Configure VPN-Client’s configuration Case 2. ( source IP address ) doesn’t matches to ( IP address ) There is VPN-Server in the client and ClientVPN-Management-Server Case 2

University of Tsukuba 26 VPN-Client’s module Send Run VPN-Client process Connect VPN-Server (VPN-Management Server) Configure VPN-Client’s configuration Case 3. ( source IP address ) doesn’t matches to ( IP address ) and Run VPN-Server process Accept VPN-Client connection All clients are VPN-Client VPN Connection VPN connection establish ClientVPN-Management-Server Case 3

University of Tsukuba 27 What is USB Token ?  USB with protecting field and IC chip Smartcard + Card reader specifications X.509 Authentication memory1024 bit RSA (software) MD5 hash algorithm (hardware) 8K memory 、（ iKey K memory ） 64-bit Serial NumberPKCS #11 middleware (v2.01) 1.5 MbpsThree security levels of file access 2-hierarchical directory4KB write run time : 3(s) Software IPSec/IKERADIUS PPTPOutlook Express NetscapeInternet Explore