Evaluation of an internet protocol security based virtual private network solution
Thesis written by Arto Laukka at TeliaSonera Finland Oyj
Supervisor: Professor Raimo Kantola
Instructor: M.Sc. Ville Hapuoja
Helsinki University of Technology, Networking laboratory, Master’s thesis seminar
Introduction
o IPsec is the current best practice solution for implementing virtual private networks over the public Internet
o IPsec solutions are classified in two categories:
  o GW-to-GW
  o Client-to-GW (remote access)
o Service operators offer IPsec VPN solutions for corporate customers
o Objective of the thesis: evaluate whether a new service platform is ready to be used in commercial service production for an IPsec client-to-GW VPN service
o Methods include a literature study on IPsec service components and IPsec client-to-GW service architecture; the characteristics of the new platform are evaluated based on vendor documentation and example configurations
Agenda
o Introduction
o IPsec client-to-GW VPN service architecture
o IP service switch concept
o Concept evaluation
o Technical evaluation
o Problem with IPsec and NAT
o Conclusions
IPsec client-to-GW VPN service architecture (1/2)
o The public Internet or another insecure network provides connectivity
o The IPsec client is typically a piece of software installed on the client machine
o The VPN gateway terminates the IPsec client connections
o Authentication infrastructure, for example PKI, is required for strong client authentication
o Authorisation infrastructure is needed for access control
o Management infrastructure covers all the blocks mentioned above
o The protected network contains the secured network services offered to the clients
IPsec client-to-GW VPN service architecture (2/2)
IP service switch concept (1/2)
o Traditionally IP services have been implemented with dedicated CPE appliances
o The IP service switch concept combines many of these services into a single appliance
o Services are offered in the service provider network instead of at the customer premises
o Reduces the amount of equipment, integrates service management and makes service provisioning easier
IP service switch concept (2/2)
[Figure: Legacy CPE implementation vs. Service switch implementation]
Evaluation of the concept
o The IP service switch concept introduces an opportunity for service providers through smaller capital and operational costs
o The concept offers scalability in the number of served subscribers, in the service offering and in management
o Introduces a possible single point of failure
o The performance of a multifunctional device does not reach the performance of dedicated service appliances
Technical evaluation of the new platform (1/2)
o The platform under evaluation is the CoSine Communications IP Processing Switch IPSX 3500, a multifunctional IP service switch
o The characteristics of the IPsec VPN GW functionality of the CoSine platform are evaluated
o The starting point is the current service implementation and functionality
o Integration with the existing authentication, authorisation, management and network infrastructure should be seamless
o Performance should be adequate for mass-scale IPsec service production
Technical evaluation of the new platform (2/2)
o The CoSine platform has all the basic IPsec VPN GW functionality
o The necessary functions and interfaces for integration with the service operator network and infrastructure exist
o The CoSine platform offers provider-class performance in IPsec tunnel termination and encryption
o The main problem in the technical implementation is the NAT-Traversal solution
o An inconsistent NAT-T solution leads to interoperability problems
Problem with IPsec and NAT (1/2)
o Network address translation is everywhere in the Internet
o NAT modifies the IP address and port fields in the packet headers and, in some cases, in the IP payload
o NAT cannot modify an IPsec-protected packet, because the fields it would rewrite are either encrypted or covered by the integrity checksum calculation
Problem with IPsec and NAT (2/2)
o No existing standard for implementing IPsec NAT Traversal
o Several vendor-specific solutions exist, with no guarantee of interoperability
o CoSine’s NAT Traversal solution is based on early IETF drafts
o No complete NAT-T implementation exists in CoSine for a pure IPsec tunnel implementation
o The NAT Traversal solution has to be the same at both ends of the IPsec VPN tunnel
o CoSine is not interoperable with the current IPsec client-to-GW VPN service
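The two NAT slides above describe the mechanism in words; the following added example (not from the thesis or from CoSine) models it in Python. An AH-style packet whose integrity check value covers the outer addresses fails verification once a NAT rewrites the source address, while an ESP-in-UDP packet in the style of the IETF NAT-T drafts (later RFC 3948, UDP port 4500) survives the rewrite, but only if the receiving gateway also implements that encapsulation. The key, addresses, SPI and port values are constructed for the demo.

```python
import hmac, hashlib, struct, ipaddress

KEY = b"constructed-demo-key"   # constructed shared key of the two tunnel endpoints
UDP_ENCAP_PORT = 4500           # ESP-in-UDP port from the IETF NAT-T drafts / RFC 3948
TAG_LEN = hashlib.sha256().digest_size

def icv(data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA256 stands in for the IPsec integrity algorithm."""
    return hmac.new(KEY, data, hashlib.sha256).digest()

def _addr_fields(src: str, dst: str) -> bytes:
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed

def build_ah(src: str, dst: str, payload: bytes) -> dict:
    """AH-style packet: the ICV covers the immutable outer IP header fields
    (addresses) together with the payload, so the header is 'frozen'."""
    return {"src": src, "dst": dst, "proto": "AH", "payload": payload,
            "icv": icv(_addr_fields(src, dst) + payload)}

def build_esp_in_udp(src: str, dst: str, spi: int, payload: bytes) -> dict:
    """NAT-T style packet: ESP (ICV over the ESP body only) carried inside UDP,
    so the outer header is outside the integrity scope and a port exists for NAPT."""
    body = struct.pack("!I", spi) + payload
    return {"src": src, "dst": dst, "proto": "UDP", "sport": UDP_ENCAP_PORT,
            "dport": UDP_ENCAP_PORT, "esp": body + icv(body)}

def nat_rewrite(pkt: dict, public_src: str, public_port: int = 40000) -> dict:
    """What a NAT does: rewrite the outer source address and, if the packet has
    one, the source port. It holds no IPsec key, so it cannot recompute an ICV."""
    out = dict(pkt)
    out["src"] = public_src
    if "sport" in out:
        out["sport"] = public_port
    return out

def gw_verify(pkt: dict, supports_nat_t: bool) -> tuple:
    """Receiving gateway. Returns (accepted, reason)."""
    if pkt["proto"] == "AH":
        ok = hmac.compare_digest(pkt["icv"], icv(_addr_fields(pkt["src"], pkt["dst"]) + pkt["payload"]))
        return ok, "AH ICV ok" if ok else "AH ICV mismatch: outer header was rewritten"
    if pkt["proto"] == "UDP" and pkt["dport"] == UDP_ENCAP_PORT:
        if not supports_nat_t:
            # Both ends must use the same NAT-T scheme: a gateway expecting raw
            # ESP has no way to interpret the UDP-encapsulated packet.
            return False, "UDP/4500 received but peer has no matching NAT-T support"
        body, tag = pkt["esp"][:-TAG_LEN], pkt["esp"][-TAG_LEN:]
        ok = hmac.compare_digest(tag, icv(body))
        return ok, "ESP ICV ok despite NAT" if ok else "ESP ICV mismatch"
    return False, "unsupported protocol"
```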
Summary
The IP service switch concept has lots of potential. The performance, scalability and other characteristics of the CoSine platform are adequate for mass-scale IP service delivery. Interoperability problems exist with NAT-T and IPsec tunnel mode. Deployment of the CoSine platform would require rethinking of the other service components and service functionality. The standardisation of IPsec NAT-Traversal is still unfinished at the IETF. As long as this is the case, the interoperability problems will persist.