Virtual Private Networks and Spawning Networks Department of Computer Science.

Wired Magazine Hype List, Feb 1998: Virtual Private Networks ranked #1
"The wonderful thing about virtual private networks is that its myriad definitions give every company a fair chance to claim that its existing product is actually a VPN. But no matter what definition you choose, the networking buzzphrase doesn't make sense. The idea is to create a private network via tunneling and/or encryption over the public Internet. Sure, it's a lot cheaper than using your own frame relay connections, but it works about as well as sticking cotton in your ears in Times Square and pretending nobody else is around."
Other items on the list:
– Hacker Consultants
– MiniDisc
– Windows NT 5.0
– Interior Design

Overview
– What is a VPN?
– Requirements and motivation
– Scenarios
– Methods
– Practical VPN
– Spawning networks: VPNs on the fly

What is a VPN?
Network: a network consists of any number of devices which can communicate through some arbitrary method.
Private:
– Data privacy and data integrity
– Access is restricted to a defined set of entities
– Privacy of the addressing and routing system
  · Addressing used by the VPN community is separate and discrete from the underlying shared network
  · Same for routing
Virtual:
– Private communication over a shared network infrastructure, e.g. the Internet (encryption and authentication)

One Line Definition
A VPN is a private network constructed within a public network infrastructure, such as the global Internet.

Scenarios
– Two end-systems, e.g. e-commerce
– Remote access network, e.g. a large firm with hundreds of sales people in the field
– Site to site
  · Branch office connection network: intranet VPN
  · Business partner networks: extranet VPN
– Combination of the above

Motivations
– Economics of communications: cheaper than constructing or leasing physical networks for private communication
– Communications privacy: depends on the technology used to construct the VPN
– Global reachability
– Scalability (compared to custom networks)

Requirements
– Data security: authentication, confidentiality, integrity
– Tunneling mechanisms
– QoS guarantees

Methods to construct VPNs
Most common: tunneling. A tunnel connects two VPN endpoints.
– Traffic is opaque to the underlying IP backbone
– The IP backbone is used as a link-layer technology, where the tunnel forms a virtual point-to-point link
Advantages
– Segregation of the common host network from the VPN
– Routing of the VPN is isolated from the common host network
– Encapsulates different protocol families
"Tunneling" is a technology that allows a network transport protocol to carry information for other protocols within its own packets. For example, IPX data packets can be encapsulated in IP packets for transport across the Internet, which isn't normally possible.

Tunnels
Cons
– Administrative overhead: manual configuration
– Scaling problems: point-to-point or point-to-multipoint?
– QoS/performance issues
  · Encapsulation overhead
  · No control over the path on the common network (e.g. IP)
Three different protocols
– Carrier protocol: most commonly IP
– Encapsulating protocol: GRE, IPSec, L2F, PPTP, L2TP
– Passenger protocol: the original data (IPX, NetBEUI, IP)

Encapsulating Protocols
PPTP vs L2F
– PPTP wraps PPP in IP
– L2F uses Layer Two protocols, such as Frame Relay and ATM, for tunneling
L2TP
– Supposed to offer the best of PPTP and L2F
– Supports multiple concurrent tunnels per client
IPSec: broad-based open solution for encryption and authentication on a per-packet basis
– Two modes: tunnel and transport
– Integrated with L2TP for security (transport mode)
The Point-to-Point Protocol (PPP) provides a method for transmitting datagrams over serial point-to-point links.

PPTP Protocol
– Data channel: PPP over IP GRE (Generic Routing Encapsulation)
– Encapsulates the link layer (PPP), communicates at the network layer (IP)
– Call setup is handled in a control channel

PPTP Tunneling Example (diagram): on the PPTP client computer, SMB packets travel as IP packets through the PPP encapsulator and the PPTP interface, leaving the SLIP interface as IP GRE packets towards the ISP gateway; on the PPTP server computer they arrive on the SLIP interface, pass through the PPTP interface and the PPP decapsulator, and emerge again as IP packets carrying the SMB packets.

PPTP Tunneling Example (packet layering)
– TCP/IP packet: IP Header | TCP Header | Payload Data
– After the PPP encapsulator: PPP Header | IP Header | TCP Header | Payload Data
– After the PPTP interface: IP GRE Header | PPP Header | IP Header | TCP Header | Payload Data
– After the SLIP interface, towards the modem: SLIP Header | IP GRE Header | PPP Header | IP Header | TCP Header | Payload Data
Note: IP GRE is not handled by many firewalls.
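The layering on this slide and the encapsulation-overhead and firewall points from the Tunnels slides can be made concrete by building and then peeling apart one PPTP-style data packet. The following is an added example, not code from the slides or any PPTP implementation: it wraps a constructed passenger TCP/IP packet in a PPP frame, an enhanced GRE header (the RFC 2637 format, flags/version 0x3001, protocol type 0x880B) and an outer carrier IPv4 header with protocol number 47, reports how many bytes the tunnel adds, and models a firewall that only passes TCP and UDP to show why such a packet is dropped. All addresses, port numbers and the call id are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Standard protocol constants (not taken from the slides)
IPPROTO_GRE = 47             # outer IP header: protocol number for GRE
IPPROTO_TCP = 6
GRE_PROTO_PPP = 0x880B       # GRE "protocol type" for PPP (RFC 2637)
GRE_FLAGS_PPTP = 0x3001      # enhanced GRE: K=1, S=1, version 1 (data packet with sequence number)
PPP_ADDR_CTRL = b"\xff\x03"  # PPP address/control fields
PPP_PROTO_IPV4 = 0x0021      # PPP protocol field for IPv4


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (0 for a header whose checksum is correct)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_passenger_packet() -> bytes:
    """Constructed sample passenger packet: an inner TCP/IP packet between two private LANs."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    # TCP header: ports, seq/ack, data offset 5, PSH|ACK; the TCP checksum is left at 0 in this sample
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return ipv4_header("10.1.0.5", "10.2.0.7", IPPROTO_TCP, len(tcp) + len(payload)) + tcp + payload


def pptp_encapsulate(passenger: bytes, carrier_src: str, carrier_dst: str, call_id: int, seq: int) -> bytes:
    """Passenger -> PPP frame -> enhanced GRE -> outer (carrier) IPv4 packet."""
    ppp_frame = PPP_ADDR_CTRL + struct.pack("!H", PPP_PROTO_IPV4) + passenger
    gre = struct.pack("!HHHHI", GRE_FLAGS_PPTP, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    return ipv4_header(carrier_src, carrier_dst, IPPROTO_GRE, len(gre) + len(ppp_frame)) + gre + ppp_frame


def pptp_decapsulate(packet: bytes) -> dict:
    """Peel the carrier, GRE and PPP layers off, validating each, and return the passenger plus metadata."""
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE" % packet[9])
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    gre = packet[ihl:]
    flags, ptype, plen, call_id, seq = struct.unpack("!HHHHI", gre[:12])
    if flags != GRE_FLAGS_PPTP or ptype != GRE_PROTO_PPP:
        raise ValueError("not a PPTP data packet (enhanced GRE carrying PPP)")
    ppp_frame = gre[12:12 + plen]
    if ppp_frame[:2] != PPP_ADDR_CTRL or struct.unpack("!H", ppp_frame[2:4])[0] != PPP_PROTO_IPV4:
        raise ValueError("PPP frame does not carry IPv4")
    return {
        "carrier_src": str(IPv4Address(packet[12:16])),
        "carrier_dst": str(IPv4Address(packet[16:20])),
        "call_id": call_id,
        "seq": seq,
        "overhead_bytes": ihl + 12 + 4,   # outer IP + enhanced GRE + PPP header
        "passenger": ppp_frame[4:],
    }


def passes_ip_protocol_filter(packet: bytes, allowed_protocols) -> bool:
    """Model a firewall that forwards only the listed IP protocol numbers (e.g. {6, 17} = TCP and UDP)."""
    return packet[9] in allowed_protocols


if __name__ == "__main__":
    inner = build_passenger_packet()
    tunneled = pptp_encapsulate(inner, "203.0.113.10", "198.51.100.20", call_id=7, seq=1)
    info = pptp_decapsulate(tunneled)
    print("passenger %d bytes, tunneled %d bytes, overhead %d bytes"
          % (len(inner), len(tunneled), info["overhead_bytes"]))
    print("TCP/UDP-only firewall passes the tunnel packet:", passes_ip_protocol_filter(tunneled, {6, 17}))
```

The 36 bytes the tunnel adds to every packet are the "encapsulation overhead" listed under QoS/performance issues, and the filter model is the reason a firewall that only knows TCP and UDP has to be told explicitly about IP protocol 47 before a PPTP tunnel can cross it.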

PPTP in a Nutshell

Practical VPN SSH Example

What is SSH?
Overview of Secure Shell. SSH is a secure replacement for the "r" utilities.
Availability: downloadable and commercial versions.
Resources: both commercial and free are widely available. SSH is very popular and there's a lot of expertise out there.

SecureCRT The SecureCRT client application combines the secure logon and data transfer capabilities of Secure Shell (SSH) with the reliability, usability, and configurability of a proven Windows® terminal emulator.

Simple SSH VPN Host-to-host IP tunneling In SecureCRT: Open session options for a host

Simple SSH VPN (2) Now select the “Advanced” button

SSH – Port forwarding
– Open up the remote connection
– Open a browser or application to: :8080 in our example
– We should now connect to the remote service

Simple SSH VPN

Not Just for Hosts Network to Network

VPN on Linux
– VPN-HOWTO
– Two main ingredients:
  · ssh/sshd, for privacy
  · pppd
– The pppd commands establish a working connection. It's strictly a bilateral umbilical cord between the VPN servers that extends no mutual connectivity to workstations on the networks.
– Mutual connectivity between workstations is done by the route commands. Once these commands have been executed, the two networks have been transparently pooled into a single group of machines, all mutually visible via Internet addresses.
– The PPP interface is assigned an IP address
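The split between pppd (which only joins the two VPN servers) and the route commands (which pool the two LANs) is easiest to see in a routing-table model. The following is an added example, not code from the slides or from the VPN-HOWTO: a minimal longest-prefix-match table for the site-A VPN server, with the routes that exist before and after the ssh/pppd link is up. Interface names, the 192.168.1.0/24 and 192.168.2.0/24 LANs and the 10.0.0.2 peer address are constructed sample values.

```python
from ipaddress import IPv4Address, IPv4Network


class RoutingTable:
    """Minimal longest-prefix-match routing table, modelling what the route commands set up."""

    def __init__(self):
        self.routes = []  # entries: (destination network, gateway or None, interface)

    def add(self, prefix: str, iface: str, gateway: str = None) -> None:
        self.routes.append((IPv4Network(prefix), gateway, iface))

    def lookup(self, dst: str):
        """Return (network, gateway, iface) of the most specific matching route, or None."""
        addr = IPv4Address(dst)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best


def site_a_routes(vpn_up: bool) -> RoutingTable:
    """Routing table of the site-A VPN server (all addresses are constructed sample values)."""
    rt = RoutingTable()
    rt.add("192.168.1.0/24", "eth0")                     # site A's own LAN, directly connected
    rt.add("0.0.0.0/0", "eth0", gateway="192.168.1.1")   # default route towards the Internet
    if vpn_up:
        # pppd over ssh is up: a point-to-point link to the site-B VPN server only
        rt.add("10.0.0.2/32", "ppp0")
        # the route command that pools the networks: site B's LAN is reached through the tunnel
        rt.add("192.168.2.0/24", "ppp0", gateway="10.0.0.2")
    return rt


def egress_interface(vpn_up: bool, dst: str) -> str:
    """Interface a packet from site A to dst leaves on (the default route guarantees a match)."""
    return site_a_routes(vpn_up).lookup(dst)[2]


if __name__ == "__main__":
    for up in (False, True):
        for dst in ("192.168.2.15", "192.168.1.9", "203.0.113.5"):
            print("vpn_up=%-5s %-14s -> %s" % (up, dst, egress_interface(up, dst)))
```

Before the route for 192.168.2.0/24 exists, a packet for a site-B workstation matches only the default route and leaves eth0 towards the Internet, outside the tunnel; after it, the same packet is steered into ppp0, while site A's own LAN and ordinary Internet destinations are unaffected.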

Example ssh tunnel here

An Interesting Challenge: VPN for VM Computing on Grids
Goals
– Security for the VPN, via ssh
– Static address for VMs undergoing migration
– Different VMs may communicate with each other
– Assume minimum co-operation from the remote host

Spawning Networks

Main idea: automating the process of realizing distinct network architectures on demand.
OS analogy: "We envision spawning networks as having the capability to spawn not processes but complex network architectures."

Spawning Networks Two child networks are spawned by the parent network. The first child network is a Cellular IP virtual network that supports wireless extensions to the parent network. The other child network supports a differentiated services architecture operating over the same network infrastructure. An additional level of nesting is shown where the Cellular IP network spawns a child network.

Spawning Networks

The Genesis kernel has the capability to spawn child network architectures that can support alternative distributed network algorithms and services.

Spawning Networks

Programmable data path
– Operates on the same physical node
– Each routelet corresponds to a distinct virtual network
– Network inheritance tree

Ports and engines are dynamically created during the spawning phase from a set of transport modules, which represent a set of generic routelet plugins:
– Encapsulators, which add specific headers (e.g., RTP, IPv4) to packets at the end systems or routelets
– Forwarders, which execute particular packet forwarding mechanisms (e.g., IPv6, MPLS, Cellular IP) at routelets
– Classifiers, which separate packets in order to receive special treatment by routelets
– Processors, which process packets based on architecturally specific plugins (e.g., police, mark, monitor, shape, filter packets)
– Schedulers, which regulate the use of virtual link capacity based on a programmable buffer and queue management capability
Child ports and engines can be constructed by directly