CS519: Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN - PowerPoint PPT Presentation

CS519: Computer Networks Lecture 8: Apr 21, 2004 VPNs

VPN Taxonomy CS519 VPN Network Client Provider-based Customer-based Provider-based Customer-based L3 L2 Compulsory Voluntary Virtual Router BGP/MPLS ATM Frame Relay Secure LAN Non-secure Secure Non-secure

What is a VPN? CS519 � Making a shared network look like a private network � Why do this? � Private networks have all kinds of advantages • (we’ll get to that) � But building a private network is expensive • (cheaper to have shared resources rather than dedicated)

History of VPNs CS519 � Originally a telephone network concept � Separated offices could have a phone system that looked like one internal phone system � Benefits? � Fewer digits to dial � Could have different tariffs • Company didn’t have to pay for individual long distance calls � Came with own blocking probabilities, etc. • Service guarantees better (or worse) than public phone service

Original data VPNs CS519 � Lots of different network technologies in those days � Decnet, Appletalk, SNA, XNS, IPX, … � None of these were meant to scale to global proportions � Virtually always used in corporate settings � Providers offer virtual circuits between customer sites � Frame Relay or ATM � A lot cheaper than dedicated leased lines � Customer runs whatever network technology over these � These still exist (but being replaced by IP VPNs)

VPN Taxonomy CS519 VPN Network Client Provider-based Customer-based Provider-based Customer-based L3 L2 Compulsory Voluntary Virtual Router BGP/MPLS ATM Frame Relay Secure LAN Non-secure Secure Non-secure

Advantages of original data VPNs CS519 � Repeat: a lot cheaper than dedicated leased lines � Corporate users had no other choice � This was the whole business behind frame- relay and ATM services � Fine-grained bandwidth tariffs � Bandwidth guarantees � Service Level Agreements (SLA) � “Multi-protocol”

Frame Relay VPN Example CS519 CE CE CE FR FR CE FR FR CE FR FR FR CE CE = Customer CE Equipment CE FR = Frame Relay

Define circuits CE to CE (for given customer: purple) CS519 CE3 CE1 CE1 24 FR FR CE3 12 FR 31 FR CE4 FR FR FR CE2 CE = Customer CE4 Equipment CE2 FR = Frame Relay

Customer establishes routing tables (per protocol) CS519 CE3 CE1 CE1 24 FR FR CE3 12 dest circuit FR CE2 24 31 CE3 12 FR CE4 31 CE4 FR FR FR CE2 CE = Customer CE4 Equipment CE2 FR = Frame Relay

Provider provisions underlying network CS519 CE3 CE1 CE1 FR FR CE3 FR FR Provider does queuing analysis of load through each link, determines, throughput characteristics, gives CE4 service guarantees to customers FR accordingly. FR FR CE2 CE = Customer CE4 Equipment CE2 FR = Frame Relay

How has the world changed? CS519 � Everything is IP now � Some old stuff still around, but most data networks are just IP � So, why do we still care about VPNs???

IP VPN benefits CS519 � IP not really global (private addresses) � VPN makes separated IP sites look like one private IP network � Security � Bandwidth guarantees across ISP � QoS, SLAs � Simplified network operation � ISP can do the routing for you

Client VPNs CS519 VPN Network Client Provider-based Customer-based Provider-based Customer-based L3 L2 Compulsory Voluntary Virtual Router BGP/MPLS ATM Frame Relay Secure LAN Non-secure Secure Non-secure

Client VPNs CS519 � Solves problem of how to connect remote hosts to a firewalled network � Security and private addresses benefits only � Not simplicity or QoS benefits

Client VPNs CS519 � Solves problem of how to connect remote hosts to a firewalled network Site Site (private FW/ Host network) Internet VPN IPsec Site Remote Tunnels Host Host Remote Host

Client VPNs: Configuration CS519 VPN IP addr: 20.1.1.1 User name: joe Password: Rtu44!+3wyZ Site 20.1.1.1 FW/ Host VPN Site Remote joe: Rtu44!+3wyZ Host Host sally: 5Yee#34hB!2

Client VPNs CS519 VPN Network Client Provider-based Customer-based Provider-based Customer-based L3 L2 Compulsory Voluntary Virtual Router BGP/MPLS ATM Frame Relay Secure LAN Non-secure Secure Non-secure

Client VPNs: Configuration CS519 More likely AAA or LDAP backend has the passwords VPN IP addr: 20.1.1.1 User name: joe Password: Rtu44!+3wyZ AAA Site 20.1.1.1 FW/ Host VPN Site Remote joe: Rtu44!+3wyZ Host Host sally: 5Yee#34hB!2

Client VPNs: Host gets local IP address CS519 DHCP AAA Site 20.1.1.1 FW/ Host VPN 30.1.1.1 Router Site Remote Host Host

Client VPNs: Host connects to VPN CS519 VPN authenticates remote host through backend database (RADIUS or LDAP) AAA Site 20.1.1.1 FW/ RADIUS Host VPN IPsec Site Remote Host 30.1.1.1 Host

Client VPNs: VPN assigns site address CS519 As proprietary enhancement to IPsec, or with PPP (over IPsec) 10.1.1.1 AAA Site 20.1.1.1 FW/ RADIUS Host VPN 10.1.1.1 IPsec Site Remote Host 30.1.1.1 Host

Client VPNs: Packets tunneled over IPsec CS519 AAA Site 20.1.1.1 FW/ RADIUS Host VPN 10.1.1.1 10.1.1.2 IPsec Site Remote Host 30.1.1.1 Host 10.1.1.1 10.1.1.1 10.1.1.2 10.1.1.2 30.1.1.1 30.1.1.1 20.1.1.2 20.1.1.2 IPsec Tunnel

Client VPNs: Packets tunneled over IPsec CS519 Some VPN clients smart enough to avoid sending non-VPN traffic through the VPN tunnel Not this This Public AAA Host Site 20.1.1.1 FW/ RADIUS Host VPN 10.1.1.1 10.1.1.2 IPsec Site Remote Host 30.1.1.1 Host

IPsec CS519 � Two parts: Session Establishment (key exchange) and Payload � IKE/ISAKMP is session establishment � Negotiate encryption algorithms � Negotiate payload headers (AH, ESP) � Negotiate policies � Keying can be either: � Symmetric shared keys � Public keys (in certificates) � Either way, a session key is negotiated by IKE

IPsec Payloads CS519 � AH: Authentication Header � Authenticates each packet but doesn’t encrypt � Has fallen out of favor (redundant and no more efficient) � ESP: Encapsulating Security Payload � Encrypts (with authentication as side effect)

IPsec transmission modes: Transport or Tunnel mode CS519 Transport mode. Used when IPsec TCP/UDP Transport tunnel is end-to-end. Operates over IPsec some of the IP fields, and doesn’t ESP or AH work with NAT! IP Tunnel mode. Used when IPsec TCP/UDP Transport tunnel not end-to-end. Hides the IP IP identity of endpoints. Operates IPsec ESP or AH over inner IP fields…can work with IP NAT.

AH header format CS519 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Payload Len | RESERVED | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Parameters Index (SPI) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number Field | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Authentication Data (variable) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ESP header format CS519 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Parameters Index (SPI) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload Data* (variable) | | | | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Padding (0-255 bytes) | +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Pad Length | Next Header | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Authentication Data (variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

New IPsec transmission modes CS519 TCP/UDP Transport IPsec ESP or AH NAT UDP Extra layer of UDP allows IP IPsec to work over NAT. TCP/UDP Transport IP IPsec ESP or AH UDP NAT IP

Client VPNs CS519 VPN Network Client Provider-based Customer-based Provider-based Customer-based L3 L2 Compulsory Voluntary Virtual Router BGP/MPLS ATM Frame Relay Secure LAN Non-secure Secure Non-secure