Network Access for Remote Users, Dr John S. Graham, ULCC (PowerPoint presentation)

SLIDE 1

Network Access for Remote Users

Dr John S. Graham ULCC j.graham@ulcc.ac.uk

SLIDE 2

Review of Technologies

  • Remote Site
    – Private Leased Lines
      • Kilostream or Megastream Circuits
      • LES
    – ISDN
    – EPS9
    – ISP
  • Remote User
    – Private Dialup Service
    – ISP

SLIDE 3

Site-to-Site Private Infrastructure

SLIDE 4

Traditional Dialup Service

  • High Costs
  • Support Burden
  • Limited to 56K Analogue Dialup
  • Limited Service
  • Security Guaranteed

SLIDE 5

Virtual Private Network

  • Highly Flexible Solution
  • Uses Existing Infrastructure
  • Complex Security Issues

SLIDE 6

VPN Roadmap

[Roadmap diagram: a VPN rests on an IP framework and combines Tunnelling, Encryption (Symmetric, Asymmetric) and Authentication (of Endpoints, Data and User).]

SLIDE 7

Tunnelling Methods

  • Layer III
    – GRE
    – IPSec
  • Layer II
    – L2F
    – PPTP
    – L2TP

SLIDE 8

Layer 3 Tunnelling (GRE)

[Diagram: three nested protocols. Passenger protocol: the original packet (IP | TCP | Data). Encapsulating protocol: a GRE header placed in front of it. Carrier protocol: a new outer IP header in front of the GRE header, giving IP | GRE | IP | TCP | Data on the wire.]

SLIDE 9

Tunnelling In Action

[Diagram: the encapsulated packet (IP | GRE | IP | TCP | Data) in transit through the tunnel. Addresses shown: destination 62.49.38.138, source 192.168.17.26, and 194.82.103.186; the host 192.168.17.26 is labelled at the far end of the tunnel.]

SLIDE 10

Layer 2 Tunnelling (L2TP)

[Diagram: L2TP carries the PPP frame (PPP | IP | TCP | Data) inside UDP, giving IP | UDP | L2TP | PPP | IP | TCP | Data. With L2TP + IPSec the same packet is wrapped in ESP: IP | ESP | UDP | L2TP | PPP | IP | TCP | Data | ESP trailer.]

SLIDE 11

Layer 2 Tunnelling Modes

[Diagram: Compulsory L2 Tunnelling versus Voluntary L2 Tunnelling.]

SLIDE 12

Authentication

  • Peer Identity
    – Shared Secret
    – Digital Certificate
  • Data Integrity
    – Digital Signatures
  • User Identity
    – Kerberos
    – RADIUS

SLIDE 13

IP Security (IPSec)

  • Protocols
    – Authentication Header
    – Encapsulating Security Payload
    – Internet Key Exchange
  • Modes
    – Tunnel
    – Transport

SLIDE 14

IPSec Protocols

Authentication Header (IP protocol 51) fields: Next Header, Payload Length, Reserved, SPI, Sequence Number, Authentication Data.

Encapsulating Security Payload (IP protocol 50) fields: SPI, Sequence Number, IV, Data, Pad, Pad Length, Next Header, Authentication Data.
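The two header layouts on this slide, packed and parsed in Python as an added example (this is not code from the slides or from ULCC). The ICV length and the ESP IV length are fixed by the negotiated SA; the example assumes 12 and 8 bytes, and it leaves the ESP payload unencrypted so the trailer stays readable, which a real implementation never does. All SPI, sequence and payload values are constructed samples.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

PROTO_ESP, PROTO_AH = 50, 51   # IP protocol numbers shown on the slide


@dataclass
class AuthHeader:
    """AH (51): Next Header | Payload Length | Reserved | SPI | Sequence Number | Authentication Data."""
    next_header: int
    spi: int
    sequence: int
    auth_data: bytes      # the ICV; its length is fixed by the SA's integrity algorithm (assumed 12 here)


def pack_ah(ah: AuthHeader) -> bytes:
    if len(ah.auth_data) % 4:
        raise ValueError("ICV must be padded to a multiple of 4 bytes")
    # Payload Length counts 32-bit words of the whole AH minus 2 (the RFC 2402 convention).
    payload_len = (12 + len(ah.auth_data)) // 4 - 2
    return struct.pack("!BBHII", ah.next_header, payload_len, 0, ah.spi, ah.sequence) + ah.auth_data


def parse_ah(data: bytes) -> tuple[AuthHeader, bytes]:
    """Returns the parsed header and the bytes that follow it (the protected payload)."""
    next_header, payload_len, _reserved, spi, sequence = struct.unpack("!BBHII", data[:12])
    total = (payload_len + 2) * 4
    if len(data) < total:
        raise ValueError("truncated AH")
    return AuthHeader(next_header, spi, sequence, data[12:total]), data[total:]


@dataclass
class EspPacket:
    """ESP (50): SPI | Sequence Number | IV | Data | Pad | Pad Length | Next Header | Authentication Data."""
    spi: int
    sequence: int
    iv: bytes
    payload: bytes
    next_header: int
    auth_data: bytes


def pack_esp(pkt: EspPacket, block: int = 4) -> bytes:
    # Data + Pad + Pad Length + Next Header must be a multiple of the cipher block size (4 at minimum).
    pad_len = (-(len(pkt.payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))        # RFC 2406 default padding: 1, 2, 3, ...
    return (struct.pack("!II", pkt.spi, pkt.sequence) + pkt.iv + pkt.payload
            + padding + struct.pack("!BB", pad_len, pkt.next_header) + pkt.auth_data)


def parse_esp(data: bytes, iv_len: int, icv_len: int) -> EspPacket:
    """Only SPI and Sequence Number are parseable without knowing the SA: the trailer position needs
    the ICV length, and Pad Length / Next Header are normally ciphertext. Nothing is encrypted here."""
    spi, sequence = struct.unpack("!II", data[:8])
    body, auth_data = data[8:len(data) - icv_len], data[len(data) - icv_len:]
    iv, rest = body[:iv_len], body[iv_len:]
    pad_len, next_header = rest[-2], rest[-1]
    if pad_len > len(rest) - 2:
        raise ValueError("pad length exceeds payload")
    return EspPacket(spi, sequence, iv, rest[:len(rest) - 2 - pad_len], next_header, auth_data)


def roundtrip() -> tuple[AuthHeader, bytes, EspPacket, int]:
    """Constructed sample values; returns parsed AH, the bytes after it, parsed ESP and ESP wire length."""
    ah = AuthHeader(next_header=6, spi=0x100, sequence=7, auth_data=bytes(12))
    parsed_ah, remainder = parse_ah(pack_ah(ah) + b"tcp segment")
    esp = EspPacket(spi=0x200, sequence=9, iv=bytes(8), payload=b"hello", next_header=6, auth_data=bytes(12))
    wire = pack_esp(esp)
    return parsed_ah, remainder, parse_esp(wire, iv_len=8, icv_len=12), len(wire)
```

The asymmetry between the two parsers is the point of the slide: an AH header is fully readable by any box on the path, whereas for ESP only the SPI and sequence number are, so a middlebox that wants to track or rewrite anything past those eight bytes is working blind.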

SLIDE 15

IPSec Modes

Tunnel Mode:    IP | AH/ESP | IP | TCP | Data   (the whole original packet sits behind a new outer IP header)
Transport Mode: IP | AH/ESP | TCP | Data        (AH/ESP is inserted between the original IP header and its payload)

SLIDE 16

Equipment at Remote Site

  • ‘Wires Only’ ADSL Connection
    – One Static IP Address
  • Splitter
  • Cisco 827H Router
    – Ethernet hub (4 ports) plus ATM port

SLIDE 17

Customer Installation

SLIDE 18

Router Configuration

[Diagram: router configuration showing the Ethernet side, Routing Table, NAT, IPSec Tunnel and Dialer, with ports labelled A1, A2, B1, B2, B3.]

SLIDE 19

IPSec Followed by NAT

  • Immutable fields of the outer IP header are included in the AH protocol’s ICV data.
  • Transport mode IPSec renders TCP/UDP checksums invalid.
  • Multiple incompatibilities between SA parameters and NAT.

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt
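The packet layouts of slides 8, 9 and 15 and the first two points of slide 19, worked through in code as an added example (not code from the slides or from ULCC). It builds a GRE-encapsulated packet and an AH tunnel-mode packet, then applies the source-address rewrite a NAT box performs and shows that the AH ICV no longer verifies and that a TCP checksum no longer matches its pseudo-header. The addresses are the ones drawn on slide 9, with their roles as host, server and tunnel endpoint assumed; 203.0.113.5 is a constructed NAT address, the key is a constructed sample, and the AH ICV is modelled as a truncated HMAC-SHA256 over the fields RFC 2402 treats as immutable, not as a conformant AH implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_GRE, IPPROTO_AH = 6, 47, 51
ICV_LEN = 12   # truncated HMAC, the length the classic HMAC-MD5-96 / HMAC-SHA1-96 transforms use

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; IPv4 headers and TCP both use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]

def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The TCP checksum covers this pseudo-header, i.e. the very addresses a NAT rewrites."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))

def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = internet_checksum(tcp_pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def tcp_checksum_valid(src: str, dst: str, segment: bytes) -> bool:
    return internet_checksum(tcp_pseudo_header(src, dst, len(segment)) + segment) == 0

def gre_encapsulate(passenger: bytes, carrier_src: str, carrier_dst: str) -> bytes:
    """Slide 8: carrier IP | GRE (encapsulating) | passenger IP packet; basic GRE header, no options."""
    gre = struct.pack("!HH", 0, 0x0800)          # flags/version 0, protocol type IPv4
    return ipv4_header(carrier_src, carrier_dst, IPPROTO_GRE, len(gre) + len(passenger)) + gre + passenger

def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the carrier IP and GRE headers, allowing for the optional C/K/S words if flagged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("carrier protocol is not GRE")
    flags = packet[ihl]
    gre_len = 4 + 4 * bool(flags & 0x80) + 4 * bool(flags & 0x20) + 4 * bool(flags & 0x10)
    return packet[ihl + gre_len:]

def ah_icv(outer_ip: bytes, ah_and_payload: bytes, key: bytes) -> bytes:
    """ICV over the outer header with RFC 2402's mutable fields zeroed (TOS, flags/fragment
    offset, TTL, header checksum) plus the AH header (ICV field zeroed) and the payload.
    Source and destination addresses are immutable, so they stay in: slide 19, bullet 1."""
    imm = bytearray(outer_ip)
    for start, stop in ((1, 2), (6, 8), (8, 9), (10, 12)):
        imm[start:stop] = bytes(stop - start)
    return hmac.new(key, bytes(imm) + ah_and_payload, hashlib.sha256).digest()[:ICV_LEN]

def ah_tunnel_packet(inner: bytes, src: str, dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Slide 15 tunnel mode: outer IP | AH | inner IP | TCP | Data."""
    ah_fixed = struct.pack("!BBHII", 4, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)   # next header 4 = IP-in-IP
    outer = ipv4_header(src, dst, IPPROTO_AH, len(ah_fixed) + ICV_LEN + len(inner))
    icv = ah_icv(outer, ah_fixed + bytes(ICV_LEN) + inner, key)
    return outer + ah_fixed + icv + inner

def ah_verify(packet: bytes, key: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    outer, rest = packet[:ihl], packet[ihl:]
    ah_len = (rest[1] + 2) * 4
    icv = rest[12:ah_len]
    return hmac.compare_digest(icv, ah_icv(outer, rest[:12] + bytes(len(icv)) + rest[ah_len:], key))

def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """All a NAT box can do: rewrite the outer source address and repair the IP header checksum."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]

def demo() -> dict:
    key = b"constructed-demo-key"             # constructed sample, not a real SA key
    host, server, endpoint = "192.168.17.26", "62.49.38.138", "194.82.103.186"   # addresses from slide 9
    nat = "203.0.113.5"                       # constructed NAT address (TEST-NET-3)
    segment = tcp_segment(host, server, 40000, 80, b"hello")
    inner = ipv4_header(host, server, IPPROTO_TCP, len(segment)) + segment   # passenger packet
    gre = gre_encapsulate(inner, endpoint, server)                           # slide 9 (roles assumed)
    ah = ah_tunnel_packet(inner, endpoint, server, 0x1000, 1, key)          # slide 15 tunnel mode
    return {
        "gre_roundtrip": gre_decapsulate(gre) == inner,
        "ah_ok_before_nat": ah_verify(ah, key),
        "ah_ok_after_nat": ah_verify(nat_rewrite_source(ah, nat), key),      # slide 19, bullet 1
        # slide 19, bullet 2: in transport mode the NAT changes an address the TCP checksum
        # was computed over, and under ESP it cannot see the checksum to recompute it
        "tcp_ok_before_nat": tcp_checksum_valid(host, server, segment),
        "tcp_ok_after_nat": tcp_checksum_valid(nat, server, segment),
    }
```

Running `demo()` gives `ah_ok_after_nat` and `tcp_ok_after_nat` as False: the NAT has done nothing wrong by its own rules, but the AH receiver computes its ICV over the address the NAT changed, and the TCP checksum the NAT would normally patch is, under ESP, inside the protected payload. That is why the IPSec-then-NAT ordering on the slide cannot work without a NAT-traversal mechanism such as the draft cited above discusses.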

SLIDE 20

Fragmentation Hell

SLIDE 21

http://www.ja.net/documents/