SLIDE 1

Routerlab: Tunneling

Thorben Krüger

Original slides by Philipp S. Tiesel and Franziska Lichtblau

June 1, 2016

SLIDE 2

1 Overview
2 L2/L3/L4 VPN
    IPSec
    OpenVPN
3 Other tunneling technologies

SLIDE 3

Overview

SLIDE 4

Tunneling: Use cases

  • Secure communication (encryption and authentication)
  • Connecting discontiguous network segments
  • Enabling telecommuting
  • Bypass restrictive firewalls and proxies
  • Transition technology (IPv6 over IPv4)
  • Traffic engineering

SLIDE 5

What is tunneling?

  • Embed one protocol inside another protocol
  • Establishes a logical (overlay) link across the network
  • Virtual Private Network
  • What can be tunneled... through what...
    – IP over IP
    – IP over UDP
    – TCP over SSH
    – See RFC 1217 for an escalation of this idea...

SLIDE 6

L2/L3/L4 VPN

SLIDE 7

Overview

  • MPLS establishes label-switched tunnels (between layer 2 and layer 3, often called "layer 2.5") based on labels assigned to packets
  • IPSec provides encryption and authentication at the IP packet level
  • OpenVPN is a point-to-point tunneling technology which can be used in bridged or routed networks
  • PPPoE is a link layer protocol for encapsulating PPP frames inside Ethernet frames

SLIDE 8

IPSec

SLIDE 9

Basics

  • Encryption and authentication of IP packets on layer 3
  • Usually used as a tunneling technology, even though an established connection is not strictly necessary (transport mode protects individual packets between two hosts)
  • Initially envisioned (notably by the FreeS/WAN project) to enable opportunistic encryption between arbitrary Internet nodes
  • Implementations: strongSwan, Openswan/Libreswan, FreeS/WAN (these are the IKE daemons; the packet processing itself lives in the kernel)

SLIDE 10

Authentication Header

  • Ensures integrity and authenticity of IP packets
  • Inserts a header into the IP packet carrying an Integrity Check Value (ICV), a keyed MAC over the packet's contents
  • Also protects the immutable fields of the IP header (mutable fields such as TTL and the header checksum are zeroed before the MAC is computed)
  • Caution: using AH through NAT needs extra consideration, as NAT rewrites authenticated header fields (source/destination address), so the ICV check fails at the receiver
  • IPSec in AH mode without encryption is possible, but rarely used on purpose (only where integrity without confidentiality is wanted)

SLIDE 11

Encapsulating Security Payload

  • Responsible for encryption of IP packets
  • Provides authenticity as well, but the source and destination IP addresses are not covered by the ICV (which is why ESP, unlike AH, survives NAT)
  • IP spoofing is prevented by authenticating the communication endpoints when the tunnel (the Security Association) is established

SLIDE 12

Tunnel mode

  • Entire IP packet is protected by IPSec
  • New IP header is wrapped "around" the old packet
  • Original IP header not visible
  • Commonly used between gateways with ESP enabled

  New IP Header | ESP Header | Original IP Header | TCP/UDP | Data | ESP Trailer | ESP Auth Trailer
                             |<-------------- encrypted with ESP ---------------->|
                |<----------------- signed by ESP Auth Trailer (ICV) ------------->|

SLIDE 13

Transport mode

  • Original IP header used for encapsulation (not encrypted)
  • Usually used for end-to-end security
  • IPSec is running on the end hosts

  Original IP Header | ESP Header | TCP/UDP | Data | ESP Trailer | ESP Auth Trailer
                                  |<------- encrypted with ESP ------->|
                     |<--------- signed by ESP Auth Trailer (ICV) ----->|

  The original IP header is moved to the front (its protocol field now says ESP) and the ESP header is inserted between it and the transport payload.
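To make the two packet layouts concrete, here is an added Python example (not part of the original slides) that builds ESP packets in tunnel mode and in transport mode, verifies the ICV before decrypting, and shows why a NAT rewriting the outer source address does not break ESP while any change to the ESP-protected bytes does. Keys, SPIs and addresses are assumed values; the keystream generator is a stand-in (HMAC-SHA-256 in counter mode) for the AES transform a real SA would negotiate, and the anti-replay window follows the RFC 4303 sliding-window scheme.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 16  # HMAC-SHA-256-128: the MAC is truncated to 128 bits (RFC 4868)


def _checksum(data):
    """IPv4 header checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _keystream(key, spi, seq, n):
    """Stand-in keystream: HMAC-SHA-256 in counter mode keyed by (SPI, seq).
    A real SA would use AES-CBC or AES-GCM here; the ESP framing is the point."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header):
    """ESP header | encrypt(payload | padding | pad_len | next_header) | ICV."""
    pad_len = (-(len(payload) + 2)) % 4            # pad so the trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    ks = _keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    header = struct.pack("!II", spi, seq)           # SPI and sequence number travel in the clear
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(enc_key, auth_key, esp):
    """Check the ICV before touching the ciphertext; returns (spi, seq, next_header, payload)."""
    header, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", header)
    ks = _keystream(enc_key, spi, seq, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


def tunnel_mode(enc_key, auth_key, spi, seq, gw_src, gw_dst, inner_ip_packet):
    """Gateway to gateway: the whole inner IP packet is the ESP payload (next header 4 = IP-in-IP)."""
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, inner_ip_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def transport_mode(enc_key, auth_key, spi, seq, src, dst, segment, proto=IPPROTO_TCP):
    """End to end: the original IP header stays in front; only the transport segment is protected."""
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, segment, proto)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def receive(enc_key, auth_key, packet):
    """Strip the outer IPv4 header. Its addresses are not covered by the ICV, so NAT does not break ESP."""
    ihl = (packet[0] & 0x0F) * 4
    return esp_decapsulate(enc_key, auth_key, packet[ihl:])


def nat_rewrite_src(packet, new_src):
    """What a NAT does on the way: rewrite the outer source address and fix the IP checksum."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", _checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


class ReplayWindow:
    """Sliding anti-replay window over the ESP sequence number (RFC 4303 style, 64 packets wide)."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                            # 0 is never a valid sequence number
        if seq > self.top:                          # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                            # older than the window: drop
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                            # already seen: replay
        self.bitmap |= bit
        return True


# Constructed sample: a TCP SYN (20-byte header, no data) from 10.0.0.5 to 10.0.1.9,
# carried between the gateways 198.51.100.1 and 203.0.113.7. Keys are assumed, not negotiated.
ENC_KEY, AUTH_KEY = b"\x11" * 32, b"\x22" * 32
SEGMENT = bytes.fromhex("c350005000000001000000005002ffff00000000")
INNER = ipv4_header("10.0.0.5", "10.0.1.9", IPPROTO_TCP, len(SEGMENT)) + SEGMENT
```

The order in `esp_decapsulate` matters: the ICV is checked over the ciphertext before anything is decrypted, so a forged or modified packet is dropped without the decryptor ever running on attacker-controlled data. Passing a tunnel-mode packet through `nat_rewrite_src` still decapsulates cleanly, which is the practical reason ESP (usually with UDP encapsulation) rather than AH is what runs through NATs.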

SLIDE 14

IKE - Internet Key Exchange

  • Security Associations (SAs): the security policy for communication between two entities (algorithms, keys, SPI, lifetime) has to be defined
  • Key management protocol: exchange of keys for encryption and authentication over unsecured channels (authenticated Diffie-Hellman)
  • Manages Security Associations for IPSec
  • IKE for IPSec is not mandatory (SAs can be keyed manually), but widely used
    – Automatic negotiation of specific parameters
    – CA support
    – Ability to change encryption keys during an IPSec session (rekeying)

SLIDE 15

OpenVPN

SLIDE 16

OpenVPN: Basics

  • SSL/TLS based user-space VPN: works on various devices/platforms
  • Works based on virtual network interfaces
  • Layer 2 (TAP mode) & Layer 3 (TUN mode)
  • Encapsulation in UDP or TCP

SLIDE 17

Layer 3: TUN Mode

  • Virtual point-to-point link
  • End points have a tunX interface
  • TUN interfaces get IP addresses out of the same subnet
  • Communication is routed through these interfaces

SLIDE 18

Layer 2: TAP Mode

  • Use case: merge two Ethernet broadcast domains
  • Bridging mode: packet forwarding based on layer 2 addresses
  • Forwarding between the virtual TAP devices and a bridge to the local LAN
  • Used when applications running over the VPN rely on network broadcast (like online games)

SLIDE 19

Encapsulation

  • OpenVPN traffic is wrapped in UDP (TCP possible as well)
  • Arbitrary ports can be used, which makes it easy to get through restrictive firewalls
  • Nearly no problems with NATs

SLIDE 20

Encryption and Authentication

  • Based on OpenSSL for encryption, key exchange, ...
  • PSK (pre-shared key), SSL/TLS certificates, username/password
  • Authentication based on the X.509 certificate chain (peer certificates are verified against the configured CA)
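An added example of what the TUN-mode setup and the certificate-based authentication from the last slides look like in practice (this is not the course's own configuration; host names, file names and the 10.8.0.0/24 tunnel subnet are assumed, OpenVPN 2.4+ syntax). The client-side `remote-cert-tls server` is the line people forget: without it, any holder of a valid client certificate from the same CA can impersonate the server.

```conf
# server.conf
# layer 3 (TUN) point-to-point tunnel; "dev tap" would give the layer 2 variant
dev tun
proto udp
port 1194
# TUN endpoints on both sides get addresses out of this one subnet
server 10.8.0.0 255.255.255.0
topology subnet
ca ca.crt
cert server.crt
key server.key
# ECDHE for the key exchange instead of static DH parameters
dh none
# encrypt and authenticate the control channel; unauthenticated packets are dropped before TLS runs
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# peers must present a certificate carrying the client EKU, and must present one at all
remote-cert-tls client
verify-client-cert require
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun

# client.conf
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# reject a "server" that only holds a client certificate from the same CA
remote-cert-tls server
verify-x509-name vpn.example.com name
```

With `server 10.8.0.0 255.255.255.0` and `topology subnet` the server's tun0 becomes 10.8.0.1 and each client gets another address from the same /24, so ordinary routes (`push "route ..."` on the server, or static routes on the client) carry traffic into the tunnel, exactly as the TUN-mode slide describes.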

SLIDE 21

IPSec vs. OpenVPN

  • Traditionally: OpenVPN easier to deploy, works "out of the box"
  • Today: modern IPSec implementations are up to the task as well
  • Virtual interfaces of OpenVPN make ordinary routing possible
  • IPSec works based on SAs and corresponding policies

SLIDE 22

Other tunneling technologies

SLIDE 23

IPv6 Transition technologies

  • Problem: You want to adopt IPv6 as a future technology, but nobody is using IPv6 yet...
  • Possible solution: Wrap your new IPv6 packets in IPv4 packets and send them through the existing Internet
    – 6to4: No explicit tunnel setup; IPv6 carried directly in IPv4 (protocol 41), communication with native IPv6 via relay routers
    – Teredo: IPv6 traffic encapsulated in IPv4-based UDP datagrams (also works through NAT)
    – ...
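Both transition mechanisms encode IPv4 information inside the IPv6 address, which is what lets them work without any tunnel setup and is also what makes them easy to spot on the wire. The following is an added Python example (not from the slides) that derives a 6to4 prefix, decides where a 6to4 router sends a packet (peer site or relay anycast), and encodes/decodes a Teredo address; all addresses used are documentation addresses and the Teredo server and port are assumed values.

```python
import ipaddress
import struct

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")            # RFC 3056
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 (deprecated by RFC 7526)
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")            # RFC 4380
TEREDO_UDP_PORT = 3544


def sixto4_prefix(public_ipv4):
    """The /48 a 6to4 site derives from its public IPv4 address: 2002:V4ADDR::/48."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network("2002:%04x:%04x::/48" % (v4 >> 16, v4 & 0xFFFF))


def sixto4_embedded_ipv4(addr):
    """Recover the IPv4 address embedded in bits 16..47 of a 6to4 address."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4_PREFIX:
        raise ValueError("not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def sixto4_next_hop(dst):
    """Where the protocol-41 packet goes: straight to the peer site if the destination is itself
    6to4, otherwise to the nearest relay router via the anycast address. No tunnel is ever set up."""
    v6 = ipaddress.IPv6Address(dst)
    return sixto4_embedded_ipv4(v6) if v6 in SIXTO4_PREFIX else SIXTO4_RELAY_ANYCAST


def teredo_encode(server_ipv4, cone_nat, mapped_port, client_ipv4):
    """Teredo address: prefix | server IPv4 | flags | ~port | ~client IPv4.
    Port and client address are XORed with all ones so NATs do not rewrite them by accident."""
    flags = 0x8000 if cone_nat else 0
    packed = (TEREDO_PREFIX.network_address.packed[:4]
              + ipaddress.IPv4Address(server_ipv4).packed
              + struct.pack("!HH", flags, mapped_port ^ 0xFFFF)
              + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client_ipv4).packed))
    return ipaddress.IPv6Address(packed)


def teredo_decode(addr):
    """Invert teredo_encode: reveals the Teredo server, the client's public IPv4 and its NAT-mapped UDP port."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in TEREDO_PREFIX:
        raise ValueError("not a Teredo address")
    raw = v6.packed
    flags, obfuscated_port = struct.unpack("!HH", raw[8:12])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone_nat": bool(flags & 0x8000),
        "mapped_port": obfuscated_port ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
    }
```

Two practitioner consequences follow from the address arithmetic: a Teredo address in a log line gives away the client's public IPv4 address and its external NAT port, and an IPv4-only firewall that wants to keep these tunnels out has to block IP protocol 41 (6to4/6in4) and UDP port 3544 (Teredo) explicitly, because the inner IPv6 traffic is otherwise invisible to its rules.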

SLIDE 24

IPv6 Transition technologies

  • Problem: You have migrated your access provider network to IPv6, but many endpoints in the Internet only have IPv4...
  • Possible solution: Use tunneling and NAT to allow hosts in an IPv6-only network to use IPv4 (DS-Lite, RFC 6333)
    – Let the CPE assign IPv4 RFC 1918 addresses to the end hosts and announce itself as default gateway
    – The CPE/B4 then encapsulates all IPv4 packets in IPv6 and sends them to the Address Family Transition Router (AFTR)
    – The AFTR decapsulates the IPv4 packets and NATs them to a global unicast IPv4 address
    – This way, providers can run IPv6 only in the backbone while still offering IPv4 services to customers
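The four steps above, carried through as an added Python example (not part of the original slides): the B4 wraps an IPv4 packet in an IPv6 header with next header 4, and the AFTR checks that the packet is really a softwire packet addressed to it, decapsulates, and source-NATs it. The AFTR's NAT table is keyed by the B4's IPv6 address, which is the detail that lets two customers both use 192.168.1.10 without colliding. The IPv6 addresses, the public IPv4 address and the sample packet are constructed for the example; the transport-layer checksum fix-up of a real CGN is omitted.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # next header value for IPv4 carried inside IPv6 (RFC 2473)


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header: version 6, no traffic class or flow label."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def b4_encapsulate(b4_addr, aftr_addr, ipv4_packet):
    """B4 element in the CPE: wrap each IPv4 packet in IPv6 and send it down the softwire to the AFTR."""
    return ipv6_header(b4_addr, aftr_addr, IPPROTO_IPIP, len(ipv4_packet)) + ipv4_packet


def _checksum(data):
    """IPv4 header checksum (header length is always a multiple of 4, so no padding needed)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_fields(pkt):
    """(ihl, protocol, src, dst, sport, dport) of an IPv4 packet; ports only for TCP/UDP."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) else (None, None)
    return ihl, proto, str(src), str(dst), sport, dport


class AFTR:
    """Address Family Transition Router: terminates the softwire and runs a carrier-grade NAT whose
    table is keyed by the B4's IPv6 address, so overlapping RFC 1918 ranges behind different
    customers do not collide."""

    def __init__(self, public_ipv4, aftr_addr, first_port=1024):
        self.public_ipv4 = ipaddress.IPv4Address(public_ipv4)
        self.aftr_addr = ipaddress.IPv6Address(aftr_addr)
        self.mappings = {}          # (b4 address, private src, src port) -> public port
        self.next_port = first_port

    def decapsulate(self, packet):
        """Accept only IPv4-in-IPv6 addressed to this AFTR; returns (b4 address, inner IPv4 packet)."""
        if packet[0] >> 4 != 6 or packet[6] != IPPROTO_IPIP:
            raise ValueError("not a DS-Lite softwire packet")
        if ipaddress.IPv6Address(packet[24:40]) != self.aftr_addr:
            raise ValueError("not addressed to this AFTR")
        payload_len, = struct.unpack("!H", packet[4:6])
        return str(ipaddress.IPv6Address(packet[8:24])), packet[40:40 + payload_len]

    def translate(self, packet):
        """Decapsulate and source-NAT the inner packet to the AFTR's public IPv4 address."""
        b4, inner = self.decapsulate(packet)
        ihl, proto, src, _dst, sport, _dport = ipv4_fields(inner)
        if sport is None:
            raise ValueError("only TCP/UDP handled here; ICMP would need query-id based mappings")
        key = (b4, src, sport)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        out = bytearray(inner)
        out[12:16] = self.public_ipv4.packed
        out[ihl:ihl + 2] = struct.pack("!H", self.mappings[key])
        out[10:12] = b"\x00\x00"
        out[10:12] = struct.pack("!H", _checksum(bytes(out[:ihl])))
        # A real CGN also fixes the TCP/UDP checksum (pseudo-header includes the address); omitted here.
        return bytes(out), self.mappings[key]


# Constructed sample: IPv4/UDP 192.168.1.10:5000 -> 203.0.113.5:53, 8-byte UDP header, no payload.
# The IPv4 header checksum is left at zero in the sample; translate() recomputes it anyway.
SAMPLE_IPV4 = bytes.fromhex("4500001c00010000401100" "00" "c0a8010a" "cb007105" "1388003500080000")
AFTR_ADDR = "2001:db8:ffff::1"   # assumed AFTR address (documentation prefix)
```

The `decapsulate` checks are the security-relevant part: an AFTR that accepts any IPv6 packet with next header 4 becomes an open IPv4 relay, so it should only terminate softwires from its own customers' B4 addresses and only for packets addressed to its softwire address.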

SLIDE 25

Layer 2 tunneling: MPLS

  • MPLS: Establishes tunnels between network segments just above layer 2 (often called "layer 2.5")
  • Packets get a 32-bit shim header (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL); the forwarding decision is based only on the label
  • Each label corresponds to a virtual link (similar to VLANs)
  • Avoids the complexity of IP-based routing in the core
  • Is used in wide-area provider backbones (not only in local LANs like VLANs)

SLIDE 26

Cellular Backhaul: GTP

  • GPRS Tunneling Protocol (GTP): used for many different purposes in a GPRS / EPC core network
  • Used to encapsulate cellular user data traffic (GTP-U) and control traffic (GTP-C)
  • Basic building block to allow mobility
  • Runs over UDP (GTP-U on port 2152, GTP-C on port 2123)
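Both of the last two slides describe an encapsulation that is just a small fixed header in front of the inner packet. As an added Python example (not from the slides), here is a parser for the MPLS label stack and for the GTPv1-U header, plus the acceptance check a GTP-U endpoint has to perform on a G-PDU: the TEID must belong to a known session, and the user payload must not itself be GTP-U (the "GTP-in-GTP" pattern). Labels, TEIDs and the inner IPv4 packets are constructed sample data.

```python
import struct

GTPU_UDP_PORT = 2152
GTP_G_PDU = 255                     # message type: user data (T-PDU) inside the tunnel


def mpls_entry(label, tc=0, bos=False, ttl=64):
    """One 32-bit MPLS shim entry: 20-bit label | 3-bit TC | bottom-of-stack bit | 8-bit TTL."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def parse_mpls_stack(data):
    """Walk the label stack until the bottom-of-stack bit; returns (entries, payload after the stack)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        word, = struct.unpack("!I", data[off:off + 4])
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "bos": bool((word >> 8) & 1), "ttl": word & 0xFF})
        off += 4
        if entries[-1]["bos"]:
            return entries, data[off:]


def guess_mpls_payload(payload):
    """MPLS carries no protocol field; a router knows the payload type from what the label was
    assigned for. Sniffers fall back to the IP version nibble, as done here."""
    if not payload:
        return "empty"
    return {4: "ipv4", 6: "ipv6"}.get(payload[0] >> 4, "unknown")


def parse_gtpv1u(data):
    """GTPv1-U header: flags | type | length | TEID [| seq | N-PDU | next-ext] [extension headers].
    Returns the TEID, message type, optional sequence number and the encapsulated payload."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    if not flags & 0x10:
        raise ValueError("GTP' (charging) header, not GTP")
    end = 8 + length                              # length counts everything after the mandatory 8 bytes
    off, seq = 8, None
    if flags & 0x07:                              # E, S or PN set: the 4 optional bytes are present
        seq = struct.unpack("!H", data[8:10])[0] if flags & 0x02 else None
        next_ext, off = data[11], 12
        while flags & 0x04 and next_ext != 0:     # extension header chain, lengths in 4-byte units
            ext_len = data[off] * 4
            next_ext = data[off + ext_len - 1]
            off += ext_len
    return {"type": msg_type, "teid": teid, "seq": seq, "payload": data[off:end]}


def accept_gpdu(parsed, known_teids):
    """A G-PDU is only valid for a TEID of an established session, and its user payload
    must not be another GTP-U packet (GTP-in-GTP would re-enter the core from the user plane)."""
    if parsed["type"] != GTP_G_PDU or parsed["teid"] not in known_teids:
        return False
    inner = parsed["payload"]
    if len(inner) >= 28 and inner[0] >> 4 == 4 and inner[9] == 17:      # IPv4 carrying UDP
        ihl = (inner[0] & 0x0F) * 4
        dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
        if dport == GTPU_UDP_PORT:
            return False
    return True


def gtpv1u_gpdu(teid, payload, seq=None):
    """Build a G-PDU; with a sequence number the S flag and the 4 optional bytes are added."""
    if seq is None:
        return struct.pack("!BBHI", 0x30, GTP_G_PDU, len(payload), teid) + payload
    optional = struct.pack("!HBB", seq, 0, 0)      # seq, N-PDU number, next extension type (none)
    return struct.pack("!BBHI", 0x32, GTP_G_PDU, len(payload) + 4, teid) + optional + payload


# Constructed samples: a header-only IPv4 packet, and an IPv4/UDP packet aimed at GTP-U port 2152.
INNER_IPV4 = bytes.fromhex("4500001400010000400000000a0000010a000002")
NESTED_GTPU = bytes.fromhex("4500001c00010000401100000a0000010a000002" "1234086800080000")
```

The same parser shape (fixed header, a few flag-dependent optional fields, then "the rest is the inner packet") recurs across tunneling protocols; what differs is how much the receiver must validate before trusting the inner packet. For MPLS that is essentially nothing, because labels are only meaningful inside one provider's domain; for GTP-U, which crosses operator boundaries on roaming interfaces, the TEID and inner-protocol checks in `accept_gpdu` are the minimum.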

SLIDE 27

Thank you

Any Questions?
