VPNs Flashcards
AH
Authentication Header
Protocol Guarantes integrity (connectionless) and authentication of the source of the data. Does not guarantee confidentiality.
SPI: Security assaciation for this datagram (session id and how to verify signature)
Is inserted between IP header and payload.
Routers process datagrams as always, but NAT has problems with it.
ESP
Encapsulating Security Payload
Guarantees authenticity of source, integrity and privacy to IP packets: authenticates and encrypts packet payload.
IKE
Internet Key Exchange Protocol
A IKE SA must be established between A and B to negotiate about the secret keys used in the child SA.
IKE allows preshared secret keys or certificates.
ISAKMP
Internet Security Association Key Management Protocol
It’s an IKE sub-protocol to rinegotiate secrets keys periodically in a secure way.
IPSec VPNs
IPsec tunnel between VPN gateways.
Provides encryption, authentication, encapsulation.
Modes of operation:
- Transport mode: IP header is not fully protected, authenticated if AH is used.
- Tunnel mode: protects both IP header and payload.
IPsec does not define which algorithms should be used to authenticate and encrypt the connection, the two parties agree upon the above negotiating.
Why VPN?
Virtual Private Networks reduce costs:
- Private Networks are expensive:
- Private leased lines
- Long distance dial-up solutions
VPN enables selective and flexible access tocorporate network (services):
- Limited services available to external users
- All intranet functionalities available tocorporate users accessing from the Internet
Access/Remote/Dial-in VPN
One of two VPN flavors.
- Connects terminal to remote network
- Virtualizes (dial-up) access connection
- e.g., ISDN, PSTN, cable, DSL
- PPTP, L2TP
Authentication/Authorization: performed by vpn gw; policies and info of the corp. network.
Address allocation: corp. addr. dynamically allocated, same address as when directly connected.
Security: by vpn gateway if customer provisioned, by provider otherwise.
Site-to-Site VPN
One of two VPN flavors.
- Connect remote networks
- Virtualizes leased line
- IPsec, GRE, MPLS
Intranet VPN
One of two deployment scenarios.
Interconnection of corporate headquarters, remote offices, branch offices, telecommuter, traveling employee
Extranet VPN
One of two deployment scenarios.
Interconnection of customers, suppliers, partners, or communities of interest to a corporate intranet
- -Provide controlled access to an individual customer/partner/provider user
Extranet VPN specific issues
- Gateway positioning (restricted access to network resources from interconnected networks)
- Firewall at the VPN
- Overlapping address spaces between networks connected to the extranet
- NAT
- Open, standard-based solution
- Enables interoperability among different organization
- Traffic control
- Avoid that partner traffic compromises performance on corporate network.
Centralized internet access
Remote branches/users access public IP network only to reach headquarters.
Internet access only from HQ.
VPN carries also traffic to and from the internet.
Centralized access control (firewall)
Distributed internet access
Remote branches/users access the internet through their ip network connection.
VPN is deployed only for corporate traffic.
Deployment models
- Overlay Model
- Peer Model
Internet Access types
- Centralized
- Distributed
VPN Flavors
- Site-to-Site
- Access VPNs
Deployment Scenarios
- Intranet
- Extranet
Overlay Model
Deployment model.
The public network does not participate in realizing the VPN, it just provides means of communication between them.
Each VPN GW knows every other VPN GW.
Routing is performed by the VPN Gateways.
Peer Model
Each VPN gateway interacts with a public router (its peer):
- To exchange routing information
- SP network distributes routing info
- Public network routes traffic between gateways of the same VPN.
VPN Provision
- Customer Provisioned
- Provider Provisioned
Customer Provisioned
Customer (from SP POV), builds and manages the VPN by theirself, tunnels are instantiated between Customer Edges (CE).
Provider Provisioned
Provider implements the solution: owns, configures, mangages devices implementing vpn functionalities.
Traffic belonging to different vpns is separated by the provider devices.
CE may behave as if they were connected to a private network.
PE terminates tunnels.
VPN Components
VPN Topologies
Hub and spoke:
- Each pair of nodes can communicate only through the HQ -> problem: bottlenecks
- Fits data flow of many corporations.
Mesh:
- Large number of tunnels (harder config)
- Optimized routing
VPN Hierarchy
Layer 3 VPN
Layer 3 packets are forwarded through the public network.
Routing based on layer 3 addresses:
- peer: vpn/corporate/customer addresses.
- ovelay: backbone addresses.
CEs are either ip routers or hosts.
Tunneling:
- GRE, IPSec: IP-in-IP
- L2TP, PPTP (based on GRE): layer 2 frame within IP packet.
Tunnelling does not ensure security by itself
Layer 4 VPN
VPN built using TCP connections: tunnels realized by TCP.
Security achieved with SSL/TLS.
Tunnels can possibly be terminated on end systems.
GRE
Generic Routing Encapsulation
Able to encapsulate any protocol inside a virtualized point-to-point links over IP.
Deployed by PPTP.
GRE header sits between IP header and payload.
Campi interessanti:
- CRKS: presence/absence of flags
- strict source routing (s): discarded packet if source routing list is empty and destination hasn’t been reached yet.
- Recur: max number of additional encapsulation permitted.
- Protocol: ID of payload protocol
- Routing: Sequence of router ip addresses for for source routing.
Other mechanisms:
- Flow control (sliding window)
- Out of order packets (discarded bc PPP cannot handle out of order)
- Timeout values: recomputed each time an ack packet is received
- Congestion control:
- Timeout do not cause retrasmission (their value shoud be rapidly increased).
GRE: IPv4 Encapsulation header
Contains also source routing info.
IP address list: source routing information (list of ASs or routers to traverse).
SRE Offset: byte of IP address of current next hop (updated at each source route hop)
SRE Length: total address list length (in bytes).
L2TP
Layer 2 Tunneling protocol
It enables the tunneling of any layer 2 protocol through IP.
The LAC simulates a PPP connection with the corporate server.
- PPP frames arrives to LAC, that instantiate a tunnel L2TP with LNS if not already present.
- To establish connection with LNS, LAC authenticates to the LNS using Challenge Handshake Auth. Prot., creating a new connection.
There are 2 channels for each connection:
- data channel
- control channel: to manage communication, to control the order of the packets and to relay to lost ones.
Notice that PPP frames are always in order and can be lost.
Multiple sessions can exist inside the same tunnel, that share the same control channel.
Security: it does not make sense to use crypto for L2TP packets, since the service provider can see layer 2 frames. Any security measure must be implemented end2end.
Optionally IPSec can be used through the tunnel, even though it’s complicated to configure.
L2TP Header
T: 0 -> data 1 -> control
Ns: sequence number
Nr: sequence number of next control messae
Packet inside L2TP tunnel: list headers
The reason for UDP?
A packet without a layer 4 incapsulation is more likely to be discarded by a firewall.
Also since L2TP wants to be an alternative to PPTP (proposed by OS vendors), L2TP engineers wanted the protocol to be accessible at the application level, not kerenl level, since OS is responsible for layer 3.
PPTP
Point-to-Point Tunneling Protocol
Originally developed for Customer Provisioned Access VPNs, later was expanded for the use in Provider provisioned Access VPNs by adding a PAC (PPTP Access Concetrator) that is similar to a LAC.
Developed by OS vendors, like Microsoft.
PPTP enables the remote user to connects directly to the PPTP network server (PNS).
PPTP doesn’t allow for protocol negotiation, there are optional security measures, like MPPE (crypto protocol by MSFT) and MS CHAP for authentication. For these reasons security is considered poor.
PPTP: packets headers
Data channel:
PPTP ses Enhanced GRE to incapsulate PPP frames in IP. Payload could be encrypted with MPPE.
Control channel:
Control messages are necessary for establishment, management and closure of the connection. Sent at TCP port 1723 (PNS).
VPN Gateway and Firewalls: Positioning
Inside: no inspection of VPN traffic
Prallel: potential uncontrolled access
Outside: most consistent, VPN gw protected by access router.
Integrated: maximum flexibility.
MPLS/BGP VPN Components
PE Routing exchanges info through I-BGP.
VRF table, VPN Routing and Forwarding:
- It is contained in PE routers, they use it to understand to which PE they need to send the packet, then they attach the label referring to it on top of the label for the Customer edge.
- Associated to one or more ports.
- contains forwarding information to be used for traffic received through the port.
Benefits of VRF:
- no addressing plan constraints
- no exchange of info between CEs
- Provider don’t have a virtual backbone per customer.
- VPN can span multiple providers
- Security equivalent to frame relay or atm (traffic isolation but no crypted)
- QoS supported through experimental bits in MPLS header.
Routing exchanges at edges based on MP-BGP: support for different families of adresses.
Route Filtering: PE routers determine which routers to install in VRF.
Support for overlapping addresses: Route Distinguisher + IP address
