VVIRTUALIRTUAL P PRIVATERIVATE N NETWORKSETWORKS

KKARTHIKARTHIK M MOHANASUNDARAMOHANASUNDARAMWWRIGHT RIGHT SSTATE TATE UUNIVERSITYNIVERSITY

AbstractAbstract

The main purpose of this presentation is to discuss the concept of virtual private networks, the reasons that lead to the development of this concept and the technology behind this concept

Evolution of ConceptEvolution of Concept

• The language of the Internet is IP [Internet Protocol]

• Everything travels on top of IP• IP does not provide ‘Security’

• IP packets can be forged and manipulated en route

Virtual Private NetworkVirtual Private Network

• A virtual private network is the extension of a private network that encompasses links across shared or public networks like the internet

• Emulates a point-to-point private link

Continued ..Continued ..

Types of VPN ConnectionTypes of VPN Connection

• Router – to – Router VPN connection

• Intranet based VPN connections

• Internet based VPN connections

• Combined Internet & Intranet VPN’s

• Remote Access VPN connection

Elements of VPN

• VPN Server • VPN Client

• VPN Connection • Tunnel

• Transit Public Network

TunnelingTunneling

• Tunneling is the act of encapsulating ordinary (non-secure) IP packets inside encrypted (secure) IP packets

• Tunneling provides privacy by encrypting everything that goes into and comes out of a secure tunnel

Tunneling ProtocolsTunneling Protocols

• Point-to-point tunneling protocol [PPTP]

• Layer 2 tunneling protocol [L2TP]

• Internet protocol security [IPSec]

Disadvantages of PPTP

• Mainly developed for the windows world

• Developed by Microsoft for creating tunnels in windows NT™

• Built on top of point-to-point protocol• Weak encryption capabilities

Credentials of L2TPCredentials of L2TP

• Proposed by Cisco® Systems• Operates on low level network layer• Runs over UDP as opposed to TCP.

[UDP is a faster,leaner and less-

reliable protocol]• L2TP is “Firewall Friendly”

Credentials of IPSecCredentials of IPSec• Developed by foremost Encryption Experts

• Allows support of multiple encryption algorithms

• Provides an ‘integrity check’ of the IP packets

• Uses Machine Level Certificates, authenticating by Public Key Encryption

• Provides excellent encryption technology due to which L2TP uses IPSec as the default

Deep into IPSecDeep into IPSec

Internet Protocol Security [IPSec] is a suite of

protocols being developed by the IETF that

seemlessly integrate security into IP and

provide data source authentication, data

integrity, confidentiality and protection

Continued ..Continued ..The IPSec suite comprises of :

• Authentication Header [Responsible for authentication the IP Traffic]

• Encapsulating Security Payload [Responsible for encrypting the IP Traffic]

• Key Management [Responsible for several services mainly for managing & exchanging keys]

Authentication HeaderAuthentication Header

• In-between the IP Header and Payload

The AH comprises of :

• Security Parameter Index (SPI)

• Sequence Number

• Authentication Data

Continued ..Continued ..• Security Parameter Index (SPI) informs

the receiver the security protocol used by the sender

• Sequence Number informs the number of

packets sent that use the same parameters

• Authentication Data is the digital

signature of the packet

Continued ..Continued ..

Encapsulating Security PayloadEncapsulating Security Payload

• Handles encryption of IP data at packet level• Comprises of similar features like the

Authentication Header• Provides the additional functionality of

encryption• Does padding of data to ensure proper length

for certain encryption algorithms• Preferred when encryption and authentication

is required

Continued ..Continued ..

Key ManagementKey Management

Duties include :

• Negotiating protocols, algorithms and

keys to be used in the communication

• Verifying the identity of the other party

• Managing and Exchanging keys

Continued ..Continued ..

• The key management protocol is called The Internet Security Association and Key Management Protocol (ISAKMP)/Oakley key exchange protocol

• Handles exchange of symmetric keys between the sender and receiver

ISAKMPISAKMP• Based on Diffie-Hellman model of key

generation• The two parties exchange public keys

and combine with a private key• Allows the SPI to be reformatted at

specific intervals• More secure as the SPI is changed

periodically

Continued ..Continued ..

Methods of Key Exchange:

• Main Mode

• Aggressive Mode

• Quick Mode

Security AssociationSecurity Association

• Keeps track of all details of keys and algorithms of an IPSec session

• Includes information about • AH authentication algorithms

• ESP encryption algorithms and keys lifespan of the keys and

• Method of exchange of keys

Main Mode ISAKMPMain Mode ISAKMP• First Phase of ISAKMP Security

Association• Set’s up the Mechanism for future

communications• Agreement on authentication,

algorithms and keys takes place• Requires three back and forth

exchanges

Continued ..Continued ..Three exchange in Main Mode :• First the two parties agree on

algorithms and hashes for communication

• Second the parties exchange public keys

• Third both the parties verify the identity of the other party

Aggressive & Quick ModeAggressive & Quick Mode

• Same result as the Main mode but

takes only two back and forth

exchanges

• Quick Mode is used to create new

material for generating keys

Example ExchangeExample Exchange

An example key management scheme is shown below :

[root@Codd root]# ipsec auto --up hoare-codd104 "hoare-codd" #1: STATE_MAIN_I1: initiate106 "hoare-codd" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2108 "hoare-codd" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3004 "hoare-codd" #1: STATE_MAIN_I4: ISAKMP SA established112 "hoare-codd" #2: STATE_QUICK_I1: initiate004 "hoare-codd" #2: STATE_QUICK_I2: sent QI2, IPsec SA established[root@Codd root]#

Disadvantages of IPSecDisadvantages of IPSec

• Major drawback is the Network Layer Perspective followed

• Ignorant about the authenticity of people using the setup

• ESP can lead to fragmentation resulting in reduced throughput

Demo of IPSec

• A demonstration has been arranged

using FreeS/WAN which is an IPSec

implementation for Linux.

• The demo demonstrates the gateway-

to-gateway mode of IPSec