v irtual p rivate n etworks k arthik m ohanasundaram w right s tate u niversity
DESCRIPTION
Evolution of Concept The language of the Internet is IP [Internet Protocol] Everything travels on top of IP IP does not provide ‘Security’ IP packets can be forged and manipulated en routeTRANSCRIPT
VVIRTUALIRTUAL P PRIVATERIVATE N NETWORKSETWORKS
KKARTHIKARTHIK M MOHANASUNDARAMOHANASUNDARAMWWRIGHT RIGHT SSTATE TATE UUNIVERSITYNIVERSITY
AbstractAbstract
The main purpose of this presentation is to discuss the concept of virtual private networks, the reasons that lead to the development of this concept and the technology behind this concept
Evolution of ConceptEvolution of Concept
• The language of the Internet is IP [Internet Protocol]
• Everything travels on top of IP• IP does not provide ‘Security’
• IP packets can be forged and manipulated en route
Virtual Private NetworkVirtual Private Network
• A virtual private network is the extension of a private network that encompasses links across shared or public networks like the internet
• Emulates a point-to-point private link
Continued ..Continued ..
Types of VPN ConnectionTypes of VPN Connection
• Router – to – Router VPN connection
• Intranet based VPN connections
• Internet based VPN connections
• Combined Internet & Intranet VPN’s
• Remote Access VPN connection
Elements of VPN
• VPN Server • VPN Client
• VPN Connection • Tunnel
• Transit Public Network
TunnelingTunneling
• Tunneling is the act of encapsulating ordinary (non-secure) IP packets inside encrypted (secure) IP packets
• Tunneling provides privacy by encrypting everything that goes into and comes out of a secure tunnel
Tunneling ProtocolsTunneling Protocols
• Point-to-point tunneling protocol [PPTP]
• Layer 2 tunneling protocol [L2TP]
• Internet protocol security [IPSec]
Disadvantages of PPTP
• Mainly developed for the windows world
• Developed by Microsoft for creating tunnels in windows NT™
• Built on top of point-to-point protocol• Weak encryption capabilities
Credentials of L2TPCredentials of L2TP
• Proposed by Cisco® Systems• Operates on low level network layer• Runs over UDP as opposed to TCP.
[UDP is a faster,leaner and less-
reliable protocol]• L2TP is “Firewall Friendly”
Credentials of IPSecCredentials of IPSec• Developed by foremost Encryption Experts
• Allows support of multiple encryption algorithms
• Provides an ‘integrity check’ of the IP packets
• Uses Machine Level Certificates, authenticating by Public Key Encryption
• Provides excellent encryption technology due to which L2TP uses IPSec as the default
Deep into IPSecDeep into IPSec
Internet Protocol Security [IPSec] is a suite of
protocols being developed by the IETF that
seemlessly integrate security into IP and
provide data source authentication, data
integrity, confidentiality and protection
Continued ..Continued ..The IPSec suite comprises of :
• Authentication Header [Responsible for authentication the IP Traffic]
• Encapsulating Security Payload [Responsible for encrypting the IP Traffic]
• Key Management [Responsible for several services mainly for managing & exchanging keys]
Authentication HeaderAuthentication Header
• In-between the IP Header and Payload
The AH comprises of :
• Security Parameter Index (SPI)
• Sequence Number
• Authentication Data
Continued ..Continued ..• Security Parameter Index (SPI) informs
the receiver the security protocol used by the sender
• Sequence Number informs the number of
packets sent that use the same parameters
• Authentication Data is the digital
signature of the packet
Continued ..Continued ..
Encapsulating Security PayloadEncapsulating Security Payload
• Handles encryption of IP data at packet level• Comprises of similar features like the
Authentication Header• Provides the additional functionality of
encryption• Does padding of data to ensure proper length
for certain encryption algorithms• Preferred when encryption and authentication
is required
Continued ..Continued ..
Key ManagementKey Management
Duties include :
• Negotiating protocols, algorithms and
keys to be used in the communication
• Verifying the identity of the other party
• Managing and Exchanging keys
Continued ..Continued ..
• The key management protocol is called The Internet Security Association and Key Management Protocol (ISAKMP)/Oakley key exchange protocol
• Handles exchange of symmetric keys between the sender and receiver
ISAKMPISAKMP• Based on Diffie-Hellman model of key
generation• The two parties exchange public keys
and combine with a private key• Allows the SPI to be reformatted at
specific intervals• More secure as the SPI is changed
periodically
Continued ..Continued ..
Methods of Key Exchange:
• Main Mode
• Aggressive Mode
• Quick Mode
Security AssociationSecurity Association
• Keeps track of all details of keys and algorithms of an IPSec session
• Includes information about • AH authentication algorithms
• ESP encryption algorithms and keys lifespan of the keys and
• Method of exchange of keys
Main Mode ISAKMPMain Mode ISAKMP• First Phase of ISAKMP Security
Association• Set’s up the Mechanism for future
communications• Agreement on authentication,
algorithms and keys takes place• Requires three back and forth
exchanges
Continued ..Continued ..Three exchange in Main Mode :• First the two parties agree on
algorithms and hashes for communication
• Second the parties exchange public keys
• Third both the parties verify the identity of the other party
Aggressive & Quick ModeAggressive & Quick Mode
• Same result as the Main mode but
takes only two back and forth
exchanges
• Quick Mode is used to create new
material for generating keys
Example ExchangeExample Exchange
An example key management scheme is shown below :
[root@Codd root]# ipsec auto --up hoare-codd104 "hoare-codd" #1: STATE_MAIN_I1: initiate106 "hoare-codd" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2108 "hoare-codd" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3004 "hoare-codd" #1: STATE_MAIN_I4: ISAKMP SA established112 "hoare-codd" #2: STATE_QUICK_I1: initiate004 "hoare-codd" #2: STATE_QUICK_I2: sent QI2, IPsec SA established[root@Codd root]#
Disadvantages of IPSecDisadvantages of IPSec
• Major drawback is the Network Layer Perspective followed
• Ignorant about the authenticity of people using the setup
• ESP can lead to fragmentation resulting in reduced throughput
Demo of IPSec
• A demonstration has been arranged
using FreeS/WAN which is an IPSec
implementation for Linux.
• The demo demonstrates the gateway-
to-gateway mode of IPSec