SMC CS 78 - Tunnels and VPN*s

Slide 1: Tunnels and VPN*s
(*virtual private networks)

What's a tunnel?
- encapsulation of data packets in data packets
- inner packets opaque to outer packets' network
- may or may not be encrypted
  – that's outside the "tunnel" definition

Slide 2: Lab experiment topology
- eth0? eth2? eth3? Interface names are enumerated unpredictably and must be determined every swap-in session; the script "nicaddressing" is provided.

Tcpdump of ipip: packet becomes payload
- a ping shoots in one side of the tunnel endpoint ... and out the other
- the capture marks where the IP header starts and where the IP payload starts
- node3's red incoming packet and outgoing payload are IP-identical** (simultaneous)
  ** allowing for TTL decrement and checksum recalc

Slide 3: Lab tunnels you will build
- a grid classifying ssh, stunnel, OpenVPN and IP over IP along two axes: encrypted vs. unencrypted, and non-tunnel channel vs. true tunnel

Tunnels spawn new interfaces
- Virtual (software): tunl0 (ip-ip), tap0 (OpenVPN), ipsec0 (IPSec), ppp0 (ppp-ssh), cipcb1 (CIPE)
- Physical (hardware): eth0, eth1

Slide 4: Using hardware interfaces
[figure: an App sitting above the physical interfaces eth0 and eth1]
(Technical note: the choice of interface by an app is indirect. App source code expresses only an IP address. Downstream, IP software in the network stack maps the address into an interface via the routing table.)

Using software interfaces
[figure: the App, the virtual interface cipcb1, and the physical interfaces eth0 and eth1]
cipcb1:
- looks like an interface to an app
- looks like an app to an interface
- gets to massage traffic passing through

Slide 5: What's a VPN
- a virtual net overlaid on an underlying net
- a private net retaining exclusivity through confidentiality
  – implemented by encryption
  – applying cryptographic methods you have studied

TUNNELS

Slide 6: Tunnel within a network
[figure: nodes A through I; legend: packet stream of protocol X; packet stream of protocol Y; packet stream "X over Y", i.e. "X tunneled in/through Y"]

A packet to be tunneled:
  | Source Address | Destination Address | Data Payload |

Slide 7: Tunnel packet
  | Tunnel Source Address | Tunnel Destination Address | Source Address | Destination Address | Data Payload |
The first two fields are the tunnel header; the tunnel packet's payload is a(nother) packet.

X over Y tunneling: the same layout, where the tunnel header is a packet of protocol Y and the packet it carries is a packet of protocol X.

Slide 8: Another way to draw it ...
  | low-level header | mid-level header | high-level header | payload/cargo/freight |
Each header belongs to a different protocol (X, Y, Z).

Uses of tunneling
- carry payloads over domains where otherwise illegal
  – carry protocols that are illegal
  – carry addresses that are illegal
- apply common services to multiple traffic flows

Slide 9: 'Illegal' protocols over IP
[figure: IPX and/or IPv6 Network A and IPX and/or IPv6 Network B (e.g. Netware and/or IPv6 at each end) joined across IP Network C (e.g. the internet)]

'Illegal' addresses over IP
[figure: Private IP Network A and Private IP Network B (e.g. 192.168...., 172.16.... and/or 10.... at each end) joined across IP Network C (e.g. the internet)]

Slide 10: Applying common services
[figure: IPX Network A and IPX Network B joined across IP Network C (e.g. the internet); crypto and/or compression applied (to the entire tunnel) by e.g. ssh or stunnel (ssl) or OpenVPN or IPSec]

Layer 3 tunneling, example: IP over IP
  | IP header 2 (layer 3) | IP header 1 (layer 3) | payload |

Slide 11: Layer 3 tunneling, example: IPsec
  | IP header 2 (layer 3) | extra "security" header | IP header 1 | payload |

VPNS

Slide 12: Placement-based Architectures
- Site-to-site Intranet VPN
- Remote access VPN

Site-to-site VPN via internet
[figure: Network A and Network B joined across the internet]

Slide 13: Remote access VPN via internet connection
[figure: Network A behind a VPN gateway; a home telecommuter and a road warrior (via ISP/hotel) reach it across the internet]

Lab exercise product 1: IPIP

Slide 14: What is it?
- Conveys an IP packet between machines ... not as a packet ... but as cargo in another packet
- Destination shucks the carrier packet, releases the cargo as a packet into the local networking machinery
- "Tunnel" since one packet "passes through" another
- Implemented in linux by module ipip.o

The analogy shown alongside:
- Conveys a car between states ... not as a car/motor-vehicle ... but as cargo in a boat
- Destination throws away the boat, releases the car as a motor vehicle onto local roadways
- "Tunnel" since one vehicle "passes through" another
- Implemented by Lake Michigan Carferry Service (S.S. Badger)

Slide 15: IP itself is an IP subprotocol
IP Header Format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Protocol field: 4 for IP (6 for TCP, 17 for UDP, 50 for ESP, etc.)

Sample LAN
Local Network – 192.168.1.0        Remote Network – 192.168.2.0
Workstations – A and E; Gateways – B and D
  A 192.168.1.2 --- B (192.168.1.1 / 100.1.1.1) --- "some connection" --- D (200.2.2.2 / 192.168.2.1) --- E 192.168.2.2

Slide 16: "Some connection"
- Could be the internet
- Could be a single intermediate machine
- Equivalent, for the 2 gateways

Sample LAN (expanded)
Local Network – 192.168.1.0        Remote Network – 192.168.2.0
Workstations – A and E; Gateways – B and D; Internet surrogate – C (B's ISP; D's ISP)
  A 192.168.1.2 --- B (192.168.1.1 / 100.1.1.1) --- C (100.1.1.254 / 200.2.2.254) --- D (200.2.2.2 / 192.168.2.1) --- E 192.168.2.2
[figure labels each machine's interfaces as eth0 / eth1]

Slide 17: Wanted: a 2nd bridge to cross
Local Network – 192.168.1.0        Remote Network –
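The IP-in-IP mechanism the slides describe (protocol number 4, the inner packet carried verbatim as the outer packet's payload, and the "IP-identical allowing for TTL decrement and checksum recalc" observation from the tcpdump slide) can be worked through in a few lines. The following is an added example, not code from the deck or from the ipip module; it uses the deck's sample LAN addresses (A 192.168.1.2, E 192.168.2.2, gateways B 100.1.1.1 and D 200.2.2.2), builds a constructed ICMP echo as the inner packet, encapsulates it the way gateway B would, forwards the carrier one hop, and decapsulates it the way gateway D would. Only the pure-Python standard library is used, so no raw sockets or privileges are needed.

```python
# Added example (not from the slide deck): IP-in-IP (protocol 4) encapsulation,
# decapsulation, and the per-hop TTL/checksum change the tcpdump slide points out.
# Addresses come from the deck's sample LAN; the ICMP payload is constructed here.
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4          # Protocol field value "4 for IP" from the header diagram
IHL_BYTES = 20            # minimal IPv4 header, no options


def ones_complement_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IHL_BYTES + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ones_complement_checksum(hdr)     # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header, verify version and checksum, slice out the payload."""
    (ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IHL_BYTES])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IHL_BYTES or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ones_complement_checksum(pkt[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "ihl": ihl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry (gateway B): the whole inner packet becomes the outer payload."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """Tunnel exit (gateway D): shuck the carrier packet, release the cargo."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP (protocol %d)" % hdr["proto"])
    return hdr["payload"]


def forward(pkt: bytes) -> bytes:
    """What every IP hop does: decrement TTL, recompute the header checksum."""
    hdr = parse_ipv4(pkt)
    if hdr["ttl"] <= 1:
        raise ValueError("TTL expired, packet dropped")
    ihl = hdr["ihl"]
    header = bytearray(pkt[:ihl])
    header[8] -= 1                            # TTL is byte 8 of the header
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ones_complement_checksum(bytes(header)))
    return bytes(header) + pkt[ihl:]


def changed_offsets(a: bytes, b: bytes) -> set:
    """Byte offsets at which two equal-length packets differ."""
    return {i for i, (x, y) in enumerate(zip(a, b)) if x != y}


def demo() -> dict:
    # Constructed ICMP echo request from workstation A to workstation E.
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"hello"
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    inner = build_ipv4("192.168.1.2", "192.168.2.2", IPPROTO_ICMP, icmp)
    outer = encapsulate(inner, "100.1.1.1", "200.2.2.2")   # B -> D across "some connection"
    released = decapsulate(forward(outer))                 # one hop at C, then D unwraps
    return {"inner": inner, "outer": outer, "released": released,
            "after_hop": forward(released)}                # D routes it onto 192.168.2.0


if __name__ == "__main__":
    r = demo()
    print("inner header starts at outer offset", parse_ipv4(r["outer"])["ihl"])
    print("released == inner:", r["released"] == r["inner"])
    print("bytes changed by one hop:", sorted(changed_offsets(r["inner"], r["after_hop"])))
```

The hop taken by the carrier packet inside "some connection" touches only the outer header, so the released packet is byte-for-byte the packet A sent; the only bytes that change once D forwards it onto the remote LAN are the TTL (offset 8) and the header checksum (offsets 10 to 11), which is exactly the footnote on the tcpdump slide.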

