
CS519: Computer Networks
Lecture 8: Apr 21, 2004
VPNs

VPN Taxonomy
(Figure: a tree, reconstructed here as an indented list; the Secure / Non-secure leaves are the children of the two customer-based branches.)
VPN
- Client
  - Provider-based: Compulsory
  - Customer-based: Voluntary
    - Secure
    - Non-secure
- Network
  - Provider-based
    - L2: ATM, Frame Relay, LAN
    - L3: Virtual Router, BGP/MPLS
  - Customer-based
    - Secure
    - Non-secure

What is a VPN?
- Making a shared network look like a private network
- Why do this?
  - Private networks have all kinds of advantages (we'll get to that)
  - But building a private network is expensive (cheaper to have shared resources rather than dedicated)

History of VPNs
- Originally a telephone network concept
  - Separated offices could have a phone system that looked like one internal phone system
- Benefits?
  - Fewer digits to dial
  - Could have different tariffs
    - Company didn't have to pay for individual long distance calls
  - Came with own blocking probabilities, etc.
    - Service guarantees better (or worse) than public phone service

Original data VPNs
- Lots of different network technologies in those days
  - Decnet, Appletalk, SNA, XNS, IPX, …
  - None of these were meant to scale to global proportions
  - Virtually always used in corporate settings
- Providers offer virtual circuits between customer sites
  - Frame Relay or ATM
  - A lot cheaper than dedicated leased lines
- Customer runs whatever network technology over these
- These still exist (but being replaced by IP VPNs)

Advantages of original data VPNs
- Repeat: a lot cheaper than dedicated leased lines
  - Corporate users had no other choice
  - This was the whole business behind frame-relay and ATM services
- Fine-grained bandwidth tariffs
- Bandwidth guarantees
  - Service Level Agreements (SLA)
- "Multi-protocol"

Frame Relay VPN Example
(Figure: a mesh of Frame Relay switches with customer equipment attached at the edges. CE = Customer Equipment, FR = Frame Relay.)

Define circuits CE to CE (for given customer: purple)
(Figure: the same network; for one customer, circuits 24, 31 and 12 are provisioned between CE1, CE2, CE3 and CE4.)

Customer establishes routing tables (per protocol)
(Figure: the same network; the routing table shown, with destinations CE2 to CE4, is CE1's.)
  dest   circuit
  CE2    24
  CE3    12
  CE4    31

Provider provisions underlying network
(Figure: the same network.) Provider does queuing analysis of load through each link, determines throughput characteristics, gives service guarantees to customers accordingly.

How has the world changed?
- Everything is IP now
  - Some old stuff still around, but most data networks are just IP
- So, why do we still care about VPNs???

IP VPN benefits
- IP not really global (private addresses)
  - VPN makes separated IP sites look like one private IP network
- Security
- Bandwidth guarantees across ISP
  - QoS, SLAs
- Simplified network operation
  - ISP can do the routing for you

Client VPNs
(The taxonomy slide is repeated here with the Client branch highlighted.)
- Solves problem of how to connect remote hosts to a firewalled network
  - Security and private addresses benefits only
  - Not simplicity or QoS benefits

Client VPNs
(Figure: a site, i.e. a private network, with site hosts behind a combined FW/VPN box; remote hosts across the Internet reach the site through IPsec tunnels.)

Client VPNs: Configuration
(Figure.) The remote host is configured with:
  VPN IP addr: 20.1.1.1
  User name: joe
  Password: Rtu44!+3wyZ
The FW/VPN at 20.1.1.1 holds the user database:
  joe: Rtu44!+3wyZ
  sally: 5Yee#34hB!2
More likely an AAA or LDAP backend has the passwords.

Client VPNs: Host gets local IP address
(Figure.) The remote host gets its local address, 30.1.1.1, from its local router via DHCP. The FW/VPN is at 20.1.1.1, with the AAA server behind it.

Client VPNs: Host connects to VPN
(Figure.) The remote host (30.1.1.1) opens an IPsec session to the FW/VPN (20.1.1.1). The VPN authenticates the remote host through the backend database (RADIUS or LDAP).

Client VPNs: VPN assigns site address
(Figure.) The VPN assigns the remote host a site address, 10.1.1.1, as a proprietary enhancement to IPsec, or with PPP (over IPsec).

Client VPNs: Packets tunneled over IPsec
(Figure.) The inner packet runs from 10.1.1.1 (the remote host's site address) to 10.1.1.2 (a site host) and is carried unchanged through the FW/VPN to the site host. The outer IPsec tunnel header is labelled 30.1.1.1 and 20.1.1.2 on the slide.

Client VPNs: Packets tunneled over IPsec (with a public host)
(Figure: the remote host also talks to a public host, with the two possible paths marked "Not this" and "This".) Some VPN clients are smart enough to avoid sending non-VPN traffic through the VPN tunnel.

IPsec
- Two parts: Session Establishment (key exchange) and Payload
- IKE/ISAKMP is session establishment
  - Negotiate encryption algorithms
  - Negotiate payload headers (AH, ESP)
  - Negotiate policies
- Keying can be either:
  - Symmetric shared keys
  - Public keys (in certificates)
- Either way, a session key is negotiated by IKE

IPsec Payloads
- AH: Authentication Header
  - Authenticates each packet but doesn't encrypt
  - Has fallen out of favor (redundant and no more efficient)
- ESP: Encapsulating Security Payload
  - Encrypts (with authentication as side effect)

IPsec transmission modes: Transport or Tunnel mode
Transport mode packet layout:  IP | IPsec (ESP or AH) | TCP/UDP | Transport payload
  Used when IPsec tunnel is end-to-end. Operates over some of the IP fields, and doesn't work with NAT!
Tunnel mode packet layout:  IP | IPsec (ESP or AH) | IP | TCP/UDP | Transport payload
  Used when IPsec tunnel not end-to-end. Hides the IP identity of endpoints. Operates over inner IP fields… can work with NAT.

AH header format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Header  |  Payload Len  |           RESERVED            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Security Parameters Index (SPI)                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Sequence Number Field                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                      Authentication Data                      |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
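As an added example (not part of the lecture), the following Python models the AH header format above and the transport-mode NAT caveat: it builds the header with Payload Len counted in 32-bit words minus 2, computes an HMAC-SHA1-96 ICV over the immutable IPv4 fields, the AH with its ICV zeroed and the payload, and then shows that a router decrementing TTL leaves the ICV valid while a NAT rewriting the source address does not. Assumptions: IPv4 without options, no anti-replay window, and a constructed key standing in for the session key that IKE would negotiate.

```python
import hashlib, hmac, socket, struct

def ipv4_header(src, dst, total_len, proto=51, ttl=64):
    """Minimal 20-byte IPv4 header, protocol 51 = AH; checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_ipv4(hdr):
    """Zero the IPv4 fields AH leaves out of the ICV (TOS, flags/fragment
    offset, TTL, checksum); source and destination addresses stay covered."""
    h = bytearray(hdr[:20])
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_fixed(next_header, spi, seq, icv):
    # Payload Len = AH length in 32-bit words minus 2: a 12-byte ICV gives
    # a 24-byte (6-word) header, so the field carries 4.
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def ah_icv(key, ip_hdr, next_header, spi, seq, payload):
    """HMAC-SHA1-96 over immutable IP fields + AH (ICV zeroed) + payload."""
    covered = (zero_mutable_ipv4(ip_hdr)
               + ah_fixed(next_header, spi, seq, b"\x00" * 12) + payload)
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]

def build_ah_packet(key, src, dst, next_header, spi, seq, payload):
    ip_hdr = ipv4_header(src, dst, 20 + 24 + len(payload))
    icv = ah_icv(key, ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_fixed(next_header, spi, seq, icv) + payload

def verify_ah_packet(key, pkt):
    """Locate the ICV via Payload Len and recompute it; True only if intact."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    expected = ah_icv(key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected)

def nat_rewrite_src(pkt, new_src):
    """What a NAT does on the way out: rewrite the source address."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]

def decrement_ttl(pkt):
    """What every router does; TTL is mutable, so AH does not cover it."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
KEY = b"constructed-demo-key"  # stands in for the session key IKE negotiates
PKT = build_ah_packet(KEY, "30.1.1.1", "20.1.1.1", 6, 0x1000, 1, b"hello")
```

The same packet passes `verify_ah_packet` after `decrement_ttl` but fails after `nat_rewrite_src`, which is exactly why the slide says transport-mode AH doesn't work with NAT.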
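As a second added example (again not the lecture's own code), this Python sketches the client VPN slides above in tunnel-mode terms: the remote host (local address 30.1.1.1, assigned site address 10.1.1.1) wraps site-bound packets in an outer header to the FW/VPN at 20.1.1.1, sends other traffic directly when split tunnelling is on (the slide's "This" path), and the gateway strips the outer header only after checking that the inner source is the site address this client was assigned. Assumptions: the ESP/AH layer itself is left out and the IP-in-IP protocol number stands in for it; the 10.1.1.0/24 site prefix is constructed from the slide addresses.

```python
import ipaddress
import socket
import struct

SITE_PREFIX = ipaddress.ip_network("10.1.1.0/24")  # assumed site prefix
LOCAL_ADDR, VPN_ADDR, SITE_ADDR = "30.1.1.1", "20.1.1.1", "10.1.1.1"
IPPROTO_IPIP = 4  # stand-in for the IPsec (ESP/AH) layer, omitted here

def ipv4_header(src, dst, total_len, proto, ttl=64):
    """Minimal IPv4 header; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))

def addrs(pkt):
    """(source, destination) of an IPv4 packet."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def client_send(dst, payload, proto=6, split_tunnel=True):
    """Packet the remote host puts on its local link. Site-bound traffic is
    sourced from the assigned site address and wrapped in a tunnel-mode outer
    header to the VPN gateway; with split tunnelling, other destinations go
    straight out from the local address (the slide's "This" path)."""
    if split_tunnel and ipaddress.ip_address(dst) not in SITE_PREFIX:
        return ipv4_header(LOCAL_ADDR, dst, 20 + len(payload), proto) + payload
    inner = ipv4_header(SITE_ADDR, dst, 20 + len(payload), proto) + payload
    # Real IPsec inserts ESP/AH between outer and inner header; omitted here.
    return ipv4_header(LOCAL_ADDR, VPN_ADDR, 20 + len(inner), IPPROTO_IPIP) + inner

def gateway_receive(pkt):
    """FW/VPN side: accept only tunnel packets addressed to the gateway, strip
    the outer header, and drop inner packets whose source is not the site
    address this client was assigned (so it cannot impersonate site hosts)."""
    if addrs(pkt)[1] != VPN_ADDR or pkt[9] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this gateway")
    inner = pkt[20:]
    if addrs(inner)[0] != SITE_ADDR:
        raise ValueError("inner source is not the assigned site address")
    return inner
```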
CORNELL CS 5190 - Lecture 8: VPNs