Virtual Private Networks (VPN)
Chapters 10, 11, 12
http://sce.uhcl.edu/yang/teaching/.../VPN.ppt

Slide 2: Outline
• The Concept of VPNs: ch. 10
  – VPNs defined
  – Types
• Generic Routing Encapsulation (GRE): ch. 11
• Layer 2 Tunneling Protocol (L2TP): ch. 12
• IPsec VPNs: ch. 13
• Other types of VPNs?

Slide 3: What is VPN?
• A VPN is a means of carrying private traffic over a public network.
• Often used to connect two private networks, over a public network, to form a virtual network.
• The word "virtual" means that, to the users on either end, the two private networks seem to be seamlessly connected to each other.
• That is, they are part of a single virtual private network (although physically they are two separate networks). Implication? Connectivity, security, privacy.
• The VPN should provide the same connectivity and privacy you would find on a typical local private network.

Slide 4: Different Types of VPNs
• Based on encryption:
  – Encrypted VPNs
  – Nonencrypted VPNs
• Based on the OSI model:
  – Data link layer VPNs
  – Network layer VPNs
  – Application layer VPNs
• Based on business functionality:
  – Intranet VPNs
  – Extranet VPNs
• Question: How do we classify 'SSL VPNs' and 'IPsec VPNs'?
  – See OpenVPN and SSL VPN Revolution (or local copy)

Slide 5: Encrypted vs Nonencrypted VPNs
• In encrypted VPNs, encryption mechanisms are used to secure the traffic across the public network.
  – Example: IPsec VPNs
• In nonencrypted VPNs, either data security is not ensured at all, or it is ensured by other means (including encryption at higher layers).
  – Examples: MPLS VPNs (Multiprotocol Label Switching), see the Cisco white paper; GRE-based VPNs (ch. 11), which use higher layer encryption for confidentiality

Slide 6: VPNs at different OSI layers
• The layer where the VPN is constructed affects its functionality.
  – Example: In encrypted VPNs, the layer where encryption occurs determines (i) how much traffic gets encrypted and (ii) the level of transparency for the end users.
• Data link layer VPNs (Layer 2)
  – Example protocols: Frame Relay, ATM
  – Drawbacks:
    • Expensive: requires dedicated Layer 2 pathways
    • May not have complete security: mainly segregation of the traffic, based on the type of Layer 2 connection
  – Q: Is L2TP a layer 2 VPN?

Slide 7: VPNs at different OSI layers
• Network layer VPNs (Layer 3)
  – Created using layer 3 tunneling and/or encryption
    Q: What is the difference between encapsulation and tunneling? See http://computing-dictionary.thefreedictionary.com/tunneling%20protocol
  – Examples: IPsec, GRE, L2TP (tunneling layer 2 traffic by using the IP layer to do that)
  – Advantages:
    • A 'proper' layer
      – Low enough: transparency
      – High enough: IP addressing
    • Cisco focuses on this layer for its VPNs.

Slide 8: VPNs at different OSI layers
• Application layer VPNs
  – Created to "work" specifically with certain applications
  – Examples: SSL-based VPNs (providing encryption between web browsers and servers running SSL); SSH (encrypted and secure login sessions to network devices)
  – Drawbacks:
    • May not be seamless (transparency issue)
  – Counter-argument: OpenVPN and SSL VPN Revolution (Hosner, 2004): "The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. … A VPN is a site-to-site tunnel. … There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. … A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. … A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …"

Slide 9: Other Classification of VPNs?
• Intranet VPNs vs Extranet VPNs
• Remote Access VPNs vs Site-to-site VPNs

Slide 10: Generic Routing Encapsulation (GRE)
• Provides low overhead tunneling (often between two private networks)
• Does not provide encryption
• Used to encapsulate an arbitrary layer protocol over another arbitrary layer protocol: delivery header + GRE header + payload packet
• Mostly IPv4 is the delivery mechanism for GRE, with any arbitrary protocol nested inside; e.g., IP protocol type 47: GRE packets using IPv4 headers
• RFCs:
  – RFC 1701, Generic Routing Encapsulation (GRE), S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (INFORMATIONAL)
  – RFC 2784, Generic Routing Encapsulation (GRE), D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (PROPOSED STANDARD)
  – RFC 2890, Key and Sequence Number Extensions to GRE, G. Dommety, September 2000 (PROPOSED STANDARD)

Slide 11: Generic Routing Encapsulation
• GRE Header (based on RFC 1701, deprecated): Figure 11-2
• GRE Header (based on RFC 2784 & 2890): Figure 11-4
• C = 1: checksum present
• Checksum: to ensure the integrity of the GRE header and the payload packet; contains a checksum of the GRE header and the payload packet
• Key:
  – contains a number to prevent misconfiguration of packets;
  – may be used to identify individual traffic flows within a tunnel;
  – not the same as a cryptographic key

Slide 12: Generic Routing Encapsulation
• Summary:
  – GRE mainly performs 'tunneling'.
  – Does not provide a means to securely encrypt its payload.
  – Often relies on the application layer to provide encryption.
  – May be used together with network layer encryption (such as IPsec).
• Example 1: use GRE to encapsulate non-IP traffic and then encrypt the GRE packet using
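As an added worked example (not code from the slides, the textbook chapters or the course), the Python below builds the three-part structure from slide 10, delivery header + GRE header + payload packet, with IPv4 protocol number 47 as the delivery mechanism, and decodes the RFC 2784/2890 header fields from slide 11 (the C flag and Checksum, the Key, the Sequence Number). Everything specific is an assumption: the endpoints 10.0.0.1 and 10.0.0.2, the Key value 42, the IPX Ethertype 0x8137 standing in for "non-IP traffic", and the payload bytes are all constructed sample values.

```python
"""Added example (not from the slides or course): build and parse GRE packets.

Header layout follows RFC 2784 / RFC 2890: 4-byte base header (flags/version +
Protocol Type), then optional Checksum+Reserved1, Key and Sequence Number words,
then the payload packet. The delivery header is IPv4 with protocol 47.
All addresses, keys and payloads here are constructed sample values.
"""
import socket
import struct

GRE_C = 0x8000            # Checksum Present
GRE_K = 0x2000            # Key Present (RFC 2890)
GRE_S = 0x1000            # Sequence Number Present (RFC 2890)
GRE_VERSION_MASK = 0x0007
IPPROTO_GRE = 47          # protocol number in the IPv4 delivery header
ETHERTYPE_IPX = 0x8137    # Protocol Type used below for a non-IP (IPX) payload


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto_type: int, *, key=None, seq=None,
              with_checksum=False) -> bytes:
    """Encapsulate `payload`: GRE header + payload packet (no delivery header yet)."""
    flags = 0
    if with_checksum:
        flags |= GRE_C
    if key is not None:
        flags |= GRE_K
    if seq is not None:
        flags |= GRE_S
    header = struct.pack("!HH", flags, proto_type)      # version bits stay 0
    if with_checksum:
        header += struct.pack("!HH", 0, 0)              # Checksum (filled below), Reserved1
    if key is not None:
        header += struct.pack("!I", key)                # tunnel/flow identifier, not a crypto key
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if with_checksum:
        # The checksum covers the whole GRE header plus payload, with the field itself zeroed.
        csum = internet_checksum(packet)
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def parse_gre(packet: bytes) -> dict:
    """Decode the GRE header; checksum_ok is None when no checksum was present."""
    flags, proto_type = struct.unpack_from("!HH", packet, 0)
    if (flags & GRE_VERSION_MASK) != 0:
        raise ValueError("unsupported GRE version")
    info = {"proto_type": proto_type, "checksum_ok": None, "key": None, "seq": None}
    offset = 4
    if flags & GRE_C:
        (csum,) = struct.unpack_from("!H", packet, offset)
        zeroed = packet[:offset] + b"\x00\x00" + packet[offset + 2:]
        info["checksum_ok"] = internet_checksum(zeroed) == csum
        offset += 4                                     # skip Checksum + Reserved1
    if flags & GRE_K:
        (info["key"],) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if flags & GRE_S:
        (info["seq"],) = struct.unpack_from("!I", packet, offset)
        offset += 4
    info["payload"] = packet[offset:]
    return info


def build_ipv4_delivery(src: str, dst: str, gre_packet: bytes, ttl: int = 64) -> bytes:
    """Prepend the IPv4 delivery header (protocol 47) to a GRE packet."""
    total_len = 20 + len(gre_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IPPROTO_GRE, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + gre_packet


def decapsulate(datagram: bytes) -> dict:
    """Receiver side: validate the delivery header, then decode the GRE header."""
    if datagram[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    if internet_checksum(datagram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return parse_gre(datagram[ihl:])


def tunnel_accepts(datagram: bytes, expected_key: int) -> bool:
    """Accept only well-formed packets whose Key matches this tunnel (misconfiguration guard)."""
    try:
        info = decapsulate(datagram)
    except (ValueError, struct.error, IndexError):
        return False
    if info["checksum_ok"] is False:
        return False
    return info["key"] == expected_key


if __name__ == "__main__":
    inner = b"constructed non-IP payload"              # stands in for an IPX frame
    gre = build_gre(inner, ETHERTYPE_IPX, key=42, seq=1, with_checksum=True)
    datagram = build_ipv4_delivery("10.0.0.1", "10.0.0.2", gre)   # constructed endpoints
    print(decapsulate(datagram))
    print(tunnel_accepts(datagram, expected_key=42), tunnel_accepts(datagram, expected_key=7))
```

Two points the code makes concrete for the slide 12 summary: the GRE checksum is a plain one's-complement sum, so it catches transmission corruption but offers no protection against deliberate modification (an attacker who can change the payload can recompute it), and the Key is a 32-bit tunnel identifier sent in the clear, not a secret. Confidentiality and authenticated integrity have to come from IPsec around the GRE packet or from encryption at a higher layer, exactly as the slides say.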
UHCL CSCI 5235 - Virtual Private Networks