
Network Access for Remote Users, Dr John S. Graham, ULCC (PowerPoint presentation)



  1. Network Access for Remote Users
     Dr John S. Graham, ULCC
     j.graham@ulcc.ac.uk

  2. Review of Technologies
     • Remote Site
       – Private Leased Lines
         • Kilostream or Megastream Circuits
         • LES
       – ISDN
       – EPS9
       – ISP
     • Remote User
       – Private Dialup Service
       – ISP

  3. Site-to-Site Private Infrastructure

  4. Traditional Dialup Service
     • High Costs
     • Security Guaranteed
     • Support Burden
     • Limited to 56K Analogue Dialup
     • Limited Service

  5. Virtual Private Network
     • Highly Flexible Solution
     • Complex Security Issues
     • Uses Existing Infrastructure

  6. VPN Roadmap (diagram)
     VPN
     • Tunnelling – IP Framework
     • Encryption – Symmetric, Asymmetric
     • Authentication – Endpoints, Data, User

  7. Tunnelling Methods
     • Layer III
       – GRE
       – IPSec
     • Layer II
       – L2F
       – PPTP
       – L2TP

  8. Layer 3 Tunnelling (GRE) (diagram)
     Original packet:      [IP][TCP][Data]
     Encapsulated packet:  [IP][GRE][IP][TCP][Data]
     Inner IP/TCP/Data = passenger protocol; GRE = encapsulating protocol; outer IP = carrier protocol

  9. Tunnelling In Action (diagram)
     [IP][TCP][Data] carried as [IP][GRE][IP][TCP][Data]
     Outer (carrier) header: Source 62.49.38.138, Destination 194.82.103.186
     Inner (passenger) address: 192.168.17.26

  10. Layer 2 Tunnelling (L2TP) (diagram)
     PPP frame:     [PPP][IP][TCP][Data]
     L2TP:          [IP][UDP][L2TP][PPP][IP][TCP][Data]
     L2TP + IPSec:  [IP][ESP][UDP][L2TP][PPP][IP][TCP][Data][ESP trailer]

  11. Layer 2 Tunnelling Modes
     • Compulsory L2 Tunnelling
     • Voluntary L2 Tunnelling

  12. Authentication
     • Peer Identity
       – Shared Secret
       – Digital Certificate
     • Data Integrity
       – Digital Signatures
     • User Identity
       – Kerberos
       – RADIUS

  13. IP Security (IPSec)
     • Protocols
       – Authentication Header
       – Encapsulating Security Payload
       – Internet Key Exchange
     • Modes
       – Tunnel
       – Transport

  14. IPSec Protocols (header layout diagram)
     Authentication Header (51): Next Header | Payload Length | Reserved | SPI | Sequence Number | Authentication Data
     Encapsulating Security Payload (50): SPI | Sequence Number | IV | Data | Pad | Pad Length | Next Header | Authentication Data

  15. IPSec Modes (diagram)
     Tunnel Mode:     [IP][AH/ESP][IP][TCP][Data]
     Transport Mode:  [IP][AH/ESP][TCP][Data]

  16. Equipment at Remote Site
     • ‘Wires Only’ ADSL Connection
       – One Static IP Address
     • Splitter
     • Cisco 827H Router
       – Ethernet hub (4 ports) plus ATM port

  17. Customer Installation

  18. Router Configuration (diagram)
     Packet paths through the router: Ethernet, Routing Table, Tunnel, NAT, IPSec, Dialer (flows labelled A1, A2 and B1, B2, B3)

  19. IPSec Followed by NAT
     • Immutable fields of the outer IP header are included in the AH protocol’s ICV data.
     • Transport mode IPSec renders TCP/UDP checksums invalid.
     • Multiple incompatibilities between SA parameters and NAT.
     http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt
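An added illustration of the first bullet above (example code written for this page, not part of the presentation or any vendor's IPsec stack): a minimal AH sender and receiver using HMAC-SHA1-96, with the outer header's mutable fields zeroed before the ICV is computed. A TTL decrement by an ordinary router still verifies, but a NAT rewriting the outer source address (here from the private 192.168.17.26 to the site's public 62.49.38.138, an assumed mapping) does not. The key and payload are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51   # IP protocol number carried in the outer header for AH
ICV_LEN = 12    # HMAC-SHA1-96 truncates the MAC to 96 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Constructed 20-byte IPv4 header (no options; header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def immutable_view(ip_hdr):
    """Zero the mutable fields (TOS, flags/fragment offset, TTL, checksum)
    as AH does before computing the ICV; addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_packet(key, src, dst, payload, spi=0x100, seq=1):
    """Outer IP header + AH (next hdr 6 = TCP, length 4 words, SPI, seq, ICV) + payload."""
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, len(ah_fixed) + ICV_LEN + len(payload))
    covered = immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, pkt):
    """Receiver side: recompute the ICV; True only if no covered byte changed."""
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    covered = immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    expected = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def nat_rewrite_source(pkt, new_src):
    """What a NAT device does after IPsec: overwrite the outer source address."""
    return pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:]


def decrement_ttl(pkt):
    """An ordinary router hop: TTL is mutable, so AH still verifies afterwards."""
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
```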

  20. Fragmentation Hell

  21. http://www.ja.net/documents/
