Routerlab: Tunneling, Thorben Krüger (original slides by Philipp S. Tiesel and Franziska Lichtblau) - PowerPoint PPT Presentation


  1. Routerlab: Tunneling. Thorben Krüger; original slides by Philipp S. Tiesel and Franziska Lichtblau. June 1, 2016

  2. Outline
     1. Overview
     2. L2/L3/L4 VPN: IPSec, OpenVPN
     3. Other tunneling technologies

  3. Overview

  4. Tunneling: Use cases
     • Secure communication (encryption and authentication)
     • Connecting discontiguous network segments
     • Enabling telecommuting
     • Bypassing restrictive firewalls and proxies
     • Transition technology (IPv6 over IPv4)
     • Traffic engineering

  5. What is tunneling?
     • Embedding one protocol inside another protocol
     • Establishing logical layers across the network
     • Virtual Private Network (VPN)
     • What can be tunneled through what:
       – IP over IP
       – IP over UDP
       – TCP over SSH
       – See RFC 1217 for an escalation of this idea...

  6. L2/L3/L4 VPN

  7. Overview
     • MPLS establishes layer 2 tunnels based on labels assigned to packets
     • IPSec provides encryption and authentication at the IP packet level (layer 3)
     • OpenVPN is a point-to-point tunneling technology that can be used in bridged (layer 2) or routed (layer 3) networks
     • PPPoE is a link layer protocol for encapsulating PPP frames inside Ethernet frames

  8. IPSec

  9. Basics
     • Encryption and authentication of IP packets on layer 3
     • Usually used as a tunneling technology, even though IPSec itself is packet-based and does not require an established connection
     • Initially designed to enable opportunistic encryption between Internet nodes
     • Implementations: strongSwan, Openswan/Libreswan, FreeS/WAN

  10. Authentication Header (AH)
     • Ensures integrity and authenticity of IP packets
     • Inserts a header into the IP packet that carries a cryptographic checksum (the ICV, an HMAC) over the packet's contents
     • Protects the non-mutable fields of the IP datagram; mutable fields such as TTL, TOS and the header checksum are zeroed before the ICV is computed
     • Caution: using AH through NAT needs extra consideration, because NAT rewrites authenticated header fields (the IP addresses), so the receiver's ICV check fails
     • AH alone, i.e. IPSec without encryption, is possible but rarely used deliberately

  11. Encapsulating Security Payload (ESP)
     • Responsible for encryption of IP packets
     • Provides authenticity as well, but the outer src and dst IP addresses are not part of the checksum (which is why ESP, unlike AH, survives NAT)
     • Prevents IP spoofing through authentication of the communication end points when the tunnel is established

  12. Tunnel mode
     • The entire IP packet is protected by IPSec
     • A new IP header is wrapped "around" the old packet
     • The original IP header is not visible on the wire
     • Commonly used between gateways with ESP enabled

     Packet layout in tunnel mode:
       | New IP Header | ESP Header | Original IP Header | TCP/UDP Header | Data | ESP Trailer | ESP Auth Trailer |
       Encrypted with ESP:   Original IP Header ... ESP Trailer
       Signed by ESP (ICV):  ESP Header ... ESP Trailer (the new IP header is not covered)

  13. Transport mode
     • The original IP header is used for encapsulation (not encrypted); it is moved to the front of the packet
     • Usually used for end-to-end security
     • IPSec runs on the end hosts

     Packet layout in transport mode:
       | Original IP Header | ESP Header | TCP/UDP Header | Data | ESP Trailer | ESP Auth Trailer |
       Encrypted with ESP:   TCP/UDP Header ... ESP Trailer
       Signed by ESP (ICV):  ESP Header ... ESP Trailer (the original IP header is not covered)
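The following is an added example, not part of the original slides, that builds the AH and ESP packets from slides 10 through 13 byte by byte so that the NAT caveat can be checked rather than asserted. The integrity check is a real HMAC-SHA-256-128 as in RFC 4868; the encryption, however, is a toy HMAC-derived keystream standing in for AES (an assumption made so the block runs with the standard library only), so the byte layout is faithful but the cipher is not. Keys, addresses and the TCP segment are constructed; the IPv4 header checksum is left at zero for brevity.

```python
"""Added example (not from the slides): AH and ESP framing in transport and
tunnel mode, and the integrity-check coverage behind the NAT caveat.  The ICV
is a real HMAC-SHA-256-128 (RFC 4868); the "encryption" is a toy HMAC-derived
keystream standing in for AES.  Keys, addresses and the segment are constructed."""
import hashlib, hmac, struct

AH, ESP, TCP, IPIP = 51, 50, 6, 4        # IP protocol numbers
AUTH_KEY = b"A" * 32                     # constructed demo keys
ENC_KEY = b"E" * 32
ICV_LEN = 16                             # HMAC-SHA-256-128: MAC truncated to 128 bits

def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; header checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ip4(src), ip4(dst))

def icv(data: bytes) -> bytes:
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:ICV_LEN]

# ---- AH (proto 51): the ICV also covers the IP header, mutable fields zeroed ----
def ah_coverage(ip_hdr: bytes) -> bytes:
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS/DSCP
    h[6:8] = b"\0\0"         # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\0\0"       # header checksum
    return bytes(h)          # source/destination addresses (bytes 12..19) stay covered

def ah_transport(src, dst, proto, payload, spi=0x1000, seq=1):
    ah_len = 12 + ICV_LEN
    ip = ipv4_header(src, dst, AH, ah_len + len(payload))
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    ah = struct.pack("!BBHII", proto, ah_len // 4 - 2, 0, spi, seq)
    tag = icv(ah_coverage(ip) + ah + b"\0" * ICV_LEN + payload)
    return ip + ah + tag + payload

def ah_verify(pkt: bytes) -> bool:
    ip, ah, tag, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(tag, icv(ah_coverage(ip) + ah + b"\0" * ICV_LEN + payload))

# ---- ESP (proto 50): the ICV covers SPI..trailer only, never the outer IP header ----
def keystream(spi, seq, n):
    """Toy CTR-style keystream from HMAC: a stand-in for AES, not a real cipher."""
    blocks = [hmac.new(ENC_KEY, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def esp_encap(inner, next_hdr, spi=0x2000, seq=1):
    pad_len = (-(len(inner) + 2)) % 4                            # RFC 4303 trailer alignment
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    hdr = struct.pack("!II", spi, seq)
    ct = bytes(p ^ k for p, k in zip(plain, keystream(spi, seq, len(plain))))
    return hdr + ct + icv(hdr + ct)

def esp_decap(esp: bytes):
    """Return (next_header, inner bytes), or None when the ICV does not verify."""
    hdr, ct, tag = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(hdr + ct)):
        return None
    spi, seq = struct.unpack("!II", hdr)
    plain = bytes(c ^ k for c, k in zip(ct, keystream(spi, seq, len(ct))))
    pad_len, next_hdr = plain[-2], plain[-1]
    return next_hdr, plain[:-(pad_len + 2)]

def esp_tunnel(gw_src, gw_dst, original_pkt):
    """Tunnel mode: whole original packet inside ESP, new outer header, next header = IP-in-IP."""
    esp = esp_encap(original_pkt, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def esp_transport(src, dst, proto, payload):
    """Transport mode: original header stays in front (proto becomes 50), only the payload is wrapped."""
    esp = esp_encap(payload, proto)
    return ipv4_header(src, dst, ESP, len(esp)) + esp

def nat_rewrite(pkt: bytes, new_src: str) -> bytes:
    """What a NAT router on the path does to the outer header: new source, TTL minus one."""
    h = bytearray(pkt[:20])
    h[12:16] = ip4(new_src)
    h[8] -= 1
    return bytes(h) + pkt[20:]

def demo() -> dict:
    seg = b"\x00\x50\x1f\x90" + b"constructed TCP segment"
    host_pkt = ipv4_header("10.0.0.5", "10.1.0.7", TCP, len(seg)) + seg
    ah = ah_transport("10.0.0.5", "10.1.0.7", TCP, seg)
    tun = nat_rewrite(esp_tunnel("198.51.100.1", "203.0.113.1", host_pkt), "192.0.2.9")
    inner = esp_decap(tun[20:])
    return {
        "ah_ok": ah_verify(ah),
        "ah_ok_after_nat": ah_verify(nat_rewrite(ah, "192.0.2.9")),   # address change breaks the ICV
        "esp_tunnel_ok_after_nat": inner == (IPIP, host_pkt),         # outer header is not covered
        "inner_src_preserved": inner is not None and inner[1][12:16] == ip4("10.0.0.5"),
        "transport_len": len(esp_transport("10.0.0.5", "10.1.0.7", TCP, seg)),
    }
```

`demo()` shows the two facts from slides 10 and 11 side by side: the AH packet verifies before NAT and fails after it, because the source address is inside the ICV coverage while only TTL and checksum are exempt; the ESP tunnel packet still decapsulates to the untouched inner packet after the same rewrite, because ESP authenticates from the SPI to the trailer and leaves the outer header alone. For a real deployment the keystream must be replaced with the SA's negotiated cipher (AES-GCM in practice), and the header checksum must be computed.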

  14. IKE - Internet Key Exchange
     • Security Associations (SAs): the security policies for communication between entities need to be defined
     • Key management protocol: exchange of keys for encryption and authentication over unsecured channels
     • Manages the Security Associations (SAs) for IPSec
     • IKE is not mandatory for IPSec (SAs can be configured manually), but it is widely used:
       – Automatic negotiation of the specific parameters (algorithms, lifetimes)
       – CA support
       – Ability to change (rekey) encryption keys during an IPSec session

  15. OpenVPN

  16. OpenVPN: Basics
     • SSL/TLS-based user-space VPN: works on many devices/platforms
     • Works with virtual network interfaces
     • Layer 2 (TAP mode) and layer 3 (TUN mode)
     • Encapsulation in UDP or TCP

  17. Layer 3: TUN mode
     • Virtual point-to-point link
     • End points have a tunX interface
     • The TUN interfaces get IP addresses from the same subnet
     • Traffic is routed through these interfaces

  18. Layer 2: TAP mode
     • Use case: merge two Ethernet broadcast domains
     • Bridging mode: packet forwarding based on layer 2 (MAC) addresses
     • Forwarding between the virtual TAP devices, which are bridged to the local LAN
     • Used when applications running over the VPN rely on network broadcasts (like online games)

  19. Encapsulation
     • OpenVPN traffic is wrapped in UDP datagrams (default port 1194); TCP is possible as well
     • Can listen on arbitrary ports (e.g. TCP 443), which makes it easy to pass restrictive firewalls
     • Nearly no problems with NATs

  20. Encryption and Authentication
     • Based on OpenSSL for encryption, key exchange, ...
     • PSK (pre-shared static key), SSL/TLS certificates, username/password
     • Authentication based on the SSL/TLS certificate chain
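The following configuration is an added example illustrating slides 16 through 20; it is not taken from the slides or from the OpenVPN project. The hostname vpn.example.com, the certificate file names, the 10.8.0.0/24 tunnel subnet and the 192.168.10.0/24 LAN are assumptions. All directives shown are standard OpenVPN 2.4+ options.

```conf
# --- server.conf: routed, layer-3 TUN mode (slide 17) ---
port 1194
proto udp
dev tun
# server takes 10.8.0.1, every client gets an address from the same subnet on its tunX
server 10.8.0.0 255.255.255.0
# LAN behind the server, reached by ordinary routing through tun0
push "route 192.168.10.0 255.255.255.0"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC-authenticate and encrypt the control channel; unauthenticated packets are dropped
# before any TLS state is allocated
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
# reject a client that presents a certificate without the client EKU
remote-cert-tls client
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup

# --- client.conf ---
client
dev tun
proto udp
remote vpn.example.com 1194
# verify the server EKU and CN, otherwise any client certificate signed by the
# same CA could impersonate the server
remote-cert-tls server
verify-x509-name vpn.example.com name
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
nobind
persist-key
persist-tun

# --- layer-2 TAP variant of the server (slide 18): replace "dev tun" and "server ..." ---
# tap0 must already be enslaved to a bridge together with the LAN NIC
dev tap0
server-bridge 192.168.10.1 255.255.255.0 192.168.10.200 192.168.10.220
```

The two `remote-cert-tls` lines are the check that distinguishes "authentication based on the certificate chain" from merely "signed by our CA": without them every certificate the CA has ever issued is acceptable in either role.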

  21. IPSec vs. OpenVPN
     • Traditionally: OpenVPN easier to deploy, works "out of the box"
     • Today: modern IPSec implementations are up to the task as well
     • The virtual interfaces of OpenVPN make ordinary routing possible
     • IPSec works based on SAs and corresponding policies

  22. Other tunneling technologies

  23. IPv6 transition technologies
     • Problem: you want to adopt IPv6 as a future technology, but nobody is using IPv6 yet...
     • Possible solution: wrap your new IPv6 packets in IPv4 packets and send them through the existing Internet
       – 6to4: no explicit tunnel setup (IPv6 directly in IPv4, protocol 41), communication via relay routers
       – Teredo: IPv6 traffic encapsulated in IPv4-based UDP datagrams (so it also works through NAT)
       – ...

  24. IPv6 transition technologies
     • Problem: you have migrated your access provider network to IPv6, but many endpoints in the Internet only have IPv4...
     • Possible solution: use tunneling and NAT to let hosts in an IPv6-only network use IPv4: DS-Lite (RFC 6333)
       – The CPE assigns RFC 1918 IPv4 addresses to the end hosts and announces itself as their default gateway
       – The CPE (the B4, "Basic Bridging BroadBand" element) then encapsulates all IPv4 packets in IPv6 and sends them to the Address Family Transition Router (AFTR)
       – The AFTR decapsulates the IPv4 packets and NATs them to a global unicast IPv4 address
       – This way, providers can run IPv6 in the backbone while still offering IPv4 services to customers
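As an added example, not from the slides, the DS-Lite data path above in miniature. Packets are plain Python dataclasses instead of wire bytes, because the point is the address handling: the AFTR must key its NAT state on the B4's IPv6 softwire address as well as the inner IPv4 source and port, since every customer's CPE hands out the same RFC 1918 space. All addresses, the port pool and the payload strings are constructed; the AFTR class and its method names are this example's own.

```python
"""Added example (not from the slides): a DS-Lite B4/AFTR data path in miniature.
The AFTR's NAT key includes the B4's IPv6 address, which is what lets every
customer reuse 10.0.0.0/8 behind one shared public IPv4 address.  Addresses,
port pool and payloads are constructed."""
from dataclasses import dataclass
from typing import Optional

AFTR_V6 = "2001:db8::1"      # tunnel endpoint the CPE/B4 sends to
AFTR_V4 = "192.0.2.10"       # one global IPv4 address shared by all customers


@dataclass(frozen=True)
class IPv4Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    payload: str


@dataclass(frozen=True)
class IPv6Pkt:                # softwire packet: IPv6 header carrying IPv4 (next header 4, RFC 6333)
    src: str
    dst: str
    inner: IPv4Pkt


def b4_encap(b4_v6: str, pkt: IPv4Pkt) -> IPv6Pkt:
    """CPE/B4: every customer IPv4 packet goes into the tunnel toward the AFTR unchanged."""
    return IPv6Pkt(src=b4_v6, dst=AFTR_V6, inner=pkt)


class AFTR:
    def __init__(self, first_port: int = 40000):
        self.out = {}            # (b4_v6, inner_src, sport) -> public port
        self.back = {}           # public port -> (b4_v6, inner_src, sport)
        self.next_port = first_port

    def outbound(self, tun: IPv6Pkt) -> Optional[IPv4Pkt]:
        """Decapsulate and NAT: private source becomes AFTR_V4 plus a port from the pool."""
        if tun.dst != AFTR_V6:
            return None
        p = tun.inner
        key = (tun.src, p.src, p.sport)   # B4 address disambiguates overlapping 10.0.0.0/8 customers
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return IPv4Pkt(AFTR_V4, p.dst, self.out[key], p.dport, p.payload)

    def inbound(self, p: IPv4Pkt) -> Optional[IPv6Pkt]:
        """Reverse NAT and re-encapsulate toward the B4 that owns the mapping."""
        key = self.back.get(p.dport)
        if p.dst != AFTR_V4 or key is None:
            return None              # no mapping: unsolicited traffic to the shared address is dropped
        b4_v6, inner_src, sport = key
        return IPv6Pkt(AFTR_V6, b4_v6, IPv4Pkt(p.src, inner_src, p.sport, sport, p.payload))


def demo():
    aftr = AFTR()
    # two customers whose CPEs both handed out 10.0.0.2, both opening source port 5000
    a = IPv4Pkt("10.0.0.2", "203.0.113.5", 5000, 80, "GET / from A")
    b = IPv4Pkt("10.0.0.2", "203.0.113.5", 5000, 80, "GET / from B")
    pub_a = aftr.outbound(b4_encap("2001:db8:a::1", a))
    pub_b = aftr.outbound(b4_encap("2001:db8:b::1", b))
    reply_to_b = IPv4Pkt("203.0.113.5", AFTR_V4, 80, pub_b.sport, "200 OK for B")
    return aftr, pub_a, pub_b, aftr.inbound(reply_to_b)
```

Running `demo()` gives both customers the same public address with different ports, and the reply addressed to B's port is tunneled back to B's B4 only. The operational consequences follow directly from the key: the AFTR holds per-flow state for every customer (port exhaustion and logging requirements live there), and a customer's traffic can only be attributed by AFTR logs that record the B4 address together with the public port, not by the public address alone.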

  25. Layer 2 tunneling: MPLS
     • MPLS establishes tunnels at layer 2 level between different network segments
     • Packets get a 32-bit MPLS shim header (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL); the forwarding decision is based only on the label
     • Each label corresponds to a virtual link (similar to VLANs)
     • Avoids the complexity of IP-based routing in the core
     • Used across carrier networks spanning the Internet, not only in local LANs like VLANs
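As an added example, not from the slides, a parser for the MPLS label stack and the swap/pop step a label-switching router performs on the top entry. It shows the "forwarding only based on labels" point concretely: the payload after the bottom-of-stack entry is carried as opaque bytes and never inspected. The incoming label map, the router names and the payload are constructed.

```python
"""Added example (not from the slides): parsing an MPLS label stack and doing
the label swap or pop that a label-switching router performs on the top entry.
Each stack entry is the 32-bit shim header: 20-bit label, 3-bit traffic class,
bottom-of-stack (S) bit, 8-bit TTL.  The incoming label map and the payload
are constructed; the payload is never inspected."""
import struct


def encode_entry(label: int, tc: int = 0, s: int = 0, ttl: int = 64) -> bytes:
    assert label < (1 << 20) and tc < 8 and s in (0, 1) and ttl < 256
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_stack(frame: bytes):
    """Return ([(label, tc, ttl), ...], payload); the S bit marks the last entry."""
    stack, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack never reaches bottom of stack")
        (w,) = struct.unpack_from("!I", frame, off)
        off += 4
        stack.append((w >> 12, (w >> 9) & 0x7, w & 0xFF))
        if (w >> 8) & 1:
            return stack, frame[off:]


def build(stack, payload: bytes) -> bytes:
    last = len(stack) - 1
    return b"".join(encode_entry(lbl, tc, int(i == last), ttl)
                    for i, (lbl, tc, ttl) in enumerate(stack)) + payload


# Constructed incoming label map of one LSR: in_label -> (action, out_label, next_hop)
ILM = {100: ("swap", 200, "R2"), 200: ("pop", None, "R3")}


def forward(frame: bytes):
    """One LSR hop: the decision uses only the top label, never the payload."""
    stack, payload = parse_stack(frame)
    label, tc, ttl = stack[0]
    action, out_label, next_hop = ILM.get(label, ("drop", None, None))
    if action == "drop" or ttl <= 1:
        return None, None                      # unknown label or TTL expired
    if action == "swap":
        stack[0] = (out_label, tc, ttl - 1)
    else:                                      # pop, e.g. penultimate hop popping
        stack = stack[1:]
    return next_hop, (build(stack, payload) if stack else payload)
```

Because the LSR never looks past the bottom-of-stack entry, whatever is below it (IPv4, IPv6, an Ethernet frame for a layer 2 VPN) travels untouched, which is what makes MPLS usable as a tunnel; it also means label-switched paths carry no authentication of their own, so isolation between customers rests entirely on the correctness of the ILM at every hop.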

  26. Cellular backhaul: GTP
     • GPRS Tunneling Protocol (GTP): used for many different purposes in a GPRS / EPC backbone
     • Used to encapsulate cellular user data traffic (GTP-U) and control traffic (GTP-C)
     • Basic building block for mobility: the tunnel end point follows the subscriber as it moves
     • Based on UDP (GTP-C on port 2123, GTP-U on port 2152)

  27. Thank you. Any questions?
