9_VPN


Transcript of 9_VPN

  • 8/7/2019 9_VPN

    Unit 9

    Private Virtual Interconnection

  • Topics to be covered

    Private networks: intranet, extranet
    Addressing
    VPN: addressing and routing
    NAT: translation table creation
    Multi-address NAT
    Port-address NAT

  • Private networks

    A private network is designed to be used only inside an organization. It allows access to shared resources and, at the same time, provides privacy.

    Intranet: An intranet is a private network (LAN) that uses the TCP/IP protocol suite. Access to the network is limited to users inside the organization. The network uses application programs defined for the global Internet, such as HTTP, and may have a Web server, print server, file server, and so on.

  • Extranet

    An extranet is the same as an intranet with one major difference: some resources may be accessed by a specific group of users outside the organization, under the control of the network administrator.

    For example, an organization may allow authorized customers access to product specifications, availability, and on-line ordering. A university or a college can allow distance-learning students access to the computer lab after their passwords have been checked.

  • Addressing

    A private network that uses the TCP/IP protocol suite must use IP addresses. Three choices are available:

    1. The network can apply for a set of addresses from the Internet authorities and use them without being connected to the Internet. This strategy has an advantage: if in the future the organization desires an Internet connection, it can do so with relative ease. However, there is also a disadvantage: the address space is wasted.

    2. The network can use any set of addresses without registering with the Internet authorities. Because the network is isolated, the addresses do not have to be unique. However, this strategy has a serious drawback: users might mistakenly confuse the addresses with part of the global Internet.

    3. To overcome the problems associated with the first and second strategies, the Internet authorities have reserved three sets of addresses.

  • Addresses for private networks

    Any organization can use an address out of this set without permission from the Internet authorities. Everybody knows that these reserved addresses are for private networks. They are unique inside the organization, but they are not unique globally. No router will forward a packet that has one of these addresses as its destination address.

    Range                             Total
    10.0.0.0 to 10.255.255.255        2^24
    172.16.0.0 to 172.31.255.255      2^20
    192.168.0.0 to 192.168.255.255    2^16

  • Achieving privacy

    To achieve privacy, organizations can use one of three strategies:

    1. Private networks
    2. Hybrid networks
    3. Virtual private networks

  • Private networks

    An organization that needs privacy when routing information inside the organization can use a private network.

    A small organization with one single site can use an isolated LAN. People inside the organization can send data to one another that totally remain inside the organization, secure from outsiders.

    A large organization with several sites can create a private internet. The LANs at different sites can be connected to each other using routers and leased lines. An internet can be made out of private LANs and private WANs.

  • Private networks (continued)

    In the figure, the LANs are connected to each other using routers and one leased line. The organization has created a private internet that is totally isolated from the global Internet.

    For end-to-end communication between stations at different sites, the organization can use the TCP/IP protocol suite. However, there is no need for the organization to apply for IP addresses from the Internet authorities; it can use private IP addresses.

    The organization can use any IP class and assign network and host addresses internally. Because the internet is private, duplication of addresses by another organization in the global Internet is not a problem.

  • Hybrid networks

    Today, most organizations need to have privacy in intra-organization data exchange, but at the same time, they need to be connected to the global Internet for data exchange with other organizations. One solution is the use of a hybrid network.

    A hybrid network allows an organization to have its own private internet and, at the same time, access to the global Internet. Intra-organization data is routed through the private internet; inter-organization data is routed through the global Internet.

    In the figure, the organization uses routers R3 and R4 to connect the two sites to the rest of the world.

  • Hybrid networks (continued)

    An organization with two sites uses routers R1 and R2 to connect the two sites privately through a leased line; it uses routers R3 and R4 to connect the two sites to the rest of the world.

    The organization uses global IP addresses for both types of communication. However, packets destined for internal recipients are routed only through routers R1 and R2. Routers R3 and R4 route the packets destined for outsiders.

  • Virtual private networks

    Both private and hybrid networks have a major drawback: cost. Private wide area networks are expensive. To connect several sites, an organization needs several leased lines, which can lead to a high monthly cost.

    One solution is to use the global Internet for both private and public communication. A technology called virtual private network (VPN) allows organizations to use the global Internet for both purposes.

    A VPN is a network that is private but virtual. It is private because it guarantees privacy inside the organization. It is virtual because it does not use real private WANs; the network is physically public but virtually private.

  • Virtual private networks (continued)

    The following figure shows the idea of a virtual private network. Routers R1 and R2 use VPN technology to guarantee privacy for the organization.

  • VPN technology

    VPN technology uses two simultaneous techniques to guarantee privacy for an organization:

    1. IPSec
    2. Tunneling

  • IPSec

    IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the IP level.

    IPSec does not define the use of any specific encryption or authentication method. Instead, it provides a framework and a mechanism; it leaves the selection of the encryption, authentication, and hashing methods to the entity.

  • Security association

    IPSec requires a logical connection between two hosts using a signaling protocol, called a Security Association (SA). In other words, IPSec needs the connectionless IP protocol changed to a connection-oriented protocol before security can be applied.

    An SA connection is a simplex (unidirectional) connection between a source and a destination. If a duplex (bidirectional) connection is needed, two SA connections are required.

    An SA connection is uniquely defined by three elements:

    A 32-bit security parameters index (SPI), which acts as a virtual circuit identifier in connection-oriented protocols such as Frame Relay or ATM
    The type of protocol used for security: AH or ESP
    The source IP address.

  • Two modes

    IPSec operates in two different modes: transport mode and tunnel mode. The mode defines where the IPSec header is added to the IP packet.

    Transport mode: In this mode, the IPSec header is added between the IP header and the rest of the packet.

    Tunnel mode: In this mode, the IPSec header is placed in front of the original IP header. A new IP header is added in front. The IPSec header, the preserved IP header, and the rest of the packet are treated as payload.

  • Transport mode and tunnel mode

    (Figures: packet layout in transport mode and in tunnel mode)

  • Two security protocols

    IPSec defines two protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.

    Authentication Header (AH) protocol: The AH protocol is designed to authenticate the source host and to ensure the integrity of the payload carried by the IP packet. The protocol calculates a message digest, using a hashing function and a symmetric key, and inserts the digest in the authentication header.

    The AH is put in the appropriate location based on the mode (transport or tunnel).

  • Authentication header

    The figure shows the fields and the position of the authentication header in transport mode.

  • Authentication header (continued)

    When an IP datagram carries an authentication header, the original value in the protocol field of the IP header is replaced by the value 51. A field inside the authentication header (the next header field) defines the original value of the protocol field (the type of payload being carried by the IP datagram).

    Addition of an authentication header follows these steps:

    1. An authentication header is added to the payload with the authentication data field set to zero.
    2. Padding may be added to make the total length even for a particular hashing algorithm.
    3. Hashing is based on the total packet. However, only those fields of the IP header that do not change during transmission are included in the calculation of the message digest (authentication data).
    4. The authentication data are included in the authentication header.
    5. The IP header is added after changing the value of the protocol field to 51.

  • Authentication header fields

    Next header: The 8-bit next header field defines the type of payload carried by the IP datagram (TCP, UDP, ICMP, OSPF, and so on). It has the same function as the protocol field in the IP header before encapsulation. In other words, the process copies the value of the protocol field in the IP datagram to this field. The value of the protocol field in the IP datagram is then changed to 51 to show that the packet carries an authentication header.

    Payload length: The name of this 8-bit payload-length field is misleading. It does not define the length of the payload; it defines the length of the authentication header in 4-byte multiples, but it does not include the first 8 bytes.

  • Authentication header fields (continued)

    Security parameters index: The 32-bit security parameters index (SPI) field plays the important role of a virtual circuit identifier and is constant for all packets sent during a security association connection.

    Sequence number: A 32-bit sequence number provides ordering information for a sequence of datagrams. The sequence number prevents playback (replay). The sequence number is not repeated even if a packet is retransmitted. A sequence number does not wrap around after it reaches 2^32; a new connection must be established.

    Authentication data: Finally, the authentication data field is the result of applying a hash function to the entire IP datagram except for the fields that are changed during transit.
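    The AH procedure and field layout from the slides above, worked in Python as an added example (not code from the slides): it packs and parses the header, computes the authentication data over the unchanging IP header fields with the ICV zeroed, rewrites the protocol field to 51, and rejects replayed sequence numbers on receipt. HMAC-SHA256 as the hash, the 96-bit ICV size, and the sample header and key are assumptions.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51      # IP protocol value that marks an Authentication Header
SEQ_MAX = 2**32 - 1   # sequence numbers never wrap; past this a new SA is needed
ICV_LEN = 12          # 96-bit truncated HMAC, the usual AH authentication-data size

def build_ah(next_header, spi, seq, auth_data):
    """Pack an AH: next header, payload length, reserved, SPI, sequence number, ICV."""
    if len(auth_data) % 4:
        raise ValueError("authentication data must be a multiple of 4 bytes")
    # Misleadingly named payload length: AH length in 4-byte words, minus the first 8 bytes
    payload_len = (12 + len(auth_data)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + auth_data

def parse_ah(data):
    """Unpack the AH at the front of `data`; returns its fields and total length."""
    nh, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (payload_len + 2) * 4
    return {"next_header": nh, "spi": spi, "seq": seq,
            "auth_data": data[12:total], "header_len": total}

def immutable_ipv4_header(ip_header):
    """Zero TOS, flags/fragment offset, TTL and checksum (mutable per RFC 4302) before hashing."""
    h = bytearray(ip_header)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def compute_icv(key, ip_header, ah_with_zero_icv, payload):
    """Authentication data: truncated HMAC over immutable IP header + AH (ICV
    zeroed) + payload. HMAC-SHA256 is an assumption; AH leaves the choice open."""
    msg = immutable_ipv4_header(ip_header) + ah_with_zero_icv + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]

def protect_transport(key, ip_header, payload, spi, seq):
    """Sender, transport mode: AH goes between IP header and payload, protocol
    (byte 9) becomes 51 and the old value moves into next header. Protocol is set
    before hashing so both ends digest the same bytes; checksum is not recomputed."""
    if seq > SEQ_MAX:
        raise ValueError("sequence space exhausted: establish a new SA")
    hdr = bytearray(ip_header)
    original_proto, hdr[9] = hdr[9], AH_PROTOCOL
    hdr = bytes(hdr)
    ah_zero = build_ah(original_proto, spi, seq, bytes(ICV_LEN))  # ICV field zeroed
    icv = compute_icv(key, hdr, ah_zero, payload)                  # hash, then fill in
    return hdr + build_ah(original_proto, spi, seq, icv) + payload

def verify_transport(key, packet, last_seq):
    """Receiver: recompute the ICV and reject replays (sequence number must exceed
    the last accepted one). Returns (ok, next_header, new_last_seq)."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, rest = packet[:ihl], packet[ihl:]
    if hdr[9] != AH_PROTOCOL:
        return False, None, last_seq
    ah = parse_ah(rest)
    if ah["seq"] <= last_seq:
        return False, None, last_seq          # replayed (or reordered) packet
    ah_zero = build_ah(ah["next_header"], ah["spi"], ah["seq"], bytes(ICV_LEN))
    expected = compute_icv(key, hdr, ah_zero, rest[ah["header_len"]:])
    ok = hmac.compare_digest(ah["auth_data"], expected)
    return ok, (ah["next_header"] if ok else None), (ah["seq"] if ok else last_seq)

# Constructed sample: a 20-byte IPv4 header carrying TCP (protocol 6), TTL 64
SAMPLE_IP = bytes.fromhex("45000034abcd40004006000ac0a80001c0a80002")
SAMPLE_KEY = b"constructed-demo-key"
```

    A TTL change in transit leaves the digest valid, while any change to the payload or a repeated sequence number makes verification fail.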

  • Encapsulating Security Payload

    The AH protocol does not provide privacy, only message authentication and integrity. IPSec later defined an alternative protocol that provides message authentication, integrity, and privacy, called Encapsulating Security Payload (ESP).

    ESP adds a header and a trailer. Note that ESP's authentication data are added at the end of the packet, which makes their calculation easier.

    When an IP datagram carries an ESP header and trailer, the value of the protocol field in the IP header changes to 50. A field inside the ESP trailer (the next-header field) holds the original value of the protocol field (the type of payload being carried by the IP datagram, such as TCP or UDP).


  • ESP procedure

    The ESP procedure follows these steps:

    1. An ESP trailer is added to the payload.
    2. The payload and the trailer are encrypted.
    3. The ESP header is added.
    4. The ESP header, payload, and ESP trailer are used to create the authentication data.
    5. The authentication data are added at the end of the ESP trailer.
    6. The IP header is added after changing the protocol value to 50.

  • ESP fields

    The fields are as follows:

    Security parameters index: The 32-bit security parameters index field is similar to that defined for the AH protocol.

    Sequence number: The 32-bit sequence number field is similar to that defined for the AH protocol.

    Padding: This variable-length field (0 to 255 bytes) of 0s serves as padding.

    Pad length: The 8-bit pad length field defines the number of padding bytes. The value is between 0 and 255; the maximum value is rare.

  • ESP fields (continued)

    Next header: The 8-bit next header field is similar to that defined in the AH protocol. It serves the same purpose as the protocol field in the IP header before encapsulation.

    Authentication data: Finally, the authentication data field is the result of applying an authentication scheme to part of the datagram. Note the difference between the authentication data in AH and ESP: in AH, part of the IP header is included in the calculation of the authentication data; in ESP, it is not.

    IPv4 and IPv6: IPSec supports both IPv4 and IPv6. In IPv6, however, AH and ESP are part of the extension headers.

  • Tunneling

    To guarantee privacy for an organization, VPN specifies that each IP datagram destined for private use in the organization must be encapsulated in another datagram.

  • Tunneling (continued)

    This is called tunneling because the original datagram is hidden inside the outer datagram after exiting R1 in the figure and is invisible until it reaches R2. It appears that the original datagram has gone through a tunnel spanning R1 and R2.

  • Tunneling (continued)

    The entire IP datagram (including the header) is first encrypted and then encapsulated in another datagram with a new header.

    The inner datagram carries the actual source and destination addresses of the packet (two stations inside the organization). The outer datagram header carries the source and destination addresses of the two routers at the boundary of the private and public networks.

    The public network (Internet) is responsible for carrying the packets from R1 to R2. Outsiders cannot decipher the contents of the packets or the source and destination addresses. Deciphering takes place at R2, which finds the destination address of the packet and delivers it.

  • Network address translation (NAT)

    A technology that is related to private networks and virtual private networks is Network Address Translation (NAT). The technology allows a site to use a set of private addresses for internal communication and a set of global Internet addresses (at least one) for communication with another site.

    The site must have only one single connection to the global Internet, through a router that runs NAT software.

  • Implementation of NAT

    As the figure shows, the private network uses private addresses. The router that connects the network to the global address uses one private address and one global address.

    The private network is transparent to the rest of the Internet; the rest of the Internet sees only the NAT router with the address 200.24.5.8.

  • Translation table

    Translating the source address of an outgoing packet is straightforward. But how does the NAT router know the destination address of a packet coming from the Internet? There may be tens or hundreds of private addresses, each belonging to one specific host.

    The problem is solved if the NAT router has a translation table.

  • Address translation

    All of the outgoing packets go through the NAT router, which replaces the source address in the packets with the global NAT address.

    All incoming packets also pass through the NAT router, which replaces the destination address in the packets (the NAT router's global address) with the appropriate private address.

  • Using one IP address

    In its simplest form, a translation table has only two columns: the private address and the external address (the destination address of the packet).

    When the router translates the source address of an outgoing packet, it also makes a note of the destination address, where the packet is going. When the response comes back from the destination, the router uses the source address of the packet (as the external address) to find the private address of the packet.

  • Translation

    (Figure: address translation at the NAT router)

  • Using one IP address (continued)

    In this strategy, communication must always be initiated by the private network. The NAT mechanism described requires that the private network start the communication.

    NAT is used mostly by ISPs, which assign one single address to many private addresses. In this case, communication with the Internet is always initiated from the customer site, using a client program such as HTTP, TELNET, or FTP to access the corresponding server program.

    For example, when email that originates from a noncustomer site is received by the ISP email server, it is stored in the mailbox of the customer until retrieved with a protocol such as POP.

    A private network cannot run a server program for clients outside its network if it is using NAT technology.

  • Using a pool of IP addresses

    Using only one global address at the NAT router allows only one private-network host to access the same external host. To remove this restriction, the NAT router can use a pool of global addresses.

    For example, instead of using only one global address (200.24.5.8), the NAT router can use four addresses (200.24.5.8, 200.24.5.9, 200.24.5.10, and 200.24.5.11). In this case four private-network hosts can communicate with the same external host at the same time, because each pair of addresses defines a connection.

    However, there are still some drawbacks. No more than four connections can be made to the same destination. No private-network host can access two external server programs (e.g., HTTP and TELNET) at the same time, and likewise, two private-network hosts cannot access the same external server program (e.g., HTTP or TELNET) at the same time.

  • Using both IP addresses and port addresses

    To allow a many-to-many relationship between private-network hosts and external server programs, we need more information in the translation table.

    For example, suppose two hosts inside a private network, with addresses 172.18.3.1 and 172.18.3.2, need to access the HTTP server on external host 25.8.3.2. If the translation table has five columns instead of two, including the source and destination port addresses and the transport-layer protocol, the ambiguity is eliminated.

  • Using both IP addresses and port addresses (continued)

    When the response from HTTP comes back, the combination of source address (25.8.3.2) and destination port address (1400) defines the private-network host to which the response should be directed. For this translation to work, the ephemeral port addresses (1400 and 1401) must be unique.

    Private address   Private port   External address   External port   Transport protocol
    172.18.3.1        1400           25.8.3.2           80              TCP
    172.18.3.2        1401           25.8.3.2           80              TCP
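    The five-column translation table from the two slides above, simulated in Python as an added example (not code from the slides). It goes one step beyond the slide: when two private hosts pick the same ephemeral port toward the same external server, the router hands out a fresh port so the reply still maps to exactly one host. The Packet class, the PortNat class, and the 1400 starting port are assumptions; 200.24.5.8 is the router's global address from the slides.

```python
import ipaddress
from dataclasses import dataclass, replace

# The three reserved ranges from the addressing slide
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # transport protocol, "TCP" or "UDP"

class PortNat:
    """NAT router with a single global address and the five-column table from the
    slides (private address, private port, external address, external port,
    transport protocol) plus the port actually shown to the outside."""
    def __init__(self, global_addr="200.24.5.8", first_port=1400):
        self.global_addr = global_addr
        self.next_port = first_port
        self.rows = []   # (priv_addr, priv_port, ext_addr, ext_port, proto, nat_port)

    def outbound(self, pkt):
        """Replace the private source address with the global address and record
        the row. If another private host already uses the same port toward the same
        external socket, a fresh port is handed out so the reply stays unambiguous."""
        if not is_private(pkt.src):
            raise ValueError("NAT only translates private source addresses")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        row = next((r for r in self.rows if r[:5] == key), None)
        if row is None:
            taken = {r[5] for r in self.rows if r[2:5] == key[2:]}
            nat_port = pkt.sport if pkt.sport not in taken else self._fresh_port(taken)
            row = key + (nat_port,)
            self.rows.append(row)
        return replace(pkt, src=self.global_addr, sport=row[5])

    def _fresh_port(self, taken):
        while self.next_port in taken:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def inbound(self, pkt):
        """Reply direction: external source address/port, protocol and the port the
        router handed out select the row. Anything unmatched is dropped (None), which
        is why a NAT'd network cannot serve outside clients without extra configuration."""
        if pkt.dst != self.global_addr:
            return None
        for r in self.rows:
            if (r[2], r[3], r[4], r[5]) == (pkt.src, pkt.sport, pkt.proto, pkt.dport):
                return replace(pkt, dst=r[0], dport=r[1])
        return None
```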

  • NAT and ISP

    An ISP that serves dial-up customers can use NAT technology to conserve addresses. For example, imagine an ISP is granted 100 addresses, but has 100,000 customers.

    Each of the customers is assigned a private network address. The ISP translates each of the 100,000 source addresses in outgoing packets to one of the 1000 global addresses; it translates the global destination address in the incoming packets to the corresponding private address.

  • An ISP and NAT

    (Figure: an ISP using NAT for its customers)