9_VPN
Transcript of 9_VPN
8/7/2019 9_VPN
1/44
Unit 9
Private Virtual Interconnection
Topics to be covered
Private networks: intranet and extranet
Addressing
VPN: addressing and routing
NAT: translation table creation
Multi-address NAT
Port-address NAT
Private networks
A private network is designed to be used only inside an organization.
It allows access to shared resources and, at the same time, provides privacy.
Intranet: An intranet is a private network (LAN) that uses the TCP/IP protocol suite.
Access to the network is limited to users inside the organization.
The network uses application programs defined for the global Internet, such as HTTP, and may have a Web server, print server, file server, and so on.
Extranet:
An extranet is the same as an intranet with one major difference:
some resources may be accessed by a specific group of users outside the organization, under the control of the network administrator.
For example: An organization may allow authorized customers access to product specifications, availability, and on-line ordering.
A university or a college can allow distance-learning students access to the computer lab after their passwords have been checked.
Addressing: A private network that uses the TCP/IP protocol suite must use IP addresses.
Three choices are available:
1. The network can apply for a set of addresses from the Internet authorities and use them without being connected to the Internet. This strategy has an advantage: if in the future the organization desires an Internet connection, it can do so with relative ease. However, there is also a disadvantage: the address space is wasted.
2. The network can use any set of addresses without registering with the Internet authorities. Because the network is isolated, the addresses do not have to be unique. However, this strategy has a serious drawback: the addresses may coincide with addresses assigned to hosts on the global Internet, so users might mistakenly confuse them with part of the global Internet, and routing breaks if the site is ever connected.
3. To overcome the problems associated with the first and second strategies, the Internet authorities have reserved three sets of addresses for private networks.
Addresses for private networks
Any organization can use addresses out of these sets without permission from the Internet authorities.
Everybody knows that these reserved addresses (defined in RFC 1918) are for private networks. They are unique inside the organization, but they are not unique globally. No router on the global Internet will forward a packet that has one of these addresses as its destination address; routers inside the organization forward them normally.
Range                                               Total
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)             2^24
172.16.0.0 to 172.31.255.255 (172.16.0.0/12)        2^20
192.168.0.0 to 192.168.255.255 (192.168.0.0/16)     2^16
Achieving privacy: To achieve privacy, organizations can use one of three strategies:
1. Private networks
2. Hybrid networks
3. Virtual private networks
Private networks
An organization that needs privacy when routing information inside the organization can use a private network.
A small organization with a single site can use an isolated LAN.
People inside the organization can send data to one another that remains totally inside the organization, secure from outsiders.
A large organization with several sites can create a private internet.
The LANs at different sites can be connected to each other using routers and leased lines.
An internet can be made out of private LANs and private WANs.
In the figure, the LANs are connected to each other using routers and one leased line.
The organization has created a private internet that is totally isolated from the global Internet.
For end-to-end communication between stations at different sites, the organization can use the TCP/IP protocol suite.
However, there is no need for the organization to apply for IP addresses from the Internet authorities.
It can use private IP addresses.
The organization can use any IP class and assign network and host addresses internally. Because the internet is private, duplication of addresses by another organization on the global Internet is not a problem.
Hybrid networks
Today, most organizations need privacy in intra-organization data exchange, but at the same time they need to be connected to the global Internet for data exchange with other organizations. One solution is the use of a hybrid network.
A hybrid network allows an organization to have its own private internet and, at the same time, access to the global Internet.
Intra-organization data is routed through the private internet; inter-organization data is routed through the global Internet.
In the figure, the organization uses routers R3 and R4 to connect the two sites to the rest of the world.
Hybrid networks
An organization with two sites uses routers R1 and R2 to connect the two sites privately through a leased line; it uses routers R3 and R4 to connect the two sites to the rest of the world.
The organization uses global IP addresses for both types of communication.
However, packets destined for internal recipients are routed only through routers R1 and R2. Routers R3 and R4 route the packets destined for outsiders.
Virtual private networks
Both private and hybrid networks have a major drawback: cost. Private wide area networks are expensive.
To connect several sites, an organization needs several leased lines, which can lead to high monthly costs.
One solution is to use the global Internet for both private and public communication.
A technology called virtual private network (VPN) allows organizations to use the global Internet for both purposes.
A VPN is a network that is private but virtual.
It is private because it guarantees privacy inside the organization. It is virtual because it does not use real private WANs; the network is physically public but virtually private.
Virtual private networks
The following figure shows the idea of a virtual private network. Routers R1 and R2 use VPN technology to guarantee privacy for the organization.
VPN technology
VPN technology uses two techniques simultaneously to guarantee privacy for an organization:
1. IPSec
2. Tunneling
IPSec
IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the IP level.
IPSec does not define the use of any specific encryption or authentication method.
Instead, it provides a framework and a mechanism; it leaves the selection of the encryption, authentication, and hashing methods to the communicating entities (in practice negotiated with the IKE key-exchange protocol).
Security association
IPSec requires a logical connection between two hosts, called a Security Association (SA), which is set up by a signaling protocol. In other words, IPSec needs the connectionless IP protocol changed to a connection-oriented protocol before security can be applied.
An SA connection is a simplex (unidirectional) connection between a source and a destination.
If a duplex (bidirectional) connection is needed, two SAs are required, one in each direction.
An SA is uniquely defined by three elements:
A 32-bit security parameters index (SPI), which acts as a virtual-circuit identifier, as in connection-oriented protocols such as Frame Relay or ATM.
The type of protocol used for security: AH or ESP.
The destination IP address (per RFC 2401 and RFC 4301 the SA is selected by the receiver, so the destination address, not the source, is part of the identifier).
Two modes
IPSec operates in two different modes: transport mode and tunnel mode. The mode defines where the IPSec header is added to the IP packet.
Transport mode:
In this mode, the IPSec header is added between the IP header and the rest of the packet. The original IP header remains the outer header and stays visible to routers.
Tunnel mode:
In this mode, the IPSec header is placed in front of the original IP header.
A new IP header is added in front. The IPSec header, the preserved IP header, and the rest of the packet are treated as a payload.
Transport mode
Tunnel mode
Two security protocols
IPSec defines two protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.
Authentication Header (AH) protocol: The AH protocol is designed to authenticate the source host and to ensure the integrity of the payload carried by the IP packet. The protocol calculates a message digest, using a hashing function and a symmetric key (a keyed hash such as HMAC), and inserts the digest in the authentication header.
The AH is put in the appropriate location based on the mode (transport or tunnel).
Figure shows the fields and the position of the authentication header
in the transport mode.
When an IP datagram carries an authentication header, the original value in the protocol field of the IP header is replaced by the value 51. A field inside the authentication header (the next-header field) holds the original value of the protocol field (the type of payload being carried by the IP datagram).
Addition of an authentication header follows these steps:
1. An authentication header is added to the payload with the authentication data field set to zero.
2. Padding may be added to make the total length even for a particular hashing algorithm.
3. Hashing is based on the whole packet. However, only those fields of the IP header that do not change during transmission are included in the calculation of the message digest (authentication data); the mutable fields, such as TTL and the header checksum, are treated as zero.
4. The authentication data are placed in the authentication header.
5. The IP header is added after changing the value of the protocol field to 51.
Next header:
The 8-bit next-header field defines the type of payload carried by the IP datagram (TCP, UDP, ICMP, OSPF, and so on). It has the same function as the protocol field in the IP header before encapsulation.
In other words, the process copies the value of the protocol field in the IP datagram to this field. The value of the protocol field in the IP datagram is then changed to 51 to show that the packet carries an authentication header.
Payload length:
The name of this 8-bit payload-length field is misleading. It does not define the length of the payload; it defines the length of the authentication header in 4-byte multiples, but it does not include the first 8 bytes (that is, the value is the header length in 32-bit words minus 2, so a 24-byte AH carries a payload length of 4).
Security parameters index:
The 32-bit security parameters index (SPI) field plays the important role of a virtual-circuit identifier and is constant for all packets sent during a security association.
Sequence number:
A 32-bit sequence number provides ordering information for a sequence of datagrams.
The sequence number prevents replay: a captured datagram that is resent later is rejected by the receiver. The sequence number is not repeated even if a packet is retransmitted. A sequence number does not wrap around after it reaches 2^32; a new connection (a new SA) must be established.
Authentication data:
Finally, the authentication data field is the result of applying a keyed hash function to the entire IP datagram except for the fields that are changed during transit.
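The AH construction and the SA lookup described above, as a worked example added here (it is not code from the slides or from any IPsec implementation). The key, SPI, addresses and HTTP payload are made-up test values; the ICV is a 96-bit truncated HMAC-SHA256; the anti-replay window is a simplified version of the one in RFC 4302. The code builds an AH datagram in transport mode, shows that a router decrementing TTL and rewriting the checksum does not break the ICV, and rejects both a replayed sequence number and a modified payload.

```python
"""IPsec AH, transport mode, standard library only (added example).
Key, SPI, addresses and payload are made-up test values."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO, TCP_PROTO = 51, 6
ICV_LEN = 12                 # 96-bit truncated HMAC, the usual AH transform size
AH_LEN = 12 + ICV_LEN        # fixed part (next hdr, len, reserved, SPI, seq) + ICV
SA_TABLE = {}                # (SPI, destination address, protocol) -> SA state


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    """Fields routers rewrite in flight are zeroed before hashing (RFC 4302)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """Digest over the whole datagram with mutable fields and the ICV zeroed."""
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah(key, spi, seq, src, dst, next_header, payload, ttl=64):
    # Payload Length = AH length in 32-bit words minus 2, so 24 bytes -> 4
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload), ttl)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


class ReplayWindow:
    """Sliding anti-replay window over sequence numbers (simplified RFC 4302 3.4.3)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                              # advances the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                                # too old, or already seen
        self.bitmap |= 1 << diff
        return True


def install_sa(spi, dst, key):
    SA_TABLE[(spi, dst, AH_PROTO)] = {"key": key, "window": ReplayWindow()}


def verify_ah(dgram):
    """Returns (next_header, payload); raises ValueError on any failure."""
    ihl = (dgram[0] & 0x0F) * 4
    ip_hdr = dgram[:ihl]
    if ip_hdr[9] != AH_PROTO:
        raise ValueError("protocol field is not 51")
    next_header, plen, _, spi, seq = struct.unpack("!BBHII", dgram[ihl:ihl + 12])
    ah_len = (plen + 2) * 4
    received_icv, payload = dgram[ihl + 12:ihl + ah_len], dgram[ihl + ah_len:]
    sa = SA_TABLE.get((spi, str(IPv4Address(ip_hdr[16:20])), AH_PROTO))
    if sa is None:
        raise ValueError("no SA for this SPI/destination")
    expected = compute_icv(sa["key"], ip_hdr, dgram[ihl:ihl + 12], payload)
    if not hmac.compare_digest(received_icv, expected):
        raise ValueError("ICV mismatch: datagram modified in transit")
    if not sa["window"].accept(seq):
        raise ValueError("replayed or stale sequence number")
    return next_header, payload


def outcome(fn):
    try:
        fn()
        return "accepted"
    except ValueError as e:
        return str(e)


def demo():
    key, spi, src, dst = b"\x11" * 32, 0x1000, "192.168.1.1", "192.168.1.2"
    install_sa(spi, dst, key)
    seg = b"GET / HTTP/1.0\r\n\r\n"                     # constructed TCP payload
    d1 = build_ah(key, spi, 1, src, dst, TCP_PROTO, seg)
    hop = bytearray(d1)                                 # a router on the path ...
    hop[8], hop[10:12] = 63, b"\xab\xcd"                # ... decrements TTL, rewrites checksum
    d2 = bytearray(build_ah(key, spi, 2, src, dst, TCP_PROTO, seg))
    d2[-1] ^= 0x01                                      # attacker flips one payload bit
    return {"ttl_changed": verify_ah(bytes(hop)) == (TCP_PROTO, seg),
            "replay": outcome(lambda: verify_ah(d1)),   # seq 1 seen a second time
            "tampered": outcome(lambda: verify_ah(bytes(d2)))}
```

The receiver keys the SA table by (SPI, destination, protocol), which is why a datagram with an unknown SPI is dropped before any cryptography runs; the ICV check precedes the replay check so that a forged sequence number cannot poison the window.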
Encapsulating Security Payload:
The AH protocol does not provide privacy, only message authentication and integrity.
IPSec later defined an alternative protocol that provides message authentication, integrity, and privacy, called Encapsulating Security Payload (ESP).
ESP adds a header and a trailer. Note that ESP's authentication data are added at the end of the packet, which makes their calculation easier.
When an IP datagram carries an ESP header and trailer, the value of the protocol field in the IP header changes to 50. A field inside the ESP trailer (the next-header field) holds the original value of the protocol field (the type of payload being carried by the IP datagram, such as TCP or UDP).
The ESP procedure follows these steps:
1. An ESP trailer is added to the payload.
2. The payload and the trailer are encrypted.
3. The ESP header is added.
4. The ESP header, the encrypted payload, and the encrypted ESP trailer are used to create the authentication data.
5. The authentication data are added after the ESP trailer.
6. The IP header is added after changing the protocol value to 50.
The fields of the ESP header and trailer are as follows:
Security parameters index: The 32-bit security parameters index field (in the ESP header) is similar to that defined for the AH protocol.
Sequence number: The 32-bit sequence number field (in the ESP header) is similar to that defined for the AH protocol.
Padding: This variable-length field (0 to 255 bytes) in the trailer holds padding bytes, used to align the encrypted data to the cipher's block size.
Pad length: The 8-bit pad length field defines the number of padding bytes.
The value is between 0 and 255; the maximum value is rare.
Next header: The 8-bit next-header field is similar to that defined in the AH protocol. It serves the same purpose as the protocol field in the IP header before encapsulation.
Authentication data: Finally, the authentication data field is the result of applying an authentication scheme to part of the datagram. Note the difference between the authentication data in AH and ESP:
in AH, part of the IP header is included in the calculation of the authentication data; in ESP, it is not.
IPv4 and IPv6: IPSec supports both IPv4 and IPv6. In IPv6, however, AH and ESP are carried as extension headers.
Tunneling
To guarantee privacy for an organization, VPN specifies that each IP datagram destined for private use in the organization must be encapsulated in another datagram.
Tunneling
This is called tunneling because the original datagram is hidden inside the outer datagram after exiting R1 in the figure and is invisible until it reaches R2. It appears that the original datagram has gone through a tunnel spanning R1 and R2.
Tunneling
The entire IP datagram (including the header) is first encrypted and then encapsulated in another datagram with a new header.
The inner datagram carries the actual source and destination addresses of the packet (two stations inside the organization).
The outer datagram header carries the source and destination addresses of the two routers at the boundary of the private and public networks.
The public network (Internet) is responsible for carrying the packets from R1 to R2.
Outsiders cannot decipher the contents of the packets or the inner source and destination addresses.
Deciphering takes place at R2, which finds the destination address of the inner packet and delivers it.
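ESP in tunnel mode between R1 and R2, serving both the ESP procedure above and this tunneling section, as an example added here (not from the slides or from any IPsec implementation). Keys and addresses are made-up; 203.0.113.1 and 198.51.100.1 stand in for R1 and R2, and the inner hosts use the 172.16.0.0/12 private range. So that the block runs with the standard library alone, the cipher is a stand-in keystream generator (HMAC-SHA256 in counter mode), not an IPsec transform such as AES-CBC or AES-GCM; the ESP framing is the real one: header (SPI, sequence number), IV, encrypted inner datagram plus trailer (padding, pad length, next header = 4 for an encapsulated IPv4 datagram), ICV over header and encrypted part, and protocol 50 in the outer header.

```python
"""ESP tunnel mode between gateways R1 and R2 (added example).
Keys/addresses are made-up; the keystream is a stand-in, not an IPsec transform."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ESP_PROTO, IPV4_IN_IP = 50, 4         # next header 4: payload is a whole IPv4 datagram
BLOCK, IV_LEN, ICV_LEN = 16, 16, 16   # block alignment, IV and ICV sizes


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header; checksum left 0 since nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def keystream(key, iv, n):
    """Stand-in cipher: HMAC-SHA256 over (IV, counter) as a keystream of n bytes."""
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, spi, seq, inner_dgram, r1, r2):
    """Whole inner datagram -> [outer IP][ESP hdr][IV][ct(inner + trailer)][ICV]."""
    pad_len = (-(len(inner_dgram) + 2)) % BLOCK              # align pad len + next hdr
    padding = bytes(range(1, pad_len + 1))                    # RFC 4303 default pad bytes
    trailer = padding + bytes([pad_len, IPV4_IN_IP])          # pad | pad length | next header
    iv = os.urandom(IV_LEN)
    pt = inner_dgram + trailer
    body = struct.pack("!II", spi, seq) + iv + xor(pt, keystream(enc_key, iv, len(pt)))
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]   # header..trailer
    esp = body + icv
    return ipv4_header(r1, r2, ESP_PROTO, 20 + len(esp)) + esp


def outsider_view(dgram):
    """What a router on the public Internet sees: outer src, outer dst, protocol."""
    return (str(IPv4Address(dgram[12:16])), str(IPv4Address(dgram[16:20])), dgram[9])


def esp_decapsulate(enc_key, auth_key, dgram):
    """R2 side: check ICV first, then decrypt and strip the trailer."""
    ihl = (dgram[0] & 0x0F) * 4
    if dgram[9] != ESP_PROTO:
        raise ValueError("protocol field is not 50")
    body, icv = dgram[ihl:-ICV_LEN], dgram[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")                      # never decrypt unauthenticated data
    spi, seq = struct.unpack("!II", body[:8])
    iv, ct = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    pt = xor(ct, keystream(enc_key, iv, len(ct)))
    pad_len, next_hdr = pt[-2], pt[-1]
    return spi, seq, next_hdr, pt[:len(pt) - 2 - pad_len]


def demo():
    enc_key, auth_key = b"\x01" * 32, b"\x02" * 32            # made-up keys
    data = b"hello from site A"                               # constructed TCP payload
    inner = ipv4_header("172.16.1.10", "172.16.2.20", 6, 20 + len(data)) + data
    tunneled = esp_encapsulate(enc_key, auth_key, 0x2000, 1, inner,
                               "203.0.113.1", "198.51.100.1")  # R1 -> R2
    spi, seq, next_hdr, recovered = esp_decapsulate(enc_key, auth_key, tunneled)
    return {"outsider_sees": outsider_view(tunneled),
            "inner_hidden": IPv4Address("172.16.1.10").packed not in tunneled[20:],
            "next_header": next_hdr, "recovered_ok": recovered == inner,
            "inner_dst": str(IPv4Address(recovered[16:20]))}
```

The inner 172.16.x.x addresses never appear in the bytes that cross the Internet; only R1, R2 and protocol 50 are visible, which is the privacy property the section claims for tunneling. The ICV is verified before decryption so a modified datagram is dropped without the padding or next-header bytes ever being interpreted.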
Network address translation (NAT)
A technology that is related to private networks and virtual private networks is network address translation (NAT).
The technology allows a site to use a set of private addresses for internal communication and a set of global Internet addresses (at least one) for communication with other sites.
In the scheme described here, the site has a single connection to the global Internet through a router that runs NAT software.
Implementation of NAT
As the figure shows, the private network uses private addresses.
The router that connects the network to the global Internet uses one private address and one global address.
The private network is transparent to the rest of the Internet; the rest of the Internet sees only the NAT router with the address 200.24.5.8.
Translation table
Translating the source address of an outgoing packet is straightforward.
But how does the NAT router know the destination address of a packet coming from the Internet?
There may be tens or hundreds of private addresses, each belonging to one specific host.
The problem is solved if the NAT router keeps a translation table.
Address translation
All outgoing packets go through the NAT router, which replaces the source address in the packets with the global NAT address.
All incoming packets also pass through the NAT router, which replaces the destination address in the packets (the NAT router's global address) with the appropriate private address.
Using one IP address
In its simplest form, a translation table has only two columns: the private address and the external address (the destination address of the packet).
When the router translates the source address of an outgoing packet, it also makes a note of the destination address, where the packet is going.
When the response comes back from the destination, the router uses the source address of the packet (as the external address) to find the private address of the packet.
Translation
Using one IP address
In this strategy, communication must always be initiated by the private network. The NAT mechanism described requires that the private network start the communication.
NAT is used mostly by ISPs, which assign one single address to many private addresses.
In this case communication with the Internet is always initiated from the customer site, using a client program such as HTTP, TELNET, or FTP to access the corresponding server program.
For example:
When e-mail that originates from a non-customer site is received by the ISP's e-mail server, it is stored in the mailbox of the customer until retrieved with a protocol such as POP.
A private network cannot run a server program for clients outside its network if it is using this form of NAT (unless the administrator adds a static mapping, commonly called port forwarding, that sends a chosen external port to a chosen internal host).
Using a pool of IP addresses
Using only one global address on the NAT router allows only one private-network host to access a given external host at a time.
To remove this restriction, the NAT router can use a pool of global addresses.
For example: instead of using only one global address (200.24.5.8), the NAT router can use four addresses (200.24.5.8, 200.24.5.9, 200.24.5.10, and 200.24.5.11). In this case four private-network hosts can communicate with the same external host at the same time, because each pair of addresses defines a connection. However, there are still some drawbacks:
No more than four connections can be made to the same destination. No private-network host can access two external server programs (e.g., HTTP and TELNET) at the same time,
and likewise, two private-network hosts cannot access the same external server program (e.g., HTTP or TELNET) at the same time.
Using both IP addresses and port addresses
To allow a many-to-many relationship between private-network hosts and external server programs, we need more information in the translation table.
For example: suppose two hosts inside a private network with addresses 172.18.3.1 and 172.18.3.2 need to access the HTTP server on external host 25.8.3.2.
If the translation table has five columns instead of two, including the source and destination port addresses and the transport-layer protocol, the ambiguity is eliminated.
Using both IP addresses and port addresses
When the response from the HTTP server comes back, the combination of source address (25.8.3.2) and destination port address (1400) defines the private-network host to which the response should be directed. For this translation to work, the ephemeral port addresses (1400 and 1401) must be unique; a real NAT router guarantees this by rewriting the source port when two internal hosts happen to pick the same one.
Private address   Private port   External address   External port   Transport protocol
172.18.3.1        1400           25.8.3.2           80              TCP
172.18.3.2        1401           25.8.3.2           80              TCP
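The translation-table designs described above (the two-column one-address table and the five-column port-address table), as a worked example added here (not from the slides or from any router vendor's code). Packets are plain tuples; the global address 200.24.5.8, the hosts 172.18.3.1 and 172.18.3.2 and the server 25.8.3.2 are the slides' values, while the external port range the router allocates from is an assumption of this code. It goes one step beyond the slides: both internal hosts deliberately choose the same ephemeral port 1400, which the two-column table cannot disambiguate at all and which the port-address router resolves by rewriting the source port, the way real NAPT guarantees the uniqueness the section requires.

```python
"""NAT translation tables: one-address scheme versus port-address NAT (added example).
Addresses follow the slides; the external port range is an assumption of this code."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")


class OneAddressNat:
    """Two-column table: private address <-> external (destination) address."""
    def __init__(self, global_ip):
        self.global_ip, self.table = global_ip, {}      # external addr -> private addr

    def outbound(self, pkt):
        owner = self.table.get(pkt.dst_ip)
        if owner not in (None, pkt.src_ip):             # second host, same destination
            raise ValueError(f"{pkt.dst_ip} already in use by {owner}: ambiguous")
        self.table[pkt.dst_ip] = pkt.src_ip
        return pkt._replace(src_ip=self.global_ip)

    def inbound(self, pkt):
        private = self.table.get(pkt.src_ip)            # looked up by external address only
        return None if private is None else pkt._replace(dst_ip=private)


class Napt:
    """Five-column table, keyed on the (rewritten) external port: port-address NAT."""
    def __init__(self, global_ip, first_port=1024, last_port=65535):
        self.global_ip, self.next_port, self.last_port = global_ip, first_port, last_port
        self.table = {}     # (proto, ext port) -> (private ip, private port, dst ip, dst port)
        self.reverse = {}   # (proto, private ip, private port, dst ip, dst port) -> ext port

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.reverse.get(key)
        if ext_port is None:                            # new flow: allocate a unique port
            if self.next_port > self.last_port:
                raise RuntimeError("port pool exhausted")
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.reverse[key] = ext_port
            self.table[(pkt.proto, ext_port)] = key[1:]
        return pkt._replace(src_ip=self.global_ip, src_port=ext_port)

    def inbound(self, pkt):
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None or entry[2:] != (pkt.src_ip, pkt.src_port):
            return None                                 # unsolicited or mismatched: drop
        priv_ip, priv_port = entry[:2]
        return pkt._replace(dst_ip=priv_ip, dst_port=priv_port)


def demo():
    a = Packet("172.18.3.1", 1400, "25.8.3.2", 80, "TCP")
    b = Packet("172.18.3.2", 1400, "25.8.3.2", 80, "TCP")   # same server, same ephemeral port
    out = {}
    simple = OneAddressNat("200.24.5.8")
    simple.outbound(a)
    try:
        simple.outbound(b)
        out["one_address"] = "both mapped"
    except ValueError as e:
        out["one_address"] = str(e)
    napt = Napt("200.24.5.8", first_port=40000)
    ta, tb = napt.outbound(a), napt.outbound(b)
    out["napt_ports"] = (ta.src_port, tb.src_port)          # distinct, so replies are unambiguous
    reply_b = Packet("25.8.3.2", 80, "200.24.5.8", tb.src_port, "TCP")
    out["reply_to_b"] = napt.inbound(reply_b)
    syn = Packet("203.0.113.9", 5555, "200.24.5.8", 80, "TCP")   # outside-initiated
    out["unsolicited"] = napt.inbound(syn)                  # no entry: no server reachable
    return out
```

The inbound path checks the remote address and port against the table entry as well as the external port, so a third party cannot inject packets into an existing mapping merely by guessing the port; an unsolicited inbound connection is dropped, which is the "no server behind NAT" limitation the slides describe.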
NAT and ISP
An ISP that serves dial-up customers can use NAT technology to conserve addresses.
For example, imagine an ISP is granted 1000 addresses but has 100,000 customers.
Each of the customers is assigned a private-network address. The ISP translates each of the 100,000 source addresses in outgoing packets to one of the 1000 global addresses;
it translates the global destination address in incoming packets to the corresponding private address.
An ISP and NAT