Tunneling is a network layer 3 technology used to route otherwise unroutable packets. Packets that have had some security function performed on them, such as encryption, can't be routed as they are, because their packet headers have been changed. In the case of encryption, the packet is no longer readable to routers. In the case of other types of security, such as authentication, the packet header is changed to carry the security information.
This is an example of the way many, if not most, networks are constructed today. We have a headquarters site located in Los Angeles. Branch offices in New York and Boston connect to the HQ with leased T1 lines. Remote clients dialing into the network do so by calling into a remote access server in Los Angeles or New York. Things to note:
- The company is paying for the leased T1 lines by the mile. (Think about how far it is from Los Angeles to New York and from Los Angeles to Boston.)
- The company must constantly install new modems, remote access servers, and dial-in analog lines (or PRI lines for ISDN/analog combinations) to meet the needs of a growing, more mobile workforce.
- How long do you think it would take to add a new office in New Jersey to this network? How about a new office in Tokyo? How much would these cost for hardware, installation, and monthly leased line fees? How likely is it that a small two-person office would be added to this network?
- Although there are firewalls shown in this network, not all security requirements are being met. How would you add new business partners or customers to this network?
Because of these issues and questions, there are opportunities to evolve this paradigm to include some new communications options!
This illustration shows a packet generated by workstation X on a LAN on the left, which is to be sent over the Internet to workstation Y on the right. Hypothetically, this packet isn’t routable over the Internet for some reason (for example, because of illegal addressing). Workstation X forwards its packet to Router A to be routed across the Internet. Router A then encapsulates the original packet in a routable packet, which it then sends over the Internet. A tunnel consists of these encapsulated packets traversing a public network like the Internet. Router B on the right receives the packet, then strips off the encapsulating packet header that was used for routing across the Internet. This yields the original packet, which it then forwards to Workstation Y.
PPTP, as a "voluntary" tunneling model, on the other hand, allows end-systems (e.g. desktop computers) to configure and establish individual discrete point-to-point tunnels to arbitrarily located PPTP servers, without the intermediate NAS participating in the PPTP negotiation and tunnel establishment. In this scenario a dial-in subscriber dials into a NAS, but the PPP session is terminated on the NAS as in the traditional PPP model. The subsequent PPTP session is then established between the client end-system and any arbitrary upstream PPTP server that the client desires to connect to, provided that it can be reached via traditional routing information and that the user has been granted the appropriate privileges on the PPTP server [Figure 9].
L2TP, as a "compulsory" tunneling model, is essentially a mechanism to "off load" a dial-up subscriber to another point in the network, or to another network altogether. In this scenario, a dial-up subscriber dials into a NAS (Network Access Server), and based on a locally configured profile (or a NAS negotiation with a policy server) and successful authentication, an L2TP tunnel is dynamically established to a predetermined end-point, where the subscriber's PPP session is terminated [Figure 8].
RADIUS protects the boundary of the private network at the point at which outsiders connect to it via dial-up networking. The username and password, and possibly other security elements, are used to authenticate the outsider and decide whether they are allowed to cross the boundary into the private network.
L2TP is the "standards track" effort to combine L2F and PPTP. It lacks everything that the proprietary protocols lack in terms of security and flexibility. Since both the PPTP and L2F camps have invested so much marketing and sales effort in their proprietary versions, and L2TP can be promised as a "standards based upgrade path", not much effort is going into L2TP at this point. When you boil down layer two forwarding protocols such as PPTP, L2F, or L2TP, they have no security, no flexibility, and apparently no interoperability. They aren't good for VPNs for this reason, so what are they good for? They're ideally designed for carrying multiple protocols such as IP, IPX, AppleTalk, DECnet, etc. across the Internet in IP packets. However, most VPN customers will be IP centric, so it's highly questionable whether these protocols will have any real utility at all. They're basically marketing technologies, not real standards based solutions.
4 VPNs
Virtual Private Networks (VPNs)
- Tunneling, VPNs and Roaming

Defining Some Terms
- Intranet: Internal corporate applications using Web and Internet technology
- Extranet: Extends an Intranet to include customers, suppliers and partners
- Remote Access: Uses the Internet to link telecommuters and mobile workers to the company Intranet

Tunneling Defined
- Creating a transparent virtual network link between two network nodes that is unaffected by physical network links and devices.

Tunneling Explained
- Tunneling is encapsulating one protocol in another
- Tunnels provide routable transport for unroutable packets
  - encrypted, illegal addressing, non-supported
- Tunneling itself provides no security
One way to communicate…
[Diagram: Los Angeles HQ, New York and Boston sites, each with a LAN, router, CSU/DSU and firewall, linked by CSU/DSU-terminated lines; remote access servers in Los Angeles and New York take dial-in calls over the PSTN; Web sites are reached via the Internet]

Another view of network possibilities... A Virtual Private Network
[Diagram: the same Los Angeles, New York and Boston sites, each with a LAN, firewall, router, CSU/DSU and a VSU-1000, connected across the Internet; remote clients use VPNremote; the VSU-1000 units are administered from VPNmanager; Web sites are also reached via the Internet]

Tunneling Illustrated
[Diagram: Workstation X, Router A, a tunnel across the network, Router B, Workstation Y]
- Step 1. Original, unroutable IP packet (dest Y) sent to router
- Step 2. Original IP packet encapsulated in another (new) IP packet and carried through the tunnel
- Step 3. Original packet extracted, sent to destination (dest Y)
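The three steps in the notes and on this slide, as an added example that is not part of the original deck: a Python model of IP-in-IP encapsulation (RFC 2003, the IP-IP tunnel type named on the Voluntary Tunnels slide), built with the standard library only. The addresses for Workstation X, Workstation Y, Router A and Router B, the payload and the inner protocol number are constructed assumptions; the last lines show why the slide says tunneling itself provides no security.

```python
import ipaddress
import struct

# Constructed sample: Workstation X -> Y uses addresses that are not routable on the
# Internet, while Router A and Router B (tunnel endpoints) have routable addresses.
INNER_SRC, INNER_DST = "10.1.1.10", "10.2.2.20"
ROUTER_A, ROUTER_B = "198.51.100.1", "203.0.113.1"
PROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation (RFC 2003)

def checksum(hdr: bytes) -> int:
    """IPv4 one's-complement header checksum; returns 0 for a header that verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def encapsulate(inner: bytes) -> bytes:
    """Step 2 (Router A): the whole unroutable packet becomes the payload of a routable one."""
    return ipv4_packet(ROUTER_A, ROUTER_B, PROTO_IPIP, inner)

def decapsulate(outer: bytes) -> bytes:
    """Step 3 (Router B): validate the outer header, strip it, return the original packet."""
    ihl = (outer[0] & 0x0F) * 4
    if ihl < 20 or len(outer) < ihl or outer[0] >> 4 != 4 or checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if outer[9] != PROTO_IPIP:
        raise ValueError("not an IP-in-IP tunnel packet")
    total_len = struct.unpack("!H", outer[2:4])[0]
    return outer[ihl:total_len]

def addresses(pkt: bytes) -> tuple:
    """(source, destination) of an IPv4 packet, for inspecting either header."""
    return str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20]))

if __name__ == "__main__":
    inner = ipv4_packet(INNER_SRC, INNER_DST, 17, b"hello Y")   # Step 1 (constructed payload)
    outer = encapsulate(inner)
    print("outer header:", addresses(outer), "inner header:", addresses(decapsulate(outer)))
    # Tunneling itself provides no security: the inner packet rides along in the clear.
    print("payload visible on the Internet path:", b"hello Y" in outer)
```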
Types of Tunnels (with thanks to Bernard Aboba)
- Two basic types of tunnels
  - Voluntary tunnels
    - Tunneling initiated by the end-user (requires client software on remote computer)
  - Compulsory tunnels
    - Tunnel is created by NAS or router (tunneling support required on NAS or router)

Voluntary Tunnels
- Will work with any network device
  - Tunneling transparent to leaf and intermediate devices
- But user must have a tunneling client compatible with tunnel server
  - PPTP, L2TP, L2F, IPSEC, IP-IP, etc.
- Simultaneous access to Intranet (via tunnel) and Internet possible
  - Employees can use personal accounts for corporate access
  - Remote office applications
    - Dial-up VPNs for low traffic volumes

Compulsory Tunnels
- Will work with any client
- But NAS must support same tunnel method
  - But… tunneling transparent to intermediate routers
- Network access controlled by tunnel server
  - User traffic can only travel through tunnel
  - Internet access possible
    - Must be by pre-defined facilities
    - Greater control
    - Can be monitored

Compulsory Tunnels
- Static tunnels
  - All calls from a given NAS/router tunneled to a given server
- Realm-based tunnels
  - Each tunnel based on information in NAI (i.e. user@realm)
- User-based tunnels
  - Calls tunneled based on userID data stored in authentication system

RADIUS Support for Tunnels
- Can define tunnel type
- Can define/limit tunnel end points
- Allows tunnel configuration to be based on Calling-Station-ID or Called-Station-ID
- Additional accounting information
  - Tunnel end points
  - Tunnel ID, etc.
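The realm-based compulsory tunnel described in the L2TP notes and on the Compulsory Tunnels and RADIUS Support for Tunnels slides, as an added example that is not part of the original deck: a Python model of the RADIUS exchange in which a NAS sends the NAI (user@realm) and a policy server answers with the tunnel type and end point for that realm. The shared secret, realm policy and addresses are constructed; the attribute numbers (User-Name 1, Tunnel-Type 64, Tunnel-Server-Endpoint 67, Tunnel-Type value 3 for L2TP) are those of RFC 2865 and RFC 2868, and the NAS verifies the Response Authenticator before acting on the reply.

```python
import hashlib
import struct

SECRET = b"constructed-shared-secret"  # NAS <-> RADIUS shared secret (constructed value)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, TUNNEL_TYPE, TUNNEL_SERVER_ENDPOINT, TUNNEL_L2TP = 1, 64, 67, 3  # RFC 2865/2868
REALM_POLICY = {"corp.example": "203.0.113.10", "partner.example": "198.51.100.20"}  # constructed

def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; RFC 2868 tunnel values start with a 1-byte tag."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def parse_attrs(attrs: bytes) -> dict:
    """Walk the attribute list; reject truncated or zero-length attributes."""
    out, i = {}, 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed attribute")
        out[t], i = attrs[i + 2:i + l], i + l
    return out

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + SECRET).digest()

def access_request(nai: str, ident: int, req_auth: bytes) -> bytes:
    attrs = avp(USER_NAME, nai.encode())  # NAS side: the NAI travels as User-Name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def policy_server_reply(request: bytes) -> bytes:
    """Policy server side: the realm of user@realm selects the L2TP end point, else reject."""
    ident, req_auth, length = request[1], request[4:20], struct.unpack("!H", request[2:4])[0]
    nai = parse_attrs(request[20:length]).get(USER_NAME, b"").decode(errors="replace")
    realm = nai.rpartition("@")[2]
    code, attrs = ACCESS_REJECT, b""
    if "@" in nai and realm in REALM_POLICY:
        code, attrs = ACCESS_ACCEPT, (avp(TUNNEL_TYPE, b"\x01" + TUNNEL_L2TP.to_bytes(3, "big"))
                                      + avp(TUNNEL_SERVER_ENDPOINT, b"\x01" + REALM_POLICY[realm].encode()))
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + response_authenticator(code, ident, req_auth, attrs) + attrs

def nas_apply_reply(reply: bytes, req_auth: bytes) -> dict:
    """NAS side: verify the Response Authenticator before honouring any tunnel attributes."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    if reply[4:20] != response_authenticator(code, ident, req_auth, attrs):
        raise ValueError("Response Authenticator mismatch: reply forged or altered")
    tunnel = {t: v[1:] for t, v in parse_attrs(attrs).items()}  # strip RFC 2868 tag bytes
    return {"accept": code == ACCESS_ACCEPT,
            "tunnel_type": int.from_bytes(tunnel.get(TUNNEL_TYPE, b"\x00"), "big"),
            "endpoint": tunnel.get(TUNNEL_SERVER_ENDPOINT, b"").decode()}
```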
RADIUS Dial Up Security
[Diagram: a remote user (and a hacker) dial into a RAS at the boundary of the private network; the user login is checked against a RADIUS server using the RADIUS protocol]
- Authenticates dial in users at boundary of private network

Protocol Comparison (columns: PPTP, L2TP, IPSEC; an X marks a supported feature; the column position of each mark is not preserved, only the marks per row)
- Authenticated Tunnels: X X
- Compression: X X X
- Smart Cards: X X
- Address Allocation: X X
- Multiprotocol: X X
- Encryption: X
- Flow Control: X
- Requires Server: X X

Layer 2 Tunneling Protocol (L2TP)
[Diagram: a mobile employee and a telecommuter dial into LACs on a shared dial network; an L2TP tunnel carries PPP from the LAC to the LNS in the private network, which consults RADIUS]
- L2TP Access Concentrator (LAC) tunnels PPP frames in IP
- L2TP Network Server (LNS) de-tunnels PPP, authenticates via RADIUS and performs address assignment