Virtual Private Networks (VPNs) allow private network traffic to be sent over a public network like the internet. VPNs encrypt the traffic before entering the public internet to maintain privacy and logically separate it from other traffic. IPsec is the common security protocol used that establishes security associations between devices to provide data confidentiality, integrity, authentication, and replay attack prevention for the VPN tunnel. It uses protocols like ESP and AH with security parameters to encrypt and authenticate traffic sent between routers creating the private network extension over the public internet.

1. Virtual Private Networks(VPNs)
Sohel Rana
(1104046)

2. Objectives
 Virtual Private Networks (VPNs)
 Why?
 How?

3. Motivation
 institutions often want private networks for security.
 VPN: institution’s inter-office traffic is sent over public Internet instead

4. Virtual Private Networks(VPNs)
 encrypted before entering public
Internet
 logically separate from other traffic

5. Four Critical Functions
 data integrity
 origin authentication
 replay attack prevention
 confidentiality

6. IPsec Datagram Packet Form
 Tunnel Mode
 Transport Mode
The tunnel mode, being more
appropriate for VPNs

7. IPsec Protocol
 Authentication Header (AH) protocol
 provides source authentication &
data integrity but not confidentiality
 Encapsulation Security Protocol (ESP)
 provides source authentication, data
integrity, and confidentiality
 more widely used than AH

8. Security Associations (SAs)
 before sending data, “security association (SA)” established from
sending to receiving entity
 ending, receiving entitles maintain state information about SA

9. Example SA from R1 to R2
R1 stores for SA:
 32-bit SA identifier: Security Parameter Index (SPI)
 origin SA interface (200.168.1.100)
 destination SA interface (193.68.2.23)
 type of encryption used (e.g., 3DES with CBC)
 encryption key
 type of integrity check used (e.g., HMAC with MD5)
 authentication key
193.68.2.23200.168.1.100
172.16.1/24
172.16.2/24
security association
Internetheadquarters branch office
R1 R2

10. IPsec datagram
193.68.2.23200.168.1.100
172.16.1/24
172.16.2/24
security association
Internetheadquarters
branch office
R1
R2
new IP
header
ESP
hdr
original
IP hdr
Original IP
datagram payload
ESP
trl
ESP
auth
encrypted
“enchilada” authenticated
padding
pad
length
next
header
SPI
Seq
#

11. Conclusion
• Learn about and reason behind using Virtual Private Networks
• Learn How it works
• Learn what services does IPsec provide

12. Thank You
Any Question?