Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download VPNs
Document related concepts
Wireless security wikipedia , lookup
Deep packet inspection wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Network tap wikipedia , lookup
Computer network wikipedia , lookup
Distributed firewall wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Airborne Networking wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Asynchronous Transfer Mode wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Transcript
CS514: Intermediate Course in Computer Systems Lecture 21: Nov 5, 2003 “VPNs and other network-level security concepts” VPN Taxonomy CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure 1 What is a VPN? CS514 | | Making a shared network look like a private network Why do this? z Private networks have all kinds of advantages • (we’ll get to that) z But building a private network is expensive • (cheaper to have shared resources rather than dedicated) History of VPNs CS514 | Originally a telephone network concept z | Separated offices could have a phone system that looked like one internal phone system Benefits? z z Fewer digits to dial Could have different tariffs • Company didn’t have to pay for individual long distance calls z Came with own blocking probabilities, etc. • Service guarantees better (or worse) than public phone service 2 Original data VPNs CS514 | Lots of different network technologies in those days z z z | Providers offer virtual circuits between customer sites z z | | Decnet, Appletalk, SNA, XNS, IPX, … None of these were meant to scale to global proportions Virtually always used in corporate settings Frame Relay or ATM A lot cheaper than dedicated leased lines Customer runs whatever network technology over these These still exist (but being replaced by IP VPNs) VPN Taxonomy CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure 3 Advantages of original data VPNs CS514 | Repeat: a lot cheaper than dedicated leased lines z z | | Fine-grained bandwidth tariffs Bandwidth guarantees z | Corporate users had no other choice This was the whole business behind framerelay and ATM services Service Level Agreements (SLA) “Multi-protocol” Frame Relay VPN Example CS514 CE CE CE FR CE FR FR FR CE FR FR FR CE CE CE CE = Customer Equipment FR = Frame Relay 4 Define circuits CE to CE (for given customer: purple) CS514 CE3 CE1 CE1 24 FR 12 FR 31 CE3 FR FR CE4 FR FR FR CE2 CE4 CE2 CE = Customer Equipment FR = Frame Relay Customer establishes routing tables (per protocol) CS514 CE3 CE1 dest CE2 CE3 CE4 circuit 24 12 31 CE1 24 FR FR 12 31 CE3 FR FR CE4 FR FR FR CE2 CE2 CE4 CE = Customer Equipment FR = Frame Relay 5 Provider provisions underlying network CS514 CE3 CE1 CE1 FR CE3 FR FR Provider does queueing analysis of load through each link, determines, throughput characteristics, gives service guarantees to customers accordingly. FR FR FR CE4 FR CE2 CE2 CE4 How has the world changed? | CS514 Everything is IP now z | CE = Customer Equipment FR = Frame Relay Some old stuff still around, but most data networks are just IP So, why do we still care about VPNs??? 6 IP VPN benefits CS514 | IP not really global (private addresses) z | | Security Bandwidth guarantees across ISP z | VPN makes separated IP sites look like one private IP network QoS, SLAs Simplified network operation z ISP can do the routing for you End-to-end VPNs CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure 7 End-to-end VPNs CS514 | Solves problem of how to connect remote hosts to a firewalled network Security and private addresses benefits only z Not simplicity or QoS benefits z End-to-end VPNs CS514 | Solves problem of how to connect remote hosts to a firewalled network FW/ VPN Internet IPsec Tunnels Remote Host Site (private network) Site Host Site Host Remote Host 8 End-to-end VPNs: Configuration CS514 VPN IP addr: 20.1.1.1 User name: joe Password: Rtu44!+3wyZ 20.1.1.1 Site Host FW/ VPN Site joe: Rtu44!+3wyZ Host sally: 5Yee#34hB!2 Remote Host End-to-end VPNs CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure 9 End-to-end VPNs: Configuration CS514 More likely AAA or LDAP backend has the passwords VPN IP addr: 20.1.1.1 User name: joe Password: Rtu44!+3wyZ AAA 20.1.1.1 Site joe: Rtu44!+3wyZ Host sally: 5Yee#34hB!2 Remote Host End-to-end VPNs: Host gets local IP address DHCP AAA 20.1.1.1 30.1.1.1 Remote Host Site Host FW/ VPN Router FW/ VPN CS514 Site Host Site Host 10 End-to-end VPNs: Host connects to VPN CS514 VPN authenticates remote host through backend database (RADIUS or LDAP) AAA 20.1.1.1 Remote Host FW/ VPN RADIUS IPsec Site Host Site Host 30.1.1.1 End-to-end VPNs: VPN assigns site address CS514 As proprietary enhancement to IPsec, or with PPP (over IPsec) 10.1.1.1 20.1.1.1 10.1.1.1 Remote Host IPsec 30.1.1.1 FW/ VPN AAA RADIUS Site Host Site Host 11 End-to-end VPNs: Packets tunneled over IPsec CS514 AAA 20.1.1.1 10.1.1.1 Remote Host 10.1.1.1 10.1.1.2 30.1.1.1 20.1.1.2 FW/ VPN Site Host RADIUS 10.1.1.2 IPsec Site Host 30.1.1.1 10.1.1.1 10.1.1.2 30.1.1.1 20.1.1.2 IPsec Tunnel End-to-end VPNs: Packets tunneled over IPsec CS514 Some VPN clients smart enough to avoid sending non-VPN traffic through the VPN tunnel Not this This Public Host AAA 20.1.1.1 10.1.1.1 Remote Host IPsec 30.1.1.1 FW/ VPN RADIUS Site Host 10.1.1.2 Site Host 12 IPsec CS514 | | Two parts: Session Establishment (key exchange) and Payload IKE/ISAKMP is session establishment z z z | Negotiate encryption algorithms Negotiate payload headers (AH, ESP) Negotiate policies Payloads z AH: Authentication Header • Authenticates each packet but doesn’t encrypt • Has fallen out of favor (redundant and no more efficient, and doesn’t work with NAT) z ESP: Encapsulating Security Payload • Encrypts (with authentication as side effect) IPsec transmission modes: Transport or Tunnel mode CS514 Transport TCP/UDP IPsec ESP or AH Transport mode. Used when IPsec tunnel is end-to-end. IP Transport TCP/UDP IP IPsec ESP or AH Tunnel mode. Used when IPsec tunnel not end-to-end. Hides the IP identity of endpoints. IP 13 New IPsec transmission modes CS514 Transport TCP/UDP IPsec ESP or AH NAT UDP Extra layer of UDP allows IPsec to work over NAT. IP Transport TCP/UDP IP IPsec ESP or AH NAT UDP IP End-to-end VPNs CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure 14 End-to-end VPNs: Host gets local IP address 2. If PPP, AAA tells Access Router to tunnel user to VPN. (If not PPP, Access Router uses local configuration.) 3. CS514 Tunnel pre-established (or packets forwarded over preestablished tunnel) AAA Site Host FW/ VPN 30.1.1.1 Remote Host 1. Access Router Remote host connects to Internet (dialup-PPP or PPPoE (cable) or DSL) IPsec or GRE or L2TP Site Host Compulsory if Access Router forces tunnel, voluntary if user requests it (through certain NAI). NAI = “user@domain” Provider-based end-to-end VPNs CS514 | Used for instance when enterprise pays for employee access, wants it to go through enterprise network z z I know Cisco did this But never used that much • Business model didn’t take off z Used even less now • In part because VPN client comes with windows OS??? | The tunneling technology commonly used for roaming dialup though 15 Network VPNs CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure Reiterate network VPN benefits CS514 Makes separated IP sites look like one private IP network | Security | QoS guarantees | Simplified network operation | 16 Customer-based Network VPNs CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based L3 L2 Voluntary Secure Non-secure ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure Customer-based Network VPNs CS514 Site Site CE CE Internet CE Site CE Site Customer buys own equipment, configures IPsec tunnels over the global internet, manages addressing and routing. ISP plays no role. 17 Customer-based Network VPNs | Great for enterprises that have the resources and skills to do it z | CS514 Large companies More control, better security model Doesn’t require trust in ISP ability and intentions z Can use different ISPs at different sites z | But not all enterprises have this skill Provider-based Network VPNs (aka Provider Provisioned: PPVPN) CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure 18 Provider-based Network VPNs Site CS514 Site CE CE PE PE ISP PE PE CE Site CE Site Provider manages all the complexity of the VPN. Customer simply connects to the provider equipment. Same provider equipment used for multiple customers CS514 Site Site CE CE PE Site PE ISP CE PE PE Site CE Site CE CE Site CE Site 19 Model for customer CS514 Attach to ISP router (PE) as though it was one of your routers | Run routing algorithm with it | z | OSPF, RIP, BGP PE will advertise prefixes from other sites of same customer Various PPVPN issues CS514 | Tunnel type? z z | How to discover which customer is at which PE? z | IPsec (more secure, more expensive) GRE etc. Don’t want PEs without given customer to participate in routing for that customer How to distinguish overlapping private address spaces 20 BGP/MPLS VPNs (RFC2547) CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary L3 L2 Secure Non-secure ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure BGP/MPLS VPNs (RFC2547) CS514 | Cisco invention z | Leverage Cisco’s investment in both BGP and MPLS (Multi-Protocol Label Switching) What is MPLS? z Link-layer technology • Tags like circuit switching • But with some IP awareness z z z How Cisco killed Epsilon Initially marketed as high performance switching Later became “traffic engineering” and VPN 21 Why is MPLS needed for IP traffic engineering? CS514 | | | Good question---not everybody agrees with this Traffic engineering means to manipulate which links traffic goes over to meet SLAs To do this with routers requires looking at both source and dest IP z z | Routers don’t do this (they could, but they don’t) Complex to manage But one (reasonable) school of thought says just over-provision and forget about (micro) traffic engineering How BGP/MPLS VPNs work CS514 | | BGP updates normally carry a set of IP prefixes in the routing path With MPLS VPN, they carry a VPN identifier, and an MPLS tag z z | | VPN identifier distinguishes overlapping address MPLS tag says how to encapsulate customer’s IP over MPLS Within MPLS, the tag both routes the packet and identifies the customer Tunnels are typically not secure z Customer assumes provider links are physically secure 22 Virtual Router based L3 VPNs CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure Virtual Router based L3 VPNs CS514 | BGP/MPLS gave Cisco a huge advantage z | Because Cisco was the BGP and MPLS expert Competitors’ counter argument: No need to couple routing technology with tunneling technology…they are separate issues z Simpler to use virtual routers z 23 What is a virtual router (VR)? | z z | Runs its own routing algorithm Has its own FIB (Forwarding Information Base) Basic idea: Incoming tunnel identifies which VR is intended z z z | CS514 Separate logical router within a single physical router If GRE, then GRE key field If IPsec, then IPsec SPI field If L2TP, then L2TP key field This is how overlapping addresses are distinguished VR approach has discovery issues CS514 | No standard way to configure tunnels and discover which PEs attach to which customers z | All manually configured (via management system) Various proposals exist z Via BGP, OSPF, DNS, an LDAP database, and even IP multicast 24 Layer 2 LAN VPNs CS514 VPN Network End-to-end Provider-based Provider-based Compulsory Customer-based Customer-based Voluntary Secure Non-secure L3 L2 ATM Frame Relay LAN Virtual Router BGP/MPLS Secure Non-secure Layer 2 LAN VPNs CS514 | | | Current IETF project Model is for PE to look like LAN to CE CE broadcast over LAN reaches only other CEs of the same customer z z z | | Thus customer can run OSPF over LAN in standard way Supports multicast Multi-protocol Probably uses VLAN (Virtual LAN) tags to distinguish customers Advantages over FR and ATM are: z z Ethernet is more common interface Supports broadcast/multicast 25
