Overview L2/L3/L4 VPN Other tunneling technologies
Routerlab: Tunneling
Thorben Krüger
original slides by Philipp S. Tiesel and Franziska Lichtblau
June 1, 2016
1 Overview
2 L2/L3/L4 VPN: IPSec, OpenVPN
3 Other tunneling technologies
Overview
Tunneling: Use cases
• Secure communication (encryption and authentication)
• Connecting discontiguous network segments
• Enabling telecommuting
• Bypass restrictive firewalls and proxies
• Transition technology (IPv6 over IPv4)
• Traffic engineering
What is tunneling?
• Embed one protocol inside of another protocol
• Establishes logical links (overlays) across the network
• What can be tunneled. . . through what. . .
  – IP over IP
  – IP over UDP
  – TCP over SSH
  – See RFC 1217 for an escalation of this idea. . .
L2/L3/L4 VPN
Overview
• MPLS establishes label-switched tunnels (often called "layer 2.5") based on labels assigned to packets
• IPSec provides encryption and authentication at the IP packet level (layer 3)
• OpenVPN is a point-to-point tunneling technology over UDP or TCP (layer 4) which can be used in bridged (layer 2) or routed (layer 3) networks
• PPPoE is a link layer protocol for encapsulating PPP frames inside Ethernet frames
IPSec
Basics
• Encryption and authentication of IP packets on layer 3
• Usually used as a tunneling technology (tunnel mode), even though IPSec itself is connectionless and does not strictly require a tunnel (transport mode protects packets in place)
• Initially designed for end-to-end encryption between arbitrary Internet hosts (IPv6 originally required IPsec support)
• Implementations: strongSwan, Openswan/Libreswan, FreeS/WAN (historical); on Linux these handle key management, while the packet processing lives in the kernel (XFRM)
Authentication Header (AH)
• Ensures integrity and authenticity of IP packets
• Inserts an AH header after the IP header containing an integrity check value (ICV): a keyed MAC over the packet's contents
• Covers the payload and the non-mutable fields of the IP header (mutable fields such as TTL and the header checksum are zeroed before the MAC is computed)
• Caution: AH through NAT does not work: NAT rewrites the source or destination address, which AH covers, so the receiver's ICV check fails (there is no NAT traversal for AH)
• AH provides integrity and authenticity only, never confidentiality; using it on its own is possible, but rarely done on purpose
Encapsulating Security Payload (ESP)
• Responsible for encryption of IP packets
• Provides integrity and authenticity as well (optional, but practically always enabled), but the outer IP header, including source and destination address, is not covered by the ICV; this is why ESP can pass through NAT (with UDP encapsulation on port 4500, RFC 3948)
• IP spoofing is prevented by authenticating the communication endpoints when the SA is established (IKE) and by the per-packet ICV and anti-replay sequence numbers
Tunnel mode
• Entire IP packet is protected by IPSec
• New IP header is wrapped ”around” the old packet
• Original IP header not visible
• Commonly used between gateways with ESP enabled
  +-----------+---------+------------+---------+------+-------------+------------------+
  | New IP    | ESP     | Original   | TCP/UDP | Data | ESP Trailer | ESP Auth Trailer |
  | Header    | Header  | IP Header  | Header  |      |             | (ICV)            |
  +-----------+---------+------------+---------+------+-------------+------------------+
                        |<------ Original IP packet ------->|
                        |<------------ Encrypted ------------------------>|
              |<--------------- Signed (covered by the ESP Auth Trailer) ----------->|
Transport mode
• Original IP header is kept in front (not encrypted); the ESP header is inserted between it and the transport header
• Usually used for end-to-end security
• IPSec is running on the end hosts
  +------------+---------+---------+------+-------------+------------------+
  | Original   | ESP     | TCP/UDP | Data | ESP Trailer | ESP Auth Trailer |
  | IP Header  | Header  | Header  |      |             | (ICV)            |
  +------------+---------+---------+------+-------------+------------------+
  |<- Original IP packet (header moved to the front) ->|
                         |<------- Encrypted -------------->|
               |<--------- Signed (covered by the ESP Auth Trailer) ----->|
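The NAT caveat from the AH and ESP slides, and the tunnel/transport layouts above, can be checked by building the packets by hand. The following Python is an added example (not from the slides): it builds an AH transport-mode packet (RFC 4302) and an ESP tunnel-mode packet (RFC 4303) using NULL encryption (RFC 2410) so the authenticated region stays readable, computes the ICV with HMAC-SHA-256-128 (RFC 4868) from the standard library, and then lets a NAT rewrite the outer source address. The key, addresses and payload are constructed sample values.

```python
"""AH vs ESP under NAT (added example, not from the slides).

Builds an AH transport-mode packet (RFC 4302) and an ESP tunnel-mode packet
(RFC 4303) with NULL encryption (RFC 2410), computes the integrity check
value (ICV) with HMAC-SHA-256-128 (RFC 4868), then lets a NAT rewrite the
outer source address. All keys, addresses and payloads are constructed.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-real-use"          # constructed sample key
PROTO_AH, PROTO_ESP, PROTO_IPIP, PROTO_UDP = 51, 50, 4, 17
ICV_LEN = 16                                            # 128-bit truncated HMAC
AH_LEN = 12 + ICV_LEN                                   # fixed AH part + ICV


def _icv(data: bytes) -> bytes:
    # HMAC-SHA-256-128: HMAC-SHA256 truncated to its first 128 bits
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def _checksum(hdr: bytes) -> int:
    # Standard ones'-complement IPv4 header checksum
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # Minimal 20-byte IPv4 header, no options
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _ah_immutable_view(packet: bytes) -> bytes:
    # RFC 4302: mutable fields (TOS, flags/fragment offset, TTL, checksum)
    # and the ICV itself are zeroed before the ICV is computed. Source and
    # destination address are NOT zeroed: they are immutable in transit,
    # which is exactly why a NAT rewrite breaks AH.
    ip = bytearray(packet[:20])
    ip[1] = 0
    ip[6:8] = b"\x00\x00"
    ip[8] = 0
    ip[10:12] = b"\x00\x00"
    ah = bytearray(packet[20:20 + AH_LEN])
    ah[12:] = bytes(ICV_LEN)
    return bytes(ip) + bytes(ah) + packet[20 + AH_LEN:]


def ah_transport_packet(src, dst, next_proto, payload, spi=0x100, seq=1) -> bytes:
    # AH: next header | payload len (32-bit words - 2) | reserved | SPI | seq | ICV
    ah = struct.pack("!BBHII", next_proto, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ipv4_header(src, dst, PROTO_AH, AH_LEN + len(payload)) + ah + payload
    icv = _icv(_ah_immutable_view(pkt))
    return pkt[:32] + icv + pkt[32 + ICV_LEN:]


def ah_verify(packet: bytes) -> bool:
    return hmac.compare_digest(packet[32:32 + ICV_LEN], _icv(_ah_immutable_view(packet)))


def esp_tunnel_packet(outer_src, outer_dst, inner_packet, spi=0x200, seq=1) -> bytes:
    # ESP tunnel mode: the payload is the complete inner IP packet (next header 4).
    # With NULL encryption the body stays readable, so what the ICV covers is visible.
    pad_len = (-(len(inner_packet) + 2)) % 4            # align pad len + next header to 32 bits
    padding = bytes(range(1, pad_len + 1))              # default ESP padding pattern 1,2,3,...
    body = inner_packet + padding + struct.pack("!BB", pad_len, PROTO_IPIP)
    esp = struct.pack("!II", spi, seq) + body
    esp += _icv(esp)        # ICV covers SPI, seq number and body, but NOT the outer IP header
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp)) + esp


def esp_verify(packet: bytes) -> bool:
    return hmac.compare_digest(packet[-ICV_LEN:], _icv(packet[20:-ICV_LEN]))


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    # What a NAT gateway does on the way out: new source address, fixed checksum
    ip = bytearray(packet[:20])
    ip[12:16] = _addr(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", _checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


def demo() -> dict:
    payload = b"constructed UDP payload"
    ah = ah_transport_packet("10.0.0.2", "192.0.2.10", PROTO_UDP, payload)
    inner = ipv4_header("10.0.0.2", "192.168.1.5", PROTO_UDP, len(payload)) + payload
    esp = esp_tunnel_packet("10.0.0.1", "198.51.100.1", inner)
    return {
        "ah_before_nat": ah_verify(ah),
        "ah_after_nat": ah_verify(nat_rewrite_source(ah, "203.0.113.7")),
        "esp_before_nat": esp_verify(esp),
        "esp_after_nat": esp_verify(nat_rewrite_source(esp, "203.0.113.7")),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns AH valid before NAT and invalid after, while ESP verifies in both cases. A TTL decrement by a router, by contrast, leaves AH intact because TTL is one of the zeroed mutable fields. Real ESP with a cipher such as AES-GCM changes only the body bytes; the coverage of the ICV, and therefore the NAT behaviour, is the same as shown here.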
IKE - Internet Key Exchange
• Security Associations (SAs): the agreed parameters (algorithms, keys, SPI, lifetime, mode) for one direction of traffic between two entities; security policies select which traffic gets which SA
• Key management protocol: negotiates keys for encryption and authentication over an untrusted channel (authenticated Diffie-Hellman exchange)
• Creates, rekeys and deletes the SAs for IPSec
• IKE is not mandatory for IPSec (SAs can be keyed manually), but widely used; the current version is IKEv2 (RFC 7296)
  – Automatic negotiation of algorithms and parameters
  – CA / certificate support for peer authentication
  – Ability to change (rekey) encryption keys during an IPSec session
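What IKE negotiates versus what the policy covers is easiest to see in a concrete configuration. The following site-to-site setup in strongSwan's swanctl.conf syntax is an added example (not from the slides or from the strongSwan project): the connection block describes the IKE SA (version, proposal, peer identities bound to certificates), the child block describes the CHILD SA and its policy (traffic selectors, ESP proposal, rekeying). Addresses, identities and file names are assumed.

```text
# /etc/swanctl/swanctl.conf (strongSwan 5.x assumed); all values constructed
connections {
    site-a-to-site-b {
        version = 2                              # IKEv2 (RFC 7296)
        local_addrs  = 203.0.113.1               # gateway A
        remote_addrs = 198.51.100.1              # gateway B
        # IKE SA proposal: AEAD cipher, PRF, DH group; no legacy algorithms
        proposals = aes256gcm16-prfsha256-ecp256
        rekey_time = 4h
        local {
            auth = pubkey
            certs = site-a.pem                   # in /etc/swanctl/x509
            id = "CN=site-a.example.org"
        }
        remote {
            auth = pubkey
            id = "CN=site-b.example.org"         # peer must present a cert with this subject
        }
        children {
            lans {
                # Policy: only traffic between these selectors enters the tunnel
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                mode = tunnel
                # CHILD SA proposal: ESP with AEAD, DH group gives perfect forward secrecy on rekey
                esp_proposals = aes256gcm16-ecp256
                rekey_time = 1h
                start_action = start
                dpd_action = restart
            }
        }
        dpd_delay = 30s
    }
}
```

The two `proposals` lines are the parameters IKE negotiates automatically; the `rekey_time` values are the "change keys during a session" point; and `local_ts`/`remote_ts` are the policy side of the slide's "SAs and corresponding policies". Packets that match no child selector are not protected at all, so a missing selector fails open rather than closed unless the firewall drops such traffic.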
OpenVPN
OpenVPN: Basics
• SSL/TLS based user-space VPN: works on various devices and platforms
• Works based on virtual network interfaces
• Layer 2 (TAP mode) & Layer 3 (TUN Mode)
• Encapsulation in UDP or TCP
Layer 3: TUN Mode
• Virtual point-to-point link
• End points have tunX interface
• TUN interfaces get IP addresses out of the same subnet
• Communication is routed through these interfaces
Layer 2: TAP Mode
• Use case: Merge two ethernet broadcast domains
• Bridging mode: frame forwarding based on layer 2 (MAC) addresses
• The virtual TAP device is bridged into the local LAN, so frames are forwarded between the tunnel and the LAN
• Used when applications running over the VPN rely on network broadcast (like online games); the price is that broadcast and ARP traffic from both LANs crosses the tunnel
Encapsulation
• OpenVPN traffic is wrapped in UDP datagrams (TCP possible as well, but TCP-in-TCP hurts performance on lossy links)
• Can listen on arbitrary ports (e.g. TCP 443), which makes it easy to get through restrictive firewalls and proxies
• Nearly no problems with NAT, since NAT only rewrites the outer UDP/TCP header, which the tunnel does not authenticate
Encryption and Authentication
• Based on OpenSSL - for encryption, key exchange, . . .
• PSK (pre-shared key), SSL/TLS certificates, username/password
• Peer authentication based on validating the X.509 certificate chain against the configured CA
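Validating the certificate chain is only half of the authentication: every certificate signed by the CA, including other clients' certificates, passes that check. The following client and server fragments are an added example (not from the slides or from the OpenVPN project); the first client config works but is weak, the second adds the checks that bind the peer to a role and a name. Hostnames, addresses and file names are assumed, and `data-ciphers` assumes OpenVPN 2.5 or newer.

```text
# --- client.ovpn, minimal (works, but weak) ---
client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key client.key
# Any certificate signed by ca.crt is accepted as "the server", so another
# client holding a certificate from the same CA can impersonate the server.

# --- client.ovpn, hardened ---
client
dev tun
proto udp
remote vpn.example.org 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# server certificate must carry the server extended key usage ...
remote-cert-tls server
# ... and exactly this common name (assumed CN of the server certificate)
verify-x509-name vpn.example.org name
# pre-shared key that authenticates and encrypts the TLS control channel;
# packets without it are dropped before any TLS handshake is attempted
tls-crypt ta.key
tls-version-min 1.2
# AEAD ciphers only for the data channel (OpenVPN 2.5+)
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
auth-nocache

# --- server.conf, the matching lines ---
server 10.8.0.0 255.255.255.0
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
# no finite-field DH parameters; ECDHE is used for the TLS key exchange
dh none
tls-crypt ta.key
# client certificate must carry the client extended key usage
remote-cert-tls client
# revoked client certificates are rejected on the next handshake
crl-verify crl.pem
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
user nobody
group nogroup
persist-key
persist-tun
```

`remote-cert-tls` on both sides is what turns "signed by our CA" into "is the server" and "is a client"; `tls-crypt` keeps the listener from answering unauthenticated probes at all, which matters when the port is deliberately exposed to pass firewalls.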
IPSec vs. OpenVPN
• Traditionally: OpenVPN easier to deploy - works ”out of the box”
• Today: Modern IPSec implementations are up to the task as well
• Virtual interfaces of OpenVPN make ordinary routing (and bridging) over the tunnel possible
• IPSec works based on SAs and corresponding policies (which traffic selectors get which SA) rather than on an interface
Other tunneling technologies
IPv6 Transition technologies
• Problem: You want to adopt IPv6 as a future technology, but hardly anybody is using IPv6 yet. . .
• Possible solution: Wrap your new IPv6 packets in IPv4 packets and send them through the existing Internet
  – 6to4 (RFC 3056): no explicit tunnel setup; IPv6 is carried directly in IPv4 (protocol 41), and communication with native IPv6 goes via public relay routers
  – Teredo (RFC 4380): IPv6 traffic encapsulated in IPv4 UDP datagrams, so it also works behind NAT
  – ...
  – Both accept encapsulated packets from arbitrary IPv4 sources, so the decapsulating host or relay has to validate the embedded addresses
IPv6 Transition technologies (cont.)
• Problem: You have migrated your access provider network to IPv6, but many endpoints in the Internet only have IPv4. . .
• Possible solution: Use tunneling and NAT to allow hosts in an IPv6-only network to use IPv4 (DS-Lite, RFC 6333)
  – The CPE assigns RFC 1918 IPv4 addresses to end hosts and announces itself as their default gateway
  – The CPE (the "B4" element) encapsulates all IPv4 packets in IPv6 and sends them to the Address Family Transition Router (AFTR)
  – The AFTR decapsulates the IPv4 packets and NATs them to a global unicast IPv4 address (carrier-grade NAT, shared by many customers)
  – This way, providers can run IPv6 in the backbone while still offering IPv4 service to customers
Layer 2 tunneling: MPLS
• MPLS: Establishes label-switched tunnels between different network segments, sitting between layer 2 and layer 3 ("layer 2.5")
• Packets get a 32-bit shim header (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL); the forwarding decision is based only on the top label
• Each label corresponds to a virtual link (similar to VLANs); labels can be stacked, e.g. a transport label around a VPN label
• Avoids the complexity of IP-based routing in the core
• Used across wide-area provider networks (not only in local LANs like VLANs); labels carry no authentication, so isolation between customers rests on trusting the provider's core
Cellular Backhaul: GTP
• GPRS Tunnelling Protocol (GTP): used for many different purposes in a GPRS / EPC core network
• Used to encapsulate cellular user data (GTP-U) and control traffic (GTP-C)
• Basic building block for mobility: the tunnel between the core gateways can be re-anchored to a new base station while the subscriber keeps the same IP address
• Based on UDP (GTP-C on port 2123, GTP-U on port 2152); GTP itself has no authentication or encryption, so security depends on keeping the core network unreachable from outside and on IPsec between nodes
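The MPLS and GTP slides describe two encapsulations whose headers decide where a packet goes: the top MPLS label and the GTP-U tunnel endpoint identifier (TEID). The following Python, an added example not from the slides, builds and parses an MPLS label stack (RFC 3032) and a GTPv1-U header (3GPP TS 29.281) from constructed sample values. Label values, TEID and payload are made up; the parsers reject truncated input and a GTP length field that disagrees with the datagram, the checks a decapsulating node on UDP 2152 needs before trusting anything else.

```python
"""Encapsulation headers for MPLS and GTP-U (added example, not from the slides).

Builds and parses an MPLS label stack (RFC 3032) and a GTPv1-U header
(3GPP TS 29.281). All labels, TEIDs and payloads below are constructed.
"""
import struct


def build_mpls_stack(entries) -> bytes:
    # entries: list of (label, tc, ttl), top of stack first;
    # the bottom-of-stack bit is set on the last entry only
    out = b""
    for i, (label, tc, ttl) in enumerate(entries):
        bos = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)
    return out


def parse_mpls_stack(data: bytes):
    # Returns (stack entries top-first, offset of the encapsulated payload).
    # A label-switching router bases its forwarding decision on entries[0] only.
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated MPLS label stack")
        word, = struct.unpack("!I", data[off:off + 4])
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "bos": bool((word >> 8) & 1), "ttl": word & 0xFF})
        off += 4
        if entries[-1]["bos"]:
            return entries, off


GTPU_PORT = 2152        # GTP-U runs over UDP; GTP-C uses 2123
G_PDU = 0xFF            # message type for tunneled user data


def build_gtpu(teid: int, payload: bytes, seq=None) -> bytes:
    # Flags byte: version 1 (bits 7..5 = 001), PT=1 (GTP, not GTP'), then E, S, PN
    flags = 0x30 | (0x02 if seq is not None else 0)
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    # Length counts everything after the 8-byte mandatory header, optional fields included
    return struct.pack("!BBHI", flags, G_PDU, len(opt) + len(payload), teid) + opt + payload


def parse_gtpu(data: bytes) -> dict:
    if len(data) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1 message")
    if length != len(data) - 8:
        raise ValueError("GTP length field does not match datagram")
    e, s, pn = bool(flags & 0x04), bool(flags & 0x02), bool(flags & 0x01)
    off, seq, next_ext = 8, None, 0
    if e or s or pn:                      # the optional 4 bytes are present if any flag is set
        seq, _npdu, next_ext = struct.unpack("!HBB", data[8:12])
        off = 12
    while e and next_ext:                 # extension headers: length in 4-byte units ... next type
        ext_len = data[off] * 4
        if ext_len == 0 or off + ext_len > len(data):
            raise ValueError("bad GTP extension header")
        next_ext = data[off + ext_len - 1]
        off += ext_len
    return {"msg_type": msg_type, "teid": teid, "seq": seq if s else None, "payload": data[off:]}


def demo() -> dict:
    # Constructed: transport label 16 around VPN label 10001 carrying a packet
    inner = b"constructed inner IPv4 packet"
    frame = build_mpls_stack([(16, 0, 64), (10001, 0, 63)]) + inner
    entries, off = parse_mpls_stack(frame)
    # Constructed: a G-PDU for tunnel endpoint 0x1A2B3C4D carrying the same packet
    parsed = parse_gtpu(build_gtpu(0x1A2B3C4D, inner, seq=7))
    return {"top_label": entries[0]["label"], "depth": len(entries), "mpls_payload": frame[off:],
            "teid": parsed["teid"], "gtp_seq": parsed["seq"], "gtp_payload": parsed["payload"]}


if __name__ == "__main__":
    print(demo())
```

Nothing in either header proves who sent it: a node that reaches UDP 2152 with a valid-looking header and a TEID it has observed or guessed gets its payload decapsulated, and a labelled frame is forwarded on the top label alone. That is why both protocols are kept inside networks whose edge filters them.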
Thank you
Any Questions?