
Overview L2/L3/L4 VPN Other tunneling technologies

Routerlab: Tunneling

Thorben Krüger

original slides by Philipp S. Tiesel and Franziska Lichtblau

June 1, 2016


1 Overview

2 L2/L3/L4 VPN
  IPSec
  OpenVPN

3 Other tunneling technologies


Overview

Tunneling: Use cases

(encryption and authentication)

• Connecting discontiguous network segments

• Enabling telecommuting

• Bypass restrictive firewalls and proxies

• Transition technology (IPv6 over IPv4)

• Traffic engineering

What is tunneling?

• Embed one protocol inside of another protocol

• Establishing logical layers across the network

• What can be tunneled... through what...
  – IP over IP
  – IP over UDP
  – TCP over SSH
  – See RFC 1217 for escalation of this idea...


L2/L3/L4 VPN

Overview

• MPLS establishes layer 2 tunnels based on labels assigned to packets

• IPSec provides encryption and authentication at the IP packet level

• OpenVPN is a point-to-point tunneling technology that can be used in bridged or routed networks

• PPPoE is a link layer protocol for encapsulating PPP frames inside Ethernet frames


IPSec

Basics

• Encryption and authentication of IP packets on layer 3

• Usually used as a tunneling technology, even though an established connection is not strictly necessary for it

• Initially designed to enable between Internet nodes

• Implementations: , /, freeswan

Authentication Header (AH)

• Ensures integrity and authenticity of IP packets

• Inserts a header into the IP packet that contains a cryptographic checksum of the packet's contents

• Protects the non-mutable fields of an IP datagram

• Caution: Using AH through NAT needs extra consideration, because NAT changes header fields that AH authenticates

• IPSec in AH mode without encryption is possible, but rarely used (on purpose)

Encapsulating Security Payload (ESP)

• Responsible for encryption of IP packets

• Provides authenticity as well, but the source and destination IP addresses are not part of the checksum

• IP spoofing is prevented by authenticating the communication endpoints when the tunnel is established

Tunnel mode

• Entire IP packet is protected by IPSec

• New IP header is wrapped "around" the old packet

• Original IP header not visible

• Commonly used between gateways with ESP enabled

ESP tunnel mode packet layout (reconstructed from the slide figure):

  | New IP Header | ESP Header | IP Header | TCP/UDP Header | Data | ESP Trailer | ESP Auth Trailer |
                  |<------------------ signed by ESP Auth Trailer ------------------->|
                               |<------- encrypted with ESP Header ------->|

  Original IP packet = IP Header | TCP/UDP Header | Data

Transport mode

• Original IP header used for encapsulation (not encrypted)

• Usually used for end-to-end security

• IPSec is running on the end hosts

ESP transport mode packet layout (reconstructed from the slide figure):

  | Original IP Header | ESP Header | TCP/UDP Header | Data | ESP Trailer | ESP Auth Trailer |
                       |<------------- signed by ESP Auth Trailer ------------->|
                                    |<-- encrypted with ESP Header -->|

  Original IP packet = Original IP Header | TCP/UDP Header | Data (original IP header moved to the front)
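The two ESP layouts above, as an added example that is not part of the original slides: it builds tunnel-mode and transport-mode ESP packets with NULL encryption (RFC 2410, so the bytes stay readable) and an HMAC-SHA256-128 ICV, and shows that the ICV covers ESP header through ESP trailer but not the IP header in front, which is why ESP tolerates a NAT rewriting the outer addresses where AH does not. Keys and addresses are constructed, and the IPv4 builder leaves the header checksum at 0.

```python
# Added example, not from the slides: ESP framing in tunnel and transport mode
# with NULL encryption (RFC 2410) so the bytes stay readable, plus an
# HMAC-SHA256-128 ICV. Keys and addresses are constructed; the IPv4 builder
# leaves the header checksum at 0 for brevity.
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP = 4, 17, 50
ICV_LEN = 16  # truncated HMAC-SHA256 integrity check value


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (constructed; checksum left 0)."""
    packed = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, packed(src), packed(dst))


def esp_encapsulate(inner, next_header, spi, seq, auth_key):
    """ESP header | payload | padding, pad length, next header | ICV."""
    pad_len = (-(len(inner) + 2)) % 4  # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    authed = struct.pack("!II", spi, seq) + inner + trailer  # ESP header..ESP trailer
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return authed + icv


def tunnel_mode(orig_pkt, gw_src, gw_dst, spi, seq, key):
    """Tunnel mode: whole original packet is the ESP payload, new outer IP header in front."""
    body = esp_encapsulate(orig_pkt, IPPROTO_IPIP, spi, seq, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(body)) + body


def transport_mode(orig_pkt, spi, seq, key):
    """Transport mode: original IP header stays in front in clear; only the L4 part is wrapped."""
    ip_hdr, payload = orig_pkt[:20], orig_pkt[20:]
    body = esp_encapsulate(payload, ip_hdr[9], spi, seq, key)
    new_hdr = bytearray(ip_hdr)
    new_hdr[9] = IPPROTO_ESP  # protocol field now announces ESP
    struct.pack_into("!H", new_hdr, 2, 20 + len(body))
    return bytes(new_hdr) + body


def esp_verify(pkt, key):
    """The ICV covers ESP header..ESP trailer only; the IP header in front is not signed."""
    esp = pkt[20:]
    expected = hmac.new(key, esp[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, esp[-ICV_LEN:])
```

Rewriting the outer source address (what a NAT does) leaves esp_verify true, while flipping one bit of the inner packet or using the wrong key makes it fail.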

IKE - Internet Key Exchange

• Security Associations: security policies for communication between entities need to be defined

• Key management protocol: Exchange of keys for encryption and authentication over unsecured channels

• Manages Security Associations (SAs) for IPSec

• IKE for IPSec is not mandatory, but widely used
  – Automatic negotiation of specific parameters
  – CA support
  – Ability to change encryption keys during an IPSec session


OpenVPN

OpenVPN: Basics

• SSL/TLS based user-space VPN: works on various devices/platforms

• Works with virtual network interfaces

• Layer 2 (TAP mode) & Layer 3 (TUN Mode)

• Encapsulation in UDP or TCP

Layer 3: TUN Mode

• Virtual point-to-point link

• Endpoints have a tunX interface

• TUN interfaces get IP addresses out of the same subnet

• Communication is routed through these interfaces

Layer 2: TAP Mode

• Use case: merge two Ethernet broadcast domains

• Bridging mode: packet forwarding based on layer 2 addresses

• Forwarding between virtual TAP devices and a bridge to the local LAN

• Used when applications running over the VPN rely on network broadcast (like online games)

Encapsulation

• OpenVPN traffic is wrapped in a UDP connection (TCP is possible as well)

• Arbitrary ports can be used, which makes bypassing firewalls easy

• Hardly any problems with NATs

Encryption and Authentication

• Based on OpenSSL for encryption, key exchange, ...

• PSK (pre-shared key), SSL/TLS certificates, username/password

• Authentication based on SSL certificate chain

IPSec vs. OpenVPN

• Traditionally: OpenVPN easier to deploy - works "out of the box"

• Today: Modern IPSec implementations are up to the task as well

• Virtual interfaces of OpenVPN make routing possible

• IPSec works based on SAs and corresponding policies


Other tunneling technologies

IPv6 Transition technologies

• Problem: You want to adopt IPv6 as a future technology, but nobody is using IPv6 yet...

• Possible solution: Wrap your new IPv6 packets in IPv4 packets and send them through the existing Internet
  – 6to4: No explicit tunnel setup, but communication via relay routers
  – Teredo: IPv6 traffic encapsulated in IPv4-based UDP datagrams
  – ...

IPv6 Transition technologies

• Problem: You have migrated your access provider network to IPv6, but many endpoints in the Internet only have IPv4...

• Possible solution: Use tunneling and NAT to allow hosts in an IPv6 network to use IPv4 (DS-Lite, RFC 6333)
  – Let the CPE assign IPv4 RFC 1918 addresses to end hosts and announce itself as default gateway
  – The CPE/B4 then encapsulates all IPv4 packets in IPv6 and sends them to the Address Family Transition Router (AFTR)
  – The AFTR decapsulates the IPv4 packets and NATs them to a global unicast IPv4 address
  – This way, providers can use IPv6 in the backbone while still offering IPv4 services to customers
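The DS-Lite data path above, as an added example that is not part of the original slides (standard-library Python only): the B4 wraps an IPv4 packet in an IPv6 header, and the AFTR decapsulates it and applies NAT44, keying its table on the B4's IPv6 address as well as the private source, since every customer may use the same RFC 1918 addresses. Addresses are constructed documentation prefixes and checksums are omitted.

```python
# Added example, not from the slides: DS-Lite (RFC 6333) B4 encapsulation and
# AFTR decapsulation + NAT44 with pure standard-library Python. Addresses are
# constructed documentation prefixes; IP/UDP checksums are left 0 for brevity.
import ipaddress
import struct

IPPROTO_IPIP = 4  # IPv6 next-header value for an IPv4 packet carried inside


def ipv4_udp_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+UDP packet as an end host behind the CPE would send it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def b4_encapsulate(ipv4_pkt, b4_addr, aftr_addr):
    """CPE/B4: wrap the whole IPv4 packet in an IPv6 header addressed to the AFTR."""
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(ipv4_pkt), IPPROTO_IPIP, 64,
                      ipaddress.IPv6Address(b4_addr).packed,
                      ipaddress.IPv6Address(aftr_addr).packed)
    return ip6 + ipv4_pkt


class AFTR:
    """Decapsulates and NATs. The B4's IPv6 address is part of every NAT key,
    because customers behind different B4s may all use 192.168.1.0/24."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = ipaddress.IPv4Address(public_ip).packed
        self.next_port = first_port
        self.table = {}  # (b4 IPv6 addr, private IPv4 src, sport) -> public port

    def handle(self, ipv6_pkt):
        if ipv6_pkt[6] != IPPROTO_IPIP:
            raise ValueError("not an IPv4-in-IPv6 packet")
        b4 = ipaddress.IPv6Address(ipv6_pkt[8:24])
        inner_len = struct.unpack("!H", ipv6_pkt[4:6])[0]
        inner = bytearray(ipv6_pkt[40:40 + inner_len])
        priv_src = ipaddress.IPv4Address(bytes(inner[12:16]))
        sport = struct.unpack("!H", inner[20:22])[0]
        key = (b4, priv_src, sport)
        if key not in self.table:  # allocate a public port on first sight
            self.table[key] = self.next_port
            self.next_port += 1
        inner[12:16] = self.public_ip  # rewrite source to the global unicast address
        struct.pack_into("!H", inner, 20, self.table[key])
        return bytes(inner), self.table[key]
```

Two B4s sending the identical private packet 192.168.1.10:1234 get distinct public ports, which is exactly the overlap the tunnel-endpoint key resolves.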

Layer 2 tunneling: MPLS

• MPLS: Establishes tunnels on the layer 2 level between different network segments

• Layer 2 packets get a 32-bit label - forwarding decisions are based only on the assigned labels

• Each label corresponds to a virtual link (similar to VLANs)

• Avoids the complexity of IP-based routing

• Is used across the Internet (not only in local LANs like VLANs)

Cellular Backhaul: GTP

• GPRS Tunneling Protocol (GTP): used for many different purposes in a GPRS/EPC backbone

• Used to encapsulate cellular data traffic and control traffic

• Basic building block for mobility

• Based on UDP

Thank you

Any Questions?
