Wednesday, 31 August 2011

VPN


1.1       Definition

The definition below comes from [1].

Perhaps the simplest method of attempting to arrive at a simple definition for VPN’s is to look at each word in the acronym individually, and then subsequently tie each of them together in a simple, common sense, and meaningful fashion.

Let’s start by examining the word “network”. This is perhaps the least difficult term for us to define and understand, since the commonly accepted definition is fairly uncontroversial and generally accepted throughout the industry. A network consists of any number of devices which can communicate through some arbitrary method. Devices of this nature include computers, printers, routers, and so forth, and may reside in geographically diverse locations. The methods by which they may communicate are numerous, since there are countless electronic signaling specifications, and data-link, transport, and application layer protocols. For the purposes of simplicity, let’s just agree that a “network” is a collection of devices that can communicate in some fashion, and can successfully transmit and receive data amongst themselves.

The term “private” is fairly straightforward, and is intricately related to the concept of “virtualization” insofar as VPNs are concerned, as we’ll discuss in a moment. In the simplest of definitions, “private” means that communication between two (or more) devices is, in some fashion, secret: the devices which are not participating in the “private” communication are not privy to the communicated content, and are indeed completely unaware of the private relationship altogether. Accordingly, data privacy and security (data integrity) are also important aspects of a VPN which need to be taken into account when considering any particular VPN implementation.
Another means of expressing this definition of "private" is through its antonym, "public." A “public” facility is one which is openly accessible, and is managed within the terms and constraints of a common public resource, often via a public administrative entity. By contrast, a “private” facility is one where access is restricted to a defined set of entities, and third parties cannot gain access. Typically, the private resource is managed by the entities who have exclusive right of access. Examples of this type of private network can be found in any organizational network which is not connected to the Internet, or to any other external organizational network, for that matter. With this definition the current GTS (the WMO Global Telecommunication System) is a private network.

These networks are private due to the fact that there is no external connectivity, and thus no external network communications. Another important aspect of “privacy” in a VPN comes from its technical definition, which describes the privacy of the addressing and routing systems: the addressing used within a VPN community of interest is separate and discrete from that of the underlying shared network, and from that of other VPN communities. The same holds true for the routing system used within the VPN and that of the underlying shared network. The routing and addressing scheme within a VPN should, for all intents and purposes, be self-contained, but this degenerates into a philosophical discussion on the context of the term “VPN.”
“Virtual” is a concept that is slightly more complicated. The New Hacker’s Dictionary [2] defines virtual as:
virtual /adj./ [via the technical term “virtual memory”, prob. from the term “virtual image” in optics] 1. Common alternative to {logical}; often used to refer to the artificial objects (like addressable virtual memory larger than physical memory) simulated by a computer system as a convenient way to manage access to shared resources. 2. Simulated; performing the functions of something that isn’t really there. An imaginative child’s doll may be a virtual playmate. Oppose {real}.
Insofar as VPN’s are concerned, the definition in 2. above is perhaps the most appropriate comparison for virtual networks. The “virtualization” aspect is one that is similar to what we briefly described above as “private,” however, the scenario is slightly modified – the private communication is now conducted across a network infrastructure that is shared by more than a single organization. Thus, the private resource is actually constructed by using the foundation of a logical partitioning of some underlying common shared resource, rather than by using a foundation of discrete and dedicated physical circuits and communications services. Accordingly, the “private” network has no corresponding “private” physical communications system. Instead, the “private” network is a virtual creation which has no physical counterpart. The virtual communications between two (or more) devices is due to the fact that the devices which are not participating in the virtual communications are not privy to the content of the data, and that they are also altogether unaware of the private relationship between the virtual peers. The shared network infrastructure could, for example, be the global Internet and the number of organizations or other users not participating in the virtual network may literally number into the thousands, hundreds of thousands, or millions.

A VPN can also be said to be a discrete network [3]:
discrete \dis*crete"\, a. [L. discretus, p. p. of discernere. See Discreet.] 1. Separate; distinct; disjunct.
The discrete nature of VPNs allows both privacy and virtualization. While VPNs are not completely separate, per se, the distinction is that they operate in a discrete fashion across a shared infrastructure, providing exclusive communications environments which do not share any points of interconnection.
The combination of these terms produces VPN: a private network, where the privacy is introduced by some method of virtualization. A VPN could be built between two end-systems or between two organizations, between several end-systems within a single organization or between multiple organizations across the global Internet, between individual applications, or any combination of the above.

The common and somewhat formal characterization of the VPN, and perhaps the most straightforward and strict definition, is:

This definition introduces a concept, the VPN, not related to any technical implementation.

There are quite a lot of technical implementations of VPNs…

1.2       Types of VPNs

A simplified version of the TCP/IP layer model is shown on left.
The technical implementations of VPNs map onto this model:
- On the link layer one can find:
  o ATM and Frame Relay connections
  o MPLS (Multi Protocol Label Switching)
  o Link-layer encryption (L2TP or PPTP)
- On the network layer:
  o IPSec
- On the transport and application layers:
  o SSL (Secure Sockets Layer) is a protocol proposed by Netscape, mainly for HTTP traffic encryption
  o TLS (Transport Layer Security) is a proposed standard by the IETF (Internet Engineering Task Force) based on SSL
  o SOCKS
  o SSH

1.2.1    The Link Layer solutions

1.2.1.1    ATM and Frame Relay

Following the definition of VPNs given in section 1.1, ATM and Frame Relay solutions must be considered VPNs. By construction, a Frame Relay (or ATM) network such as the RMDCN is a VPN. The telco Equant operates a network which is securely divided among all its customers. Therefore, on one global telecommunication system, multiple isolated “sub-”networks coexist. In this case, the VPN relies on the operator.

1.2.1.2    MPLS

Nowadays, as IP is becoming the base protocol, most telco offers are moving to MPLS. Multi Protocol Label Switching is a protocol originated by Cisco (the Tag Switching initiative), but now widely adopted.
The chart below briefly summarizes the main concepts of MPLS.


In the traditional IP world, every router must route every packet on the network. Routing is rather complex and therefore slow. MPLS introduces the concept of tags (labels). Packets are “tagged” at the “entrance” of the WAN. Inside the WAN packets are switched (not routed) based on the tag. Tags are removed at the network exit.

This solution is now widely offered by operators.

The last link layer VPN solutions described in this document are L2TP and PPTP. L2TP (Layer 2 Tunnelling Protocol) and PPTP (Point to Point Tunnelling Protocol) are two solutions mainly dedicated to remote access. In the “normal” situation a remote user who wants to connect to the intranet uses a PPP connection to a Remote Access Server. In this case, username and password (and also data) are transferred in plain text and therefore might be “sniffed” by potential intruders. L2TP and PPTP permit traffic between peers to be encrypted, leading to better security.

1.2.1.3    PPTP and L2TP

1.2.1.3.1      Point-to-Point Tunneling Protocol (PPTP)
PPTP is a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet. PPTP can be used for remote access and router-to-router VPN connections. PPTP is documented in RFC 2637.
The Point-to-Point Tunneling Protocol (PPTP) uses a TCP connection for tunnel maintenance and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted and/or compressed. Figure 6 shows the structure of a PPTP packet containing user data.
1.2.1.3.2      Layer Two Tunneling Protocol (L2TP)
L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc. L2TP represents the best features of PPTP and L2F. L2TP encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM) networks. When configured to use IP as its datagram transport, L2TP can be used as a tunneling protocol over the Internet. L2TP is documented in RFC 2661.
L2TP over IP internetworks uses UDP and a series of L2TP messages for tunnel maintenance. L2TP also uses UDP to send L2TP-encapsulated PPP frames as the tunneled data. The payloads of encapsulated PPP frames can be encrypted and/or compressed.
In Windows 2000, IPSec Encapsulating Security Payload (ESP) is used to encrypt the L2TP packet. This is known as L2TP/IPSec. The result after applying ESP is shown below.
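As an added example (not code from the original document or from any product it names), the following Python decoder reads the two outer headers just described: PPTP's enhanced GRE header (RFC 2637, carried in IP protocol 47) and the L2TP header (RFC 2661, carried in UDP port 1701). The sample packets are constructed rather than captured; the fields the decoder returns (call ID, tunnel and session IDs, sequence numbers) are the ones a network observer can read whenever the tunnel is not wrapped in ESP as described above.

```python
# Added example (not from the original document): decode the outer headers of
# the two PPP tunnelling encapsulations described above, PPTP's enhanced GRE
# (RFC 2637, IP protocol 47) and L2TP (RFC 2661, UDP port 1701).
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type field of the enhanced GRE header


def parse_pptp_gre(data: bytes) -> dict:
    """Return call ID, optional seq/ack numbers and the tunnelled PPP frame."""
    flags, ver, proto, length, call_id = struct.unpack("!BBHHH", data[:8])
    # RFC 2637 requires K=1, Ver=1 and protocol type 0x880B
    if proto != PPTP_GRE_PROTO or (ver & 0x07) != 1 or not flags & 0x20:
        raise ValueError("not a PPTP enhanced GRE header")
    hdr, off = {"call_id": call_id, "payload_len": length}, 8
    if flags & 0x10:  # S bit: sequence number present (data packet)
        hdr["seq"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if ver & 0x80:    # A bit: acknowledgment number present
        hdr["ack"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    hdr["payload"] = data[off:off + length]
    return hdr


def parse_l2tp(data: bytes) -> dict:
    """Return tunnel/session IDs, flags and the payload (PPP frame or AVPs)."""
    flags, ver = data[0], data[1] & 0x0F
    if ver != 2:
        raise ValueError("unsupported L2TP version %d" % ver)
    hdr, off = {"control": bool(flags & 0x80)}, 2   # T bit: control message
    if flags & 0x40:  # L bit: length field present
        hdr["length"] = struct.unpack("!H", data[off:off + 2])[0]
        off += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", data[off:off + 4])
    off += 4
    if flags & 0x08:  # S bit: Ns/Nr sequence fields present
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", data[off:off + 4])
        off += 4
    if flags & 0x02:  # O bit: offset size plus padding before the payload
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]
    hdr["payload"] = data[off:]
    return hdr


# Constructed samples (not captured traffic): a PPTP data packet carrying a
# 4-byte PPP frame, and an L2TP data packet with the L and S bits set.
SAMPLE_PPTP = bytes.fromhex("3081880b000412340000000700000006ff03c021")
SAMPLE_L2TP = bytes.fromhex("4802000e0a0b0c0d00010002c021")
```

Without ESP, these headers and the PPP frame behind them travel in the clear, which is why the L2TP/IPSec combination above wraps the whole L2TP packet in ESP.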

1.2.2    Transport and application Layer

These layers cover mainly host-based solutions.

1.2.2.1    SSL and TLS

Netscape, a few years ago, created the protocol SSL (Secure Sockets Layer). In the TCP/IP layering model it sits on top of the TCP layer.
Therefore, it can be used to add security (that is, strong authentication and encryption) to any TCP-based application (Telnet, FTP…).
Some implementations exist for these protocols, but the success story of SSL is HTTPS. HTTPS is used in e-commerce applications to allow secure information exchange between clients and servers. TLS is the IETF proposed standard equivalent of SSL.

1.2.2.2    SSH

SSH (Secure Shell) is another application layer authentication and encryption protocol. The SSH FAQ (Frequently Asked Questions) gives the following definition of SSH:

Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for telnet, rlogin, rsh, and rcp. For SSH2, there is a replacement for FTP: sftp.

Therefore, the main use of SSH is within organizations. In theory, to manage security devices (firewalls…) or to gain root access on hosts, the network/system administrator should avoid connecting remotely to the box using telnet. If telnet is used, it is very easy, with a sniffer, to capture and analyze the packets and so gain administrative access to the firewall/system. With direct access, no clear-text username/password is exchanged on the LAN. But network administrators are often lazy… SSH is the answer in this case!
SSH, among other things, includes an encrypted replacement for telnet.

SSH is becoming very popular for secure remote management.

1.2.2.3    SOCKS

SOCKSv5 is an IETF (Internet Engineering Task Force) approved standard (RFC 1928): a generic proxy protocol for TCP/IP-based networking applications. The SOCKS protocol provides a flexible framework for developing secure communications by easily integrating other security technologies.
SOCKS includes two components, the SOCKS server and the SOCKS client. The SOCKS server is implemented at the application layer, while the SOCKS client is implemented between the application and transport layers. The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of the SOCKS server, without requiring direct IP reachability.

[Figure: SOCKS and the OSI layer model]

While SSH is mainly used for secure remote connections, SOCKS is primarily used as a way to provide a secure tunnel between two points and to hide the network topology. But both are mainly related to client-server exchanges.
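As an added example (not code from the original document or from any SOCKS implementation), the following Python snippet carries out the client side of the SOCKS5 CONNECT exchange defined in RFC 1928: it builds the two client messages and parses the two server replies, including the failure codes a ruleset-enforcing proxy returns. All byte strings in it are constructed; note that RFC 1928 itself defines no encryption of the relayed data, so the "secure tunnel" above depends on the authentication method negotiated and on whatever protection (SSL, SSH, IPSec) is layered around the proxy connection.

```python
# Added example (not from the original document): the SOCKS5 (RFC 1928)
# CONNECT exchange, client side, with the server messages it must parse.
import ipaddress
import struct

NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF   # METHOD codes
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def client_greeting(methods=(USER_PASS, NO_AUTH)) -> bytes:
    # VER, NMETHODS, METHODS: offer username/password first, then no auth
    return bytes([5, len(methods), *methods])

def parse_method_selection(data: bytes) -> int:
    # Server picks one METHOD; 0xFF means the client must close the connection
    ver, method = data[0], data[1]
    if ver != 5 or method == NO_ACCEPTABLE:
        raise ConnectionError("no acceptable authentication method")
    return method

def connect_request(host: str, port: int) -> bytes:
    # VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT
    try:  # literal IPv4/IPv6 address, else a domain name resolved by the proxy
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([5, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)

def parse_reply(data: bytes) -> dict:
    # VER, REP, RSV, ATYP, BND.ADDR, BND.PORT
    ver, rep, atyp = data[0], data[1], data[3]
    if ver != 5:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        bnd, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        bnd, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        bnd, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unknown address type %d" % atyp)
    port = struct.unpack("!H", data[end:end + 2])[0]
    return {"ok": rep == 0, "status": REPLY_TEXT.get(rep, "unassigned"),
            "bind": (bnd, port)}
```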


1.2.3    So, why IPSEC ?

In the “Guide on the use of TCP/IP on the GTS”, WMO presents two solutions to exchange traffic between MSS using the IP protocol. One is based on FTP and the other on sockets.
This guide does not cover the WAN infrastructure. The current GTS is a mix of leased lines, peer-to-peer Frame Relay links and global Frame Relay services (like the RMDCN in RA VI). For economic reasons, and given the overall good quality of service of the Internet, it may be a good opportunity to study the potential use of the Internet to complement the GTS.

However, although reliable (but with no real SLA, Service Level Agreement), the Internet is by nature an insecure network. Various WMO documents show how NMCs should connect to the Internet (firewalls…).

In order to allow a smooth introduction of the Internet to complement the GTS, the following rules should apply:
- Permit the use of the current protocols (FTP and socket) on the Internet
- Avoid any impact on the MSS
- Guarantee an acceptable level of trust for members

The first two points mean that the proposed solution should be transparent to the applications and the hosts. Among the protocols described above, IPSec is the only one that is completely application-independent.

To offer a minimum level of trust, both authentication (who wants to talk to me?) and encryption (no one except me can understand the data) are needed. IPSec offers both services.
