Title: Internet Security Protocols
1Internet Security Protocols
Chapters 5
2Outline
- Security protocols at various layers (esp., L2TP)
- IP Security protocol (IPsec)
3Security protocolsfor the TCP/IP networks
- To provide security over a network connection,
typically cryptographical mechanisms are applied. - When data (d) is sent from the sender (S) to the
receiver (R), the following must be provided - Confidentiality
- Data integrity
- Data origin integrity
4Security protocolsfor the TCP/IP networks
- Security services may be provided at one or more
layers - Application layer security protocols
- Transport layer
- Network layer
- Data link layer (aka. network access layer)
- Corresponding layers at both the sender and the
receiver must implement compatible security
protocols.
5Tunneling vs Encapsulation
- Encapsulation
- A higher layer packet is encapsulated into a
lower layer packet, with a new lower layer header
added. - HTTP is encapsulated into the TCP layer.
- TCP is encapsulated into the IP.
- Etc.
- Tunneling
- a packet at a certain layer, L1, is encapsulated
into another layer, L2, which is either the same
or higher than L1.
6VPNs at different OSI layers
- The layer where VPN is constructed affects its
functionality. - Example In encrypted VPNs, the layer where
encryption occurs determines - how much traffic gets encrypted
- the level of transparency for the end users
- Data link layer VPNs (Layer-2)
- Example protocols Frame Relay, ATM
- Drawbacks
- Expensive - Requires dedicated Layer 2 pathways
- may not have complete security mainly
segregation of the traffic, based on types of
Layer 2 connection - Q Is L2TP a layer 2 VPN?
7VPNs at different OSI layers
- Network layer VPNs (Layer-3)
- Created using layer 3 tunneling and/or encryption
- Q difference between encapsulation and tunneling
? - See http//computing-dictionary.thefreedictionary.
com/tunneling20protocol - Example IPsec, GRE, L2TP (tunneling layer 2
traffic by using the IP layer to do that) - Advantages
- A proper layer
- Low enough transparency
- High enough IP addressing
- Cisco focuses on this layer for its VPNs.
8VPNs at different OSI layers
- Application layer VPNs
- Created to work specifically with certain
applications - Example
- SSL-based VPNs (providing encryption between web
browsers and servers running SSL) - SSH (encrypted and secure login sessions to
network devices) - Drawbacks
- May not be seamless (transparency issue)
- Counter-argument OpenVPN and SSL VPN Revolution
(Hosner, 2004) - The myth that Secure Socket Layer (SSL) Virtual
Private Network devices (VPNs) are used to
connect applications together is not true. - A VPN is a site-to-site tunnel.
- There is a terrible misunderstanding in the
industry right now that pigeon-holes SSL VPNs
into the same category with SSL enabled web
servers and proxy servers. - A VPN, or Virtual Private Network, refers to
simulating a private network over the public
Internet by encrypting communications between the
two private end-points. - A VPN device is used to create an encrypted,
non-application oriented tunnel between two
machines that allows these machines or the
networks they service to exchange a wide range of
traffic regardless of application or protocol.
This exchange is not done on an application by
application basis. It is done on the entire link
between the two machines or networks and
arbitrary traffic may be passed over it.
9Other Classification of VPNs ?
- Intranet VPNs vs Extranet VPNs
- Remote Access VPNs vs Site-to-site VPNs
10Layer 2 Tunneling Protocol
- An example of network layer VPN use IP packets
to encapsulate Layer 2 frames - Previous RFC (v2)
- RFC2661 Layer Two Tunneling Protocol L2TP W.
Townsley, A. Valencia, A. Rubens, G. Pall, G.
Zorn, B. Palter. August 1999 (PROPOSED STANDARD) - A standard method for tunneling Point-to-Point
Protocol (PPP) RFC1661 sessions - Note L2TP has since been adopted for tunneling a
number of other L2 protocols (e.g., Ethernet,
Frame Relay, etc). ? L2TPv3 RFC3931
11Point-to-Point Protocol (PPP RFC1661)
- PPP defines an encapsulation mechanism for
transporting multiprotocol packets across layer 2
(L2) point-to-point links. - PPP relies on the Link Control Protocol (LCP) for
establishing, configuring, and testing the
data-link connection. - It has a family of Network Control Protocols
(NCPs) for establishing and configuring different
network-layer protocols. - Typically, a user obtains a L2 connection to a
Network Access Server (NAS) using one of a number
of techniques (e.g., dialup POTS, ISDN, ADSL,
etc.) and then runs PPP over that connection. - Example A customer uses a dialup modem or a DSL
line to connect to the ISP or the companys modem
pool. - Dial client (PPP peer) ? PPP ? NAS (e.g., ISP)
- In such a configuration, the L2 termination point
and PPP session endpoint reside on the same
physical device (i.e., the NAS).
12Layer 2 Tunneling Protocol
- Types of L2TP Tunnels
- Compulsory L2TP Tunneling
- The client is completely unaware of the presence
of an L2TP connection. - The L2TP Access Concentrator (LAC) is aware of
L2TP. - Figure 12-3 (client) ? PPP Data ? (LAC) ?
L2TP Data ? (LNS)
13Layer 2 Tunneling Protocol
- Types of L2TP Tunnels (cont.)
- Voluntary L2TP Tunneling
- The client is aware of the presence of an L2TP
connection. - The LAC is unaware of L2TP.
- Figure 12-4 (client) ? PPP L2TP Data ? (LAC)
? L2TP Data ? (LNS)
14Layer 2 Tunneling Protocol (cont.)
- L2TP
- L2TP extends the PPP model by allowing the L2 and
PPP endpoints to reside on different devices
interconnected by a packet-switched network. - With L2TP, a user has an L2 connection to an L2TP
access concentrator (LAC, e.g., modem bank, ADSL
DSLAM, etc.), and the concentrator then tunnels
individual PPP frames to the L2TP Network Server
(LNS). (See Fig. 12-1) - Dial client (PPP peer) ? PPP ? LAC ? L2TP tunnel
? LNS - This allows the actual processing of PPP packets
to be divorced from the termination of the L2
circuit.
15Layer 2 Tunneling Protocol (cont.)
- A typical L2TP scenario (from RFC2661)
16Layer 2 Tunneling Protocol (cont.)
- RFC3931 Layer Two Tunneling Protocol - Version 3
(L2TPv3) J. Lau, Ed., M. Townsley, Ed., I.
Goyret, Ed. March 2005 (PROPOSED STANDARD) - L2TPv3 defines the base control protocol and
encapsulation for tunneling multiple Layer 2
connections between two IP nodes. - L2TPv3 consists of
- the control protocol for dynamic creation,
maintenance, and teardown of L2TP sessions, and - the L2TP data encapsulation to multiplex and
demultiplex L2 data streams between two L2TP
nodes across an IP network.
17Layer 2 Tunneling Protocol (cont.)
- L2TP (according to TheFreeDictionary,
http//computing-dictionary.thefreedictionary.com/
L2TP) - A protocol from the IETF that allows a PPP
session to travel over multiple links and
networks. (Note a limitation of L2TPv2) - L2TP is used to allow remote users access to the
corporate network. - PPP is used to encapsulate IP packets from the
user's PC to the ISP, and L2TP extends that
session across the Internet. - L2TP was derived from Microsoft's Point-to-Point
Tunneling Protocol (PPTP) and Cisco's Layer 2
Forwarding (L2F) technology.
18Layer 2 Tunneling Protocol (cont.)
- From Access Concentrator to Network Server
- The "L2TP Access Concentrator" (LAC) encapsulates
PPP frames with L2TP headers and sends them over
the Internet as UDP packets (or over an ATM,
frame relay or X.25 network). - At the other end, the "L2TP Network Server" (LNS)
terminates the PPP session and hands the IP
packets to the LAN. L2TP software can also be run
in the user's PC. - Carriers also use L2TP to offer remote points of
presence (POPs) to smaller ISPs. Users in remote
locations dial into the carrier's local modem
pool, and the carrier's LAC forwards L2TP traffic
to the ISP's LNS. - user ? original IP packet (p) ? PPPp ? LAC ?
L2TPPPPp ? LNS - L2TP and IPsec
- L2TP does not include encryption (as does PPTP),
but is often used with IPsec in order to provide
virtual private network (VPN) connections from
remote users to the corporate LAN.
19L2TP Operations
- Assumptions Compulsory tunneling
- The Procedure
- The Client initiates a PPP connection to the LAC.
- The LAC does LCP negotiation with the client, and
challenges the client for authentication
credentials. - The client supplies the credentials (such as user
name, domain name, password). - The LAC uses the domain name to ascertain which
LNS it needs to contact (in the case of multiple
domains). - The LAC begins establishing an L2TP tunnel with
the LNS. - Two Stages of L2TP Tunnel Setup
- Set up a control session between the LAC and the
LNS. - Set up the actual L2TP tunnel for passing the
data (aka. creating the session) - Notes
- Between a pair of LAC and LNS, there may exist
multiple tunnels. - Across a single L2TP tunnel, there may exist
multiple sessions.
20L2TP Tunnel Setup (from RFC2661)
21L2TP Operations
- Control Connection Establishment
- Securing the peers identity, identifying the
peers L2TP version, framing, etc. - Figure 12-5
- LAC ? SCCRQ (start-control-connection-request) ?
LNS - LAC ? SCCRP (start-control-connection-reply ? LNS
- LAC ? SCCN (start-control-connection-connected ?
LNS - --------------------------------------------------
------------------------------------ - LAC ? ZLB ACK ? LNS
- The ZLB ACK is sent if there are no further
messages waiting in queue for that peer.
22L2TP Operations
- Session Establishment
- A session may be created after successful control
connection is established. - Each session corresponds to a single PPP stream
between the LAC and the LNS. - Session establishment is directional
- Incoming call The LAC asks the LNS to accept a
session - Outgoing call The LNS asks the LAC to accept a
session - Figure 12-6 (Incoming Call Establishment)
- LAC ? ICRQ (Incoming-Call-Request) ? LNS
- LAC ? ICRP (Incoming-Call-Reply ? LNS
- LAC ? ICCN (Incoming-Call-Connected ? LNS
- --------------------------------------------------
------------------------------------ - LAC ? ZLB ACK ? LNS
- The ZLB ACK is sent if there are no further
messages waiting in queue for that peer.
23(No Transcript)
24L2TP Message Header
25L2TP Control Messages (from RFC2661)
26L2TP Authentication(from RFC2661)
- Authentication, Authorization and Accounting may
be provided by the Home LAN's Management Domain,
which is behind the LNS. - In that case, the LAC performs proxy
authentication, by passing authentication
information back and forth between the user and
the LNS.
27L2TP Operations
- Case Studies
- Setting up compulsory L2TP Tunneling
- Figure 12-10
28L2TP Operations
- Case Studies (cont.)
- Protecting L2TP Traffic using IPsec in a
compulsory tunneling setup - Figure 12-11
- NOTE L2TP encapsulation occurs before IPSec
processing.
29L2TPv3 Topology(from RFC3931)
- L2TP operates between two L2TP Control Connection
Endpoints (LCCEs), tunneling traffic across a
packet network. - There are three predominant tunneling models in
which L2TP operates - LAC-LNS (or vice versa),
- LAC-LAC, and
- LNS-LNS.
30L2TPv3 Topology (from RFC3931)
31L2TPv3 Topology (from RFC3931)
32L2TPv3 Topology (from RFC3931)