VPN construction with independence of client environment
25 January 2007
Shin Takeuchi (University of Tsukuba)
University of Tsukuba
Agenda
1. VPN
   ・ Site-to-Site connection
   ・ Remote-to-Site connection
   ・ IP security protocol (IPsec)
   ・ SSL-VPN
2. Solution
3. Experiment
4. Implementation
5. Conclusion
VPN ~Site-to-Site connection~
[Figure: Site A and Site B connected by a VPN across the Internet]
We typically use “IPsec” in a Site-to-Site VPN connection. Many devices support “IPsec”.
VPN ~Remote-to-Site connection~
[Figure: a Site and a Remote User connected by a VPN across the Internet]
We usually use “SSL-VPN” for Remote Access. PPTP is also common.
IP security protocol (IPsec) (1/3)
[Figure: IPsec packet formats. Original IP packet: IP Header | TCP Header | payload.
Transport mode, ESP: IP Header | ESP Header | TCP Header | payload | ESP Trailer | ESP Auth.
Transport mode, AH: IP Header | AH Header | TCP Header | payload.
Tunnel mode, ESP: Tunnel IP Header | ESP Header | IP Header | TCP Header | payload | ESP Trailer | ESP Auth.
Tunnel mode, AH: Tunnel IP Header | AH Header | IP Header | TCP Header | payload.]
IPsec (2/3) ~Authentication~
[Figure: the same four packet formats (Transport / Tunnel mode, ESP / AH) with the authenticated range marked. ESP authentication covers the ESP Header through the ESP Trailer and does not cover the outer IP Header; AH authentication covers the whole packet, including the outer (Tunnel) IP Header.]
IPsec (3/3) ~Encryption~
[Figure: the same four packet formats with the encrypted range marked. ESP encrypts from the TCP Header (transport mode) or the inner IP Header (tunnel mode) through the ESP Trailer; AH provides no encryption.]
SSL-VPN (1/3)
[Figure: SSL-VPN packet formats for the three modes. Original IP packet: IP Header | TCP Header | payload.
Reverse Proxy: IP Header | TCP Header | Record Header | payload | MAC.
Port Forwarding: IP Header | TCP Header | Record Header | IP Header | TCP Header | payload | MAC.
L2-Tunneling: IP Header | TCP Header | Record Header | Ethernet Header | IP Header | TCP Header | payload | CRC | MAC.]
University of TsukubaUniversity of Tsukuba
SSL-VPN SSL-VPN (( 2/32/3 ) ) ~Authentication~~Authentication~
IP Header
RecordHeader
TCP Header
Reverse Proxy
MAC
IP Header
RecordHeader
TCP Header
MACIP
HeaderTCP
Header
IP Header
RecordHeader
TCP Header
MACIP
HeaderTCP
HeaderEthernet Header
CRC
Port Forwarding
L2-Tunneling
Original IP packetIP
HeaderTCP
Headerpayload
payload
payload
payloadauthentication
authentication
authentication
SSL-VPN (3/3) ~Encryption~
[Figure: the same three packet formats with the encrypted range marked: the data encapsulated in the SSL record and the MAC are encrypted; the outer IP Header, TCP Header and Record Header are sent in the clear.]
Motivation
・ Setup difficulty: it is bothersome for common users to make a VPN configuration.
・ Must be “Static”: each endpoint requires a “Static” IP address (Site-to-Site: “Static” - “Static”; Remote-to-Site: “Dynamic” - “Static”).
→ more “Simplicity”
→ more “Flexibility”
Idea
・ Implement an application: simple VPN configuration for clients, “Dynamic” – “Dynamic” connection
・ Which protocol should we use?
・ Introduce the “VPN-Management-Server”: the VPN-Management-Server handles the bothersome procedure
Experiment with selection of protocol
Criterion: connectivity (connect or disconnect)
Target: IPsec vs. SSL-VPN
Experimental network:
・ University of Tsukuba campus network (Univ. Tsukuba)
・ Tsukuba WAN
・ Kyushu GigaPOP Project (QGPOP)
・ Network Organization for Research and Technology in Hokkaido (NORTH)
・ Japan Science and Technology Agency (JST)
・ Commercial Internet Service Provider (ISP)
Result of the Experiment

IPsec (rows: Endpoint A, columns: Endpoint B)
Endpoint A     | Univ. Tsukuba | Tsukuba WAN | QGPOP | NORTH | JST | ISP
Univ. Tsukuba  |       ×       |      ×      |   ×   |   ×   |  ×  |  ×
Tsukuba WAN    |       ×       |      ○      |   ○   |   ○   |  ×  |  ○
QGPOP          |       ×       |      ○      |   ‐   |   ‐   |  ×  |  ‐
NORTH          |       ×       |      ○      |   ‐   |   ‐   |  ‐  |  ‐
JST            |       ×       |      ×      |   ×   |   ‐   |  ‐  |  ‐
ISP            |       ×       |      ○      |   ‐   |   ‐   |  ‐  |  ‐

SSL-VPN (rows: Endpoint A, columns: Endpoint B)
Endpoint A     | Univ. Tsukuba | Tsukuba WAN | QGPOP | NORTH | JST | ISP
Univ. Tsukuba  |       ○       |      ○      |   ○   |   ○   |  ○  |  ○
Tsukuba WAN    |       ○       |      ○      |   ○   |   ○   |  ○  |  ○
QGPOP          |       ○       |      ○      |   ‐   |   ‐   |  ○  |  ○
NORTH          |       ○       |      ○      |   ‐   |   ‐   |  ‐  |  ‐
JST            |       ○       |      ○      |   ○   |   ‐   |  ‐  |  ○
ISP            |       ○       |      ○      |   ○   |   ‐   |  ○  |  ‐

○: connect, ×: disconnect, ‐: none
SSL-VPN is more suitable than IPsec!
Implementation of proposal system
Environments
・ OS: Windows
・ Language: C++
・ Library: openssl-0.9.8c
・ USB token: iKey 1000
Features: when we insert the USB token into a PC, the VPN is established
Example: sharing data in a meeting
Procedure sequence
[Figure: message sequence between the Client and the VPN-Management-Server.
・ SSL connection
・ SSL authentication: the client verifies the server’s certificate; the server verifies the client’s certificate
・ Request: the client sends its IP address inside the application data
・ Check: the server compares the source IP address included in the IP Header with the IP address included in the application data
・ Register: the server stores the client certificate serial number and the IP classification information
・ Send]

[Figure: system architecture.
VPN-Management Server
・ Repository / Registry: client information (client certificate serial number, header IP, payload IP, IP classification information (global IP, private IP))
・ Certification issue
・ Auth info: CA private / public key, server private / public key
・ SSL Auth, VPN-Server
Client application program
・ USB token (iKey): IC chip storage holding the CA public key and the client private / public key, referenced for SSL connect / SSL Auth
・ Client Environment judge: header IP address vs. payload IP address (global IP, private IP)
・ VPN module create: encryption algorithm, virtual IP, access point IP, connect port, communication protocol
・ VPN connection: virtual IF creation, packet routing, tun / tap device, send packet]
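The “Client Environment judge” and “Register” steps above come down to one server-side comparison: the source address the management server observes in the IP header versus the address the client reports in its application data, with the reported address classified as global or private. The following Python sketch is an added example, not code from the slides or the author’s C++ implementation. It assumes a constructed request format (`REGISTER serial=<n> ip=<a.b.c.d>`), reads “Private IP” as RFC 1918 space, and adds one pairing rule of its own (the side behind NAT initiates) that the slides do not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 1918 private address space.  The slides classify a client as
# "Private IP" or "Global IP"; here that is read as RFC 1918 vs. anything else.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class ClientEnvironment:
    serial: str          # client certificate serial number, used as the registry key
    header_ip: str       # source address the server observed in the IP header
    payload_ip: str      # address the client reported inside the application data
    classification: str  # "private" or "global", judged from the reported address
    behind_nat: bool     # True when the observed and reported addresses differ


def classify_ip(addr: str) -> str:
    """IP classification information: RFC 1918 -> 'private', otherwise 'global'."""
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in RFC1918_NETWORKS) else "global"


def parse_register_request(line: str) -> Dict[str, str]:
    """Parse a request line of the constructed form 'REGISTER serial=<n> ip=<a.b.c.d>'.
    This wire format is an assumption; the slides do not define one."""
    verb, *fields = line.split()
    if verb != "REGISTER":
        raise ValueError(f"unexpected request verb: {verb!r}")
    parsed: Dict[str, str] = {}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed field: {field!r}")
        parsed[key] = value
    if "serial" not in parsed or "ip" not in parsed:
        raise ValueError("request must carry serial and ip")
    return parsed


def judge_client_environment(serial: str, header_ip: str, payload_ip: str) -> ClientEnvironment:
    """The server-side 'Client Environment judge': compare the address the server
    observed (trusted) with the address the client claims (used only to detect NAT)."""
    observed = ipaddress.ip_address(header_ip)   # raises ValueError on garbage input
    claimed = ipaddress.ip_address(payload_ip)
    return ClientEnvironment(
        serial=serial,
        header_ip=str(observed),
        payload_ip=str(claimed),
        classification=classify_ip(str(claimed)),
        behind_nat=(observed != claimed),
    )


class ManagementRegistry:
    """Minimal stand-in for the VPN-Management-Server's registry of client information."""

    def __init__(self) -> None:
        self._clients: Dict[str, ClientEnvironment] = {}

    def register(self, header_ip: str, request_line: str) -> ClientEnvironment:
        """Register step: header_ip comes from the transport layer, the rest from the request."""
        req = parse_register_request(request_line)
        env = judge_client_environment(req["serial"], header_ip, req["ip"])
        self._clients[env.serial] = env
        return env

    def lookup(self, serial: str) -> Optional[ClientEnvironment]:
        return self._clients.get(serial)

    def choose_initiator(self, serial_a: str, serial_b: str) -> Optional[str]:
        """Assumed pairing rule for a 'Dynamic - Dynamic' connection (not from the slides):
        a client that is not behind NAT can accept an inbound connection, so the other side
        initiates.  Returns the initiator's serial, or None when both clients are behind NAT
        and no direct connection is possible."""
        a, b = self._clients[serial_a], self._clients[serial_b]
        if not b.behind_nat:
            return serial_a
        if not a.behind_nat:
            return serial_b
        return None


if __name__ == "__main__":
    registry = ManagementRegistry()
    # Constructed sample: one client on a global address, one behind a NAT router.
    print(registry.register("203.0.113.7", "REGISTER serial=01 ip=203.0.113.7"))
    print(registry.register("198.51.100.20", "REGISTER serial=02 ip=192.168.1.10"))
    print("initiator:", registry.choose_initiator("01", "02"))
```

The point to keep in mind when building this check is which of the two addresses the server may rely on: the header address is what the network actually delivered, the payload address is a claim made by the client, so the server records both but only uses the claim to detect that a NAT sits in between, never to decide where to send traffic.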
Conclusion
・ VPN: IPsec and SSL-VPN
・ Focus on the following problems: setup difficulty; must be “Static” IP
・ My application: simple VPN configuration for clients; enable “Dynamic” – “Dynamic” connection