Layer 2 Virtual Private Network

righthand

1 2013-07-08

Outline

• Virtual Private Network (VPN)

– Point-to-Point Tunneling Protocol (PPTP)

– Layer Two Tunneling Protocol (L2TP)

• IP Tunnel

– Generic Routing Encapsulation (GRE)

• Experiment

2

Virtual Private Network

• A Virtual Private Network is the extension of a

private network that encompasses links across

shared or public networks like the Internet.

• VPN Technique

– Tunneling – Encryption & Decryption, Key management and Authentication

• VPN Type

– PPTP, L2TP – IPSEC, SSL VPN

3

Point-to-Point Tunneling Protocol(I)

• PPTP is a Layer 2 protocol that encapsulates

PPP frames in IP data grams.

– TCP connection for tunnel maintenance

– GRE to encapsulate PPP frames for tunneled data

4

PNS

PPTP

Network Server Tunnel GRE encapsulated PPP

Control Connection TCP PAC

PPTP

Access Concentrator

Point-to-Point Tunneling Protocol(II)

• Control Connection

– Length: Total length of the PPTP message in bytes

– Message type

• Control Message (1)

• Management Message (2)

– Magic cookie: Always set to 0x1A2B3C4D

5

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Length Message Type

Magic Cookie

MAC header IP header TCP header PPTP header Data:::

Point-to-Point Tunneling Protocol(III)

• Tunnel

– Enhanced GRE header

6

MAC header IP header GRE header PPP header Data:::

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

C R K S s Recur A Flags Ver Protocol Type

Key (HW) || Payload Length Key (LW) || Call ID

Sequence Number (Optional)

Acknowledgment Number (Optional)

Encrypted

Layer Two Tunneling Protocol

• L2TP = PPTP + L2F (Layer 2 Forwarding)

• Control messages

– establish, maintain and close the tunnel

• Data messages

– encapsulate PPP frames over the tunnel

– Can use IPSec to encrypt L2TP packet

7

IP

Header

IPSec ESP

Header

UDP

Header

L2TP

Header

PPP

Header

PPP

Payload

IPSec ESP

Trailer

IPSec Auth

Trailer

Layer Two Tunneling Protocol

• Header format

– Specifies if this is a data or control message.

• Data message (0)

• Control message (1)

8

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

T L x x S x O P x x x x Ver Length

Tunnel ID Session ID

Ns (opt) Nr (opt)

Offset Size (opt) Offset Pad (opt)

MAC header IP header UDP header L2TP header Data:::

IP Tunnel

• Transport another protocol by encapsulation

9

Original IP Header Payload

New IP Header New Payload

Original IP Header Payload

Generic Routing Encapsulation

• Header format

– RFC 2784

– RFC 1701

10

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

C Reserved0 Ver Protocol Type

Checksum (optional) Reserved1 (Optional)

MAC header IP header GRE header Data:::

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

C R K S s Recur Flags Ver Protocol Type

Checksum (optional) Offset (Optional)

Experiment Environment

11

Experiment Result: PPTP

12

Experiment Result: L2TP

13