Evaluation of an internet protocol security based virtual private network solution

Helsinki University of Technology
Networking laboratory
Master’s thesis seminar 25.5.2004
Thesis written by Arto Laukka at TeliaSonera Finland Oyj
Supervisor: Professor Raimo Kantola
Instructor: M.Sc. Ville Hapuoja
Introduction
IPsec is the current best-practice solution for implementing virtual private networks over the public Internet
IPsec solutions are classified in two categories:
o GW-to-GW
o Client-to-GW (remote access)
Service operators offer IPsec VPN solutions for corporate customers
Object of the thesis: evaluate whether a new service platform is ready to be used in commercial service production for an IPsec client-to-GW VPN service.
Methods include a literature study on IPsec service components and the IPsec client-to-GW service architecture. The characteristics of the new platform are evaluated based on vendor documentation and example configurations.
Agenda
o Introduction
o IPsec client-to-GW VPN service architecture
o IP service switch concept
o Concept evaluation
o Technical evaluation
o Problem with IPsec and NAT
o Conclusions
IPsec client-to-GW VPN service architecture (1/2)
o The public Internet or other insecure network enables connectivity
o IPsec client is typically a piece of software installed in a client machine
o VPN gateway terminates the IPsec client connections
o Authentication infrastructure, for example PKI, is required for strong client authentication
o Authorisation infrastructure is needed for access control
o Management infrastructure for all the blocks mentioned above
o Protected network contains the secured network services offered to the clients
IPsec client-to-GW VPN service architecture (2/2)
(Figure: IPsec client-to-GW VPN service architecture. VPN clients on the Internet open IKE/IPsec connections to the VPN GW, which forwards decrypted traffic to the protected network. The VPN GW sends authentication requests to the authentication infrastructure, which holds the authentication credentials, and authorisation requests to the authorisation infrastructure, which holds the security policies; the management infrastructure performs the security policy configuration.)
IP service switch concept (1/2)
o Traditionally IP services have been implemented with dedicated CPE appliances
o The IP service switch concept combines many of these services into a single appliance
o Services are offered in the service provider network instead of customer premises
o Reduces the amount of equipment, integrates services management and makes service provisioning easier
IP service switch concept (2/2)
(Figure: legacy CPE implementation versus service switch implementation. Legacy CPE implementation: the customer network sits behind a CPE router, CPE firewall, CPE VPN GW, CPE remote access server and CPE antivirus server, connected through an operator edge gateway to the operator network and the Internet. Service switch implementation: customer networks A, B and C each connect through only a CPE router (A, B, C) to an IP service switch in the operator network, which provides the firewall, VPN GW, remote access server and antivirus server functions towards the Internet.)
Evaluation of the concept
o The IP service switch concept introduces an opportunity for service providers through smaller capital and operational costs
o The concept offers scalability in the number of served subscribers, service offering and management
o Introduces a possible single point of failure
o The performance of a multifunctional device does not achieve the performance of dedicated service appliances
(Figure: functionality and performance of a specialised appliance versus the IP service switch platform, across routing functionality, firewall functionality, VPN functionality and content filtering functionality. The specialised appliance reaches the degree of functionality, performance and security accepted by specific customer segments (banks, hospitals, IT companies etc.); the IP service switch platform reaches the degree accepted by the mass-scale customer segment.)
Technical evaluation of the new platform (1/2)
o The platform under evaluation is CoSine Communications IP Processing Switch IPSX 3500, a multifunctional IP service switch
o The characteristics of the IPsec VPN GW functionality of the CoSine platform are evaluated
o The starting point is the current service implementation and functionality
o Integration of the existing authentication, authorisation, management and network infrastructure should be seamless
o Performance should be adequate for mass-scale IPsec service production
Technical evaluation of the new platform (2/2)
o The CoSine platform has all the basic IPsec VPN GW functionality
o Necessary functions and interfaces for integration to the service operator network and infrastructure exist
o The CoSine platform offers provider class performance in IPsec tunnel termination and encryption
o The main problem in the technical implementation is the NAT-Traversal solution
o An inconsistent NAT-T solution leads to interoperability problems
Problem with IPsec and NAT (1/2)
o Network address translation is everywhere in the Internet
o NAT modifies the IP address and port fields in the IP header and in some cases in the IP payload
o NAT cannot modify an IPsec protected packet because of the encryption or the checksum calculation.
(Figure: a VPN client behind a NAT, with IP address 10.x.y.z, sends an encrypted IPsec tunnel through the NAT GW (public address 213.f.g.h) over the Internet to the VPN GW; IPsec encryption is applied at both ends.)
Problem with IPsec and NAT (2/2)
o No existing standard for implementing IPsec NAT Traversal
o Several vendor specific solutions exist, with no guarantee of interoperability
o CoSine's NAT Traversal solution is based on early IETF drafts
o No complete NAT-T implementation in CoSine for a pure IPsec tunnel implementation
o The NAT Traversal solution has to be the same at both ends of the IPsec VPN tunnel
o CoSine is not interoperable with the current IPsec client-to-GW VPN service
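The two NAT slides above make two points: an integrity check that covers the IP header (AH-style) cannot survive a NAT rewrite, and a NAT-Traversal encapsulation only works if both ends of the tunnel use the same format. The following simplified model is an added example, not code from the thesis or from the CoSine platform; the header layout, key, addresses and port handling are constructed for illustration, and the "mismatch" case only models one format being expected where another is sent, not any specific draft.

```python
import hmac, hashlib, socket, struct

KEY = b"constructed-demo-sa-key"          # shared SA integrity key (constructed)

def ip_header(src, dst, proto):
    """Constructed minimal outer IP header: src addr, dst addr, protocol number."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]   # truncated HMAC as ICV

def ah_protect(src, dst, payload):
    """AH-style: the ICV also covers the IP addresses, so a NAT rewrite breaks it."""
    hdr = ip_header(src, dst, 51)                       # 51 = AH
    return hdr + icv(hdr + payload) + payload

def ah_verify(pkt):
    hdr, tag, payload = pkt[:9], pkt[9:21], pkt[21:]
    return hmac.compare_digest(tag, icv(hdr + payload))

def esp_protect(src, dst, payload, nat_t=False):
    """ESP-style: the ICV covers only the ESP part, never the outer IP header.
    nat_t=True wraps ESP in UDP (port 4500) so a NAT has address/port fields to rewrite."""
    esp = payload + icv(payload)
    if nat_t:
        return ip_header(src, dst, 17) + struct.pack("!HH", 4500, 4500) + esp
    return ip_header(src, dst, 50) + esp                # 50 = ESP

def nat_rewrite(pkt, public_src, public_port):
    """NAT GW: replace the private source address; for UDP also the source port."""
    out = socket.inet_aton(public_src) + pkt[4:9]
    if pkt[8] == 17:
        return out + struct.pack("!H", public_port) + pkt[11:]
    return out + pkt[9:]

def gw_receive(pkt, expect_nat_t):
    """VPN GW: accept only the encapsulation it is configured for, then check the ICV.
    A client using another NAT-T format is rejected before any crypto runs."""
    proto = pkt[8]
    if expect_nat_t:
        if proto != 17:
            return "rejected: expected UDP-encapsulated ESP"
        esp = pkt[13:]
    else:
        if proto != 50:
            return "rejected: unexpected protocol %d" % proto
        esp = pkt[9:]
    payload, tag = esp[:-12], esp[-12:]
    return "ok" if hmac.compare_digest(tag, icv(payload)) else "rejected: bad ICV"
```

Run ah_verify on a packet before and after nat_rewrite to see the header-covering ICV fail, and feed a UDP-encapsulated packet to a gateway expecting raw ESP to see the encapsulation mismatch rejected.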
Summary
The IP service switch concept has lots of potential. The
performance, scalability and other characteristics of the
CoSine platform are adequate for mass-scale IP service
delivery.
Interoperability problems exist with NAT-T and IPsec tunnel
mode. Deployment of the CoSine platform would require
rethinking of the other service components and service
functionality.
The standardisation of the IPsec NAT-Traversal is still
unfinished at IETF. As long as this is the case the
interoperability problems will exist.