Helsinki University of Technology, Networking Laboratory
Master's thesis seminar, 25.5.2004

Evaluation of an Internet Protocol Security based virtual private network solution

Thesis written by Arto Laukka at TeliaSonera Finland Oyj
Supervisor: Professor Raimo Kantola
Instructor: M.Sc. Ville Hapuoja

Introduction
o IPsec is the current best-practice solution for implementing virtual private networks over the public Internet
o IPsec solutions are classified in two categories:
  o GW-to-GW
  o Client-to-GW (remote access)
o Service operators offer IPsec VPN solutions for corporate customers
o Object of the thesis: evaluate whether a new service platform is ready to be used in commercial service production for an IPsec client-to-GW VPN service.
o Methods include a literature study on IPsec service components and IPsec client-to-GW service architecture. The characteristics of the new platform are evaluated based on vendor documentation and example configurations.

Agenda
o Introduction
o IPsec client-to-GW VPN service architecture
o IP service switch concept
o Concept evaluation
o Technical evaluation
o Problem with IPsec and NAT
o Conclusions

IPsec client-to-GW VPN service architecture (1/2)
o The public Internet or another insecure network provides the connectivity
o The IPsec client is typically a piece of software installed on the client machine
o The VPN gateway terminates the IPsec client connections
o Authentication infrastructure, for example a PKI, is required for strong client authentication
o Authorisation infrastructure is needed for access control
o Management infrastructure covers all the blocks mentioned above
o The protected network contains the secured network services offered to the clients

IPsec client-to-GW VPN service architecture (2/2)
[Figure: block diagram with the VPN clients, the Internet, IKE/IPsec connections, the VPN GW, decrypted traffic and the protected network; the authentication infrastructure (authentication request, authentication credentials), the authorisation infrastructure with security policies (authorisation request) and the management infrastructure (security policy configuration).]

IP service switch concept (1/2)
o Traditionally IP services have been implemented with dedicated CPE appliances
o The IP service switch concept combines many of these services into a single appliance
o Services are offered in the service provider network instead of on the customer premises
o Reduces the amount of equipment, integrates service management and makes service provisioning easier

IP service switch concept (2/2)
[Figure: legacy CPE implementation versus service switch implementation. Legacy: a customer network with CPE router, CPE firewall, CPE VPN GW, CPE remote access server and CPE antivirus server behind the operator edge gateway in the operator network. Service switch: customer networks A, B and C with CPE routers A, B and C connected to an IP service switch in the operator network that provides the firewall, VPN GW, remote access server and antivirus server functions towards the Internet.]

Evaluation of the concept
o The IP service switch concept introduces an opportunity for service providers through smaller capital and operational costs
o The concept offers scalability in the number of served subscribers, the service offering and management
o It introduces a possible single point of failure
o The performance of a multifunctional device does not reach the performance of dedicated service appliances
[Figure: functionality and performance of a specialised appliance versus the IP service switch platform for routing, firewall, VPN and content filtering functionality. Two levels are marked: the degree of functionality, performance and security accepted by specific customer segments (banks, hospitals, IT companies etc.) and the degree accepted by the mass-scale customer segment.]

Technical evaluation of the new platform (1/2)
o The platform under evaluation is the CoSine Communications IP Processing Switch IPSX 3500, a multifunctional IP service switch
o The characteristics of the IPsec VPN GW functionality of the CoSine platform are evaluated
o The starting point is the current service implementation and functionality
o Integration with the existing authentication, authorisation, management and network infrastructure should be seamless
o Performance should be adequate for mass-scale IPsec service production

Technical evaluation of the new platform (2/2)
o The CoSine platform has all the basic IPsec VPN GW functionality
o The necessary functions and interfaces for integration into the service operator network and infrastructure exist
o The CoSine platform offers provider-class performance in IPsec tunnel termination and encryption
o The main problem in the technical implementation is the NAT-Traversal solution
o An inconsistent NAT-T solution leads to interoperability problems

Problem with IPsec and NAT (1/2)
o Network address translation is everywhere in the Internet
o NAT modifies the IP address and port fields in the IP header and, in some cases, in the IP payload
o NAT cannot modify an IPsec-protected packet because of the encryption or the checksum calculation
[Figure: a VPN client behind a NAT, IP address 10.x.y.z. The client IPsec-encrypts its traffic; the encrypted IPsec tunnel passes through the NAT GW (10.x.y.z rewritten to 213.f.g.h) and the Internet to the VPN GW.]

Problem with IPsec and NAT (2/2)
o There is no existing standard for implementing IPsec NAT Traversal
o Several vendor-specific solutions exist, with no guarantee of interoperability
o CoSine's NAT Traversal solution is based on early IETF drafts
o There is no complete NAT-T implementation in CoSine for a pure IPsec tunnel implementation
o The NAT Traversal solution has to be the same at both ends of the IPsec VPN tunnel
o CoSine is not interoperable with the current IPsec client-to-GW VPN service

Summary
The IP service switch concept has a lot of potential. The performance, scalability and other characteristics of the CoSine platform are adequate for mass-scale IP service delivery. Interoperability problems exist with NAT-T and IPsec tunnel mode. Deployment of the CoSine platform would require rethinking the other service components and service functionality. The standardisation of IPsec NAT-Traversal is still unfinished at the IETF. As long as this is the case, the interoperability problems will remain.
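The two "Problem with IPsec and NAT" slides state the mechanism only in one line each. The following Python model, added here as an illustration and not taken from the thesis, the CoSine product or any IPsec implementation, shows the three cases concretely: an AH-style integrity check that covers the IP addresses, an ESP-style packet whose encrypted TCP checksum is bound to the pre-NAT address, and ESP carried inside UDP on port 4500, the encapsulation the IETF NAT-T drafts of the time were converging on (later RFC 3948). Everything in it is an assumption for the demonstration: the addresses are RFC 5737 test values, the SA key is a constant, "encryption" is an HMAC-keystream XOR stand-in rather than a real cipher, the ICVs are HMAC-SHA256, and the packets are plain dicts rather than parsed wire formats.

```python
import hashlib
import hmac
import socket
import struct

SA_KEY = b"constructed-demo-sa-key"  # constructed values below, not from the thesis; RFC 5737 addresses
CLIENT_IP = "10.1.2.3"          # client's private address behind the NAT
NAT_PUBLIC_IP = "198.51.100.7"  # public address the NAT GW rewrites the source to
GW_IP = "203.0.113.1"           # VPN GW
INNER_DST = "192.0.2.10"        # host in the protected network (tunnel-mode inner destination)
DATA = b"GET / HTTP/1.0\r\n\r\n"


def fold16(data):
    """RFC 1071 one's-complement sum (Internet checksum), returned as 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, length):
    """TCP pseudo-header: this is what binds the TCP checksum to the IP addresses."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, length)


def build_tcp(src_ip, dst_ip, data):
    """Minimal 20-byte TCP header plus data, with the checksum filled in at offset 16."""
    header = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    cksum = fold16(pseudo_header(src_ip, dst_ip, len(header) + len(data)) + header + data)
    return header[:16] + struct.pack("!H", cksum) + header[18:] + data


def tcp_checksum_ok(src_ip, dst_ip, segment):
    """Receiver-side check: the sum over pseudo-header plus segment must fold to zero."""
    return fold16(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def ah_icv(src_ip, dst_ip, payload):
    """AH-style ICV: covers the immutable IP header fields (the addresses) and the payload."""
    return hmac.new(SA_KEY, socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload, hashlib.sha256).digest()


def esp_icv(ciphertext):
    """ESP-style ICV: covers only the ESP payload, never the outer IP header."""
    return hmac.new(SA_KEY, ciphertext, hashlib.sha256).digest()


def toy_cipher(data):
    """Stand-in for ESP encryption: XOR with an HMAC-derived keystream (symmetric; NOT real crypto)."""
    stream = b"".join(hmac.new(SA_KEY, struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def nat_translate(pkt, port_map):
    """Port NAT: rewrites the outer source address; it can only remap a port it sees in plaintext."""
    out = dict(pkt, src=NAT_PUBLIC_IP)
    if "udp_sport" in pkt:
        out["udp_sport"] = port_map.setdefault((pkt["src"], pkt["udp_sport"]), 40000 + len(port_map))
    return out


def ah_transport(through_nat):
    """AH transport mode: the ICV covers the source address, so the NAT rewrite breaks it."""
    seg = build_tcp(CLIENT_IP, GW_IP, DATA)
    pkt = {"src": CLIENT_IP, "dst": GW_IP, "payload": seg, "icv": ah_icv(CLIENT_IP, GW_IP, seg)}
    if through_nat:
        pkt = nat_translate(pkt, {})
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt["src"], pkt["dst"], pkt["payload"]))


def esp_transport(through_nat):
    """ESP transport mode: ESP itself verifies, but the encrypted TCP checksum is bound to the old address."""
    ct = toy_cipher(build_tcp(CLIENT_IP, GW_IP, DATA))
    pkt = {"src": CLIENT_IP, "dst": GW_IP, "esp": ct, "icv": esp_icv(ct)}
    if through_nat:
        pkt = nat_translate(pkt, {})
    if not hmac.compare_digest(pkt["icv"], esp_icv(pkt["esp"])):
        return False
    return tcp_checksum_ok(pkt["src"], pkt["dst"], toy_cipher(pkt["esp"]))


def esp_tunnel_udp_encap(through_nat):
    """ESP tunnel mode inside UDP/4500: the NAT touches only the outer IP/UDP header, which nothing protects."""
    inner = socket.inet_aton(CLIENT_IP) + socket.inet_aton(INNER_DST) + build_tcp(CLIENT_IP, INNER_DST, DATA)
    ct = toy_cipher(inner)
    pkt = {"src": CLIENT_IP, "dst": GW_IP, "udp_sport": 4500, "udp_dport": 4500, "esp": ct, "icv": esp_icv(ct)}
    if through_nat:
        pkt = nat_translate(pkt, {})
    if not hmac.compare_digest(pkt["icv"], esp_icv(pkt["esp"])):
        return False
    plain = toy_cipher(pkt["esp"])
    return tcp_checksum_ok(socket.inet_ntoa(plain[:4]), socket.inet_ntoa(plain[4:8]), plain[8:])


def nat_flows_distinguished(udp_encap):
    """Mappings a port NAT can build for two clients behind it (raw ESP offers no port to map)."""
    port_map = {}
    for ip in ("10.1.2.3", "10.1.2.4"):
        pkt = {"src": ip, "dst": GW_IP, "esp": b"constructed"}
        if udp_encap:
            pkt["udp_sport"] = 4500
        nat_translate(pkt, port_map)
    return len(port_map)


if __name__ == "__main__":
    for fn in (ah_transport, esp_transport, esp_tunnel_udp_encap):
        print("%-22s direct: %s  via NAT: %s" % (fn.__name__, fn(False), fn(True)))
```

Run directly, the script reports that the AH and ESP transport cases verify when sent straight to the VPN GW and fail once the NAT has rewritten the source address, while the UDP-encapsulated tunnel verifies in both cases. The last function shows the other half of the slide's point about port fields: with raw ESP the NAT has no plaintext port to map, so two clients behind it produce no mappings at all, whereas the UDP header gives it one per client. Because the outer header carries the NAT-T information, both ends must agree on the same encapsulation, which is exactly the interoperability constraint the second slide raises.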