Virtual Private Networks and Spawning Networks
Department of Computer Science
Wired Magazine Hype List, Feb 1998
Virtual Private Networks Ranked #1

"The wonderful thing about virtual private networks is that its myriad definitions give every company a fair chance to claim that its existing product is actually a VPN. But no matter what definition you choose, the networking buzz-phrase doesn't make sense. The idea is to create a private network via tunneling and/or encryption over the public Internet. Sure, it's a lot cheaper than using your own frame relay connections, but it works about as well as sticking cotton in your ears in Times Square and pretending nobody else is around."

Other items on the list: Hacker Consultants, MiniDisc, Windows NT 5.0, Interior Design
http://www.wired.com/wired/archive/6.02/hypelist.html
Overview
• What is a VPN?
• Requirements and Motivation
• Scenarios
• Methods
• Practical VPN
• Spawning Networks: VPNs on the fly
What is a VPN?
• Network: a network consists of any number of devices which can communicate through some arbitrary method
• Private:
  – Data privacy and data integrity
  – Access is restricted to a defined set of entities
    (i.e. encryption and authentication)
  – Privacy of the addressing and routing system: the addressing used by the VPN community is separate and discrete from the underlying shared network; the same holds for routing
• Virtual:
  – Private communication over a shared network infrastructure, e.g. the Internet

One Line Definition
A VPN is a private network constructed within a public network infrastructure, such as the global Internet.
Scenarios
• Two end-systems, e.g. e-commerce
• Remote access network
  – E.g. a large firm with hundreds of sales people in the field
• Site to site
  – Branch office connection network – intranet VPN
  – Business partner networks – extranet VPN
• Combination of the above
Motivations
• Economics of communications
  – Cheaper than constructing or leasing physical networks for private communication
• Communications privacy
  – Depends on the technology used to construct the VPN
• Global reachability
• Scalability (compared to custom networks)
Requirements
• Data security
  – Authentication
  – Confidentiality
  – Integrity
• Tunneling mechanisms
• QoS guarantees
http://www.howstuffworks.com/vpn5.htm
Methods to construct VPNs
• Most common – tunneling
• A tunnel connects two VPN endpoints
  – Traffic is opaque to the underlying IP backbone
  – The IP backbone is used as a link-layer technology, where the tunnel forms a virtual point-to-point link
• Advantages
  – Segregation of the common host network from the VPN
  – Routing of the VPN is isolated from the common host network
  – Encapsulation of different protocol families

Tunneling is a technology that allows a network transport protocol to carry information for other protocols within its own packets. For example, IPX data packets can be encapsulated in IP packets for transport across the Internet, which isn't normally possible.
Tunnels
• Cons
  – Administrative overhead – manual configuration
  – Scaling problems – point to point or point to multipoint?
  – QoS performance issues
    · Encapsulation overhead
    · No control over the path taken across the common network (e.g. IP)
• Three different protocols
  – Carrier protocol – e.g. the most common is IP
  – Encapsulating protocol – GRE, IPSec, L2F, PPTP, L2TP
  – Passenger protocol – the original data (IPX, NetBEUI, IP)
Tunnels – Encapsulating Protocols
• PPTP vs L2F
  – PPTP wraps PPP in IP
  – L2F uses Layer Two protocols, such as Frame Relay and ATM, for tunneling
• L2TP
  – Supposed to offer the best of PPTP and L2F
  – Supports multiple concurrent tunnels per client
• IPSec – broad-based open solution for encryption and authentication on a per-packet basis
  – Two modes – tunnel and transport
  – Integrated with L2TP for security (transport mode)

The Point-to-Point Protocol (PPP) provides a method for transmitting datagrams over serial point-to-point links.
http://www.cisco.com/warp/public/779/smbiz/service/knowledge/wan/ppp_auth.htm
Tunnels – PPTP
• Protocol
  – Data channel: PPP over IP GRE (Generic Routing Encapsulation)
  – Encapsulates the link layer (PPP), communicates at the network layer (IP)
  – Call setup is handled in a control channel
Tunnels – PPTP Tunneling Example
[Figure: PPTP client computer: SMB packets -> PPP encapsulator -> PPTP interface -> SLIP interface -> IP packets; these reach the ISP gateway as IP GRE packets and travel on to the PPTP server computer: SLIP interface -> PPTP interface -> PPP decapsulator -> IP packets / SMB packets]
http://www.ccsi.com/survival-kit/slip-vs-ppp.html
Tunnels – PPTP Tunneling Example (headers added at each stage)
• Original TCP/IP packet:          IP header | TCP header | payload data
• After the PPP encapsulator:      PPP header | IP header | TCP header | payload data
• After the PPTP interface:        IP header | GRE header | PPP header | IP header | TCP header | payload data
• After the SLIP interface (modem): SLIP header | IP header | GRE header | PPP header | IP header | TCP header | payload data
IP GRE is not handled by many firewalls
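The layering above, and the carrier / encapsulating / passenger roles from the "Tunnels" slide, as an added example that is not part of the original slides. It builds the PPTP data-channel stack (carrier IPv4, GRE, PPP, passenger IPv4/TCP) as bytes, peels it again with validation at each layer, and reports two things the slides only state: the per-packet encapsulation overhead and the IP protocol number the backbone (and any firewall on it) sees. It uses the plain 4-byte GRE header of RFC 2784 rather than PPTP's enhanced GRE header with key and sequence fields, which is a deliberate simplification; all addresses and the sample request are constructed.

```python
import socket
import struct

# Added example (not from the slides): PPTP-style layering as bytes.
# Simplification: plain 4-byte GRE header; real PPTP uses enhanced GRE (RFC 2637).

IP_PROTO_GRE = 47        # IPv4 protocol number for GRE
IP_PROTO_TCP = 6
GRE_TYPE_PPP = 0x880B    # GRE protocol type for PPP payloads (used by PPTP)
PPP_PROTO_IPV4 = 0x0021  # PPP protocol field value for IPv4


def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) with a correct header checksum, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, checksum left zero) in front of data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data


def pptp_encapsulate(passenger: bytes, carrier_src: str, carrier_dst: str) -> bytes:
    """Passenger IP packet -> PPP -> GRE -> carrier IPv4 (what the PPTP interface does)."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + passenger      # PPP protocol field (2 bytes)
    gre = struct.pack("!HH", 0x0000, GRE_TYPE_PPP) + ppp      # GRE flags/version + type
    return ipv4_packet(carrier_src, carrier_dst, IP_PROTO_GRE, gre)


def pptp_decapsulate(carrier: bytes) -> bytes:
    """Peel carrier, GRE and PPP layers, validating each; return the passenger packet."""
    if len(carrier) < 20 or carrier[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (carrier[0] & 0x0F) * 4
    if inet_checksum(carrier[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if carrier[9] != IP_PROTO_GRE:
        raise ValueError("carrier protocol %d is not GRE" % carrier[9])
    total_len = struct.unpack("!H", carrier[2:4])[0]
    gre = carrier[ihl:total_len]
    flags, gre_type = struct.unpack("!HH", gre[:4])
    if flags & 0xB000:   # C, K or S bit set: optional GRE fields not modelled here
        raise ValueError("unsupported GRE optional fields")
    if gre_type != GRE_TYPE_PPP:
        raise ValueError("GRE payload is not PPP")
    ppp = gre[4:]
    if struct.unpack("!H", ppp[:2])[0] != PPP_PROTO_IPV4:
        raise ValueError("PPP payload is not IPv4")
    return ppp[2:]


def tunnel_overhead(carrier: bytes, passenger: bytes) -> int:
    """Bytes added by carrier IP + GRE + PPP: the 'encapsulation overhead' con."""
    return len(carrier) - len(passenger)


def backbone_protocol(carrier: bytes) -> int:
    """What a firewall on the IP backbone sees: the carrier's protocol field, not TCP."""
    return carrier[9]


def demo():
    """Constructed sample: an HTTP request from 10.1.1.5 to 10.2.2.9 carried in a tunnel."""
    passenger = ipv4_packet("10.1.1.5", "10.2.2.9", IP_PROTO_TCP,
                            tcp_segment(40000, 80, b"GET / HTTP/1.0\r\n\r\n"))
    carrier = pptp_encapsulate(passenger, "203.0.113.7", "198.51.100.2")
    return passenger, carrier


if __name__ == "__main__":
    p, c = demo()
    print("passenger %d bytes, carrier %d bytes, overhead %d bytes"
          % (len(p), len(c), tunnel_overhead(c, p)))
    print("backbone sees IP protocol", backbone_protocol(c))
    print("decapsulated == passenger:", pptp_decapsulate(c) == p)
```

The decapsulation side is where a tunnel endpoint has to be strict: every layer's protocol field and the carrier checksum are checked before the inner packet is handed to the VPN's routing, since a packet that passes the backbone as "just GRE" is opaque to everything in between, which is exactly why a backbone firewall that only understands TCP and UDP cannot inspect it.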
Practical VPN – SSH Example

What is SSH?
• Overview of Secure Shell
• SSH is a secure replacement for the "r" utilities.
• Availability: downloadable and commercial versions.
• Resources: both commercial and free versions are widely available. SSH is very popular and there's a lot of expertise out there.

SecureCRT
The SecureCRT client application combines the secure logon and data transfer capabilities of Secure Shell (SSH) with the reliability, usability, and configurability of a proven Windows® terminal emulator.
http://www.vandyke.com/products/securecrt/index.html
Simple SSH VPN
Host-to-host IP tunneling. In SecureCRT:
• Open the session options for a host
• Now select the "Advanced" button

SSH – Port forwarding
• Open up the remote connection
• Point a browser or application at 127.0.0.1:<port>
  – 127.0.0.1:8080 in our example
• We should now be connected to the remote service
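What the 127.0.0.1:8080 endpoint above does from the application's side, as an added example that is not from the slides or from SecureCRT: a minimal local port-forwarder that listens on loopback and relays each accepted connection to the remote service, the way an `ssh -L 8080:host:port` session does. The link between forwarder and service is a plain TCP connection here, which is an assumption made so the example runs offline; in SSH that leg is the encrypted session, and that is what turns a relay into a VPN. The echo service is a constructed stand-in for the real remote service.

```python
import socket
import threading

# Added example (not from the slides or SecureCRT): a loopback port-forwarder.
# The forwarder -> service leg is plain TCP here; in ssh it is the encrypted session.


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst so EOF propagates."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(target_host: str, target_port: int,
                        listen_host: str = "127.0.0.1", listen_port: int = 0):
    """Bind the local endpoint (like ssh -L <listen_port>:<target_host>:<target_port>).

    listen_port=0 lets the OS pick a free port; the slides use 8080. Returns (host, port).
    Binding to 127.0.0.1 keeps the forwarded port reachable only from this machine.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            remote = socket.create_connection((target_host, target_port))
            # one relay thread per direction for each forwarded connection
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()


def start_echo_service():
    """Constructed stand-in for the remote service: reads a request, replies 'ECHO:' + request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            data = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(b"ECHO:" + data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def round_trip(request: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """The client only ever talks to the loopback endpoint; the reply returns via the relay."""
    svc_host, svc_port = start_echo_service()
    fwd_host, fwd_port = start_local_forward(svc_host, svc_port)
    with socket.create_connection((fwd_host, fwd_port)) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)        # end of request; the EOF travels through the relay
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    print(round_trip())
```

Two details matter for the "VPN" reading of port forwarding: the listener is bound to 127.0.0.1 only, so other hosts on the LAN cannot use the tunnel, and the relay carries half-close (EOF) in each direction independently, which is what lets ordinary clients such as a browser work unchanged through the forwarded port.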
Simple SSH VPN – Not Just for Hosts
Network to network
http://www.linuxjournal.com/article.php?sid=3271
VPN on Linux
• VPN HOWTO: http://metalab.unc.edu/pub/Linux/docs/HOWTO/mini/VPN
• Two main ingredients:
  – ssh/sshd – for privacy
  – pppd
• The pppd commands establish a working connection. It's strictly a bilateral umbilical cord between the VPN servers that extends no mutual connectivity to workstations on the networks.
• Mutual connectivity between workstations is done by the route commands. Once these commands have been executed, the two networks have been transparently pooled into a single group of machines, all mutually visible via Internet addresses.
• The PPP interface is assigned an IP address

Example
[Figure: two networks joined by pppd running over an ssh tunnel ("ssh tunnel here")]
An Interesting Challenge
• VPN for VM computing on grids
• Goals
  – Security for the VPN, via ssh
  – Static address for VMs undergoing migration
  – Different VMs may communicate with each other
  – Assume minimum co-operation from the remote host
Spawning Networks
• Main idea: automating the process of realizing distinct network architectures on demand
• OS analogy: "We envision spawning networks as having the capability to spawn not processes but complex network architectures"

Spawning Networks – nesting example
• Two child networks are spawned by the parent network.
• The first child network is a Cellular IP virtual network that supports wireless extensions to the parent network.
• The other child network supports a differentiated services architecture operating over the same network infrastructure.
• An additional level of nesting is shown where the Cellular IP network spawns a child network.

Spawning Networks – Genesis kernel
• The Genesis kernel has the capability to spawn child network architectures that can support alternative distributed network algorithms and services
• Programmable data path
• Routelets operate on the same physical node
• Each routelet corresponds to a distinct virtual network
• Network inheritance tree

Ports and engines are dynamically created during the spawning phase from a set of transport modules, which represent a set of generic routelet plugins:
• Encapsulators, which add specific headers (e.g., RTP, IPv4) to packets at the end systems or routelets
• Forwarders, which execute particular packet forwarding mechanisms (e.g., IPv6, MPLS, Cellular IP) at routelets
• Classifiers, which separate packets in order to receive special treatment by routelets
• Processors, which process packets based on architecturally specific plugins (e.g., police, mark, monitor, shape, filter packets)
• Schedulers, which regulate the use of virtual link capacity based on a programmable buffer and queue management capability
Child ports and engines can be constructed by directly
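The five plugin roles above composed into one routelet, as an added toy model that is not Genesis code and does not follow its interfaces: a "differentiated services" child network is spawned from a policer, an edge marker, an IPv4 encapsulator, a longest-prefix forwarder and a strict-priority scheduler with a per-tick virtual-link budget. Packet sizes, prefixes, link names and DSCP values are constructed; the processors-before-classifier ordering is this model's choice (edge marking first, so the classifier sees the mark).

```python
from collections import deque
from dataclasses import dataclass, field

# Added example (not Genesis code): a routelet assembled from pluggable stages.
# Values, prefixes and link names are constructed for illustration.


@dataclass
class Packet:
    dst: str
    size: int                      # bytes
    dscp: int = 0
    headers: list = field(default_factory=list)


class Classifier:
    """Separate packets into classes that get different treatment; here by DSCP."""
    def __init__(self, ef_threshold=40): self.ef_threshold = ef_threshold
    def classify(self, pkt): return "ef" if pkt.dscp >= self.ef_threshold else "be"


class Marker:
    """Processor: edge-mark packets for a destination prefix with a DSCP value."""
    def __init__(self, prefix, dscp): self.prefix, self.dscp = prefix, dscp
    def process(self, pkt):
        if pkt.dst.startswith(self.prefix):
            pkt.dscp = self.dscp
        return pkt


class Policer:
    """Processor: token bucket; returns None (drop) when a packet exceeds the tokens."""
    def __init__(self, rate_bytes, burst_bytes):
        self.rate, self.burst, self.tokens = rate_bytes, burst_bytes, burst_bytes
    def tick(self): self.tokens = min(self.burst, self.tokens + self.rate)
    def process(self, pkt):
        if pkt.size > self.tokens:
            return None
        self.tokens -= pkt.size
        return pkt


class Encapsulator:
    """Push this virtual network's header tag in front of the packet's headers."""
    def __init__(self, tag): self.tag = tag
    def process(self, pkt):
        pkt.headers.insert(0, self.tag)
        return pkt


class Forwarder:
    """Longest-prefix match over string prefixes -> next hop / virtual link."""
    def __init__(self, table): self.table = table
    def next_hop(self, pkt):
        matches = [p for p in self.table if pkt.dst.startswith(p)]
        return self.table[max(matches, key=len)] if matches else None


class Scheduler:
    """Strict priority across per-class queues, bounded by the virtual link budget per tick."""
    def __init__(self, link_bytes_per_tick, order=("ef", "be")):
        self.budget, self.order = link_bytes_per_tick, order
        self.queues = {c: deque() for c in order}
    def enqueue(self, cls, hop, pkt): self.queues[cls].append((hop, pkt))
    def tick(self):
        sent, remaining = [], self.budget
        for cls in self.order:
            q = self.queues[cls]
            while q and q[0][1].size <= remaining:
                hop, pkt = q.popleft()
                remaining -= pkt.size
                sent.append((hop, pkt))
        return sent


class Routelet:
    """One virtual network's data path on a node: processors -> classifier -> encap -> fwd -> sched."""
    def __init__(self, classifier, processors, encapsulator, forwarder, scheduler):
        self.classifier, self.processors = classifier, processors
        self.encapsulator, self.forwarder, self.scheduler = encapsulator, forwarder, scheduler

    def receive(self, pkt):
        for proc in self.processors:          # police / mark first (edge behaviour)
            pkt = proc.process(pkt)
            if pkt is None:
                return False                  # dropped by a processor
        cls = self.classifier.classify(pkt)
        pkt = self.encapsulator.process(pkt)
        hop = self.forwarder.next_hop(pkt)
        if hop is None:
            return False                      # no route in this virtual network
        self.scheduler.enqueue(cls, hop, pkt)
        return True

    def tick(self): return self.scheduler.tick()


def spawn_diffserv_child():
    """Constructed child network: DiffServ-style marking, policing and priority scheduling."""
    return Routelet(Classifier(ef_threshold=40),
                    [Policer(rate_bytes=1500, burst_bytes=3000), Marker(prefix="10.1.", dscp=46)],
                    Encapsulator("IPv4"),
                    Forwarder({"10.": "linkA", "10.1.": "linkB"}),
                    Scheduler(link_bytes_per_tick=2000))


def demo():
    r = spawn_diffserv_child()
    accepted = [r.receive(Packet(dst="10.1.0.7", size=1000)),   # marked EF, routed to linkB
                r.receive(Packet(dst="10.2.0.7", size=1000)),   # best effort, routed to linkA
                r.receive(Packet(dst="10.2.0.8", size=1500))]   # exceeds remaining tokens: policed
    sent = [(hop, pkt.dst, pkt.dscp, pkt.headers) for hop, pkt in r.tick()]
    return accepted, sent
```

A second child network on the same node would be another Routelet instance with its own plugin set (say, no policer and a Cellular IP forwarder) sharing the physical interfaces; the point of the model is that the behaviour of a virtual network is entirely the choice and order of its plugins, so spawning one is object construction rather than device reconfiguration.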