Virtual Private Networks and Spawning Networks
Department of Computer Science

Wired Magazine Hype List, Feb 1998: Virtual Private Networks ranked #1

"The wonderful thing about virtual private networks is that its myriad definitions give every company a fair chance to claim that its existing product is actually a VPN. But no matter what definition you choose, the networking buzz-phrase doesn't make sense. The idea is to create a private network via tunneling and/or encryption over the public Internet. Sure, it's a lot cheaper than using your own frame relay connections, but it works about as well as sticking cotton in your ears in Times Square and pretending nobody else is around."

Other items on the list: Hacker Consultants, MiniDisc, Windows NT 5.0, Interior Design
http://www.wired.com/wired/archive/6.02/hypelist.html

Overview
– What is a VPN?
– Requirements and motivation
– Scenarios
– Methods
– Practical VPN
– Spawning Networks: VPNs on the fly

What is a VPN?
Network: any number of devices which can communicate through some arbitrary method.
Private:
– Data privacy and data integrity (encryption and authentication)
– Access is restricted to a defined set of entities
– Privacy of the addressing and routing system: the addressing used by the VPN community is separate and discrete from that of the underlying shared network, and the same holds for routing
Virtual:
– Private communication over a shared network infrastructure, e.g. the Internet

One-line definition
A VPN is a private network constructed within a public network infrastructure, such as the global Internet.

Scenarios
– Two end-systems, e.g. e-commerce
– Remote access network, e.g. a large firm with hundreds of sales people in the field
– Site to site: branch office connection network (intranet VPN); business partner networks (extranet VPN)
– Combinations of the above

Motivations
– Economics of communications: cheaper than constructing or leasing physical networks for private communication
– Communications privacy: depends entirely on the technology used to construct the VPN (a tunnel without encryption is private only in its addressing, not in its contents)
– Global reachability
– Scalability (compared to custom networks)

Requirements
– Data security: authentication, confidentiality, integrity
– Tunneling mechanisms
– QoS guarantees
http://www.howstuffworks.com/vpn5.htm

Methods to construct VPNs
Most common: tunneling. "Tunneling" is a technology that allows a network transport protocol to carry information for other protocols within its own packets. For example, IPX data packets can be encapsulated in IP packets for transport across the Internet, which isn't normally possible.
– A tunnel connects two VPN endpoints
– Traffic is opaque to the underlying IP backbone
– The IP backbone is used as a link-layer technology, where the tunnel forms a virtual point-to-point link
Advantages
– Segregation of the common host network from the VPN
– Routing of the VPN is isolated from the common host network
– Can encapsulate different protocol families

Tunnels: cons
– Administrative overhead: manual configuration
– Scaling problems: point-to-point or point-to-multipoint?
– QoS and performance issues: encapsulation overhead; no control over the path taken across the common network (e.g. IP)

Three different protocols are involved in a tunnel:
– Carrier protocol: the network the tunnel runs over; most commonly IP
– Encapsulating protocol: GRE, IPSec, L2F, PPTP, L2TP
– Passenger protocol: the original data (IPX, NetBEUI, IP)

Tunnels: encapsulating protocols
PPTP vs. L2F
– PPTP wraps PPP in IP
– L2F uses layer-two protocols, such as Frame Relay and ATM, for tunneling
The Point-to-Point Protocol (PPP) provides a method for transmitting datagrams over serial point-to-point links.
http://www.cisco.com/warp/public/779/smbiz/service/knowledge/wan/ppp_auth.htm
L2TP
– Supposed to offer the best of PPTP and L2F
– Supports multiple concurrent tunnels per client
IPSec
– Broad-based open solution for encryption and authentication on a per-packet basis
– Two modes: tunnel and transport
– Integrated with L2TP for security: IPSec transport mode protects the L2TP packets, since L2TP itself provides no encryption

Tunnels: PPTP protocol
– Data channel: PPP over IP using GRE (Generic Routing Encapsulation), which encapsulates the link layer (PPP) and communicates at the network layer (IP)
– Call setup is handled in a separate control channel (a TCP connection to port 1723)
– PPTP itself provides no encryption either: confidentiality and authentication come from the PPP layer (MS-CHAP and MPPE in Microsoft's implementation), and MS-CHAP authentication has published cryptanalytic weaknesses

Tunnels: PPTP tunneling example
Client side: SMB packets -> PPP encapsulator -> PPTP interface -> SLIP interface -> modem -> ISP gateway -> (IP packets) -> PPTP server
Server side: IP/GRE packets -> PPTP interface -> PPP decapsulator -> SMB packets
http://www.ccsi.com/survival-kit/slip-vs-ppp.html

Header stack as the packet moves down the client's stack:

  TCP/IP packet:          IP hdr | TCP hdr | payload data
  after PPP encapsulator: PPP hdr | IP hdr | TCP hdr | payload data
  after PPTP interface:   IP hdr | GRE hdr | PPP hdr | IP hdr | TCP hdr | payload data
  after SLIP interface:   SLIP | IP hdr | GRE hdr | PPP hdr | IP hdr | TCP hdr | payload data   -> modem

IP GRE is not handled by many firewalls: GRE is IP protocol 47 rather than TCP or UDP, so port-based filters have nothing to match on, and the PPTP data channel is dropped even where the TCP control channel gets through.

Practical VPN: SSH example
What is SSH? An overview of Secure Shell.
– SSH is a secure replacement for the "r" utilities (rsh, rlogin, rcp).
– Availability: downloadable and commercial versions.
– Resources: both commercial and free implementations are widely available; SSH is very popular and there's a lot of expertise out there.

SecureCRT
The SecureCRT client application combines the secure logon and data transfer capabilities of Secure Shell (SSH) with the reliability, usability, and configurability of a proven Windows® terminal emulator.
http://www.vandyke.com/products/securecrt/index.html

Simple SSH VPN: host-to-host tunneling with SSH port forwarding
– In SecureCRT, open the session options for the host.
– Select the "Advanced" button and set up SSH port forwarding: a local port mapped to a port on the remote service.
– Open up the remote connection.
– Point the browser or application at 127.0.0.1:<port> (127.0.0.1:8080 in our example).
We should now be connected to the remote service. Strictly this is TCP port forwarding, carrying one application's connections through the encrypted SSH channel; it is not IP-layer tunneling, so only the forwarded ports are reachable.

Simple SSH VPN: not just for hosts
Network to network: http://www.linuxjournal.com/article.php?sid=3271

VPN on Linux
VPN HOWTO: http://metalab.unc.edu/pub/Linux/docs/HOWTO/mini/VPN
Two main ingredients:
– ssh/sshd, for privacy (the encrypted link)
– pppd, to run PPP over that link
The pppd commands establish a working connection. It's strictly a bilateral umbilical cord between the VPN servers that extends no mutual connectivity to workstations on the networks. Mutual connectivity between workstations is done by the route commands: once these commands have been executed, the two networks have been transparently pooled into a single group of machines, all mutually visible via Internet addresses.
Caveat: PPP over SSH runs TCP inside TCP, so both layers retransmit on loss and throughput degrades badly on lossy links.
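The PPTP header stack drawn earlier, worked through in code. This is an added example and not code from the slides: it builds the passenger IPv4/TCP packet, frames it in PPP, wraps it in the enhanced GRE header PPTP uses (RFC 2637), adds the carrier IPv4 header (protocol 47), SLIP-frames it for the serial hop to the ISP, and then unwraps and validates it the way the PPTP server would. The addresses, ports, call ID and payload are constructed values, and the TCP checksum is left at zero.

```python
"""Walk a packet down the PPTP header stack from the slide: passenger IPv4/TCP,
PPP framing, enhanced GRE (RFC 2637), carrier IPv4, then SLIP framing for the
serial hop to the ISP, and unwrap it again on the server side. Added example,
not code from the slides; addresses, ports, call ID and payload are constructed."""
import socket
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPP_PROTO_IPV4 = 0x0021                     # PPP protocol field value for IPv4
GRE_PROTO_PPP = 0x880B                      # GRE protocol type for PPP (RFC 2637)
GRE_PPTP_FLAGS = 0x2000 | 0x1000 | 0x0001   # K (key present), S (sequence present), Ver=1
SLIP_END, SLIP_ESC, SLIP_ESC_END, SLIP_ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header, no options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def passenger_packet(payload: bytes) -> bytes:
    """The original TCP/IP packet on private addresses, SMB (port 445) as on the slide.
    The TCP checksum is left zero; its pseudo-header sum is beside the point here."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 445, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    return ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, len(tcp)) + tcp

def pptp_encapsulate(packet: bytes, call_id: int = 7, seq: int = 1) -> bytes:
    """PPP encapsulator + PPTP interface: PPP frame -> GRE -> carrier IPv4 (protocol 47).
    Uncompressed PPP framing (address 0xFF, control 0x03, 2-byte protocol)."""
    ppp = struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO_IPV4) + packet
    gre = struct.pack("!HHHHI", GRE_PPTP_FLAGS, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp
    return ipv4_header("192.0.2.10", "198.51.100.1", IPPROTO_GRE, len(gre)) + gre

def pptp_decapsulate(carrier: bytes) -> tuple:
    """PPTP server side: check each layer before trusting what it carries.
    Returns (inner IPv4 packet, call ID, sequence number)."""
    ihl = (carrier[0] & 0x0F) * 4
    if ipv4_checksum(carrier[:ihl]) != 0 or carrier[9] != IPPROTO_GRE:
        raise ValueError("not a well-formed GRE-over-IPv4 packet")
    flags, proto, plen, call_id, seq = struct.unpack("!HHHHI", carrier[ihl:ihl + 12])
    if flags != GRE_PPTP_FLAGS or proto != GRE_PROTO_PPP:
        raise ValueError("not enhanced GRE carrying PPP")
    ppp = carrier[ihl + 12:ihl + 12 + plen]
    if len(ppp) != plen or ppp[2:4] != struct.pack("!H", PPP_PROTO_IPV4):
        raise ValueError("GRE payload length or PPP protocol mismatch")
    return ppp[4:], call_id, seq

def slip_encode(packet: bytes) -> bytes:
    """RFC 1055 framing for the serial link: END delimiters, END/ESC bytes inside escaped."""
    out = bytearray([SLIP_END])
    for b in packet:
        if b == SLIP_END:
            out += bytes([SLIP_ESC, SLIP_ESC_END])
        elif b == SLIP_ESC:
            out += bytes([SLIP_ESC, SLIP_ESC_ESC])
        else:
            out.append(b)
    out.append(SLIP_END)
    return bytes(out)

def slip_decode(frame: bytes) -> bytes:
    """Inverse of slip_encode for a single frame."""
    out, it = bytearray(), iter(frame)
    for b in it:
        if b == SLIP_END:
            continue
        if b == SLIP_ESC:
            nxt = next(it)
            b = SLIP_END if nxt == SLIP_ESC_END else SLIP_ESC if nxt == SLIP_ESC_ESC else nxt
        out.append(b)
    return bytes(out)

def header_stack(payload: bytes) -> dict:
    """Byte counts at each stage of the slide's diagram; 'overhead' is what the tunnel adds."""
    inner = passenger_packet(payload)
    tunnelled = pptp_encapsulate(inner)
    return {"passenger": len(inner), "ip_gre_ppp": len(tunnelled),
            "slip_frame": len(slip_encode(tunnelled)), "overhead": len(tunnelled) - len(inner)}

if __name__ == "__main__":
    print(header_stack(b"constructed!"))
```

For a 12-byte payload the passenger packet is 52 bytes and the carrier packet 88: the tunnel adds 36 bytes (4 PPP + 12 GRE + 20 outer IP) before SLIP framing, which is the "encapsulation overhead" listed among the cons. The server-side checks are the point to keep: the outer checksum, protocol 47, the GRE flags and protocol type, and the GRE payload length are all verified before the inner packet is handed up.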
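What the SecureCRT port-forwarding setting above does on the client side, as an added example (not SecureCRT or OpenSSH code): a listener on 127.0.0.1 relays each accepted connection to the remote service, so an application pointed at 127.0.0.1:<port> ends up talking to that service. The OpenSSH equivalent of the dialog is ssh -L 8080:<remote host>:<port> user@gateway. The relay hop here is plain TCP, where a real SSH forward carries it inside the encrypted channel; the "remote service" is a constructed echo server so the block runs offline. The loopback-only bind is the practical point: bind 0.0.0.0 instead and anyone on the LAN can ride the tunnel.

```python
"""The client side of an SSH local port forward ("ssh -L 8080:remote:80", or the
SecureCRT "Port forwarding" setting): connections to 127.0.0.1:<local port> are
relayed to the remote service, so an application pointed at 127.0.0.1:8080
talks to that service. Added example, not SecureCRT or OpenSSH code: the relay
hop here is plain TCP (a real forward carries it inside the encrypted channel)
and the remote service is a constructed stand-in that echoes its request."""
import socket
import threading

def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the other side so the reverse
    direction can still drain (the application is usually waiting for the reply)."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class LocalForwarder:
    """Listen on loopback only. Binding 0.0.0.0 would let any host on the LAN ride
    the tunnel under the tunnel owner's credentials (ssh's GatewayPorts trap)."""

    def __init__(self, remote_host: str, remote_port: int, local_port: int = 0):
        self.remote = (remote_host, remote_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", local_port))   # 0 = let the OS pick a free port
        self.listener.listen(5)
        self.listener.settimeout(0.2)                    # so the loop can notice close()
        self.local_port = self.listener.getsockname()[1]
        self.sessions = 0
        self._stop = threading.Event()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                client, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:           # listener closed by close()
                break
            try:
                upstream = socket.create_connection(self.remote, timeout=5)
            except OSError:           # remote service down: refuse this session, keep serving
                client.close()
                continue
            upstream.settimeout(None)
            self.sessions += 1
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self._stop.set()
        self.listener.close()

def start_echo_service() -> int:
    """Constructed stand-in for the remote service: reads one request to EOF, answers
    'echo:' + request, closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(b"echo:" + b"".join(iter(lambda: conn.recv(4096), b"")))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def round_trip(request: bytes) -> bytes:
    """The application's view: connect to 127.0.0.1:<local port>, get the remote reply."""
    forwarder = LocalForwarder("127.0.0.1", start_echo_service())
    try:
        with socket.create_connection(("127.0.0.1", forwarder.local_port), timeout=5) as c:
            c.sendall(request)
            c.shutdown(socket.SHUT_WR)                   # done sending; now read the reply
            return b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        forwarder.close()

def forward_to_dead_service() -> bytes:
    """Failure mode: the remote service is down. The session is refused (the client
    sees EOF) and the forwarder itself keeps running."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:   # grab a free port, release it
        probe.bind(("127.0.0.1", 0))
        dead_port = probe.getsockname()[1]
    forwarder = LocalForwarder("127.0.0.1", dead_port)
    try:
        with socket.create_connection(("127.0.0.1", forwarder.local_port), timeout=5) as c:
            try:
                return c.recv(4096)
            except OSError:                              # some stacks report a reset instead
                return b""
    finally:
        forwarder.close()

if __name__ == "__main__":
    print(round_trip(b"GET / HTTP/1.0\r\n\r\n"))
```

The half-close in pump is what makes request/reply applications work through the forward: when the application finishes sending, the forwarder propagates EOF to the service but keeps the return direction open until the reply has been relayed.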
The PPP interface at each end is assigned an IP address. (Example ssh tunnel here.)

An interesting challenge: VPN for VM computing on grids
Goals
– Security for the VPN, via ssh
– Static address for VMs undergoing migration
– Different VMs may communicate with each other
– Assume minimum co-operation from the remote host

Spawning Networks
Main idea: automating the process of realizing distinct network architectures on demand.
OS analogy: "We envision spawning networks as having the capability to spawn not processes but complex network architectures."

Figure: spawning a hierarchy of virtual networks
• Two child networks are spawned by the parent network.
• The first child network is a Cellular IP virtual network that supports wireless extensions to the parent network.
• The other child network supports a differentiated services architecture operating over the same network infrastructure.
• An additional level of nesting is shown where the Cellular IP network spawns a child network.

The Genesis kernel has the capability to spawn child network architectures that can support alternative distributed network algorithms and services.
• Programmable data path
• Routelets operate on the same physical node; each routelet corresponds to a distinct virtual network
• Network inheritance tree
Ports and engines are dynamically created during the spawning phase from a set of transport modules, which represent a set of generic routelet plugins:
• Encapsulators, which add specific headers (e.g., RTP, IPv4) to packets at the end systems or routelets
• Forwarders, which execute particular packet forwarding mechanisms (e.g., IPv6, MPLS, Cellular IP) at routelets
• Classifiers, which separate packets in order to receive special treatment by routelets
• Processors, which process packets based on architecturally specific plugins (e.g., police, mark, monitor, shape, filter packets)
• Schedulers, which regulate the use of virtual link capacity based on a programmable buffer and queue management capability
Child ports and engines can be constructed by directly