Virtual Private Network (VPN)
• A corporation with multiple geographic sites can use one of two approaches to building a corporate intranet.
  – Private network connections. The corporation leases serial lines to connect its sites. Each leased connection extends from a router at one of the corporation's sites to a router at another site; data passes directly from a router at one site to a router at another site.
  – Public Internet connection. Each site contracts with a local ISP for Internet service. Data sent from one corporate site to another passes across the global Internet.
• The chief advantage of using leased lines to interconnect sites is that the resulting network is completely private.
• The chief advantage of using Internet connections is low cost.
• Unfortunately, the Internet cannot guarantee confidentiality. As it travels from source to destination, a datagram passes across intermediate networks that may be shared. As a consequence, outsiders may be able to obtain copies of the datagram and examine its content.
• VPN: use the global Internet to transfer data among corporate sites, but take additional steps to ensure that the data cannot be read by outsiders.
• A VPN is implemented in software. First, the organization obtains an Internet connection for each of its sites.
• Second, the organization chooses a router at each site to run VPN software (usually the router that connects the site to the Internet).
• Third, the organization configures the VPN software in each router to know about the VPN routers at each of the other sites.

VPN Software
• The VPN software operates like a conventional packet filter. The next hop for each outgoing datagram must be a VPN router at another site of the organization.
• Traffic is restricted to pass directly from one corporate site to another, exactly as if the sites had leased lines connecting them.
• VPN software encrypts each outgoing datagram before transmission, so all communication remains confidential.
Tunneling
• Should the entire datagram be encrypted for transmission?
• If the datagram header is encrypted, routers in the Internet will not be able to interpret the header fields they need to use when forwarding the datagram.
• If the header is not encrypted, outsiders will know the source and destination addresses and may be able to deduce information from them.
• To keep information completely hidden as datagrams pass across the Internet from one site to another, VPN software uses an IP-in-IP tunnel.
• The sending VPN software encrypts the entire datagram and places the result inside another datagram for transmission.
• Suppose that a computer X at site 1 creates a datagram for a computer Y at site 3. The datagram is forwarded through site 1 to router R1 (i.e., the router that connects site 1 to the Internet). The VPN software on R1 encrypts the original datagram and encapsulates it in a new datagram for transmission to the router at site 2.
• When the encapsulated datagram arrives, the VPN software on R2 decrypts the payload to extract the original datagram and then forwards it to the destination Y.

[Figure: original datagram (src=X, dst=Y, unencrypted payload) → encrypt → encrypted version of the original datagram → encapsulated in IP for transmission, with outer header src=R1, dst=R2 and the encrypted datagram as payload]

• The original datagram header carries the source and destination addresses of two computers in the organization.
• To keep data secure during transmission across the Internet, the entire original datagram, including the header, is encrypted.
• Thus all datagrams traveling across the Internet from site 1 to site 2 have a source address of router R1 and a destination address of router R2.

VPN
• A "permanent" VPN connects the sites of a corporation.
• A "temporary" VPN connects mobile computers remotely to a site of the corporation.
• In both cases software, called a VPN terminator, must be installed (in the routers belonging to the sites and/or in the user's personal computer).
• The VPN terminator encrypts the data and sends it to the VPN terminator at the other site.
• The keys needed to encrypt and decrypt are known only to the terminator software.
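The three mechanisms described on these slides (the packet filter that only forwards toward another VPN router, the IP-in-IP tunnel whose inner datagram is encrypted header and all, and the terminator that holds the keys) can be seen working together in one small model. The following is an added example written for these notes, not code from the lecture or from any VPN product. Everything in it is constructed: the router addresses (documentation ranges), the site prefixes, the shared key, and the cipher itself, a stdlib-only encrypt-then-MAC scheme built on HMAC-SHA256 so the example runs offline (a real VPN terminator would use a standardized suite such as IPsec ESP and negotiate its keys).

```python
"""IP-in-IP VPN tunnel model (added example; constructed, not from the lecture)."""
import hashlib
import hmac
import ipaddress
import os
import struct

IPPROTO_IPIP = 4    # IANA protocol number for IP-in-IP encapsulation
IPPROTO_UDP = 17


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a header of even length."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram: 20-byte header without options, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(dgram: bytes):
    """Return (src, dst, proto, payload); reject truncated or corrupted headers."""
    if len(dgram) < 20 or dgram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (dgram[0] & 0x0F) * 4
    total = struct.unpack("!H", dgram[2:4])[0]
    if ihl < 20 or total < ihl or total > len(dgram):
        raise ValueError("bad IPv4 length fields")
    if ipv4_checksum(dgram[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(dgram[12:16]))
    dst = str(ipaddress.IPv4Address(dgram[16:20]))
    return src, dst, dgram[9], dgram[ihl:total]


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    return b"".join(_prf(enc_key, nonce + struct.pack("!I", i)) for i in range(length // 32 + 1))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Constructed toy cipher: HMAC-SHA256 counter-mode stream, then a MAC over nonce+ciphertext."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + _prf(mac_key, nonce + ciphertext)


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if len(blob) < 48:
        raise ValueError("truncated tunnel payload")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ciphertext)):
        raise ValueError("tunnel payload failed authentication")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class VpnRouter:
    """VPN terminator on a site's border router: packet filter plus tunnel endpoint.

    peers maps a remote VPN router's address to (site prefix it serves, shared key).
    The keys live only here, matching the slides' point about the terminator software.
    """

    def __init__(self, addr: str, peers: dict):
        self.addr = addr
        self.peers = peers

    def encapsulate(self, inner: bytes) -> bytes:
        """Outbound: the only permitted next hop is a VPN router at another site."""
        _, dst, _, _ = parse_ipv4(inner)
        for peer, (prefix, key) in self.peers.items():
            if ipaddress.IPv4Address(dst) in prefix:
                # Whole original datagram, header included, becomes the encrypted payload.
                return build_ipv4(self.addr, peer, IPPROTO_IPIP, seal(key, inner))
        raise PermissionError("destination %s is not behind any VPN peer" % dst)

    def decapsulate(self, outer: bytes) -> bytes:
        """Inbound: accept IP-in-IP only from a known peer, then recover the original datagram."""
        src, dst, proto, payload = parse_ipv4(outer)
        if dst != self.addr or proto != IPPROTO_IPIP or src not in self.peers:
            raise PermissionError("tunnel datagram from %s rejected" % src)
        inner = open_sealed(self.peers[src][1], payload)
        parse_ipv4(inner)   # the recovered datagram must itself be well-formed
        return inner


# Constructed topology: R1 fronts site 1 (10.1.0.0/16), R2 fronts site 2 (10.2.0.0/16).
SITE_KEY = hashlib.sha256(b"constructed demo key").digest()
R1 = VpnRouter("203.0.113.1", {"198.51.100.2": (ipaddress.ip_network("10.2.0.0/16"), SITE_KEY)})
R2 = VpnRouter("198.51.100.2", {"203.0.113.1": (ipaddress.ip_network("10.1.0.0/16"), SITE_KEY)})


def tunnel_roundtrip(payload: bytes = b"hello from X"):
    """X (site 1) -> Y (site 2): return what the Internet sees and whether R2 recovers the original."""
    inner = build_ipv4("10.1.0.7", "10.2.0.9", IPPROTO_UDP, payload)
    outer = R1.encapsulate(inner)
    outer_src, outer_dst, outer_proto, _ = parse_ipv4(outer)
    return (outer_src, outer_dst, outer_proto), R2.decapsulate(outer) == inner


if __name__ == "__main__":
    print(tunnel_roundtrip())
```

Running `tunnel_roundtrip()` shows the slides' claim directly: every datagram on the Internet path carries src=R1, dst=R2 and protocol 4, while X and Y appear only inside the encrypted payload that R2 decrypts. The two `PermissionError` paths are the packet-filter behaviour: R1 refuses to forward a datagram whose destination is not behind a VPN peer, and R2 refuses IP-in-IP traffic from a router it was not configured to know about.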