VPN construction with independence of client environment
25 January 2007
Shin Takeuchi (University of Tsukuba)
Agenda
• VPN
  • ~Site-to-Site connection~
  • ~Remote-to-Site connection~
• IP security protocol
• SSL-VPN
• Solution
• Experiment
• Implementation
• Conclusion
VPN ~Site-to-Site connection~
(Figure: Site A and Site B joined by a VPN across the Internet)
• We typically use “IPsec” for Site-to-Site VPN connections
• Many devices support “IPsec”
VPN ~Remote-to-Site connection~
(Figure: a Remote User joined to a Site by a VPN across the Internet)
• We usually use “SSL-VPN” for Remote Access
• PPTP is also common
IP security protocol (IPsec) (1/3)
Original IP packet: IP Header | TCP Header | payload
Transport mode
• AH: IP Header | AH Header | TCP Header | payload
• ESP: IP Header | ESP Header | TCP Header | payload | ESP Trailer | ESP Auth
Tunnel mode
• AH: Tunnel IP Header | AH Header | IP Header | TCP Header | payload
• ESP: Tunnel IP Header | ESP Header | IP Header | TCP Header | payload | ESP Trailer | ESP Auth
IPsec (2/3) ~Authentication~
Original IP packet: IP Header | TCP Header | payload
Transport mode
• AH: authentication covers the whole packet: IP Header | AH Header | TCP Header | payload
• ESP: authentication covers ESP Header | TCP Header | payload | ESP Trailer; the outer IP Header is not covered, and ESP Auth carries the check value
Tunnel mode
• AH: authentication covers the whole packet: Tunnel IP Header | AH Header | IP Header | TCP Header | payload
• ESP: authentication covers ESP Header | IP Header | TCP Header | payload | ESP Trailer; the Tunnel IP Header is not covered, and ESP Auth carries the check value
IPsec (3/3) ~Encryption~
Original IP packet: IP Header | TCP Header | payload
Transport mode
• AH: no encryption (IP Header | AH Header | TCP Header | payload are all sent in the clear)
• ESP: encryption covers TCP Header | payload | ESP Trailer; IP Header, ESP Header and ESP Auth stay in the clear
Tunnel mode
• AH: no encryption (Tunnel IP Header | AH Header | IP Header | TCP Header | payload are all sent in the clear)
• ESP: encryption covers the inner IP Header | TCP Header | payload | ESP Trailer; Tunnel IP Header, ESP Header and ESP Auth stay in the clear
SSL-VPN (1/3)
Original IP packet: IP Header | TCP Header | payload
• Reverse Proxy: IP Header | TCP Header | Record Header | payload | MAC
• Port Forwarding: IP Header | TCP Header | Record Header | IP Header | TCP Header | payload | MAC
• L2-Tunneling: IP Header | TCP Header | Record Header | Ethernet Header | IP Header | TCP Header | payload | CRC | MAC
SSL-VPN (2/3) ~Authentication~
Original IP packet: IP Header | TCP Header | payload
• Reverse Proxy: authentication covers the payload; the MAC carries the check value
• Port Forwarding: authentication covers the inner IP Header | TCP Header | payload; the MAC carries the check value
• L2-Tunneling: authentication covers the Ethernet Header | IP Header | TCP Header | payload | CRC; the MAC carries the check value
In every case the outer IP Header, TCP Header and Record Header are outside the authenticated region.
SSL-VPN (3/3) ~Encryption~
Original IP packet: IP Header | TCP Header | payload
• Reverse Proxy: encryption covers the payload
• Port Forwarding: encryption covers the inner IP Header | TCP Header | payload
• L2-Tunneling: encryption covers the Ethernet Header | IP Header | TCP Header | payload | CRC
In every case the outer IP Header, TCP Header and Record Header stay in the clear.
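The six slides above describe, field by field, which parts of a packet each encapsulation authenticates and which it encrypts. The following Python model is an added example (not code from the presentation or its C++ implementation) that records those layouts as data and answers the questions a reviewer asks of a tunnel design: which fields are left unprotected, and whether an on-path rewrite of the outermost IP header (as a NAT box does) would break the integrity check. Field names follow the slides; the coverage is simplified relative to the real protocols (AH, for example, excludes mutable IP header fields such as TTL from its check), and the "inner" prefixes on the SSL-VPN headers are this example's naming, not the slides'.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Integrity tags: neither "authenticated" nor "encrypted" themselves.
INTEGRITY_TAGS = {"ESP Auth", "MAC"}


@dataclass(frozen=True)
class Encapsulation:
    name: str
    fields: Tuple[str, ...]         # wire order, outermost first
    authenticated: Tuple[str, ...]  # covered by the integrity check
    encrypted: Tuple[str, ...]      # covered by confidentiality

    def unprotected(self) -> List[str]:
        """Fields carried in the clear and outside the integrity check."""
        return [f for f in self.fields
                if f not in self.authenticated
                and f not in self.encrypted
                and f not in INTEGRITY_TAGS]

    def outer_header_authenticated(self) -> bool:
        """True when the outermost IP header is inside the integrity check."""
        return self.fields[0] in self.authenticated

    def survives_outer_rewrite(self) -> bool:
        """Does the integrity check still pass if an on-path device rewrites
        the outermost IP header?  (Simplified: AH really skips mutable fields,
        but the addresses a NAT changes are immutable and are covered.)"""
        return not self.outer_header_authenticated()


def _enc(name: str, fields: Tuple[str, ...], protected: Tuple[str, ...],
         encrypted: Tuple[str, ...]) -> Encapsulation:
    return Encapsulation(name, fields, protected, encrypted)


# Layouts from the IPsec slides (1/3 to 3/3).
IPSEC: Dict[str, Encapsulation] = {
    "AH transport": _enc("AH transport",
        ("IP Header", "AH Header", "TCP Header", "payload"),
        ("IP Header", "AH Header", "TCP Header", "payload"), ()),
    "ESP transport": _enc("ESP transport",
        ("IP Header", "ESP Header", "TCP Header", "payload", "ESP Trailer", "ESP Auth"),
        ("ESP Header", "TCP Header", "payload", "ESP Trailer"),
        ("TCP Header", "payload", "ESP Trailer")),
    "AH tunnel": _enc("AH tunnel",
        ("Tunnel IP Header", "AH Header", "IP Header", "TCP Header", "payload"),
        ("Tunnel IP Header", "AH Header", "IP Header", "TCP Header", "payload"), ()),
    "ESP tunnel": _enc("ESP tunnel",
        ("Tunnel IP Header", "ESP Header", "IP Header", "TCP Header", "payload",
         "ESP Trailer", "ESP Auth"),
        ("ESP Header", "IP Header", "TCP Header", "payload", "ESP Trailer"),
        ("IP Header", "TCP Header", "payload", "ESP Trailer")),
}

# Layouts from the SSL-VPN slides (1/3 to 3/3); "inner" prefix is ours.
SSL_VPN: Dict[str, Encapsulation] = {
    "Reverse Proxy": _enc("Reverse Proxy",
        ("IP Header", "TCP Header", "Record Header", "payload", "MAC"),
        ("payload",), ("payload",)),
    "Port Forwarding": _enc("Port Forwarding",
        ("IP Header", "TCP Header", "Record Header", "inner IP Header",
         "inner TCP Header", "payload", "MAC"),
        ("inner IP Header", "inner TCP Header", "payload"),
        ("inner IP Header", "inner TCP Header", "payload")),
    "L2-Tunneling": _enc("L2-Tunneling",
        ("IP Header", "TCP Header", "Record Header", "Ethernet Header",
         "inner IP Header", "inner TCP Header", "payload", "CRC", "MAC"),
        ("Ethernet Header", "inner IP Header", "inner TCP Header", "payload", "CRC"),
        ("Ethernet Header", "inner IP Header", "inner TCP Header", "payload", "CRC")),
}


def summary(table: Dict[str, Encapsulation]) -> Dict[str, Dict[str, object]]:
    """One row per encapsulation: what is exposed and how it reacts to NAT."""
    return {
        name: {
            "unprotected": e.unprotected(),
            "outer header authenticated": e.outer_header_authenticated(),
            "survives outer rewrite": e.survives_outer_rewrite(),
        }
        for name, e in table.items()
    }


if __name__ == "__main__":
    for title, table in (("IPsec", IPSEC), ("SSL-VPN", SSL_VPN)):
        print(title)
        for name, row in summary(table).items():
            print(f"  {name:16s} {row}")
```

Running the script prints one row per mode. Both AH modes report `survives outer rewrite: False`, because the outer address is inside the authenticated region, while every ESP and SSL-VPN mode leaves the outer IP header in the clear and unauthenticated, which is exactly the trade-off the experiment later measures as "connectivity".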
Motivation
• Setup difficulty
  • It is troublesome for ordinary users to configure a VPN
• Must be “Static”
  • Each endpoint requires a “Static” IP address
  • Site-to-Site: “Static”-“Static”; Remote-to-Site: “Dynamic”-“Static”
Goals: more “Simplicity”, more “Flexibility”
Idea
• Implement an application
  • Simple VPN configuration for clients
  • “Dynamic”-“Dynamic” connection
• Introduce the “VPN-Management-Server”
  • The VPN-Management-Server handles the troublesome procedures
Which protocol should we use?
Experiment with selection of protocol
• Criterion
  • Connectivity (connect or disconnect)
• Target
  • IPsec vs. SSL-VPN
• Experimental Network
  • University of Tsukuba campus network (Univ. Tsukuba)
  • Tsukuba WAN
  • Kyushu GigaPOP Project (QGPOP)
  • Network Organization for Research and Technology in Hokkaido (NORTH)
  • Japan Science and Technology Agency (JST)
  • Commercial Internet Service Provider (ISP)
Result of the Experiment
SSL-VPN is more suitable than IPsec!
(Result table legend: ○ = connect, × = disconnect, - = none)
Implementation of the proposed system
• Environment
  • OS: Windows
  • Language: C++
  • Library: openssl-0.9.8c
  • USB token: iKey 1000
• Features
  • When the USB token is inserted into a PC, the VPN is established
• Example
  • Sharing data in a meeting
Procedure sequence (Client ↔ VPN-Management-Server)
• Client → Server: request SSL connection
• SSL authentication: the client verifies the server’s certificate; the server verifies the client’s certificate
• Server → Client: request the client IP address
• Client → Server: send (IP address) in application data
• Server: check the source IP address included in the IP Header against the IP address included in the application data
• Server: register
  ・Client Certificate Serial Number
  ・(source IP address)
  ・(IP address)
  ・IP Classification Information
Client information
・Client Certificate Serial Number
・Header IP
・Payload IP
・IP Classification Information (Global IP, Private IP)
(Figure: system architecture)
• VPN-Management-Server: registry (client certificate serial number, header IP address, payload IP address, IP classification information) and repository (CA private/public key, server private/public key); issues certificates, performs SSL authentication, judges the client environment from the registry, and creates the VPN module (auth info, encryption algorithm, virtual IP, access point IP, connect port, communication protocol) that is sent to the client
• VPN-Server (Global IP, Private IP): accepts the VPN connection from the client’s VPN module
• Client: USB token (iKey) whose IC chip stores the CA public key and the client private/public key; the client application program performs SSL authentication, receives the VPN module, creates the virtual interface (tun/tap device) and routes packets
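The procedure sequence and the architecture figure above describe the registration step on the VPN-Management-Server: after certificate authentication it compares the client's observed source address with the address the client reports, classifies it, and records the result for the client environment judge. The following Python sketch is an added example of that step, not the presentation's C++ implementation. It assumes the header IP is taken from the SSL socket's peer address, the payload IP from the client's application data, that "Private IP" means an RFC 1918 address, and that virtual IPs are allocated from a hypothetical 10.200.0.0/24 pool; the VPN-Server address and port are placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator

# Assumption: "Private IP" on the slide means the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip: str) -> str:
    """IP Classification Information: 'Global IP' or 'Private IP'."""
    addr = ipaddress.ip_address(ip)
    return "Private IP" if any(addr in net for net in RFC1918) else "Global IP"


@dataclass(frozen=True)
class ClientRecord:
    cert_serial: str      # client certificate serial number
    header_ip: str        # source address observed in the IP header (server-observed)
    payload_ip: str       # address the client reported in application data
    classification: str   # classification of the reported (payload) address
    behind_nat: bool      # result of the client environment judge
    virtual_ip: str       # address handed to the client's tun/tap interface


class VPNManagementServer:
    def __init__(self, pool: str = "10.200.0.0/24",
                 vpn_server_ip: str = "198.51.100.10",   # placeholder
                 connect_port: int = 443) -> None:      # placeholder
        self.registry: Dict[str, ClientRecord] = {}
        self._pool: Iterator[ipaddress.IPv4Address] = \
            ipaddress.ip_network(pool).hosts()
        self.vpn_server_ip = vpn_server_ip
        self.connect_port = connect_port

    @staticmethod
    def check(header_ip: str, payload_ip: str) -> str:
        """The 'Check' step: compare header IP with payload IP.
        'same'     -> client sees the address we see (no NAT)
        'nat'      -> client reports a private address, we see a global one
        'mismatch' -> client reports a global address different from the one
                      we observe; NAT cannot explain it, so do not trust it."""
        if header_ip == payload_ip:
            return "same"
        if classify(payload_ip) == "Private IP":
            return "nat"
        return "mismatch"

    def register(self, cert_serial: str, header_ip: str,
                 payload_ip: str) -> ClientRecord:
        """Register a client after SSL authentication succeeded.
        Re-registration with the same serial replaces the old entry."""
        verdict = self.check(header_ip, payload_ip)
        if verdict == "mismatch":
            raise ValueError(f"reported address {payload_ip} does not match "
                             f"observed source {header_ip}")
        record = ClientRecord(cert_serial, header_ip, payload_ip,
                              classify(payload_ip), verdict == "nat",
                              str(next(self._pool)))
        self.registry[cert_serial] = record
        return record

    def vpn_module(self, cert_serial: str) -> Dict[str, object]:
        """Parameters the server sends to the client's VPN module, using the
        field names from the architecture figure (values are placeholders)."""
        r = self.registry[cert_serial]
        return {
            "Virtual IP": r.virtual_ip,
            "access point IP": self.vpn_server_ip,
            "Connect Port": self.connect_port,
            "communication protocol": "SSL",
            "encryption algo": "AES-128-CBC",   # placeholder choice
            "client behind NAT": r.behind_nat,
        }


if __name__ == "__main__":
    # Constructed sample clients: one behind a home router, one directly
    # connected with a global address.
    server = VPNManagementServer()
    print(server.register("0A", "203.0.113.5", "192.168.0.10"))
    print(server.register("0B", "203.0.113.6", "203.0.113.6"))
    print(server.vpn_module("0A"))
```

The point a reviewer would stress is in `check`: the header IP is something the server observed, while the payload IP is a claim made by the client. The server therefore uses the claim only to detect NAT (a private reported address behind a global observed one) and refuses the registration when a claimed global address contradicts what it saw, rather than storing the client's value unverified.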
Conclusion
• VPN
  • IPsec and SSL-VPN
• Focus on the following problems
  • Setup difficulty
  • Must be “Static” IP
• My application
  • Simple VPN configuration for clients
  • Enables “Dynamic”-“Dynamic” connection
Thank you!
Thanks go to Prof. Kasahara for arranging this session. I appreciate the network support of Prof. Okamura (Kyushu Univ.). Thanks also to Prof. Okamoto and researchers Dr. Oyama and Dr. Inomata for their support and guidance.