Virtual Private Networks and Spawning Networks. Department of Computer Science. Wired Magazine Hype List Feb 1998. Virtual Private Networks Ranked #1
Wired Magazine Hype List, Feb 1998: Virtual Private Networks Ranked #1

"The wonderful thing about virtual private networks is that its myriad definitions give every company a fair chance to claim that its existing product is actually a VPN. But no matter what definition you choose, the networking buzz-phrase doesn't make sense. The idea is to create a private network via tunneling and/or encryption over the public Internet. Sure, it's a lot cheaper than using your own frame relay connections, but it works about as well as sticking cotton in your ears in Times Square and pretending nobody else is around."

Other items on the list
• Hacker Consultants
• MiniDisc
• Windows NT 5.0
• Interior Design
http://www.wired.com/wired/archive/6.02/hypelist.html
Overview
• What is a VPN?
• Requirements and Motivation
• Scenarios
• Methods
• Practical VPN
• Spawning Networks: VPNs on the fly
What is a VPN?
• Network: a network consists of any number of devices which can communicate through some arbitrary method
• Private:
  • Data privacy and data integrity
  • Access is restricted to a defined set of entities
  • Privacy of the addressing and routing system
    • Addressing used by the VPN community is separate and discrete from the underlying shared network
    • Same for routing
• Virtual:
  • Private communication over a shared network infrastructure, e.g. the Internet (encryption and authentication)
One Line Definition
A VPN is a private network constructed within a public network infrastructure, such as the global Internet.
Scenarios
• Two end-systems, e.g. e-commerce
• Remote access network
  • E.g. a large firm with hundreds of sales people in the field
• Site to site
  • Branch office connection network – intranet VPN
  • Business partner networks – extranet VPN
• Combination of the above
Motivations
• Economics of communications
  • Cheaper than constructing or leasing physical networks for private communication
• Communications privacy
  • Depends on the technology used to construct the VPN
• Global reachability
• Scalability (compared to custom networks)
Requirements
• Data security
  • Authentication
  • Confidentiality
  • Integrity
• Tunneling mechanisms
• QoS guarantees
Methods to construct VPNs
• Most common – tunneling
  • A tunnel connects two VPN endpoints
  • Traffic is opaque to the underlying IP backbone
  • The IP backbone is used as a link-layer technology, where the tunnel forms a virtual point-to-point link
• Advantages
  • Segregation of the common host network from the VPN
  • Routing of the VPN is isolated from the common host network
  • Can encapsulate different protocol families

"Tunneling" is a technology that allows a network transport protocol to carry information for other protocols within its own packets. For example, IPX data packets can be encapsulated in IP packets for transport across the Internet, which isn't normally possible.
http://www.howstuffworks.com/vpn5.htm
Tunnels
• Cons
  • Administrative overhead – manual configuration
  • Scaling problems – point to point or point to multipoint?
  • QoS performance issues
  • Encapsulation overhead
  • No control over the path on the common network (e.g. IP)
• Three different protocols
  • Carrier protocol – e.g. the most common is IP
  • Encapsulating protocol – GRE, IPSec, L2F, PPTP, L2TP
  • Passenger protocol – the original data (IPX, NetBEUI, IP)
Tunnels: Encapsulating Protocols
• PPTP vs L2F
  • PPTP wraps PPP in IP
  • L2F uses Layer Two protocols, such as Frame Relay and ATM, for tunneling
• L2TP
  • Supposed to offer the best of PPTP and L2F
  • Supports multiple concurrent tunnels per client
• IPSec – broad-based open solution for encryption and authentication on a per-packet basis
  • Two modes – tunnel and transport
  • Integrated with L2TP for security (transport mode)

The Point-to-Point Protocol (PPP) provides a method for transmitting datagrams over serial point-to-point links.
http://www.cisco.com/warp/public/779/smbiz/service/knowledge/wan/ppp_auth.htm
Tunnels: PPTP
• Protocol
  • Data channel: PPP over IP GRE (Generic Routing Encapsulation)
    • Encapsulates the link layer (PPP), communicates at the network layer (IP)
  • Call setup is handled in a control channel
Tunnels: PPTP Tunneling Example
[Figure: PPTP client computer: SMB packets → PPP encapsulator → PPTP interface (IP GRE packets) → SLIP interface (IP packets) → ISP gateway. PPTP server computer: IP packets → SLIP interface → PPTP interface → PPP decapsulator → SMB packets.]
http://www.ccsi.com/survival-kit/slip-vs-ppp.html
Tunnels: PPTP Tunneling Example (encapsulation at each stage on the client)
• TCP/IP packet: IP Header | TCP Header | Payload Data
• After the PPP encapsulator: PPP Header | IP Header | TCP Header | Payload Data
• After the PPTP interface: IP GRE Header | PPP Header | IP Header | TCP Header | Payload Data
• After the SLIP interface (to the modem): SLIP Header | IP GRE Header | PPP Header | IP Header | TCP Header | Payload Data
• IP GRE is not handled by many firewalls
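The carrier / encapsulating / passenger split and the header stack above, worked as code. This is an added example, not code from the original slides: it builds a passenger TCP/IP packet, wraps it the way the PPP encapsulator and PPTP interface do (PPP protocol field, RFC 2637 enhanced GRE header, carrier IPv4 header), and peels the layers off again. The tunnel addresses, call ID, sequence number and the zero TCP checksum are constructed for the demo. The last function makes the firewall point concrete: a port-based filter only sees IP protocol 47 on the wire, never the inner TCP ports.

```python
"""Layering demo for the PPTP data channel: IP (carrier) / GRE (encapsulating) /
PPP / IP+TCP (passenger). Added example, not code from the original slides;
header layouts follow RFC 791, RFC 793, RFC 1661 and RFC 2637."""
import socket
import struct

GRE_IP_PROTO = 47        # IP protocol number for GRE: the encapsulating protocol
TCP_IP_PROTO = 6
PPTP_GRE_PROTO = 0x880B  # GRE protocol type for PPP payloads (RFC 2637 "enhanced GRE")
PPP_IPV4 = 0x0021        # PPP protocol field: the passenger is IPv4


def _checksum(data: bytes) -> int:
    """Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def passenger_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """The original TCP/IP packet a host on the private network sends.
    The TCP checksum is left zero: this demo is about layering, not delivery."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    return ipv4_header(src, dst, TCP_IP_PROTO, len(tcp)) + tcp


def pptp_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                     call_id: int, seq: int) -> bytes:
    """What the PPP encapsulator and PPTP interface do to a packet: prepend a PPP
    protocol field (address/control field compressed), then an enhanced GRE header
    with K=1 (call ID present), S=1 (sequence present), version 1, then the carrier
    IP header addressed to the tunnel peer."""
    ppp = struct.pack("!H", PPP_IPV4) + inner
    gre = struct.pack("!BBHHHI", 0x30, 0x01, PPTP_GRE_PROTO, len(ppp), call_id, seq) + ppp
    return ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTO, len(gre)) + gre


def pptp_decapsulate(frame: bytes) -> tuple:
    """Peel the tunnel off and return (layer descriptions, passenger packet).
    Raises ValueError when the frame is not a PPTP GRE data packet."""
    layers = []
    ihl = (frame[0] & 0x0F) * 4
    proto = frame[9]
    layers.append("IPv4(proto=%d)" % proto)
    if proto != GRE_IP_PROTO:
        raise ValueError("carrier packet is not GRE")
    gre = frame[ihl:]
    flags, ver, gre_proto, plen, call_id = struct.unpack("!BBHHH", gre[:8])
    if not flags & 0x20 or gre_proto != PPTP_GRE_PROTO or ver & 0x07 != 1:
        raise ValueError("not a PPTP enhanced GRE header")
    # optional 32-bit sequence (S flag) and acknowledgement (A flag) fields
    hdr_len = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)
    layers.append("GRE(type=0x%04X, call_id=%d)" % (gre_proto, call_id))
    ppp = gre[hdr_len:hdr_len + plen]
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    if ppp_proto != PPP_IPV4:
        raise ValueError("PPP passenger is not IPv4")
    layers.append("PPP(proto=0x%04X)" % ppp_proto)
    inner = ppp[2:]
    inner_ihl = (inner[0] & 0x0F) * 4
    layers.append("IPv4(proto=%d)" % inner[9])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    layers.append("TCP(%d->%d)" % (sport, dport))
    return layers, inner


def is_pptp_data_packet(frame: bytes) -> bool:
    """True if the frame parses as a PPTP data packet. A port-based filter never
    reaches this far: all it can match on is the carrier's protocol number, 47."""
    try:
        pptp_decapsulate(frame)
        return True
    except (ValueError, struct.error, IndexError):
        return False


if __name__ == "__main__":
    inner = passenger_packet("10.0.0.2", "10.0.1.5", 40000, 445, b"SMB")
    frame = pptp_encapsulate(inner, "198.51.100.7", "203.0.113.9", call_id=7, seq=1)
    print(" / ".join(pptp_decapsulate(frame)[0]))
```

Running it prints the five layers in order, outermost first. The lengths add up exactly as the slide's diagram implies: 20 bytes of carrier IP, 12 bytes of GRE (8 fixed plus the 4-byte sequence number), 2 bytes of PPP protocol field, and then the untouched passenger packet.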
Practical VPN SSH Example
What is SSH?
• Overview of Secure Shell
• SSH is a secure replacement for the "r" utilities
• Availability: downloadable and commercial versions
• Resources: both commercial and free versions are widely available; SSH is very popular and there's a lot of expertise out there
SecureCRT
• The SecureCRT client application combines the secure logon and data transfer capabilities of Secure Shell (SSH) with the reliability, usability, and configurability of a proven Windows® terminal emulator.
http://www.vandyke.com/products/securecrt/index.html
Simple SSH VPN
• Host-to-host IP tunneling
• In SecureCRT:
  • Open the session options for a host

Simple SSH VPN (2)
• Now select the "Advanced" button
SSH – Port forwarding
• Open up the remote connection
• Open a browser or application to 127.0.0.1:<port>
  • 127.0.0.1:8080 in our example
• We should now connect to the remote service
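What the forwarding step above actually sets up, as an added example (not SecureCRT's or OpenSSH's code): a listener on the loopback interface whose accepted connections are relayed to another endpoint. SSH does the same relay but carries the hop between client and server inside its encrypted channel; this model has no encryption and exists only to show the mechanics. The echo service standing in for the "remote service" and the OS-chosen listening port (instead of the slide's 8080) are this example's own choices. The defender-relevant detail is the bind address: 127.0.0.1 means only processes on this machine can reach the forwarded port, which is what OpenSSH does unless GatewayPorts (or -g) is turned on.

```python
"""User-space model of an SSH local port forward. Added example, not code from the
original slides. Unencrypted: it shows the relay, not the SSH channel around it."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """Listen on listen_host:listen_port; relay every accepted connection to target.
    The default listen_host is 127.0.0.1 so only local processes can use the forward
    (the equivalent of leaving GatewayPorts off in OpenSSH)."""

    def __init__(self, target, listen_host="127.0.0.1", listen_port=0):
        self.target = target
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind((listen_host, listen_port))   # port 0: let the OS pick one
        self.server.listen(5)
        self.host, self.port = self.server.getsockname()[:2]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.server.accept()
            except OSError:          # listener closed
                return
            remote = socket.create_connection(self.target)
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    def close(self):
        self.server.close()


def start_echo_service() -> socket.socket:
    """Stand-in for the remote service on the far side of the tunnel: echoes its input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def round_trip(message: bytes) -> tuple:
    """Send message through the forward; return (listen address, echoed reply)."""
    echo = start_echo_service()
    fwd = LocalForward(echo.getsockname()[:2])
    try:
        with socket.create_connection((fwd.host, fwd.port)) as s:
            s.sendall(message)
            s.shutdown(socket.SHUT_WR)      # the EOF travels through the relay too
            reply = b""
            while chunk := s.recv(4096):
                reply += chunk
    finally:
        fwd.close()
        echo.close()
    return fwd.host, reply


if __name__ == "__main__":
    print(round_trip(b"GET / HTTP/1.0\r\n\r\n"))
```

The application connects to 127.0.0.1:<port> exactly as the slide says and never learns where the bytes end up; that indirection is the whole point of the forward, and it is also why a forward bound to 0.0.0.0 quietly turns one workstation into an entry point for everything on its network.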
Not Just for Hosts: Network to Network
VPN on Linux
• VPN HOWTO: http://metalab.unc.edu/pub/Linux/docs/HOWTO/mini/VPN
• Two main ingredients:
  • ssh/sshd – for privacy
  • pppd
    • The pppd commands establish a working connection. It's strictly a bilateral umbilical cord between the VPN servers that extends no mutual connectivity to workstations on the networks.
• Mutual connectivity between workstations is done by the route commands. Once these commands have been executed, the two networks have been transparently pooled into a single group of machines, all mutually visible via Internet addresses.
• The PPP interface is assigned an IP address
http://www.linuxjournal.com/article.php?sid=3271
Example ssh tunnel here
An Interesting Challenge
• VPN for VM computing on grids
• Goals
  • Security for the VPN
    • Via ssh
  • Static address for VMs undergoing migration
  • Different VMs may communicate with each other
  • Assume minimum co-operation from the remote host
Spawning Networks
Main idea: automating the process of realizing distinct network architectures on demand
OS analogy: "We envision spawning networks as having the capability to spawn not processes but complex network architectures"
Spawning Networks
• Two child networks are spawned by the parent network.
• The first child network is a Cellular IP virtual network that supports wireless extensions to the parent network.
• The other child network supports a differentiated services architecture operating over the same network infrastructure.
• An additional level of nesting is shown where the Cellular IP network spawns a child network of its own.
Spawning Networks
The Genesis kernel has the capability to spawn child network architectures that can support alternative distributed network algorithms and services.

Spawning Networks: Programmable data path
• Routelets operate on the same physical node
• Each routelet corresponds to a distinct virtual network
• Network inheritance tree
Ports and engines are dynamically created during the spawning phase from a set of transport modules, which represent a set of generic routelet plugins:
• Encapsulators, which add specific headers (e.g., RTP, IPv4) to packets at the end systems or routelets
• Forwarders, which execute particular packet forwarding mechanisms (e.g., IPv6, MPLS, Cellular IP) at routelets
• Classifiers, which separate packets in order to receive special treatment by routelets
• Processors, which process packets based on architecturally specific plugins (e.g., police, mark, monitor, shape, filter packets)
• Schedulers, which regulate the use of virtual link capacity based on a programmable buffer and queue management capability
Child ports and engines can be constructed by directly