
Virtual Private Networks and Spawning Networks

Presentation Transcript


  1. Virtual Private Networks and Spawning Networks
     Department of Computer Science

  2. Wired Magazine Hype List, Feb 1998: Virtual Private Networks Ranked #1
     "The wonderful thing about virtual private networks is that its myriad definitions give every company a fair chance to claim that its existing product is actually a VPN. But no matter what definition you choose, the networking buzz-phrase doesn't make sense. The idea is to create a private network via tunneling and/or encryption over the public Internet. Sure, it's a lot cheaper than using your own frame relay connections, but it works about as well as sticking cotton in your ears in Times Square and pretending nobody else is around."
     Other items on the list:
     • Hacker Consultants
     • MiniDisc
     • Windows NT 5.0
     • Interior Design
     http://www.wired.com/wired/archive/6.02/hypelist.html

  3. Overview
     • What is a VPN?
     • Requirements and motivation
     • Scenarios
     • Methods
     • Practical VPN
     • Spawning networks: VPNs on the fly

  4-5. What is a VPN?
     • Network: a network consists of any number of devices which can communicate through some arbitrary method
     • Private:
       • Data privacy and data integrity
       • Access is restricted to a defined set of entities
       • Privacy of the addressing and routing system
         • Addressing used by the VPN community is separate and discrete from the underlying shared network
         • Same for routing
     • Virtual: private communication over a shared network infrastructure, e.g. the Internet (encryption and authentication)

  6. One Line Definition
     A VPN is a private network constructed within a public network infrastructure, such as the global Internet.

  7. Scenarios
     • Two end-systems, e.g. e-commerce
     • Remote access network, e.g. a large firm with hundreds of sales people in the field
     • Site to site
       • Branch office connection network: intranet VPN
       • Business partner networks: extranet VPN
     • Combination of the above

  8. Motivations
     • Economics of communications: cheaper than constructing or leasing physical networks for private communication
     • Communications privacy: depends on the technology used to construct the VPN
     • Global reachability
     • Scalability (compared to custom networks)

  9. Requirements
     • Data security
       • Authentication
       • Confidentiality
       • Integrity
     • Tunneling mechanisms
     • QoS guarantees

  10-11. Methods to construct VPNs
     http://www.howstuffworks.com/vpn5.htm
     "Tunneling" is a technology that allows a network transport protocol to carry information for other protocols within its own packets. For example, IPX data packets can be encapsulated in IP packets for transport across the Internet, which isn't normally possible.
     • Most common: tunneling
       • Tunnel connects two VPN endpoints
       • Traffic opaque to the underlying IP backbone
       • IP backbone used as a link-layer technology, where the tunnel forms a virtual point-to-point link
     • Advantages
       • Segregation of the common host network from the VPN
       • Routing of the VPN isolated from the common host network
       • Encapsulate different protocol families

  12. Tunnels
     • Cons
       • Administrative overhead: manual configuration
       • Scaling problems: point to point or point to multipoint?
       • QoS performance issues
       • Encapsulation overhead
       • No control over the path on the common network (e.g. IP)
     • Three different protocols
       • Carrier protocol: most commonly IP
       • Encapsulating protocol: GRE, IPSec, L2F, PPTP, L2TP
       • Passenger protocol: the original data (IPX, NetBEUI, IP)

  13-14. Tunnels: Encapsulating Protocols
     • PPTP vs L2F
       • PPTP wraps PPP in IP
       • L2F uses Layer Two protocols, such as Frame Relay and ATM, for tunneling
     • L2TP
       • Supposed to offer the best of PPTP and L2F
       • Supports multiple concurrent tunnels per client
     • IPSec: broad-based open solution for encryption and authentication on a per-packet basis
       • Two modes: tunnel and transport
       • Integrated with L2TP for security (transport mode)
     The Point-to-Point Protocol (PPP) provides a method for transmitting datagrams over serial point-to-point links.
     http://www.cisco.com/warp/public/779/smbiz/service/knowledge/wan/ppp_auth.htm

  15. Tunnels: PPTP
     • Protocol
       • Data channel: PPP over IP GRE (Generic Routing Encapsulation)
       • Encapsulates the link layer (PPP), communicates at the network layer (IP)
       • Call setup handled in a control channel

  16. Tunnels: PPTP Tunneling Example
     [Figure: PPTP client computer (SMB packets -> PPP encapsulator -> PPTP interface -> SLIP interface, IP packets) -> ISP gateway (IP GRE packets) -> PPTP server computer (IP packets -> PPTP interface -> PPP decapsulator -> SMB packets)]
     http://www.ccsi.com/survival-kit/slip-vs-ppp.html

  17. Tunnels: PPTP Tunneling Example (header stack at each stage)
     • TCP/IP packet: IP Header | TCP Header | Payload Data
     • PPP encapsulator: PPP Header | IP Header | TCP Header | Payload Data
     • PPTP interface: IP GRE Header | PPP Header | IP Header | TCP Header | Payload Data
     • SLIP interface (to modem): SLIP Header | IP GRE Header | PPP Header | IP Header | TCP Header | Payload Data
     Note: IP GRE is not handled by many firewalls.
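The encapsulation chain on slides 12 and 17 (carrier protocol IP, encapsulating protocol GRE, passenger protocol TCP/IP, carried over PPP and SLIP framing) is easier to reason about when you build the bytes. The following is an added example, not code from the slides: it assembles the client-side stack with real protocol numbers (IP protocol 47 for GRE, GRE protocol type 0x880B for PPP, PPP protocol 0x0021 for IPv4, RFC 1055 SLIP byte stuffing) and then peels it again, reporting the encapsulation overhead and what the outermost header exposes to a firewall. The PPP header is reduced to its protocol field, the TCP checksum is left at zero, and plain GRE is used instead of PPTP's enhanced GRE with key and sequence fields; the addresses and payload are constructed.

```python
import struct

# Real protocol constants; the framing around them is simplified for illustration.
IPPROTO_TCP = 6
IPPROTO_GRE = 47          # outer IP "protocol" field: this is all a packet filter sees
GRE_PROTO_PPP = 0x880B    # GRE protocol type for PPP payloads (used by PPTP)
PPP_PROTO_IP = 0x0021     # PPP protocol number for IPv4
SLIP_END, SLIP_ESC, SLIP_ESC_END, SLIP_ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def tcp_header(sport: int, dport: int) -> bytes:
    """Simplified 20-byte TCP header (PSH/ACK, checksum left zero for the demo)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)


def build_tcpip(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Stage 1: the original TCP/IP packet (passenger protocol)."""
    segment = tcp_header(sport, dport) + data
    return ipv4_header(src, dst, IPPROTO_TCP, len(segment)) + segment


def ppp_encapsulate(ip_packet: bytes) -> bytes:
    """Stage 2: PPP encapsulator prepends the PPP protocol field (address/control omitted)."""
    return struct.pack("!H", PPP_PROTO_IP) + ip_packet


def gre_encapsulate(outer_src: str, outer_dst: str, ppp_frame: bytes) -> bytes:
    """Stage 3: PPTP interface wraps the PPP frame in GRE inside an outer IP header (carrier)."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_PPP)   # plain GRE: no checksum/key/sequence flags
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(ppp_frame))
    return outer + gre + ppp_frame


def slip_encode(packet: bytes) -> bytes:
    """Stage 4: SLIP framing toward the modem, with RFC 1055 byte stuffing."""
    out = bytearray([SLIP_END])
    for b in packet:
        if b == SLIP_END:
            out += bytes([SLIP_ESC, SLIP_ESC_END])
        elif b == SLIP_ESC:
            out += bytes([SLIP_ESC, SLIP_ESC_ESC])
        else:
            out.append(b)
    out.append(SLIP_END)
    return bytes(out)


def slip_decode(frame: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(frame):
        b = frame[i]
        if b == SLIP_ESC:
            i += 1
            out.append(SLIP_END if frame[i] == SLIP_ESC_END else SLIP_ESC)
        elif b != SLIP_END:
            out.append(b)
        i += 1
    return bytes(out)


def tunnel(data: bytes) -> bytes:
    """Full client-side path: TCP/IP -> PPP -> IP GRE -> SLIP (constructed sample addresses)."""
    inner = build_tcpip("10.0.0.2", "10.0.0.9", 1025, 139, data)        # SMB over TCP/IP
    return slip_encode(gre_encapsulate("192.0.2.10", "198.51.100.5", ppp_encapsulate(inner)))


def decapsulate(frame: bytes) -> dict:
    """Peel the layers in reverse order, validating what each header claims to carry."""
    outer = slip_decode(frame)
    ihl = (outer[0] & 0x0F) * 4
    outer_proto = outer[9]
    if outer_proto != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE" % outer_proto)
    gre_flags, gre_proto = struct.unpack("!HH", outer[ihl:ihl + 4])
    if gre_flags & 0xF000 or gre_proto != GRE_PROTO_PPP:
        raise ValueError("unexpected GRE header")
    ppp = outer[ihl + 4:]
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    if ppp_proto != PPP_PROTO_IP:
        raise ValueError("PPP frame does not carry IPv4")
    inner = ppp[2:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer_proto": outer_proto,               # 47: what a GRE-unaware firewall must decide on
        "inner_proto": inner[9],                  # 6: TCP, only visible after decapsulation
        "data": inner[inner_ihl + 20:],           # skip inner IP header and simplified TCP header
        "overhead": len(frame) - len(inner),      # SLIP + outer IP + GRE + PPP bytes added
    }
```

The fixed overhead is 28 bytes per packet (2 SLIP END bytes, 20 outer IP, 4 GRE, 2 PPP) plus any SLIP escape bytes, which is the "encapsulation overhead" cost listed on slide 12. The `outer_proto` value is the practical point behind the firewall note: a filter that only understands TCP and UDP sees protocol 47 and nothing of the TCP session inside.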

  18. Practical VPN SSH Example

  19. What is SSH?
     • Overview of Secure Shell
     • SSH is a secure replacement for the "r" utilities
     • Availability: downloadable and commercial versions
     • Resources: both commercial and free are widely available. SSH is very popular and there's a lot of expertise out there.

  20. SecureCRT
     • The SecureCRT client application combines the secure logon and data transfer capabilities of Secure Shell (SSH) with the reliability, usability, and configurability of a proven Windows® terminal emulator.
     http://www.vandyke.com/products/securecrt/index.html

  21. Simple SSH VPN
     • Host-to-host IP tunneling
     • In SecureCRT: open the session options for a host

  22. Simple SSH VPN (2)
     • Now select the "Advanced" button

  23. SSH: Port Forwarding
     • Open up the remote connection
     • Open a browser or application to 127.0.0.1:<port> (127.0.0.1:8080 in our example)
     • We should now connect to the remote service
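What the local side of the port forward on slides 21-23 actually does is: listen on 127.0.0.1:<port>, accept the application's connection, and relay bytes to the remote service. The following added example (not code from the slides or from SecureCRT) implements that relay in plain Python so the mechanism can be run and inspected offline; it stands in a constructed echo service for the "remote service". The one thing it deliberately does not do is encrypt: a real SSH client carries the relayed bytes inside the SSH session to the server, which makes the final hop to the service (the OpenSSH equivalent of the SecureCRT dialog is `ssh -L 8080:service-host:port gateway`). The bind address is the security-relevant parameter shown here: the listener is on loopback, so only local applications can use the forwarded port.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(target_host: str, target_port: int, listen_port: int = 0,
                    bind_addr: str = "127.0.0.1") -> int:
    """Accept connections on bind_addr:listen_port and relay each one to the target.

    Binding to 127.0.0.1 keeps the forwarded service reachable only from this machine;
    binding to 0.0.0.0 would hand the remote service to everyone on the local network.
    Returns the port actually bound (listen_port=0 lets the OS choose a free one).
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_addr, listen_port))
    lsock.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return
            try:
                remote = socket.create_connection((target_host, target_port))
            except OSError:
                client.close()
                continue
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def start_echo_service(port: int = 0) -> int:
    """Constructed stand-in for the 'remote service': returns whatever it receives."""
    ssock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssock.bind(("127.0.0.1", port))
    ssock.listen(5)

    def serve():
        while True:
            try:
                conn, _ = ssock.accept()
            except OSError:
                return
            with conn:
                request = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    request += chunk
                conn.sendall(request)

    threading.Thread(target=serve, daemon=True).start()
    return ssock.getsockname()[1]


def request_via(port: int, payload: bytes) -> bytes:
    """What the browser or application on the slide does: connect to 127.0.0.1:<port>."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


def demo(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """End to end: application -> 127.0.0.1:<forwarded port> -> relay -> service -> back."""
    service_port = start_echo_service()
    local_port = start_forwarder("127.0.0.1", service_port)
    return request_via(local_port, payload)
```

Run `demo()` to see a request travel through the forwarded port and come back; the application never learns the service's real address, which is the "transparent" property the slide relies on.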

  24. Simple SSH VPN

  25. Not Just for Hosts Network to Network

  26. VPN on Linux
     http://www.linuxjournal.com/article.php?sid=3271
     • VPN HOWTO: http://metalab.unc.edu/pub/Linux/docs/HOWTO/mini/VPN
     • Two main ingredients:
       • ssh/sshd for privacy
       • pppd
     • The pppd commands establish a working connection. It's strictly a bilateral umbilical cord between the VPN servers that extends no mutual connectivity to workstations on the networks.
     • Mutual connectivity between workstations: that is done by the route commands. Once these commands have been executed, the two networks have been transparently pooled into a single group of machines, all mutually visible via Internet addresses.
     • The PPP interface is assigned an IP address

  27. Example ssh tunnel here

  28. An Interesting Challenge
     • VPN for VM computing on grids
     • Goals
       • Security for the VPN, via ssh
       • Static address for VMs undergoing migration
       • Different VMs may communicate with each other
       • Assume minimum co-operation from the remote host

  29. Spawning Networks

  30. Spawning Networks
     Main idea: automating the process of realizing distinct network architectures on demand.
     OS analogy: "We envision spawning networks as having the capability to spawn not processes but complex network architectures."

  31. Spawning Networks
     • Two child networks are spawned by the parent network.
     • The first child network is a Cellular IP virtual network that supports wireless extensions to the parent network.
     • The other child network supports a differentiated services architecture operating over the same network infrastructure.
     • An additional level of nesting is shown where the Cellular IP network spawns a child network.

  32. Spawning Networks

  33. Spawning Networks
     The Genesis kernel has the capability to spawn child network architectures that can support alternative distributed network algorithms and services.

  34. Spawning Networks

  35. Spawning Networks: Programmable Data Path
     • Operate on the same physical node
     • Each routelet corresponds to a distinct virtual network
     • Network inheritance tree

  36. Ports and engines are dynamically created during the spawning phase from a set of transport modules, which represent a set of generic routelet plugins:
     • Encapsulators, which add specific headers (e.g., RTP, IPv4) to packets at the end systems or routelets
     • Forwarders, which execute particular packet forwarding mechanisms (e.g., IPv6, MPLS, Cellular IP) at routelets
     • Classifiers, which separate packets in order to receive special treatment by routelets
     • Processors, which process packets based on architecturally specific plugins (e.g., police, mark, monitor, shape, filter packets)
     • Schedulers, which regulate the use of virtual link capacity based on a programmable buffer and queue management capability
     Child ports and engines can be constructed by directly
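The plugin roles on slides 35 and 36 (classifier, processor, forwarder, scheduler composed into a routelet for one virtual network) can be made concrete with a small data-path model. The following is an added example, not Genesis kernel code: each plugin is a class, the processor is a token-bucket policer that re-marks rather than drops excess premium traffic, the forwarder does longest-prefix matching over the child network's address space, and the scheduler is strict-priority with a byte budget standing in for virtual link capacity. The DSCP mapping, routes, rates and packets are all constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    dst: str
    dscp: int
    size: int                              # bytes
    marks: list = field(default_factory=list)


class Classifier:
    """Separates packets into traffic classes by DSCP value (constructed mapping)."""
    def __init__(self, dscp_to_class: dict):
        self.table = dscp_to_class

    def classify(self, pkt: Packet) -> str:
        return self.table.get(pkt.dscp, "best-effort")


class TokenBucketPolicer:
    """Processor plugin: 'police' a class to a rate; excess packets are marked, not dropped."""
    def __init__(self, rate_bytes_per_s: float, burst_bytes: int):
        self.rate, self.burst = rate_bytes_per_s, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0

    def process(self, pkt: Packet, now: float) -> str:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= pkt.size:
            self.tokens -= pkt.size
            return "conform"
        pkt.marks.append("exceed")
        return "exceed"


class Forwarder:
    """Longest-prefix-match forwarding table for this child network's address space."""
    def __init__(self, routes: dict):
        self.routes = sorted(((ipaddress.ip_network(p), nh) for p, nh in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, pkt: Packet):
        addr = ipaddress.ip_address(pkt.dst)
        return next((nh for net, nh in self.routes if addr in net), None)


class PriorityScheduler:
    """Strict-priority queues; drain() releases packets within a virtual-link byte budget."""
    def __init__(self, order):
        self.order = list(order)
        self.queues = {cls: deque() for cls in self.order}

    def enqueue(self, cls: str, pkt: Packet) -> None:
        self.queues[cls].append(pkt)

    def drain(self, capacity_bytes: int) -> list:
        sent = []
        for cls in self.order:
            q = self.queues[cls]
            while q and q[0].size <= capacity_bytes:
                pkt = q.popleft()
                capacity_bytes -= pkt.size
                sent.append(pkt)
        return sent


class Routelet:
    """A per-virtual-network routelet assembled from the plugins above."""
    def __init__(self, classifier, policers, forwarder, scheduler):
        self.classifier, self.policers = classifier, policers
        self.forwarder, self.scheduler = forwarder, scheduler

    def receive(self, pkt: Packet, now: float):
        cls = self.classifier.classify(pkt)
        verdict = self.policers[cls].process(pkt, now) if cls in self.policers else "conform"
        if verdict == "exceed":
            cls = "best-effort"            # demote traffic that exceeds its policed rate
        nh = self.forwarder.next_hop(pkt)
        if nh is None:
            return cls, verdict, None      # no route in this virtual network: dropped
        self.scheduler.enqueue(cls, pkt)
        return cls, verdict, nh


def demo():
    """Constructed traffic: a premium burst that exceeds its policed rate, then best effort."""
    rl = Routelet(
        Classifier({46: "premium"}),
        {"premium": TokenBucketPolicer(rate_bytes_per_s=1000, burst_bytes=1500)},
        Forwarder({"10.1.0.0/16": "routelet-B", "10.1.7.0/24": "routelet-C"}),
        PriorityScheduler(["premium", "best-effort"]),
    )
    results = [rl.receive(Packet("10.1.7.9", 46, 1000), now=0.0),
               rl.receive(Packet("10.1.7.10", 46, 1000), now=0.1),
               rl.receive(Packet("10.1.2.3", 0, 500), now=0.2),
               rl.receive(Packet("192.0.2.1", 0, 100), now=0.3)]
    return results, [p.dst for p in rl.scheduler.drain(2000)]
```

In `demo()` the second premium packet arrives after only 100 bytes of tokens have refilled, so the policer marks it and the routelet demotes it to best effort; the /24 route wins over the /16 for 10.1.7.x; the packet outside the child network's prefixes gets no next hop; and a 2000-byte drain sends the premium packet first and then as much best-effort traffic as fits.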
