Virtual Private Networks

(1)

Virtual Private Networks

Petr Gryg

á

rek

Agenda:

VPN Taxonomy

(2)

Basic Terminology and Mechanisms

of Network Security

and Cryptography

(3)

Data Protection

• C

C

onfidentality

•

unauthorized listener cannot understand data meaningunauthorized listener cannot understand data meaning

•

implemented by encryptionimplemented by encryption

• A

A

uthentication

•

verification of data sender identityverification of data sender identity

• Data

Data

integrity

•

verification that data were not modified during transportverification that data were not modified during transport

• N

N

on-repudiation

•

data source cannot repudiate that it sent particular data source cannot repudiate that it sent particular piece of data

piece of data

(4)

Cryptographic Hash Function (1)

• one-way

one-way

fun

ction (algorithm) that converts (arbitrary,

long) block of data to (short) fixed-size hash value

•

easy to computeeasy to compute

•

infeasible to find a message with a given hashinfeasible to find a message with a given hash

•

infeasible to modify a message without changing its hashinfeasible to modify a message without changing its hash

(5)

Cryptographic Hash Function (2)

• often used as Hashed Message Authentication Code

often used as Hashed Message Authentication Code

(HMAC)

•

the hash is computed from [data+secret] blockthe hash is computed from [data+secret] block

• algorithms commonly used as hash function

algorithms commonly used as hash function

•

HMAC-MD5 –– Message Digest 5 HMAC-MD5 –– Message Digest 5

•

(128b message digest)(128b message digest)

•

HMAC-SHA1 – Secure Hash Algorithm HMAC-SHA1 – Secure Hash Algorithm

(6)

Cryptographic System

Implementation options

• Conceal encryption/decryption algorithm

•

If the algorithm is revealed, implementation is useless

• Conceal keys

•

Keys used to parametrize (known) algorithm

•

Enough number of possible keys has to be available

Encryption Decryption

Key plain

text cyper_text plain_text

(7)

Symmetric Cryptosystem

(8)

Properties of Symmetric

Cryptosystem

• Shared secret key

Shared secret key

• Effective algorithm implementations

Effective algorithm implementations

• speed, relative simplicity

speed, relative simplicity

• possible to implement in hardware

possible to implement in hardware

• DES, 3DES, AES, …

DES, 3DES, AES, …

(9)

Authentication in Symmetric Cryptosystem

• Sender encrypts u

Sender encrypts u

sername

using shared key, receiver decrypts

using the same key and tests username validity

•

Requires database of valid usernamesRequires database of valid usernames

• Alternative validity check implementation:

Alternative validity check implementation:

•

Sender appends username hash behind username, then encrypts Sender appends username hash behind username, then encrypts whole block with shared key

whole block with shared key

•

Receiver decrypts [username+hash] with shared key, computes Receiver decrypts [username+hash] with shared key, computes username hash and compares with received hash

username hash and compares with received hash

•

Does not require to maintain username databaseDoes not require to maintain username database Combines authentication with data integrity check

(10)

Data Integrity Check

Implementation

• [

[

message

+

shared secret key

]->hash

• message

message

+hash

is sent

• receiver appends shared secret key behind

receiver appends shared secret key behind

received message, calculates hash by itself and

compares with received hash

Combines origin authentication and data integrity

check

(11)

Asymmetric Cryptosystem

(12)

Public and Private Keys

•

Keys generated as pair – Keys generated as pair – publicpublic and and privateprivate key key

•

One key of pair used for encryption, second one for decryptionOne key of pair used for encryption, second one for decryption

•

no matter which one for whatno matter which one for what

•

uses identical or complementary algorithms for encryption and decryptionuses identical or complementary algorithms for encryption and decryption

Encryption Decryption public key K_B_{_}_P_U_B_L_IC ALICE BOB private key K_B_{_}_P_R_IV_A_T_E K_B_{_}_P_U_B_L_IC K_B_{_}_P_R_IV_A_T_E K_A_{_}_P_U_B_L_IC K_A_{_}_P_R_IV_A_T_E Certification authority K_A_{_}_P_U_B_L_IC K_B_{_}_P_U_B_L_IC

(13)

Features of Asymmetric Cryptosystem

• More calculations comparing to symmetric algorithm

More calculations comparing to symmetric algorithm

=> slower

• RSA, El-Gammal

RSA, El-Gammal

• Problem of secure public key distribution

Problem of secure public key distribution

• no need to conceal them

no need to conceal them

, but we need a mechanism to

protect public keys against modification during transport

• certification authority digitally signs public keys packed

certification authority digitally signs public keys packed

together with owner information

•

(so called “certificates”)(so called “certificates”)

(14)

Usages of

asy

_asy

m

_m

metric sys

_{metric sys}

tem

_tem

• Digital signatures

Digital signatures

• No problem with secret key distribution

No problem with secret key distribution

• Exchange of keys for symmetric system

Exchange of keys for symmetric system

• Often generated dynamically keys with limited

Often generated dynamically keys with limited

lifetime

(15)

Certifi

cation authority (1)

• Trusted entity

Trusted entity

• Digitally signs public keys packed together with owner

Digitally signs public keys packed together with owner

information -

certificates

• First contact with CA must be personal

First contact with CA must be personal

•

obtaining of private+public key pairobtaining of private+public key pair

•

private key + signed certificateprivate key + signed certificate

•

There exist ways how to deliver encrypted private key + certificate There exist ways how to deliver encrypted private key + certificate (containing signed public key) without physical contact

(containing signed public key) without physical contact

•

need to authenticate certificate requestneed to authenticate certificate request

•

uses password prenegotiated between user and CA to encrypt private key and uses password prenegotiated between user and CA to encrypt private key and certificate before sending it to user

certificate before sending it to user

•

usage of LDAP password etc.usage of LDAP password etc.

•

private+public key generation may take place at client OSprivate+public key generation may take place at client OS

(16)

Certifi

cation authority (2)

• Public key of CA needed by communicating parties

Public key of CA needed by communicating parties

to verify certificates of other communicating peers

• Public key of CA has to be inserted into every system

Public key of CA has to be inserted into every system

by some trustworthy manner

• built-in into OS/WWW browser installation files,

built-in into OS/WWW browser installation files,

…

Advantage: only one public key (CA certificate) has to

be preconfigured manually

(17)

Aut

h

_h

enti

_enti

cation

_cation

and Data Integrity

_{and Data Integrity}

Check in

A

_A

sym

_sym

m

_m

etric

_etric

S

_S

yst

_yst

e

_e

m

_m

Data K_{B_PUBLIC} ALICE BOB K_{A_PRIVATE} K_{B_PUBLIC} K_{B_PRIVATE} K_{A_PUBLIC} K_{A_PRIVATE} comparison Hash Data K_{B_PRIVATE} K_{A_PUBLIC} Hash Hash

(18)

Virtual Private Networks

(VPN)

(19)

What is VPN ?

• VPN

VPN

allow to build private WANs using public

shared infrastructure with the same level of

security and configuration options as with private

infrastructure

• Cheaper and flexible method for interconnection

Cheaper and flexible method for interconnection

of geographically dispersed sites

(20)

Advantages of VPNs over Physical

Private WAN Infrastructure

• Lower cost

Lower cost

• Short time of deployment

Short time of deployment

• Flexibility of (virtual) topology

Flexibility of (virtual) topology

• topology defined purely by configuration

topology defined purely by configuration

• No WAN link maintenance and management needed

No WAN link maintenance and management needed

(21)

Some VPN Classification Criteria (1)

• Level of customer trust to the shared infrastructure

Level of customer trust to the shared infrastructure

provider

• trusted/secured (+ level of security)

trusted/secured (+ level of security)

• Protocol/technology applied in the public

Protocol/technology applied in the public

infrastructure provider's network

• Packet-based (IPv4/IPv6)

Packet-based (IPv4/IPv6)

• Virtual-circuit based (Frame Relay, ATM, VLANs)

Virtual-circuit based (Frame Relay, ATM, VLANs)

• IP/MPLS VPN

IP/MPLS VPN

(22)

Some VPN Classification Criteria (2)

• Amount of routing information exchanged between

Amount of routing information exchanged between

provider and customer sites

•

Overlay (CPE-based) modelOverlay (CPE-based) model

•

Peer-to-peer (network-based) modelPeer-to-peer (network-based) model

•

Mixed model (MPLS VPN)Mixed model (MPLS VPN)

• Virtual topology options

Virtual topology options

• Point-to-point (virtual private lines)

Point-to-point (virtual private lines)

•

+ topologies built from virtual P2P links+ topologies built from virtual P2P links

(23)

Some VPN Classification Criteria (3)

• OSI layer of provided connectivity

OSI layer of provided connectivity

•

L2 L2

•

L2-technology dependent L2-technology dependent

•

May support interworking May support interworking

•

L3 protocol transparentL3 protocol transparent

•

L3L3

•

Independent on L2 protocolsIndependent on L2 protocols

•

L3-protocol dependentL3-protocol dependent

• unicast/multicast/both traffic support

unicast/multicast/both traffic support

•

(24)

Some VPN Classification Criteria (4)

• Manual/Automatic configuration

Manual/Automatic configuration

• automatic configuration requires signaling &

automatic configuration requires signaling &

authentication

• automatic configuration is almost inevitable for

automatic configuration is almost inevitable for

interconnection of hundreds of thousands of

customer sites

(25)

Overlay model

•

Uses tunneling methodsUses tunneling methods

•

Encryption and authentication applied in most casesEncryption and authentication applied in most cases

•

Does not utilize underlying infrastructure efficiently in most casesDoes not utilize underlying infrastructure efficiently in most cases

•

Customers have no visibility of provider's network and vice versaCustomers have no visibility of provider's network and vice versa

•

No special contract with infrastructure provider is neededNo special contract with infrastructure provider is needed

(26)

Tunnel

• Virtual point-to-point connection over shared

Virtual point-to-point connection over shared

infrastructure

• often authenticated and encrypted

often authenticated and encrypted

• Carries packets of some protocol encapsulated in

Carries packets of some protocol encapsulated in

another protocol

• sometimes in the same protocol (

sometimes in the same protocol (

IP over IP

)

• tunnel can carry layer 2 frames also

tunnel can carry layer 2 frames also

• allows other protocols to be carried over IP network

allows other protocols to be carried over IP network

(27)

VPN Protocols and Tunneling

Techniques

• IP/IP (v4xv6),

IP/IP (v4xv6),

• GRE

GRE

• L2TP (PPP frames),

L2TP (PPP frames),

• MPLS,

MPLS,

• IPSec

IPSec

• SSL

SSL

• ...

...

(28)

Peer-to-Peer model

• Provider network devices have to carry all

Provider network devices have to carry all

customers' routes

• Problems with overlapping (private) addresses

Problems with overlapping (private) addresses

•

non-unique destination addressesnon-unique destination addresses

• Complicated filtering has to be configured

Complicated filtering has to be configured

•

poor scalability, risk of misconfigurationpoor scalability, risk of misconfiguration

• Optimal routing across provider's shared

Optimal routing across provider's shared

infrastructure

(29)

Most Common VPN Implementation

Options

Internetwork-wide VPNs => tunnels at or above layer 3

• Layer 3 VPN – IPSec

Layer 3 VPN – IPSec

•

media independent (above hop-by-hop L2 security)media independent (above hop-by-hop L2 security)

•

application independentapplication independent

•

connectionless securityconnectionless security

• Layer 4 VPN

Layer 4 VPN

•

SSL/TLS for TCPSSL/TLS for TCP

•

DTLS for UDPDTLS for UDP

(30)

Most Common VPN Implementation

Scenarios

• Router-to-router (

Router-to-router (

firewall

)

• Site-to-site VPNs

Site-to-site VPNs

• Single router may terminate multiple tunnels

Single router may terminate multiple tunnels

• Remote User to VPN concentrator

Remote User to VPN concentrator

• Remote access VPNs

Remote access VPNs

• user has to have special encryption software installed

user has to have special encryption software installed

(

(31)

Common VPN Applications (1)

• Site-to-site VPNs

Site-to-site VPNs

•

RRouterouter to to router router ((firewall to firewallfirewall to firewall))

•

secure interconnection of (multiple) distant LANssecure interconnection of (multiple) distant LANs

•

counterpart with classical WAN networkscounterpart with classical WAN networks

Unsecure public infrastructure

(Internet)

Encryption, Decryption

Site-to-site tunnel

Encryption, Decryption

(32)

Common VPN Applications (2/1)

• Remote access VPNs

Remote access VPNs

• Client-initiated

Client-initiated

•

Remote user to Remote user to VPN VPN cconcentroncentraatortor

•

user has special encryption software installed (user has special encryption software installed (VPN VPN cclientlient))

• NAS-initiated

NAS-initiated

•

Remote user dials in to service provider’s NAS using some Remote user dials in to service provider’s NAS using some connection-oriented telecommunication network (e.g. PSTN,

connection-oriented telecommunication network (e.g. PSTN,

ISDN) considered trustworthy

(33)

Common VPN applications (2/2)

Secure intranet Unsecure public infrastructure (Internet) VPN concentrator PSTN modem User without any special software ISP NAS Encryption Encryption Decryption tunnels NAS-initiated VPN tunnel

(34)

Virtual Private Dial-up Networks

• Provides connection of remote users into private

Provides connection of remote users into private

networks

• Saves customers from maintaining their own physical

Saves customers from maintaining their own physical

RAS solution and interconnection to Telco

• Interoperation between provider's and customers'

Interoperation between provider's and customers'

AAA infrastructures

• L2TP – carries PPP sessions

L2TP – carries PPP sessions

• LAC – L2TP Access Concentrator

LAC – L2TP Access Concentrator

(35)

IPSec

(36)

IPSec

(RFC 2401)

_{(RFC 2401)}

IPSec

IPSec = suite of protocols and algorithms used for data security = suite of protocols and algorithms used for data security implementation at network layer

implementation at network layer

•

Open standards Open standards frameworkframework

•

GeneralGeneral, , independent to actual algorithms usedindependent to actual algorithms used

•

flexible and stable – no need for complete change when particular algorithm is flexible and stable – no need for complete change when particular algorithm is compromised

compromised

•

ProvidesProvides aut authhentienticationcation, , data data integritintegrity and confidentalityy and confidentality

•

using particular preconfigured or negotiated algorithms, not by itselfusing particular preconfigured or negotiated algorithms, not by itself

•

Only for unicast Only for unicast IPIP traffic traffic

•

but other protocols including IP broadcasts/multicasts can be encapsulated into but other protocols including IP broadcasts/multicasts can be encapsulated into IP before transportation over IPSec mechanism

IP before transportation over IPSec mechanism

•

Implemented as additional mechanism for IPv4, natively built-in into Implemented as additional mechanism for IPv4, natively built-in into IPv6

(37)

Basic IPSec terminology

• Security Association

Security Association

• Set of policies and keys for data protection

Set of policies and keys for data protection

• Shared by (two) communicating partners

Shared by (two) communicating partners

• Authentication Header

Authentication Header

• Header appended to IP packet to carry authentication

Header appended to IP packet to carry authentication

system information (HMAC etc.)

• Encapsulating Security Payload Header

Encapsulating Security Payload Header

• Header appended to IP packet to carry security system

Header appended to IP packet to carry security system

information (authentication, confidenitality)

(38)

Security Association

(1)

₍₁₎

• Defines encryption and authentication parameters used

Defines encryption and authentication parameters used

between two partners communicating over IPSec

tunnel

•

encryption and authentication algorithm,encryption and authentication algorithm, key size, key lifetimekey size, key lifetime

•

encryption and authentication key (symmetric)encryption and authentication key (symmetric)

•

IPSec mode (tunnel/transport)IPSec mode (tunnel/transport)

•

encapsulation protocol (AH/ESP)encapsulation protocol (AH/ESP)

•

specification of traffic to be encrypted (/decrypted)specification of traffic to be encrypted (/decrypted)

• Pre-configured or dynamically negotiated between

Pre-configured or dynamically negotiated between

partners during IPSec tunnel establishment

(39)

Security Association

(2)

₍₂₎

• Independent for both traffic directions

Independent for both traffic directions

• Independent SAs for individual security protocols

Independent SAs for individual security protocols

•

i.e. AH, ESP, IKE i.e. AH, ESP, IKE

•

Internet Key Exchange (IKE) provides secure tunnel for Internet Key Exchange (IKE) provides secure tunnel for dynamic SA negotiation

dynamic SA negotiation

• Limited lifetime

Limited lifetime

•

time/bytes transferredtime/bytes transferred

•

new SA is negotiated before lifetime expirationnew SA is negotiated before lifetime expiration

• Stored in Security Association Database (SADB)

Stored in Security Association Database (SADB)

(40)

IPSec modes: Tunnel and Transport

Transport Mode

Tunnel mode

(41)

Transport Mode

• End-to-end security

End-to-end security

•

Needs Needs IPSec IPSec support in end-user stations’ operating systemsupport in end-user stations’ operating system

• AH and ESP inserted between

AH and ESP inserted between

L3 a

nd

L4

headers

•

Impossible to filter traffic according to Impossible to filter traffic according to L4 L4 header in the header in the network (L4 header is encrypted)

network (L4 header is encrypted)

•

Next-header field of AH/ESP header identifies L4 header Next-header field of AH/ESP header identifies L4 header (L4 protocol)

(L4 protocol)

• Original

Original

IP

header

unencrypted

•

But protected by But protected by autauthhentientication/data integrity cation/data integrity =>

(42)

Tunnel Mode

• IPSec tunnel between routers connecting secure LANs to

IPSec tunnel between routers connecting secure LANs to

unsecure shared infrastructure (IPSec gateways)

•

no need for IPSec support in users’ station operating systemsno need for IPSec support in users’ station operating systems

• IP packets encapsulated by another IP packets (tunnel)

IP packets encapsulated by another IP packets (tunnel)

• AH and ESP inserted at the beginning of encapsulating

AH and ESP inserted at the beginning of encapsulating

packet data field, original unchanged (tunneled) packet follows

• Packets encrypted including their IP headers

Packets encrypted including their IP headers

=

> potential spy in insecure network cannot even determine

which stations of secure networks speak together

Used most commonly today.

(43)

Transfer of

IPSec C

_{IPSec C}

ontrol

_ontrol

Information

• Authenti

Authenti

c

ation Header

• Information for authentication and data integrity

Information for authentication and data integrity

• Encapsulating Security Payload

Encapsulating Security Payload

• Information for encryption, authentication and data

Information for encryption, authentication and data

integrity

•

and optionally anti-replayand optionally anti-replay

• May completely supersede authentication header

May completely supersede authentication header

•

AH defined earlier, still maintained for compatibility with AH defined earlier, still maintained for compatibility with older implementations

(44)

Authentication header

• Assures authentication and (connectionless) data

Assures authentication and (connectionless) data

integrity

• Protects

Protects

IP h

eader

(

unchanging fields

)

and

IP

packet

dat

a

•

carries authentication information (HMAC)carries authentication information (HMAC)

•

carries Security Parameters Index (SPI) to identify particular carries Security Parameters Index (SPI) to identify particular security association

security association used for current packetused for current packet

•

if multiple SAs used concurrentlyif multiple SAs used concurrently

• Optional support for

Optional support for

anti-replay

•

Sender inserts sequence numbers into packets, receiver may Sender inserts sequence numbers into packets, receiver may optionally verify them

optionally verify them

• Protects transport IP header

Protects transport IP header

=

(45)

AH – transport mode

(46)

AH – tunnel mode

(47)

Encapsulating Security Payload-ESP

• Carries control information for data encryption

Carries control information for data encryption

(and authentication)

• encapsulates protected data

encapsulates protected data

• Optional data authentication and integrity check

Optional data authentication and integrity check

(only user data)

• Optional

Optional

anti-replay

check

• May provide all functions of authentication

May provide all functions of authentication

header

(48)

ESP – transport mode

(49)

ESP – tunnel mode

(50)

Dynamic SA negotiation

• Manual configuration of SAs at multiple stations is

Manual configuration of SAs at multiple stations is

tedious and error-prone task

• Need for reoccurring reconfiguration - periodic change

Need for reoccurring reconfiguration - periodic change

of authentication/encryption keys is necessary

(51)

Dynamic SA Negotiation

Frameworks

•

Internet Security Association and Key Management Protocol Internet Security Association and Key Management Protocol (ISAKMP)

(ISAKMP)

•

framework for secure (dynamic) key exchange and negotiation of security framework for secure (dynamic) key exchange and negotiation of security associations

associations

•

does not define any particular algorithms, provides only mechanics of does not define any particular algorithms, provides only mechanics of parameter negotiation and key exchange protocols

parameter negotiation and key exchange protocols

•

payload formats etc.payload formats etc.

•

Internet Key Interchange (IKE)Internet Key Interchange (IKE)

•

operates within ISAKMP frameworkoperates within ISAKMP framework

•

key exchange protocol (Oakley Key Exchange + Skeme Key Exchange)key exchange protocol (Oakley Key Exchange + Skeme Key Exchange)

•

used to negotiate IPSec SAsused to negotiate IPSec SAs

•

SA negotiation protected by tunnel encrypted with dynamically negotiated SA negotiation protected by tunnel encrypted with dynamically negotiated keys (

(52)

Diffie-Hellman algorithm

• Used to negotiate shared secret key between two parties

Used to negotiate shared secret key between two parties

over unsecure channel

•

Key value never sent over unsecure channelKey value never sent over unsecure channel

•

Based on public/private key pair generation on both sides, public Based on public/private key pair generation on both sides, public key interchange and calculations with big prime numbers

key interchange and calculations with big prime numbers

• communicating parties have to be authenticated by some

communicating parties have to be authenticated by some

external mechanism

•

prevents man-in-the-middle attackprevents man-in-the-middle attack

(53)

Practical IPSec Operation

1.

Interesting traffic detectedInteresting traffic detected

•

i.e. traffic whose encryption is requiredi.e. traffic whose encryption is required

2.

IKE Phase 1IKE Phase 1

•

IPSec peer authentication (pre-shared keys, RSA signatures (X.509))IPSec peer authentication (pre-shared keys, RSA signatures (X.509))

•

Negotiation of IKE SAs (Diffie-Hellman)Negotiation of IKE SAs (Diffie-Hellman)

•

Encryption algorithm, hash algorithm, keys, key lifetime, …Encryption algorithm, hash algorithm, keys, key lifetime, …

•

Establishes secure channel for IPSec SA negotiationEstablishes secure channel for IPSec SA negotiation

3.

IKE Phase 2IKE Phase 2

•

Negotiation of IPSec SAs (for both directions)Negotiation of IPSec SAs (for both directions)

•

According to policies supported by peersAccording to policies supported by peers

•

Multiple priorized policies may be definedMultiple priorized policies may be defined

4.

Secure data exchange using IPSecSecure data exchange using IPSec

•

SAs renegotiated by IKE if lifetime expiresSAs renegotiated by IKE if lifetime expires