• No results found

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance"

Copied!
18
0
0

Loading.... (view fulltext now)

Download now ( 18 Page )

Full text

(1)

Virtual Private Network – VPN

IPSec Testing:

Functionality、Interoperability and Performance

Johnnie Chen

(2)

Outline

n What is VPN ? Why we need VPN ? n IPSec Background

n Why IPSec VPN ? =>Functionalitliy

n What’re the critical issues in IPSec VPN

=>Interoperability and Performance

(3)

What is VPN ? Why we need VPN ?

n Network: a way to communicate with others

n Private Network: a way to communicate with others

in private (privacy and authenticity)

n Virtual Private Network: a way to set up private

networks over shared infrastructure

(4)

IP Security (IPSec) Background

(5)

Protocols in IPSec: ESP and AH

n ESP: Encapsulating Security Payload ¡ Privacy (Encryption: AES/3DES/DES) ¡ Authenticity (Hash: SHA1/MD5)

Authentication Data (variable)

Next Header: 8 bits Pad Length: 8 bits

Padding (0-255 bytes) Payload Data (variable)

Sequence Number: 32 bits

(6)

n AH: Authentication Header

¡ Authenticity only (Hash: SHA1/MD5)

Authentication Data (variable) Sequence Number Field: 32 bits Security Parameters Index (SPI): 32 bits

RESERVED: 16 bits Payload Len: 8 bits

(7)

Operation modes in IPSec:

Tunnel mode and Transport mode

n Tunnel mode: secure channel for two regions

¡ BC1 and BC2 can talk to each other through the IPSec secure channel

¡ SG1 and SG2 can NOT do that

n Transport mode: secure channel for two points. ¡ SG1 and SG2 can talk to each other through the IPSec

secure channel

¡ BC1 and BC2 can NOT do that

(8)

Security Association (SA) and Security

Policy (SP) in IPSec

n SA: define what kinds of mechanisms to

used to secure those packets

¡ Encryption/Hash algorithms

¡ Session keys for encryption/hash algorithms ¡ Security Parameter Index (SPI)

n SP: define what kinds of packets to be secured ¡ Source IP range/Destination IP range

¡ ESP or AH

(9)

Internet Key Exchange (IKE)

n

Automatically install SA in both side of SG.

n

Automatically change session keys in a

certain time.

n

Peer authentication method

¡ Certificate

(10)

IPSec VPN Scenario

n Before IPSec Setup

n Assume Pc1 in BC1, Pc2 in BC2

n Pc1 “ping” Pc2 => trigger IKE negotiation => SG1 is initiator, SG2 is

responder

n If IKE negotiation successfully => SAs are installed in both SG1 and SG2.

n After IPSec Setup

(11)

Why IPSec VPN

n

Why VPN

(12)

What’re the critical issues in IPSec

VPN

n

Interoperability (IKE):

¡ Too many variables to configure IPSec ¡ No “standard” configuration

n

Performance

¡ Without ASIC, Encryption will greatly slow

(13)
(14)

IPSec Functionality Testing

n Setup two D-Link DFL-900

¡ Do NOT enable Firewall function

n ADVANCED SETTINGS->Firewall-> uncheck

“Enable Stateful Inspection Firewall->Apply

¡ Enable IPSec VPN

n ADVANCED SETTINGS->VPN Settings->

IPSec->check Enable IPSec”->Apply

n Click “IKE” -> Add a proper IPSec rule (Tunnel mode,

ESP)

n Use “ping” and “ftp” to setup and pass through the

IPSec tunnel

n Collect the Log data

(15)

IPSec Interoperability Testing

n Setup one D-Link DFL-900 and another vendor’s

device ¡ NetScreen 5GT ¡ Fortinet Fortigate-50 ¡ Soniwall SOHO-3 ¡ WatchGuard SOHO-6 ¡ D-Link DFL-100

n Use “ping” and “ftp” to setup and pass through the

IPSec tunnel (Tunnel mode, ESP)

n Collect the IPSec logs which you have done and

write a table to describe the Interoperability

(16)

IPSec Performance Testing

n Use Smartflow/Smartbits to test the throughput of

DFL-900 IPSec

n Variables affecting throughput

¡ Null/SHA1, 3DES/SHA1, AES/SHA1

¡ Frame size: 64, 512, 1450, 1518 bytes n Collect the test result from smartflow

(17)

SmartFlow Setting (reference only)

255.255.255.0 Subnet Mask (SMB6000 2A2)

192.168.2.254 Gateway (SMB6000 2A2)

192.168.2.0 Network (SMB6000 2A2)

192.168.2.1 Port IP Address (SMB6000 2A2)

255.255.255.0 Subnet Mask (SMB6000 2A1)

192.168.1.254 Gateway (SMB6000 2A1)

192.168.1.0 Network (SMB6000 2A1)

192.168.1.1 Port IP Address (SMB6000 2A1)

IPv4 Networks

Full Duplex (SMB6000 2A1, 2A2)

100M Speed (SMB6000 2A1, 2A2)

Force Auto Negotiation (SMB6000 2A1, 2A2)

LAN-6101A/3101A Model (SMB6000 2A1, 2A2)

(18)

50 Back off (%)

100 Traffic Maximum rate (%)

1 Traffic Minimum rate (%)

10 Traffic initial rate (%)

Binary Traffic test mode

10 Duration (Sec)

64/512/1024/1518 Frame size with CRC (bytes)

Test Setup 192.168.1.3 IP Destination 192.168.2.3 IP Source NONE/UDP/TCP IP’s next protocol

References

Download now ( PDF - 18 Page - 198.34 KB )

Related documents

Kotler Mm13e Tif 06

Answer: False Page: 152 Difficulty: Medium AACSB: Reflective Thinking 64.. One of the characteristics of social classes is that those within each class

PhoCA: An extensible service-oriented tool for Photo Clustering Analysis

This tool features: public access through web services; extracting metadata of photos from Flickr or local photo repositories; clustering photos using

Quarterly report. 2nd quarter 2013

The share of the profit in Nordic Group after tax is included in the financial profits as income from investments in associated companies, and amounted in the second quarter to

e-brc Bank Realisation Certificate Message Exchange with Banks Version: 1.2.4

Bank IFSC code + file creation Date + Running Sequence number (3 character) File type: XML file.. Sample I: Where IFSC code is

HCS412. KEELOQ Code Hopping Encoder and Transponder FEATURES PACKAGE TYPES BLOCK DIAGRAM. Security. Operating. Other. Typical Applications PDIP, SOIC

The seed code-word also consist of 69 bits, but the 32 bits of code hopping data and the 28 bits of fixed data is replaced by a 60 bit seed value stored in the EEPROM.. The

Competencies for Nurse Practitioners in Manitoba

Nurse practitioners integrate their in-depth evidence-informed knowledge of advanced nursing practice and theory, health management, health promotion, disease/injury prevention,

A PPENDIX L TCP/IP and OSI

The Option Data field of this option is 32 bits long and gives the length of the packet in octets, excluding the IPv6 header. For such packets, the Payload Length field in the

Impact of organizations on healthcare-associated infections

Recently published essential structural components and indicators of infection prevention and control programmes stress the need for comprehensive ap- proaches that integrate