With the growing popularity of networks, network security has become a hot topic. This article analyzes tunneling technology with a focus on its security aspects, and offers suggestions for using tunneling to implement virtual private networks on Linux.
A VPN is a logical (virtual) network built on top of another network, and it has many advantages over a leased-line network. Within a VPN, so-called "tunnel" technology can be used to carry data packets across public routed networks such as the Internet or other commercial networks.
Here the private "tunnel" behaves like a point-to-point connection. It lets network traffic from many sources travel through separate tunnels over the same shared infrastructure. Tunneling uses point-to-point communication instead of switched connections, and relies on the routed network to deliver data to its destination address. Tunnel technology allows authorized mobile users, or authorized users in general, to access the enterprise network anytime and anywhere.
By establishing tunnel, you can implement the following functions:
Forces data traffic to a specific destination
Hide private network addresses
Transmit non-IP protocol data packets over the IP Network
Provides data security support
Assists in AAA-based user management.
Tunnel Technology Basics
Tunneling is a way of transmitting data between networks by using the infrastructure of an interconnected network. The data (or payload) carried through a tunnel can be frames or packets of a different protocol. The tunneling protocol re-encapsulates these frames or packets of the other protocol in a new header before sending them. The new header provides the routing information that lets the encapsulated payload traverse the interconnected network.
The encapsulated packets are routed between the two endpoints of the tunnel across the public network. The logical path that the encapsulated packets follow over the public network is called the tunnel. Once the tunnel endpoint is reached, the data is decapsulated and forwarded to its final destination. Note that tunneling refers to the entire process: encapsulation, transmission and decapsulation.
The transit network used by a tunnel can be any kind of public interconnected network; this article mainly uses the Internet as its example. Tunnels can also be created inside an enterprise network. After a period of development and refinement, tunnel technology is now mature and includes:
1. SNA tunneling technology on IP Networks
When SNA data streams are transmitted over an enterprise IP network, SNA data packets are encapsulated in UDP and IP headers.
2. Novell NetWare IPX tunneling technology on an IP network
When an IPX packet is sent to the NetWare server or IPX router, the server or router encapsulates IPX packets with UDP and IP headers and then sends the packets over the IP network. The IP-TO-IPX router at the other end forwards packets to the IPX destination after UDP and IP headers are removed.
Some new tunneling technologies have emerged in recent years. This article will mainly introduce these new technologies. Including:
1. Point-to-Point Tunneling Protocol (PPTP)
The PPTP protocol allows IP, IPX or NetBEUI traffic to be encrypted, encapsulated in an IP header and sent across an enterprise IP network or a public IP network.
2. Layer 2 Tunneling Protocol (L2TP)
The L2TP protocol allows IP, IPX or NetBEUI traffic to be encrypted and then transmitted over any network that supports point-to-point packet delivery, such as IP, X.25, frame relay or ATM.
3. IP Security (IPSec) tunnel mode
IPSec tunnel mode allows the IP payload to be encrypted and encapsulated in an IP header, then sent across an enterprise IP network or a public IP network such as the Internet.
Tunnel Protocol
To create a tunnel, both the client and server must use the same tunnel protocol.
Tunneling protocols can be based on either Layer 2 or Layer 3 protocols, the layers being those of the Open Systems Interconnection (OSI) reference model. A Layer 2 tunneling protocol corresponds to the data link layer of the OSI model and uses frames as its unit of exchange. PPTP, L2TP and L2F (Layer 2 Forwarding) are all Layer 2 tunneling protocols: they encapsulate data in Point-to-Point Protocol (PPP) frames and send them across the internetwork. A Layer 3 tunneling protocol corresponds to the network layer of the OSI model and uses packets as its unit of exchange. IP-over-IP and IPsec tunnel mode are both Layer 3 tunneling protocols: they encapsulate an IP packet in an additional IP header and transmit it across the IP network.
Point-to-Point Tunneling Protocol (PPTP)
PPTP provides encrypted communication between a PPTP client and a PPTP server. A PPTP client is a PC running the protocol, such as Windows 95/98; a PPTP server is a server running the protocol, such as a Windows NT server. PPTP is an extension of the PPP protocol. It provides a multi-protocol, secure virtual private network (VPN) communication method over the Internet. Remote users can reach the company's private network through any ISP that supports PPTP.
With PPTP, a customer reaches the public IP network by dialing in. A dial-up user first dials the ISP's network access server (NAS) in the conventional way to establish a PPP connection. On top of that, the user performs a second dial-up to establish a connection to the PPTP server. This connection is called the PPTP tunnel; in essence it is another PPP connection carried over IP. The IP packets can encapsulate data of several protocols, including TCP/IP, IPX and NetBEUI. PPTP uses RSA RC4-based data encryption to secure the virtual connection channel. Users connected directly to the Internet need no PPP dial-up connection and can establish the virtual channel with the PPTP server directly. PPTP leaves the initiative for building the tunnel with the user, who must therefore configure PPTP on his or her PC. This not only increases the user's workload but also brings risk to the network. In addition, PPTP supports only IP as the transport protocol.
Layer-2 Forwarding (l2f)
L2F is a tunneling technology proposed by Cisco. As a transport protocol, L2F allows dial-up access servers to encapsulate dial-up traffic in PPP frames and transmit it over WAN links to an L2F server (router). The L2F server unpacks the packets and injects them into the network. Unlike PPTP and L2TP, L2F has no defined client. Note that L2F is valid only in compulsory tunnels. (For more on voluntary and compulsory tunnels, see "Tunnel Type".)
Layer 2 Tunneling Protocol (L2TP)
The L2TP tunneling protocol is a typical passive tunneling protocol. It combines the advantages of L2F and PPTP, allowing users to initiate VPN connections either from the client or from the access server. L2TP is an encapsulation protocol: it encapsulates link-layer PPP frames for tunneled transport over public network facilities such as IP, ATM and frame relay.
L2TP consists mainly of the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC provides the L2TP support on the client side and is used to initiate calls, receive calls and establish tunnels; the LNS is the endpoint of all tunnels and terminates all PPP streams. In a traditional PPP connection, the endpoint of the user's dial-up connection is the LAC; L2TP extends the PPP endpoint to the LNS.
The benefit of L2TP is that it supports multiple protocols: you can retain the original IPX, AppleTalk and other protocols, or the company's original IP addresses. L2TP also solves the problem of bundling multiple PPP links. PPP link bundling requires all member links to terminate on the same NAS (network access server); L2TP allows the physical PPP links to terminate on different NASes while their logical endpoint is the same device. L2TP also supports tunnel authentication and provides error and flow control.
L2TP uses IPsec to strengthen its security, adding packet authentication, encryption and key management. L2TP/IPSec can therefore give remote users well-designed, interoperable secure tunnel connections, which makes it a good solution for secure remote access and secure gateway-to-gateway connections. A secure VPN thus has two distinct problems to solve, addressed by L2TP and IPSec respectively: the L2TP protocol solves the problem of carrying the users' different protocols across the IP network, and the IPSec protocol (encryption/decryption) solves the problem of keeping information confidential as it crosses the public network.
L2TP on an IP network maintains the tunnel using UDP and a series of L2TP control messages. L2TP also uses UDP to send the L2TP-encapsulated PPP frames through the tunnel. The payload inside the encapsulated PPP frame can be encrypted or compressed.
PPTP and L2TP
Both PPTP and L2TP use the PPP protocol to encapsulate data, and then add additional headers for data transmission over the Internet. Although the two protocols are very similar, there are still some differences:
PPTP requires the transit internetwork to be an IP network. L2TP only requires the tunnel medium to provide packet-oriented point-to-point connectivity, so L2TP can be used over IP (using UDP), frame relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) or ATM VCs.
PPTP can establish only a single tunnel between two endpoints. L2TP supports multiple tunnels between two endpoints, so with L2TP you can create different tunnels for different qualities of service.
L2TP can provide header compression. With header compression the overhead is 4 bytes, whereas the PPTP header occupies 6 bytes.
L2TP can provide tunnel authentication, while PPTP cannot. However, when L2TP or PPTP is used together with IPSec, IPSec can provide the tunnel authentication, and there is no need to authenticate the tunnel at the Layer 2 protocol.
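The L2TP-over-UDP framing described above (the flag-gated header in front of each control message or tunneled PPP frame) can be seen in a small parser and builder for the L2TPv2 header of RFC 2661. This is an added example, not code from the original article; the sample PPP frame and AVP bytes in the test are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_UDP_PORT = 1701  # both control and data messages ride in UDP datagrams on this port

@dataclass
class L2TPHeader:
    is_control: bool
    tunnel_id: int
    session_id: int
    ns: Optional[int]      # present only when the S bit is set
    nr: Optional[int]
    payload: bytes         # AVPs for a control message, the PPP frame for a data message

def parse_l2tp(datagram: bytes) -> L2TPHeader:
    """Parse an L2TPv2 (RFC 2661) header; each optional field is gated by a flag bit."""
    try:
        flags = struct.unpack_from("!H", datagram)[0]
        if flags & 0x000F != 2:
            raise ValueError("unsupported L2TP version %d" % (flags & 0x000F))
        t_bit, l_bit, s_bit, o_bit, p_bit = (flags & m for m in (0x8000, 0x4000, 0x0800, 0x0200, 0x0100))
        if t_bit and (not l_bit or not s_bit or o_bit or p_bit):
            raise ValueError("control message must set L and S and clear O and P")
        pos, end = 2, len(datagram)
        if l_bit:
            end = struct.unpack_from("!H", datagram, pos)[0]
            pos += 2
            if end > len(datagram):
                raise ValueError("Length field exceeds datagram")
        tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)
        pos += 4
        ns = nr = None
        if s_bit:
            ns, nr = struct.unpack_from("!HH", datagram, pos)
            pos += 4
        if o_bit:  # Offset Size word, then that many bytes of padding before the payload
            pos += 2 + struct.unpack_from("!H", datagram, pos)[0]
    except struct.error:
        raise ValueError("L2TP header truncated") from None
    if pos > end:
        raise ValueError("header runs past end of message")
    return L2TPHeader(bool(t_bit), tunnel_id, session_id, ns, nr, datagram[pos:end])

def build_l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    # Minimal data header: flags/version word and the two IDs, no Length or sequencing.
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp_frame

def build_l2tp_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: bytes) -> bytes:
    # Control header: T, L and S set (0xC802 with version 2); Length covers the whole message.
    return struct.pack("!HHHHHH", 0xC802, 12 + len(avps), tunnel_id, session_id, ns, nr) + avps
```

The parser rejects the malformed cases a tunnel endpoint is most likely to receive from the public network: a truncated header, an unknown version, a Length field beyond the datagram, and a control message without the mandatory L and S bits.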
IPsec tunnel mode
IPSec performs strong security processing on packets at the IP layer, providing security services such as data origin authentication, connectionless data integrity, data confidentiality, anti-replay protection and limited traffic-flow confidentiality. Applications of all kinds can use the security services and key management provided at the IP layer without having to design and implement their own security mechanisms. This reduces the overhead of key negotiation and also reduces the likelihood of security vulnerabilities. IPsec can be applied in sequence or recursively. It is deployed on routers, firewalls, hosts and communication links to implement end-to-end security, virtual private networks (VPNs) and secure tunneling.
IPSec is a Layer 3 protocol standard that supports secure data transmission over an IP network. This article gives a detailed overview of IPSec in the "Advanced Security" section; here only the one aspect of IPSec that relates to tunneling protocols is discussed. In addition to specifying the encryption mechanism for IP traffic, IPSec also defines the packet format of the IP-over-IP tunneling mode, generally called IPsec tunnel mode. An IPsec tunnel consists of a tunnel client and a tunnel server. Both ends are configured with IPsec tunneling and use a negotiated encryption mechanism.
To provide secure transmission over a private or public IP network, IPsec tunnel mode encapsulates and encrypts the entire IP packet. The encrypted payload is then encapsulated in a plaintext IP header and sent to the tunnel server across the network. The tunnel server processes the received packets: after the plaintext IP header is removed and the content is decrypted, the original payload IP packet is recovered. After normal processing, that payload IP packet is routed to its destination on the target network.
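The IP-over-IP encapsulation described in the "Tunnel Protocol" section, and the plaintext outer header that IPsec tunnel mode wraps around the whole inner packet, come down to building one IPv4 header in front of another and validating both when the tunnel is unwrapped. The following is an added example, not code from the original article; it shows the plain IP-in-IP case (outer Protocol 4, as in RFC 2003) and omits the ESP layer that IPsec inserts between the two headers, and all addresses in the test are constructed documentation values.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # outer Protocol value that says "an IPv4 packet follows" (RFC 2003)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; a valid header checksums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes):
    """Validate the header and return (src, dst, proto, payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("inconsistent IHL / Total Length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    return src, dst, packet[9], packet[ihl:total_len]

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: wrap the whole inner packet behind a new outer header."""
    parse_ipv4(inner)  # refuse to forward a malformed inner packet
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes, expected_peer: str) -> bytes:
    """Tunnel exit: strip the outer header after checking it came from the configured peer."""
    src, _dst, proto, payload = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP (protocol %d)" % proto)
    if src != expected_peer:
        raise ValueError("tunnel packet from unexpected endpoint " + src)
    parse_ipv4(payload)  # inner header must validate before it is routed onward
    return payload
```

The peer check in decapsulate is the part that plain IP-in-IP cannot enforce against a spoofed outer source address; that is exactly the gap the authentication services of IPsec tunnel mode close.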
The IPSec tunneling mode has the following functions and limitations:
Only IP data streams are supported.
It works at the bottom of the IP stack, so applications and higher-level protocols inherit IPSec's behavior without changes.
It is controlled by a security policy (a complete set of filtering rules). The security policy lists the available encryption and tunneling mechanisms and authentication methods in order of priority. When communication needs to be established, the two endpoints authenticate each other and negotiate the encryption method. All subsequent traffic is encrypted with the mechanism negotiated by both parties and then encapsulated in the tunnel header.