Detailed explanation of VPN technology (Part 2)
Lu Xiaopo
Tunneling Technology Basics
Tunneling is a way of passing data between networks by using the infrastructure of an intermediate internetwork. The data (or payload) carried through a tunnel can be a frame or a packet of a different protocol. The tunneling protocol encapsulates these frames or packets of the other protocol inside a new header. The new header supplies the routing information needed to deliver the encapsulated payload across the intermediate internetwork.
The encapsulated packets are routed across the public internetwork between the two endpoints of the tunnel. The logical path that an encapsulated packet follows across the public internetwork is called the tunnel. When the packet reaches the tunnel endpoint, it is decapsulated and forwarded to its final destination. Note that tunneling covers the whole process: encapsulating the data, transmitting it, and decapsulating it at the far end.
The transit network used by a tunnel can be any kind of internetwork; this article uses the Internet as its main example. Tunnels can also be created within a corporate network. After a period of development and refinement, the more mature tunneling technologies currently include:
1. SNA tunneling over IP networks
When Systems Network Architecture (SNA) traffic is carried across an enterprise IP network, the SNA data frames are encapsulated with UDP and IP headers.
2. Novell NetWare IPX tunneling over IP networks
When an IPX packet is sent to a NetWare server or IPX router, the server or router encapsulates it with UDP and IP headers and sends it across the IP network. The IP-to-IPX router at the other end removes the UDP and IP headers and forwards the packet to its IPX destination.
In recent years a number of new tunneling technologies have emerged, and these are the main subject of this article. They include:
1. Point-to-Point Tunneling Protocol (PPTP)
PPTP allows IP, IPX or NetBEUI traffic to be encrypted and then encapsulated in an IP header (PPTP carries the PPP frames inside GRE) for transmission across an enterprise IP network or a public IP internetwork such as the Internet.
2. Layer 2 Tunneling Protocol (L2TP)
L2TP allows IP, IPX or NetBEUI traffic to be encrypted and then sent over any network that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay or ATM. L2TP itself provides no encryption; in practice it is paired with IPsec, as discussed later in this article.
3. IPsec tunnel mode
IPsec tunnel mode allows an IP payload to be encrypted and then encapsulated in an additional IP header for transmission across an enterprise IP network or a public IP internetwork such as the Internet.
Tunneling Protocols
To create a tunnel, the tunnel client and the tunnel server must use the same tunneling protocol.
Tunneling can be based on either a layer 2 or a layer 3 tunneling protocol. The layers refer to the Open Systems Interconnection (OSI) reference model. Layer 2 tunneling protocols correspond to the data link layer and use frames as their unit of exchange. PPTP, L2TP and L2F (Layer 2 Forwarding) are layer 2 tunneling protocols: they encapsulate the payload in a Point-to-Point Protocol (PPP) frame and send it across the internetwork. Layer 3 tunneling protocols correspond to the network layer and use packets as their unit of exchange. IP-over-IP and IPsec tunnel mode are layer 3 tunneling protocols: they encapsulate an IP packet in an additional IP header before sending it across an IP network.
How tunneling is implemented
For layer 2 tunneling protocols such as PPTP and L2TP, creating a tunnel resembles establishing a session between two parties: both tunnel endpoints must agree to create the tunnel and negotiate its configuration variables, such as address assignment, encryption and compression. In most cases the data carried through the tunnel is sent with a datagram-based protocol, and a tunnel maintenance protocol is used to manage the tunnel.
Layer 3 tunneling protocols generally assume that all configuration has been done by hand in advance, and they do not maintain the tunnel. Unlike layer 3 tunneling protocols, layer 2 tunneling protocols (PPTP and L2TP) must include the creation, maintenance and termination of the tunnel.
Once the tunnel is established, data can be sent through it. The tunnel client and server carry the data with a tunnel data transfer protocol. For example, when the tunnel client sends data to the server, it first prepends a tunnel data transfer protocol header to the payload and then sends the encapsulated data across the internetwork, which routes it to the tunnel server. When the tunnel server receives the packet, it removes the tunnel data transfer protocol header and forwards the payload to the target network.
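The encapsulation and decapsulation steps just described, as an added example that is not code from the original article: a layer 3 IP-in-IP tunnel in Python, in which the tunnel client prepends an outer IPv4 header (the tunnel data transfer header) and the tunnel server validates and strips it before forwarding the inner packet. The addresses (RFC 5737 documentation ranges), the IP identification value and the UDP payload are constructed sample values, and the accepts() helper is an added convenience, not part of any standard.

```python
"""IP-in-IP tunnel encapsulation and decapsulation (RFC 2003 style).

Added example, not code from the original article. The tunnel client
prepends an outer IP header addressed to the tunnel server; the server
checks the header, strips it and returns the inner packet for forwarding.
Addresses, identification value and payload are constructed samples.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00, 20 + payload_len,        # version 4 / IHL 5, DSCP, total length
        0x1234, 0x4000,                      # identification (sample value), DF flag set
        ttl, proto, 0,                       # TTL, protocol, checksum placeholder
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def sample_inner_packet() -> bytes:
    """Constructed private-network packet: IPv4 + UDP datagram with a short payload."""
    data = b"hello from the branch office"
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(data), 0) + data   # UDP checksum 0 = none
    return ipv4_header("10.0.0.5", "10.0.1.9", IPPROTO_UDP, len(udp)) + udp


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel client: prepend the outer header addressed to the tunnel server."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(outer_packet: bytes, my_address: str) -> bytes:
    """Tunnel server: check the outer header, strip it, and return the inner packet.

    Raises ValueError on anything that must not be forwarded, so a corrupt or
    misdirected packet never reaches the target network.
    """
    if len(outer_packet) < 20:
        raise ValueError("truncated outer header")
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[0] >> 4 != 4 or ihl < 20 or len(outer_packet) < ihl:
        raise ValueError("malformed outer IPv4 header")
    hdr = outer_packet[:ihl]
    if checksum(hdr) != 0:                   # a valid header checksums to zero
        raise ValueError("bad outer header checksum")
    if hdr[9] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    if str(ipaddress.IPv4Address(hdr[16:20])) != my_address:
        raise ValueError("outer destination is not this tunnel endpoint")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    inner = outer_packet[ihl:total_len]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner payload is not an IPv4 packet")
    return inner


def accepts(outer_packet: bytes, my_address: str) -> bool:
    """Added filtering helper: True if decapsulate() would forward the packet."""
    try:
        decapsulate(outer_packet, my_address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = sample_inner_packet()
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    print("outer length", len(outer), "inner length", len(inner))
    forwarded = decapsulate(outer, "198.51.100.20")
    print("inner destination", ipaddress.IPv4Address(forwarded[16:20]))
```

The checks in decapsulate() are the part a practitioner cares about: a tunnel endpoint that blindly strips the outer header will forward corrupted or misaddressed packets into the private network, so the server verifies the checksum, the protocol number and that the packet was actually addressed to it before forwarding. A plain IP-in-IP tunnel like this one provides no confidentiality or authentication at all; that is what the IPsec tunnel mode discussed later adds.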
Tunneling protocols and basic tunnel requirements
Because the layer 2 tunneling protocols (PPTP and L2TP) are based on the well-established PPP protocol, they inherit a whole set of its features.
1. User authentication
Layer 2 tunneling protocols inherit PPP's user authentication methods. Many layer 3 tunneling techniques assume that the two tunnel endpoints are already known or authenticated to each other before the tunnel is created. An exception is the ISAKMP negotiation of IPsec, which provides mutual authentication of the tunnel endpoints.
2. Token card support
Through the Extensible Authentication Protocol (EAP), layer 2 tunneling protocols can support a variety of authentication methods, including one-time passwords, cryptographic calculators and smart cards. Layer 3 tunneling protocols can support similar methods; IPsec, for example, negotiates public key certificate authentication through ISAKMP/Oakley.
3. Dynamic Address Assignment
Layer 2 tunneling protocols support dynamic assignment of client addresses through the Network Control Protocol (NCP) negotiation mechanism. Layer 3 tunneling protocols usually assume that addresses were assigned before the tunnel was established. Address assignment for IPsec tunnel mode was still under development at the time of writing.
4. Data compression
Layer 2 tunneling protocols support PPP-based data compression. For example, Microsoft's PPTP and L2TP implementations use Microsoft Point-to-Point Compression (MPPC); the similarly named MPPE, discussed below, is the encryption protocol, not the compression protocol. The IETF is developing a comparable compression mechanism for layer 3 tunneling protocols.
5. Data encryption
Layer 2 tunneling protocols support PPP-based data encryption. Microsoft's PPTP implementation can optionally use Microsoft Point-to-Point Encryption (MPPE), which is based on RSA's RC4 stream cipher. Layer 3 tunneling protocols can use a similar approach; IPsec, for example, negotiates one of several optional encryption methods through ISAKMP/Oakley. Microsoft's L2TP implementation uses IPsec encryption to protect the data flow between the tunnel client and server.
6. Key Management
MPPE, the layer 2 mechanism, relies on keys generated during user authentication and refreshes them periodically. IPsec negotiates its keys over the open network using public key techniques during the ISAKMP exchange, and it also refreshes them periodically.
7. Multi-protocol support
Layer 2 tunneling protocols support multiple payload protocols, so a tunnel client can reach enterprise networks that use IP, IPX or NetBEUI. Layer 3 tunneling protocols such as IPsec tunnel mode, by contrast, can only serve target networks that use IP.
Point-to-Point Protocol
Because layer 2 tunneling protocols depend heavily on the features of PPP, PPP deserves a closer look. PPP was designed to carry data over a point-to-point connection established through a dial-up or dedicated line. It encapsulates IP, IPX and NetBEUI packets in PPP frames and sends them across the point-to-point link. PPP is used primarily to connect dial-up users to a network access server (NAS). A PPP dial-up session goes through four distinct phases:
Phase 1: Establishing the PPP link
PPP uses the Link Control Protocol (LCP) to establish, maintain and terminate the point-to-point link. During the LCP phase the basic communication options are chosen. Note that only the authentication protocol is selected during link establishment; the user is actually authenticated in phase 2. Likewise, the LCP phase determines whether the two peers will negotiate compression or encryption, but the actual choice of compression and encryption algorithms and other details is made in phase 4.
Phase 2: User authentication
In phase 2 the client presents the user's credentials to the remote access server. This phase uses an authentication method that is meant to prevent a third party from capturing the credentials or from impersonating the remote client to take over its connection. Most PPP implementations offer only a limited set of authentication methods: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
1. Password Authentication Protocol (PAP)
PAP is a simple plaintext authentication scheme. The NAS asks the user for a user name and password, and PAP returns them in the clear. This is obviously insecure: a third party can easily read the user name and password off the link and use them to connect to the NAS and reach every resource it provides. Once a password has been captured in this way, PAP offers no protection against that third party.
2. Challenge-Handshake Authentication Protocol (CHAP)
CHAP is a cryptographic authentication method that avoids sending the user's real password over the link when a connection is established. The NAS sends the remote client a challenge packet containing a session identifier and an arbitrarily generated challenge string. The remote client must return its user name together with an MD5 one-way hash computed over the session identifier, the user's password and the challenge string; the user name itself is sent unhashed.
CHAP improves on PAP by never sending the plaintext password over the link; instead the password is hashed together with the challenge. Because the server holds the client's plaintext password, it can repeat the client's computation and compare the result with the value the client returned. CHAP uses a fresh challenge string for every authentication to prevent replay attacks, and it can repeat the challenge at intervals throughout the connection to guard against a third party impersonating the remote client.
3. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Like CHAP, MS-CHAP is a cryptographic authentication mechanism: the NAS sends the remote client a challenge containing a session identifier and an arbitrarily generated challenge string. The remote client returns its user name and a response derived from the challenge string using the MD4 hash of the user's password, rather than the password itself. Because of this, the server needs to store only the hashed form of the user's password instead of the plaintext password, which adds a further measure of protection. MS-CHAP also defines additional error codes, including a password-expired code, and encrypted client-server messages that let users change their own passwords. With MS-CHAP, the client and the NAS each derive an initial key for subsequent data encryption. MPPE takes its keys from this MS-CHAP exchange, which is why MS-CHAP authentication must be used whenever MPPE data encryption is enabled.
During this phase of PPP link configuration, the NAS collects the authentication data and checks it against its own database or against a central authentication server, such as a Windows NT primary domain controller or a Remote Authentication Dial-In User Service (RADIUS) server.
Phase 3: PPP callback control
Microsoft's PPP implementation includes an optional callback control phase, which uses the Callback Control Protocol (CBCP) after authentication completes. If the configuration calls for callback, the connection between the remote client and the NAS is dropped once authentication succeeds, and the NAS then calls the remote client back at a specific phone number. This further protects dial-up access, because the NAS will only call back remote clients at their configured phone numbers.
Phase 4: Invoking the network layer protocols
After the preceding phases are complete, PPP invokes the various Network Control Protocols (NCPs) selected during link establishment (phase 1). For example