Detailed explanation of VPN technology (continued)
Lu Xiaopo
(Continued from the previous part)
Data transfer phase
Once the four-phase negotiation is complete, PPP begins forwarding data between the connected peers. Each transmitted datagram is encapsulated in a PPP header, which is removed when it arrives at the receiving peer. If data compression was selected in Phase 1 and its negotiation completed in Phase 4, the data is compressed before transmission. Similarly, if data encryption was selected and negotiated, the data (or the compressed data) is encrypted before transmission.
Point-to-Point Tunneling Protocol (PPTP)
PPTP is a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission over an IP network such as the Internet. PPTP can also be used for connections between private local area networks. The draft RFC "Point-to-Point Tunneling Protocol" describes the PPTP protocol. The draft was submitted to the IETF in June 1996 by member companies of the PPTP Forum, including Microsoft, Ascend, 3Com and ECI. An online copy of the draft is available at http://www.ietf.org. PPTP maintains the tunnel with a TCP connection and uses Generic Routing Encapsulation (GRE) to encapsulate the PPP frames for transmission through the tunnel. The payload of the encapsulated PPP frame can be encrypted, compressed or both. Figure 7 shows how a PPTP packet is assembled before the data is transmitted.
Layer 2 Forwarding (L2F)
L2F is a tunneling technology proposed by Cisco. As a transport protocol, L2F allows a dial-up access server to encapsulate dial-up traffic in PPP frames and send it over a WAN link to an L2F server (a router). The L2F server unpacks the packets and injects them into the network. Unlike PPTP and L2TP, L2F has no defined client side. Note that L2F works only with compulsory tunnels. (Voluntary and compulsory tunnels are introduced in the "Tunnel type" section below.)
Layer 2 Tunneling Protocol (L2TP)
L2TP combines PPTP and L2F; its designers intended it to merge the advantages of both protocols.
L2TP is a network protocol that transmits encapsulated PPP frames over networks such as IP, X.25, Frame Relay or ATM. When IP is used as the datagram transport for L2TP, L2TP can serve as a tunneling protocol over the Internet. L2TP can also be used directly over various WAN media without an IP transport layer. The draft RFC "Layer 2 Tunneling Protocol" describes L2TP. The document was submitted to the IETF in January 1998. A copy of the draft is available at http://www.ietf.org.
Over IP networks, L2TP maintains the tunnel using UDP and a series of L2TP messages, and it also uses UDP to send the L2TP-encapsulated PPP frames through the tunnel. The payload of the encapsulated PPP frame can be encrypted, compressed or both. Figure 8 shows how an L2TP packet is assembled before transmission.
PPTP and L2TP
Both PPTP and L2TP use PPP to encapsulate data and then add additional headers for transmission over the internetwork. Although the two protocols are very similar, there are several differences:
1. PPTP requires the internetwork to be an IP network. L2TP only requires the tunneling medium to provide packet-oriented point-to-point connectivity. L2TP can be used over IP (using UDP), Frame Relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) or ATM VCs.
2. PPTP can establish only a single tunnel between two endpoints. L2TP supports multiple tunnels between two endpoints; with L2TP, users can create different tunnels for different qualities of service.
3. L2TP provides header compression. With header compression enabled, L2TP operates with 4 bytes of overhead, compared with 6 bytes for PPTP.
4. L2TP provides tunnel authentication, while PPTP does not. However, when either L2TP or PPTP is used together with IPSec, tunnel authentication can be provided by IPSec and is not needed at the Layer 2 protocol.
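The two encapsulations compared above can be seen directly in the headers. As an added example (not code from the original article), the decoders below parse the PPTP enhanced GRE header (RFC 2637) and the L2TP header carried on UDP port 1701 (RFC 2661), recover the PPP frame and report how many header bytes preceded it; the sample frames are constructed, not captured traffic.

```python
import struct

GRE_PROTO_PPP = 0x880B  # GRE protocol type for PPP, fixed by RFC 2637


def parse_pptp_gre(gre: bytes) -> dict:
    """PPTP GRE header: flags/version, protocol, payload length, Call ID, optional seq (S) and ack (A)."""
    if len(gre) < 8:
        raise ValueError("GRE header truncated")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if proto != GRE_PROTO_PPP or flags & 0x0007 != 1:
        raise ValueError("not a PPTP enhanced GRE packet")
    pos, seq = 8, None
    if flags & 0x1000:  # S: 4-byte sequence number present
        (seq,) = struct.unpack_from("!I", gre, pos)
        pos += 4
    if flags & 0x0080:  # A: 4-byte acknowledgment number present
        pos += 4
    if len(gre) < pos + payload_len:
        raise ValueError("GRE payload truncated")
    return {"call_id": call_id, "seq": seq, "overhead": pos,
            "ppp": gre[pos:pos + payload_len]}


def parse_l2tp(udp_payload: bytes) -> dict:
    """L2TP v2 header: flags/version, optional Length (L), Tunnel ID, Session ID, optional Ns/Nr (S), Offset (O)."""
    if len(udp_payload) < 6:
        raise ValueError("L2TP header truncated")
    (flags,) = struct.unpack_from("!H", udp_payload)
    if flags & 0x000F != 2:
        raise ValueError("not an L2TP version 2 packet")
    pos, end = 2, len(udp_payload)
    if flags & 0x4000:  # L: explicit total length present
        (end,) = struct.unpack_from("!H", udp_payload, pos)
        pos += 2
    tunnel_id, session_id = struct.unpack_from("!HH", udp_payload, pos)
    pos += 4
    if flags & 0x0800:  # S: Ns and Nr sequence fields present
        pos += 4
    if flags & 0x0200:  # O: Offset Size field followed by that many pad bytes
        (offset,) = struct.unpack_from("!H", udp_payload, pos)
        pos += 2 + offset
    if end > len(udp_payload) or pos > end:
        raise ValueError("L2TP payload truncated")
    return {"control": bool(flags & 0x8000), "tunnel_id": tunnel_id,
            "session_id": session_id, "overhead": pos, "ppp": udp_payload[pos:end]}


# Constructed samples (not captured traffic): one PPP frame carrying IP (PPP protocol 0x0021), wrapped both ways.
PPP_FRAME = b"\x00\x21" + bytes(range(8))
PPTP_SAMPLE = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(PPP_FRAME), 0x1234, 7) + PPP_FRAME
L2TP_SAMPLE = struct.pack("!HHH", 0x0002, 5, 9) + PPP_FRAME
```

With the sequence number present, the PPTP sample carries 12 bytes of GRE header in front of the PPP frame, while the minimal L2TP data header is 6 bytes; a control message (T bit set) returns with an empty PPP field.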
IPSec tunnel mode
IPSec is a Layer 3 protocol standard that supports secure transmission of data over IP networks. This article gives a detailed overview of IPSec in the "Advanced Security Features" section; here only the aspect of IPSec that relates to tunneling protocols is discussed. In addition to its encryption mechanisms for IP traffic, IPSec defines a packet format for an IP-over-IP tunnel mode, generally referred to as IPSec tunnel mode. An IPSec tunnel consists of a tunnel client and a tunnel server, both configured to use IPSec tunneling and a negotiated encryption mechanism.
For secure transport over a private or public IP network, IPSec tunnel mode encapsulates and encrypts the entire IP packet. The encrypted payload is then encapsulated again with a plaintext IP header and sent across the network to the tunnel server. The tunnel server processes the received datagram: it removes the plaintext IP header and decrypts the content to recover the original payload IP packet, which is then processed normally and routed to its destination on the target network.
IPSec tunnel mode has the following features and limitations:
1. Only IP traffic is supported.
2. It works at the bottom of the IP stack, so applications and higher-level protocols inherit the behavior of IPSec.
3. It is controlled by a security policy (a complete set of filtering rules). The security policy establishes the available encryption mechanisms, tunneling mechanisms and authentication methods in priority order. When communication needs to be established, the two machines authenticate each other and then negotiate which encryption method to use. All subsequent traffic is encrypted with the negotiated mechanism and then encapsulated in the tunnel header.
IPSec is described in detail in the "Advanced Security Features" section later in this article.
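The policy-driven behaviour in point 3 above can be modelled compactly. The following is an added example, not code from the original article or from any IPSec implementation: an ordered list of filter rules decides whether traffic is bypassed, discarded or protected, the protecting rule names the tunnel peer for the outer IP header and the suites it accepts in priority order, and a simplified negotiation picks the first suite in the initiator's list that the responder also accepts. Rule contents, addresses and suite labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    src: str                 # CIDR selector for the local side
    dst: str                 # CIDR selector for the remote side
    action: str              # "protect", "bypass" or "discard"
    tunnel_peer: str = ""    # destination of the plaintext outer IP header when protecting
    suites: list = field(default_factory=list)  # acceptable suites, highest priority first


def lookup(policy, src_ip, dst_ip):
    """First-match filtering: rule order decides what happens to overlapping selectors."""
    for rule in policy:
        if ip_address(src_ip) in ip_network(rule.src) and ip_address(dst_ip) in ip_network(rule.dst):
            return rule
    return Rule("0.0.0.0/0", "0.0.0.0/0", "discard")  # nothing matched: default deny


def negotiate(initiator_suites, responder_suites):
    """Simplified agreement on an encryption method: the initiator's highest-priority
    suite that the responder also lists wins; None when there is no common suite."""
    for suite in initiator_suites:
        if suite in responder_suites:
            return suite
    return None


def decide(policy, src_ip, dst_ip, peer_suites):
    """Apply the policy to one packet; returns (action, suite, tunnel_peer)."""
    rule = lookup(policy, src_ip, dst_ip)
    if rule.action != "protect":
        return rule.action, None, None
    suite = negotiate(rule.suites, peer_suites)
    if suite is None:
        return "discard", None, None  # fail closed rather than send in the clear
    return "protect", suite, rule.tunnel_peer


# Constructed sample policy for a tunnel server in front of 10.1.0.0/16; suite names are labels only.
POLICY = [
    Rule("10.1.0.0/16", "10.1.0.0/16", "bypass"),  # local traffic never enters the tunnel
    Rule("10.1.0.0/16", "10.2.0.0/16", "protect", "203.0.113.10",
         ["aes256-sha2", "aes128-sha2", "3des-sha1"]),
]
```

Note that `negotiate` returns whichever common suite ranks highest for the initiator, so a legacy suite listed last is still a suite the policy accepts whenever the peer offers nothing else.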
Tunnel type
Different types of tunnels can be created.
1. Voluntary tunnels
A user or client computer configures and creates a voluntary tunnel by issuing a VPN request. In this case the client computer is an endpoint of the tunnel and acts as the tunnel client.
2. Compulsory tunnels
A compulsory tunnel is configured and created by a VPN-capable dial-up access server. In this case the client computer is not a tunnel endpoint; instead, a remote access server located between the client computer and the tunnel server acts as the tunnel client and becomes an endpoint of the tunnel.
Voluntary tunnels are currently the most commonly used type. Both types are described in detail below.
Voluntary tunnels
A voluntary tunnel is established when a workstation or router uses tunnel client software to create a virtual connection to the target tunnel server. For this to happen, the client computer must have the appropriate tunneling protocol installed. A voluntary tunnel requires an IP connection (over a LAN or a dial-up line). When dial-up is used, the client must establish a dial-up connection to the public Internet before the tunnel can be created. The most typical example is an Internet dial-up user who must dial the local ISP to obtain Internet connectivity before creating an Internet tunnel.
On an enterprise intranet, the client already has a connection to the corporate network, and the corporate network provides the route to the target tunnel server for the encapsulated payload.
Many people mistakenly believe that a VPN can only use a dial-up connection. In fact, a VPN only requires an internetwork that supports IP. Some clients, such as home PCs, obtain IP connectivity by dialing into the Internet; this is merely preparation for tunneling and is not part of the tunneling protocol.
Compulsory tunnels
Some vendors currently offer dial-up access servers that can create tunnels on behalf of dial-up clients. The computers or network devices that provide tunneling for client computers include front-end processors (FEPs) that support PPTP, L2TP access concentrators (LACs) that support L2TP, and secure IP gateways that support IPSec. This article mainly uses the FEP as its example. To function properly, the FEP must have the appropriate tunneling protocol installed and must be able to create a tunnel when a client computer establishes a connection.
Take the Internet as an example: a client makes a dial-up call to a tunnel-capable NAS located at a local ISP. An enterprise can, for instance, contract with an ISP to deploy FEPs for the enterprise across the country. These FEPs create tunnels across the Internet to the tunnel server connected to the enterprise's private network, allowing calls from different locations to be merged into a single Internet connection on the corporate network side.
Because clients can only use the tunnels created by the FEP, these are called compulsory tunnels. Once the initial connection succeeds, all client traffic is automatically routed through the tunnel. With a compulsory tunnel, the client computer establishes a single PPP connection; when the client dials into the NAS, a tunnel is created and all traffic is automatically routed through it. The FEP can be configured to tunnel all dial-up clients to a specified tunnel server, or to create different tunnels based on user name or destination.
Voluntary tunneling creates a separate tunnel for each client. A tunnel built between the FEP and the tunnel server, by contrast, can be shared by multiple dial-up clients without creating a new tunnel for each one. As a result, data from multiple clients may pass through one tunnel, and the tunnel is torn down only after the last tunnel user disconnects.
Advanced Security Features
Although the Internet makes it very convenient to create VPNs, strong security features are needed to ensure that enterprise internal networks are protected from external attacks and that enterprise data is delivered safely over the public network.
Symmetric and asymmetric encryption (private key and public key)
In symmetric (private-key, also called conventional) encryption, both parties to the communication share a secret key. The sender uses the key in a mathematical operation to encrypt plaintext into ciphertext; the receiver uses the same key to restore the ciphertext to plaintext. The RSA RC4 algorithm, the Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA) and Skipjack are all symmetric encryption methods.
In asymmetric (public-key) encryption, the communicating parties use two different keys: a private key known only to the sender and a corresponding public key that anyone can obtain. The private and public keys are mathematically related; one is used to encrypt data and the other to decrypt it.
Public-key technology also allows information to be digitally signed. A digital signature is produced by encrypting part of the transmitted message with the sender's private key. When the receiver receives the message, it decrypts the digital signature with the sender's public key, thereby verifying the sender's identity.
Certificates
When symmetric encryption is used, the sender and receiver use a shared encryption key, which must be distributed before encrypted communication can take place. When asymmetric encryption is used, the sender encrypts the information or digital signature with a private key, and the receiver decrypts it with the public key. The public key can be freely distributed to any party that needs to receive the encrypted or digitally signed information; the sender only has to protect the private key.
To ensure the integrity of a public key, the public key is published in a certificate. A certificate (or public-key certificate) is a data structure digitally signed by a certificate authority (CA); the CA signs the certificate with its own private key. If the receiver knows the CA's public key, it can verify that the certificate was issued by that CA and therefore contains reliable information and a valid public key.
In summary, a public-key certificate provides a convenient and reliable way to verify the identity of the sender. IPSec can optionally use this method for end-to-end authentication, and RAS can use public-key certificates to authenticate users.
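The chain described in the two passages above (a CA signs the certificate; the receiver trusts only the CA's public key, checks the certificate, then checks the sender's signature) is shown below as an added example, not code from the original article. It uses Ed25519 sign/verify from the `cryptography` package as the modern form of "encrypting with the private key", and a deliberately minimal signed structure stands in for an X.509 certificate; all keys and names are constructed on each run.

```python
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey


def raw_public_bytes(private_key):
    """32-byte raw encoding of the public half of an Ed25519 key."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def issue_certificate(ca_key, subject, subject_public):
    """The CA binds a subject name to a public key by signing the fields with its private key."""
    tbs = json.dumps({"subject": subject, "public_key": subject_public.hex()}, sort_keys=True).encode()
    return {"tbs": tbs, "ca_signature": ca_key.sign(tbs)}


def verify_certificate(cert, ca_public_bytes):
    """Receiver knows only the CA's public key: returns (subject, public key) or None if not issued by that CA."""
    try:
        Ed25519PublicKey.from_public_bytes(ca_public_bytes).verify(cert["ca_signature"], cert["tbs"])
    except InvalidSignature:
        return None
    fields = json.loads(cert["tbs"])
    return fields["subject"], bytes.fromhex(fields["public_key"])


def verify_signed_message(message, signature, cert, ca_public_bytes, expected_sender):
    """Accept only if the certificate is from the trusted CA, names the expected sender,
    and the message signature verifies under the certified public key."""
    certified = verify_certificate(cert, ca_public_bytes)
    if certified is None or certified[0] != expected_sender:
        return False
    try:
        Ed25519PublicKey.from_public_bytes(certified[1]).verify(signature, message)
        return True
    except InvalidSignature:
        return False


# Constructed demonstration keys (generated fresh on every run, not real identities).
CA_KEY = Ed25519PrivateKey.generate()
SENDER_KEY = Ed25519PrivateKey.generate()
IMPOSTOR_KEY = Ed25519PrivateKey.generate()
CA_PUBLIC = raw_public_bytes(CA_KEY)
SENDER_CERT = issue_certificate(CA_KEY, "tunnel-client.example", raw_public_bytes(SENDER_KEY))
```

A certificate issued by any key other than the trusted CA fails at the first check, and a signature made with a key other than the certified one fails at the second, so the receiver never needs to have distributed the sender's public key in advance.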
Extensible Authentication Protocol (EAP)
As discussed earlier, PPP provides only limited authentication. EAP is an extension of PPP proposed by the IETF that allows a PPP connection to be authenticated by an arbitrary method. EAP supports dynamically adding authentication plug-in modules at both the client and server ends of a connection.
EAP Transport Layer Security (EAP-TLS)
EAP-TLS has been submitted to the IETF as a draft proposal for a strong authentication method based on public-key certificates. With EAP-TLS, the client transfers to the dial-in service