Internet Security Protocols Chapters 5 Outline Security protocols

  • Slides: 32
Download presentation
Internet Security Protocols Chapters 5

Internet Security Protocols Chapters 5

Outline • Security protocols at various layers (esp. , L 2 TP) • IP

Outline • Security protocols at various layers (esp. , L 2 TP) • IP Security protocol (IPsec) 2

Security protocols for the TCP/IP networks • To provide security over a network connection,

Security protocols for the TCP/IP networks • To provide security over a network connection, typically cryptographical mechanisms are applied. • When data (d) is sent from the sender (S) to the receiver (R), the following must be provided: – – – Confidentiality Data integrity Data origin integrity 3

Security protocols for the TCP/IP networks • Security services may be provided at one

Security protocols for the TCP/IP networks • Security services may be provided at one or more layers: – – • Application layer security protocols Transport layer Network layer Data link layer (aka. network access layer) Corresponding layers at both the sender and the receiver must implement compatible security protocols. 4

Tunneling vs Encapsulation • Encapsulation: – A higher layer packet is “encapsulated” into a

Tunneling vs Encapsulation • Encapsulation: – A higher layer packet is “encapsulated” into a lower layer packet, with a new lower layer header added. • • HTTP is encapsulated into the TCP layer. TCP is encapsulated into the IP. Etc. Tunneling – a packet at a certain layer, L 1, is encapsulated into another layer, L 2, which is either the same or higher than L 1. 5

VPNs at different OSI layers • The layer where VPN is constructed affects its

VPNs at different OSI layers • The layer where VPN is constructed affects its functionality. – Example: In encrypted VPNs, the layer where encryption occurs determines (i) how much traffic gets encrypted (ii) the level of transparency for the end users • Data link layer VPNs (Layer-2) – – Example protocols: Frame Relay, ATM Drawbacks: • • – Expensive - Requires dedicated Layer 2 pathways may not have complete security – mainly segregation of the traffic, based on types of Layer 2 connection Q: Is L 2 TP a layer 2 VPN? 6

VPNs at different OSI layers • Network layer VPNs (Layer-3) – Created using layer

VPNs at different OSI layers • Network layer VPNs (Layer-3) – Created using layer 3 tunneling and/or encryption Q: difference between encapsulation and tunneling ? See http: //computing-dictionary. thefreedictionary. com/tunneling%20 protocol – Example: IPsec, GRE, L 2 TP (tunneling layer 2 traffic by using the IP layer to do that) – Advantages: • A ‘proper’ layer – – • Low enough: transparency High enough: IP addressing Cisco focuses on this layer for its VPNs. 7

VPNs at different OSI layers • Application layer VPNs – Created to “work” specifically

VPNs at different OSI layers • Application layer VPNs – Created to “work” specifically with certain applications – Example: SSL-based VPNs (providing encryption between web browsers and servers running SSL) SSH (encrypted and secure login sessions to network devices) – Drawbacks: • – May not be seamless (transparency issue) Counter-argument: Open. VPN and SSL VPN Revolution (Hosner, 2004) “The myth that Secure Socket Layer (SSL) Virtual Private Network devices (VPNs) are used to connect applications together is not true. … A VPN is a site-to-site tunnel. … There is a terrible misunderstanding in the industry right now that pigeon-holes SSL VPNs into the same category with SSL enabled web servers and proxy servers. … A VPN, or Virtual Private Network, refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. … A VPN device is used to create an encrypted, non-application oriented tunnel between two machines that allows these machines or the networks they service to exchange a wide range of traffic regardless of application or protocol. This exchange is not done on an application by application basis. It is done on the entire link between the two machines or networks and arbitrary traffic may be passed over it. …” 8

Other Classification of VPNs ? • • Intranet VPNs vs Extranet VPNs Remote Access

Other Classification of VPNs ? • • Intranet VPNs vs Extranet VPNs Remote Access VPNs vs Site-to-site VPNs 9

Layer 2 Tunneling Protocol • • An example of network layer VPN: use IP

Layer 2 Tunneling Protocol • • An example of network layer VPN: use IP packets to encapsulate Layer 2 frames Previous RFC (v 2) RFC 2661 Layer Two Tunneling Protocol L 2 TP W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter. August 1999 (PROPOSED STANDARD) A standard method for tunneling Point-to-Point Protocol (PPP) [RFC 1661] sessions - Note: L 2 TP has since been adopted for tunneling a number of other L 2 protocols (e. g. , Ethernet, Frame Relay, etc). L 2 TPv 3 [RFC 3931] 10

Point-to-Point Protocol (PPP [RFC 1661]) - - - PPP defines an encapsulation mechanism for

Point-to-Point Protocol (PPP [RFC 1661]) - - - PPP defines an encapsulation mechanism for transporting multiprotocol packets across layer 2 (L 2) point-to-point links. PPP relies on the Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. It has a family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols. Typically, a user obtains a L 2 connection to a Network Access Server (NAS) using one of a number of techniques (e. g. , dialup POTS, ISDN, ADSL, etc. ) and then runs PPP over that connection. Example: A customer uses a dialup modem or a DSL line to connect to the ISP or the company’s modem pool. Dial client (PPP peer) PPP NAS (e. g. , ISP) In such a configuration, the L 2 termination point and PPP session endpoint reside on the same physical device (i. e. , the NAS). 11

Layer 2 Tunneling Protocol • Types of L 2 TP Tunnels 1. Compulsory L

Layer 2 Tunneling Protocol • Types of L 2 TP Tunnels 1. Compulsory L 2 TP Tunneling The client is completely unaware of the presence of an L 2 TP connection. The L 2 TP Access Concentrator (LAC) is aware of L 2 TP. Figure 12 -3: (client) PPP + Data (LAC) L 2 TP + Data (LNS) 12

Layer 2 Tunneling Protocol • Types of L 2 TP Tunnels (cont. ) 2.

Layer 2 Tunneling Protocol • Types of L 2 TP Tunnels (cont. ) 2. Voluntary L 2 TP Tunneling The client is aware of the presence of an L 2 TP connection. The LAC is unaware of L 2 TP. Figure 12 -4: (client) PPP + L 2 TP + Data (LAC) L 2 TP + Data (LNS) 13

Layer 2 Tunneling Protocol (cont. ) • L 2 TP - L 2 TP

Layer 2 Tunneling Protocol (cont. ) • L 2 TP - L 2 TP extends the PPP model by allowing the L 2 and PPP endpoints to reside on different devices interconnected by a packet -switched network. - With L 2 TP, a user has an L 2 connection to an L 2 TP access concentrator (LAC, e. g. , modem bank, ADSL DSLAM, etc. ), and the concentrator then tunnels individual PPP frames to the L 2 TP Network Server (LNS). (See Fig. 12 -1) Dial client (PPP peer) PPP LAC L 2 TP tunnel LNS - This allows the actual processing of PPP packets to be divorced from the termination of the L 2 circuit. 14

Layer 2 Tunneling Protocol (cont. ) • A typical L 2 TP scenario (from

Layer 2 Tunneling Protocol (cont. ) • A typical L 2 TP scenario (from RFC 2661) 15

Layer 2 Tunneling Protocol (cont. ) RFC 3931 Layer Two Tunneling Protocol - Version

Layer 2 Tunneling Protocol (cont. ) RFC 3931 Layer Two Tunneling Protocol - Version 3 (L 2 TPv 3) J. Lau, Ed. , M. Townsley, Ed. , I. Goyret, Ed. March 2005 (PROPOSED STANDARD) L 2 TPv 3 defines the base control protocol and encapsulation for tunneling multiple Layer 2 connections between two IP nodes. L 2 TPv 3 consists of (1) the control protocol for dynamic creation, maintenance, and teardown of L 2 TP sessions, and (2) the L 2 TP data encapsulation to multiplex and demultiplex L 2 data streams between two L 2 TP nodes across an IP network. 16

Layer 2 Tunneling Protocol (cont. ) • L 2 TP (according to The. Free.

Layer 2 Tunneling Protocol (cont. ) • L 2 TP (according to The. Free. Dictionary, http: //computingdictionary. thefreedictionary. com/L 2 TP) • A protocol from the IETF that allows a PPP session to travel over multiple links and networks. (Note: a limitation of L 2 TPv 2) • L 2 TP is used to allow remote users access to the corporate network. • PPP is used to encapsulate IP packets from the user's PC to the ISP, and L 2 TP extends that session across the Internet. • L 2 TP was derived from Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L 2 F) technology. 17

Layer 2 Tunneling Protocol (cont. ) • From Access Concentrator to Network Server •

Layer 2 Tunneling Protocol (cont. ) • From Access Concentrator to Network Server • • • The "L 2 TP Access Concentrator" (LAC) encapsulates PPP frames with L 2 TP headers and sends them over the Internet as UDP packets (or over an ATM, frame relay or X. 25 network). At the other end, the "L 2 TP Network Server" (LNS) terminates the PPP session and hands the IP packets to the LAN. L 2 TP software can also be run in the user's PC. Carriers also use L 2 TP to offer remote points of presence (POPs) to smaller ISPs. Users in remote locations dial into the carrier's local modem pool, and the carrier's LAC forwards L 2 TP traffic to the ISP's LNS. user original IP packet (p) PPP+p LAC L 2 TP+PPP+p LNS • L 2 TP and IPsec • L 2 TP does not include encryption (as does PPTP), but is often used with IPsec in order to provide virtual private network (VPN) connections from remote users to the corporate LAN. 18

L 2 TP Operations • Assumptions: Compulsory tunneling • The Procedure: 1. 2. 3.

L 2 TP Operations • Assumptions: Compulsory tunneling • The Procedure: 1. 2. 3. 4. 5. • The Client initiates a PPP connection to the LAC. The LAC does LCP negotiation with the client, and challenges the client for authentication credentials. The client supplies the credentials (such as user name, domain name, password). The LAC uses the domain name to ascertain which LNS it needs to contact (in the case of multiple domains). The LAC begins establishing an L 2 TP tunnel with the LNS. Two Stages of L 2 TP Tunnel Setup: 1. 2. – Set up a control session between the LAC and the LNS. Set up the actual L 2 TP tunnel for passing the data (aka. ‘creating the session’) Notes: • Between a pair of LAC and LNS, there may exist multiple tunnels. • Across a single L 2 TP tunnel, there may exist multiple sessions. 19

L 2 TP Tunnel Setup (from RFC 2661) 20

L 2 TP Tunnel Setup (from RFC 2661) 20

L 2 TP Operations • Control Connection Establishment - Securing the peer’s identity, identifying

L 2 TP Operations • Control Connection Establishment - Securing the peer’s identity, identifying the peer’s L 2 TP version, framing, etc. - Figure 12 -5: 1. LAC SCCRQ (start-control-connection-request) LNS 2. LAC SCCRP (start-control-connection-reply LNS 3. LAC SCCN (start-control-connection-connected LNS -------------------------------------------LAC ZLB ACK LNS The ZLB ACK is sent if there are no further messages waiting in queue for that peer. 21

L 2 TP Operations • Session Establishment A session may be created after successful

L 2 TP Operations • Session Establishment A session may be created after successful control connection is established. Each session corresponds to a single PPP stream between the LAC and the LNS. Session establishment is directional: - - Incoming call: The LAC asks the LNS to accept a session; Outgoing call: The LNS asks the LAC to accept a session Figure 12 -6 (Incoming Call Establishment): 1. LAC ICRQ (Incoming-Call-Request) LNS 2. LAC ICRP (Incoming-Call-Reply LNS 3. LAC ICCN (Incoming-Call-Connected LNS -------------------------------------------LAC ZLB ACK LNS The ZLB ACK is sent if there are no further messages waiting in queue for that peer. 22

23

23

L 2 TP Message Header 24

L 2 TP Message Header 24

L 2 TP Control Messages (from RFC 2661) 25

L 2 TP Control Messages (from RFC 2661) 25

L 2 TP Authentication (from RFC 2661) • • Authentication, Authorization and Accounting may

L 2 TP Authentication (from RFC 2661) • • Authentication, Authorization and Accounting may be provided by the Home LAN's Management Domain, which is behind the LNS. In that case, the LAC performs proxy authentication, by passing authentication information back and forth between the user and the LNS. 26

L 2 TP Operations • Case Studies: - Setting up compulsory L 2 TP

L 2 TP Operations • Case Studies: - Setting up compulsory L 2 TP Tunneling Figure 12 -10 27

L 2 TP Operations • Case Studies (cont. ) - Protecting L 2 TP

L 2 TP Operations • Case Studies (cont. ) - Protecting L 2 TP Traffic using IPsec in a compulsory tunneling setup Figure 12 -11 NOTE: L 2 TP encapsulation occurs before IPSec processing. 28

L 2 TPv 3 Topology (from RFC 3931) • L 2 TP operates between

L 2 TPv 3 Topology (from RFC 3931) • L 2 TP operates between two L 2 TP Control Connection Endpoints (LCCEs), tunneling traffic across a packet network. • There are three predominant tunneling models in which L 2 TP operates: LAC-LNS (or vice versa), LAC-LAC, and LNS-LNS. 29

L 2 TPv 3 Topology (from RFC 3931) 30

L 2 TPv 3 Topology (from RFC 3931) 30

L 2 TPv 3 Topology (from RFC 3931) 31

L 2 TPv 3 Topology (from RFC 3931) 31

L 2 TPv 3 Topology (from RFC 3931) 32

L 2 TPv 3 Topology (from RFC 3931) 32