VPN construction with independence of client environment

25 January 2007
Shin Takeuchi (University of Tsukuba)

Agenda
1. VPN
   - Site-to-Site connection
   - Remote-to-Site connection
   - IP security protocol
   - SSL-VPN
2. Solution
3. Experiment
4. Implementation
5. Conclusion

1. VPN

VPN: Site-to-Site connection
(Figure: Site A and Site B joined by a VPN across the Internet.)
- IPsec is the usual choice for a Site-to-Site VPN connection
  - Many devices (routers, firewalls) support IPsec

VPN: Remote-to-Site connection
(Figure: a remote user joined to a site by a VPN across the Internet.)
- SSL-VPN is the usual choice for remote access
  - PPTP is also common

IP security protocol (IPsec) (1/3): packet formats
Original IP packet: IP Header | TCP Header | payload
- Transport mode, AH:  IP Header | AH Header | TCP Header | payload
- Transport mode, ESP: IP Header | ESP Header | TCP Header | payload | ESP Trailer | ESP Auth
- Tunnel mode, AH:     Tunnel IP Header | AH Header | IP Header | TCP Header | payload
- Tunnel mode, ESP:    Tunnel IP Header | ESP Header | IP Header | TCP Header | payload | ESP Trailer | ESP Auth

IPsec (2/3): what is authenticated
Original IP packet: IP Header | TCP Header | payload
- Transport mode, AH:  the whole packet (IP Header, AH Header, TCP Header, payload); AH zeroes the mutable IP header fields (TOS, flags/fragment offset, TTL, header checksum) before computing the ICV
- Transport mode, ESP: ESP Header through ESP Trailer; the ICV is carried in ESP Auth and the outer IP Header is NOT covered
- Tunnel mode, AH:     the whole packet, including the Tunnel IP Header (minus mutable fields) and the inner IP Header
- Tunnel mode, ESP:    ESP Header, inner IP Header, TCP Header, payload, ESP Trailer; the Tunnel IP Header is NOT covered

IPsec (3/3): what is encrypted
Original IP packet: IP Header | TCP Header | payload
- Transport mode, AH:  nothing; AH provides integrity only
- Transport mode, ESP: TCP Header, payload, ESP Trailer; the IP Header and ESP Header stay in cleartext
- Tunnel mode, AH:     nothing
- Tunnel mode, ESP:    inner IP Header, TCP Header, payload, ESP Trailer; only the Tunnel IP Header and ESP Header stay in cleartext
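The three IPsec slides are easiest to check with a packet in hand. The following is an added example written for this page, not code from the presentation: it builds a tunnel-mode ESP packet and a tunnel-mode AH packet around a constructed inner IP/TCP packet and then verifies the ICV over exactly the bytes the slides say are covered. The key is a constructed constant (a real SA gets its keys from IKE), the "encryption" is a SHA-256 keystream XOR standing in for AES, and the addresses and payload are constructed; field offsets, the AH mutable-field list and the ESP trailer layout follow RFC 4302/4303.

```python
"""Added example (not the author's code): a toy model of what AH and ESP
authenticate and what ESP encrypts, matching the three IPsec slides.
Assumptions: a constructed key (real SAs get keys from IKE), a SHA-256
keystream XOR standing in for AES, and constructed addresses/payload."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"          # constructed, not an IKE-negotiated key
ICV_LEN = 16                           # 128-bit truncated HMAC (HMAC-SHA-256-128)
ESP_HDR_LEN = 8                        # SPI (4) + sequence number (4)
AH_FIXED_LEN = 12                      # next header, payload len, reserved, SPI, seq
OFF_TTL, OFF_SRC = 8, 12               # byte offsets inside the outer IPv4 header

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; checksum left 0 (it is mutable and zeroed for AH)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def inner_packet():
    """Constructed inner IP/TCP packet (the 'Original IP packet' of the slides)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 1024, 0, 0)
    data = b"hello from 192.168.0.10"
    return ipv4_header("192.168.0.10", "10.0.0.5", 6, len(tcp) + len(data)) + tcp + data

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def keystream_xor(data):
    """Toy confidentiality: XOR with a SHA-256 counter keystream. Not AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(KEY + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_esp_tunnel(outer_src, outer_dst, spi=0x1001, seq=1):
    """Tunnel IP | ESP header | encrypt(inner | pad | pad len | next=4) | ICV."""
    inner = inner_packet()
    pad_len = (-(len(inner) + 2)) % 4
    plain = inner + bytes(pad_len) + bytes([pad_len, 4])     # ESP trailer
    body = struct.pack("!II", spi, seq) + keystream_xor(plain)
    body += icv(body)                  # ICV covers ESP header + ciphertext only
    return ipv4_header(outer_src, outer_dst, 50, len(body)) + body

def verify_esp(pkt):
    body = pkt[20:]                    # the outer IP header is not authenticated
    return hmac.compare_digest(icv(body[:-ICV_LEN]), body[-ICV_LEN:])

def decrypt_esp(pkt):
    """Return (next header, inner packet) after stripping the ESP trailer."""
    plain = keystream_xor(pkt[20 + ESP_HDR_LEN:-ICV_LEN])
    pad_len, next_hdr = plain[-2], plain[-1]
    return next_hdr, plain[:len(plain) - 2 - pad_len]

def ah_auth_base(pkt):
    """Bytes AH authenticates: outer header with mutable fields (TOS, flags and
    fragment offset, TTL, checksum) zeroed, AH header with ICV zeroed, payload."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0; hdr[6:8] = b"\0\0"; hdr[OFF_TTL] = 0; hdr[10:12] = b"\0\0"
    ah_end = 20 + AH_FIXED_LEN
    return bytes(hdr) + pkt[20:ah_end] + bytes(ICV_LEN) + pkt[ah_end + ICV_LEN:]

def build_ah_tunnel(outer_src, outer_dst, spi=0x2002, seq=1):
    """Tunnel IP | AH header (with ICV) | inner packet, left in cleartext."""
    inner = inner_packet()
    ah_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2                 # RFC 4302 payload len
    ah_fixed = struct.pack("!BBHII", 4, ah_len, 0, spi, seq)
    pkt = (ipv4_header(outer_src, outer_dst, 51, AH_FIXED_LEN + ICV_LEN + len(inner))
           + ah_fixed + bytes(ICV_LEN) + inner)
    ah_end = 20 + AH_FIXED_LEN
    return pkt[:ah_end] + icv(ah_auth_base(pkt)) + pkt[ah_end + ICV_LEN:]

def verify_ah(pkt):
    ah_end = 20 + AH_FIXED_LEN
    return hmac.compare_digest(icv(ah_auth_base(pkt)), pkt[ah_end:ah_end + ICV_LEN])

def patched(pkt, offset, value):
    """Copy of pkt with one byte changed, as an on-path modifier would do."""
    b = bytearray(pkt)
    b[offset] = value
    return bytes(b)

if __name__ == "__main__":
    esp = build_esp_tunnel("203.0.113.1", "198.51.100.2")
    ah = build_ah_tunnel("203.0.113.1", "198.51.100.2")
    print("ESP survives outer src change:", verify_esp(patched(esp, OFF_SRC, 9)))
    print("AH  survives outer src change:", verify_ah(patched(ah, OFF_SRC, 9)))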

SSL-VPN (1/3): packet formats
Original IP packet: IP Header | TCP Header | payload
- Reverse Proxy:   IP Header | TCP Header | Record Header | payload | MAC
- Port Forwarding: IP Header | TCP Header | Record Header | IP Header | TCP Header | payload | MAC
- L2-Tunneling:    IP Header | TCP Header | Record Header | Ethernet Header | IP Header | TCP Header | payload | CRC | MAC
(Record Header and MAC belong to the SSL record layer carried over the outer TCP connection.)

SSL-VPN (2/3): what is authenticated
Original IP packet: IP Header | TCP Header | payload
- Reverse Proxy:   the record payload (application data); the MAC covers it
- Port Forwarding: the tunnelled IP Header, TCP Header and payload inside the record
- L2-Tunneling:    the tunnelled Ethernet Header, IP Header, TCP Header, payload and CRC inside the record
In every mode the outer IP Header and TCP Header are outside the MAC.

SSL-VPN (3/3): what is encrypted
Original IP packet: IP Header | TCP Header | payload
- Reverse Proxy:   the record payload
- Port Forwarding: the tunnelled IP Header, TCP Header and payload
- L2-Tunneling:    the tunnelled Ethernet Header, IP Header, TCP Header, payload and CRC
In every mode the outer IP Header, TCP Header and Record Header stay in cleartext; the MAC is appended to the record.

Motivation
- Setup difficulty
  - Configuring a VPN is a burden for ordinary users
  - We need more "Simplicity"
- Must be "Static"
  - Each endpoint requires a "Static" IP address
  - Site-to-Site: "Static"-"Static"; Remote-to-Site: "Dynamic"-"Static"
  - We need more "Flexibility"

Idea
- Implement an application
  - Simple VPN configuration for clients
  - "Dynamic"-"Dynamic" connection
- Introduce the "VPN-Management-Server"
  - The VPN-Management-Server takes over the burdensome procedure
- Which protocol should we use?

3. Experiment

Experiment with selection of protocol
- Criterion
  - Connectivity (connect or disconnect)
- Target
  - IPsec vs. SSL-VPN
- Experimental networks
  - University of Tsukuba campus network (Univ. Tsukuba)
  - Tsukuba WAN
  - Kyushu GigaPOP Project (QGPOP)
  - Network Organization for Research and Technology in Hokkaido (NORTH)
  - Japan Science and Technology Agency (JST)
  - Commercial Internet Service Provider (ISP)

Result of the Experiment
Rows are Endpoint A, columns are Endpoint B, in the order Univ. Tsukuba, Tsukuba WAN, QGPOP, NORTH, JST, ISP.
○: connect, ×: disconnect, ‐: not tested. Cells are listed in the order they were recovered; some cells of the original slide matrix did not survive extraction.

IPsec
  Univ. Tsukuba   × × ×
  Tsukuba WAN     × ○ ○ ○ × ○
  QGPOP           × ○ ‐ ‐ × ‐
  NORTH           × ○ ‐ ‐
  JST             × × × ‐ ‐ ‐
  ISP             × ○ ‐ ‐

SSL-VPN
  Univ. Tsukuba   ○ ○ ○
  Tsukuba WAN     ○ ○ ○
  QGPOP           ○ ○ ‐ ‐ ○ ○
  NORTH           ○ ○ ‐ ‐
  JST             ○ ○ ○ ‐ ‐ ○
  ISP             ○ ○ ○ ‐

SSL-VPN is more suitable than IPsec!

4. Implementation

Implementation of the proposed system
- Environment
  - OS: Windows
  - Language: C++
  - Library: openssl-0.9.8c
  - USB token: iKey 1000
- Features
  - When the USB token is inserted into a PC, the VPN is established
- Example use
  - Sharing data in a meeting

Procedure sequence (Client and VPN-Management-Server)
1. SSL connection from the client to the VPN-Management-Server
2. SSL authentication: the client verifies the server's certificate, the server verifies the client's certificate
3. The client sends a Request carrying its own IP address (client IP address) as application data
4. The server checks the source IP address in the IP header against the IP address included in the application data
5. The server registers:
   - the client certificate serial number
   - the source IP address (from the IP header)
   - the IP address (from the application data)
   - the IP classification information

System architecture (figure recovered as a component list)

VPN-Management-Server
- Auth info: CA private/public key, server private/public key
- Certification issue and SSL auth
- Registry: client certificate serial number, header IP address, payload IP address, IP classification information (Global IP / Private IP)
- Client environment judge: references the registry and compares the header IP address with the payload IP address
- VPN module: references the client information and creates the VPN-Server parameters: virtual IP, access point IP, connect port, encryption algorithm, communication protocol

Client
- USB token (iKey): IC chip storage holding the CA public key and the client private/public key
- Application program: SSL connect and SSL auth against the server, sends packets to the VPN module
- VPN module: tun/tap device, virtual interface creation, packet routing

VPN-Server
- VPN connection to the client (virtual IP, access point IP, connect port, encryption algorithm, communication protocol)
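The server-side "Check" and "Register" steps of the procedure sequence, and the "Client environment judge" of the architecture, reduce to comparing an address the server observed with one the client claimed. The following is an added example written for this page, not the author's C++ implementation: the record fields, the Registry class and the rejection rule for an unverifiable global address are this example's own choices, and the serial numbers and addresses are constructed. In a real server header_ip would come from the accepted TLS socket's peer address and cert_serial from the client certificate that the TLS handshake already verified.

```python
"""Added example (not the author's C++ implementation): the server-side
"Check" and "Register" steps of the procedure sequence. Assumptions: the
record fields and the Registry class are this example's own; serial numbers
and addresses are constructed; IPv4 only."""
import ipaddress
from dataclasses import dataclass

# "Private IP" as the slides use it: RFC 1918 plus loopback and link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class ClientRecord:
    cert_serial: str     # serial number of the verified client certificate
    header_ip: str       # source address from the IP header (observed by the server)
    payload_ip: str      # address the client reported in application data (self-claimed)
    classification: str  # "Global IP" or "Private IP"
    behind_nat: bool     # header and payload addresses differ

def classify(addr):
    ip = ipaddress.ip_address(addr)
    return "Private IP" if any(ip in net for net in PRIVATE_NETS) else "Global IP"

def check_request(cert_serial, header_ip, payload_ip):
    """Compare the observed and the claimed address; raise ValueError on a
    request the server should not register."""
    h, p = ipaddress.ip_address(header_ip), ipaddress.ip_address(payload_ip)
    if h.version != 4 or p.version != 4:
        raise ValueError("IPv4 only in this example")
    if p.is_multicast or p.is_unspecified:
        raise ValueError("client reported an unusable address")
    # Only the header address was actually observed. A claimed *global* address
    # that differs from it cannot be verified, so it is rejected rather than
    # registered (assumption: the slides describe the comparison, this
    # rejection rule is the example's own).
    if classify(payload_ip) == "Global IP" and h != p:
        raise ValueError("claimed global address does not match observed source")
    return ClientRecord(cert_serial, str(h), str(p), classify(payload_ip), h != p)

class Registry:
    """Keyed by certificate serial number, so a client whose dynamic address
    changes simply re-registers and overwrites its own entry."""
    def __init__(self):
        self._records = {}

    def register(self, record):
        self._records[record.cert_serial] = record
        return record

    def lookup(self, cert_serial):
        return self._records.get(cert_serial)

    def by_class(self, classification):
        return sorted(s for s, r in self._records.items()
                      if r.classification == classification)

if __name__ == "__main__":
    reg = Registry()
    # constructed requests: a NATed laptop, a directly connected host, a spoofed claim
    for serial, hdr, pay in [("1A2B", "203.0.113.7", "192.168.1.20"),
                             ("1A2C", "203.0.113.8", "203.0.113.8"),
                             ("1A2D", "203.0.113.9", "198.51.100.1")]:
        try:
            r = reg.register(check_request(serial, hdr, pay))
            print(serial, r.classification, "behind NAT" if r.behind_nat else "direct")
        except ValueError as e:
            print(serial, "rejected:", e)
```

The security point is in the asymmetry of the two addresses: the header address is evidence, the payload address is a claim bound to the client only by the certificate it authenticated with, so the registry should record which one it trusted for what and never let a self-reported global address override the observed one.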

5. Conclusion

Conclusion
- VPN
  - IPsec and SSL-VPN
- Focus on the following problems
  - Setup difficulty
  - Must be "Static" IP
- My application
  - Simple VPN configuration for clients
  - Enables "Dynamic"-"Dynamic" connection

Thank you!
Thanks go to Prof. Kasahara for arranging this session. I appreciate the network support of Prof. Okamura (Kyushu Univ.). Thanks also to Prof. Okamoto and to researchers Dr. Oyama and Dr. Inomata for their support and guidance.