Proposal and Evaluation of GSRAv2 that Enables Remote Access from Home

Kenta Suzuki 1,a)  Hidekazu Suzuki 1,b)  Kensaku Asahi 1,c)  Akira Watanabe 1,d)

Received: September 21, 2012, Accepted: March 1, 2013

Abstract: The demand for remote access technologies is increasing. Widely used technologies such as IPsec-VPN, SSL-VPN, OpenVPN and PacketiX VPN each have merits and demerits; in particular, constraints appear when the terminal is in a private address space. We have previously proposed GSRA (Group-based Secure Remote Access), which resolves the demerits of the above technologies, but it assumes that the terminal has a global address. In this paper we propose GSRAv2, with which the terminal can have a private address while the GSRA features are maintained. A trial system shows that GSRAv2 has superior performance compared with the other technologies.

Keywords: remote access, NAT traversal, VPN, access control

1 Graduate School of Science and Technology, Meijo University, Nagoya, Aichi 468-8502, Japan
a) kenta.suzuki@wata-lab.meijo-u.ac.jp
b) hsuzuki@meijo-u.ac.jp
c) asahi@meijo-u.ac.jp
d) wtnbakr@meijo-u.ac.jp

1.
[The Japanese body text of this section was lost in extraction. Surviving terms and citations: VPN (Virtual Private Network); IPsec-VPN [1], [2]; SSL-VPN [3]; OpenVPN [4]; PacketiX VPN [5]; GSRA (Group-based Secure Remote Access) [6], [7].]

© 2013 Information Processing Society of Japan (pp. 1751-1760)
[Section 1 continues; body text not recoverable. Surviving terms: OpenVPN, PacketiX VPN, SSL-VPN, GSRA, NAT, NAT-f (NAT-free protocol) [8], IPsec-VPN, IP, FreeBSD, GSRAv2. The surviving outline states that Section 2 covers existing methods, Section 3 GSRA, Section 4 GSRAv2, followed by Sections 5, 6 and 7.]

2.
[Body text not recoverable. This section covers IPsec-VPN, SSL-VPN, OpenVPN and PacketiX VPN and defines the terms EN (External Node) and IN (Internal Node) used throughout the paper.]

2.1 IPsec-VPN
[Body text not recoverable. Surviving terms: IKE (Internet Key Exchange) [1], ESP (Encapsulating Security Payload) [2], IP, NAT.]

2.2 SSL-VPN
[Body text not recoverable. Surviving terms: SSL, DMZ (DeMilitarized Zone), Web, EN, NAT.]

2.3 OpenVPN
[Body text not recoverable. Surviving terms: TUN/TAP [9], EN.]
[Section 2.3 continues; surviving terms: Ethernet, TCP/UDP, IP, DNS, LAN.]

2.4 PacketiX VPN
[Body text not recoverable. Surviving terms: EN, IN, NIC, VPN, SSL, NAT; PacketiX VPN tunnels over TCP, which gives rise to the TCP over TCP problem *1 [10].]

3. GSRA
[Body text not recoverable. Surviving terms: NAT-f, EN, NAT. Notation: G_x, P_x and V_x denote the global, private and virtual IP addresses of node x (x = NodeID); s, d, t and m denote port numbers; G_x:s denotes address G_x with port s; Group_i has the group key GK_i; translated address pairs are written as G_x:s and G_y:d.]

*1 [Footnote on TCP over TCP; text not recoverable.]

Fig. 1  An example of a remote access configuration with GSRA.

Table 1  An example of Access Control Table.
  Host Name | IP Address | Service | Group
  Alice     | P_IN       | d/tcp   | Group1
  Alice     | P_IN       | e/udp   | Group2

3.1
[Body text not recoverable. Surviving content: GSRA uses NAT-f for NAT traversal. In the configuration of Fig. 1 the EN and IN1 belong to Group1 and IN2 to Group2; the GSRA router holds the ACT (Access Control Table), which records each IN's IP address and the services each group may use. With Table 1, members of Group1 may access TCP port d of Alice and members of Group2 UDP port e.]

3.2
[Body text not recoverable. Surviving terms: Fig. 2, EN, GSRA router, GK, DNS, IN, the GSRA router's global IP address G_GR.]
Fig. 2  Negotiation of GSRA.

[Body text not recoverable. The steps (1) to (5) of Fig. 2, as far as the surviving fragments show: (1) the EN sends a DNS query for the IN "Alice"; the GSRA router (G_GR) returns a DNS reply carrying a virtual address V_IN in place of the IN's real address, and the EN records Alice, G_GR and V_IN in its NRT (Name Relation Table). (2) The EN creates an entry for V_IN in its VAT (Virtual Address Translation table). (3) The EN sends a Group Authentication Request for Group1 to the GSRA router, which checks the ACT and returns a Group Authentication Response carrying port t; the EN records t in the VAT. (4) The GSRA router sends a Mapping Request from G_GR:t to the EN, and the EN returns a Mapping Response. (5) Communication with the IN proceeds with the address translation of Fig. 3, the EN translating through its VAT and the GSRA router translating between the virtual and real addresses of the IN.]

Fig. 3  Remote access with address translation process.

4.
[Body text not recoverable. Surviving terms: GSRA, EN, NAT, HR (Home Router).]
4.1
[Body text not recoverable. Surviving content: the Mapping Request that the GSRA router sends to the EN does not reach an EN behind an HR, because the HR performs NAT and SPI (Stateful Packet Inspection); for TCP, the HR's SPI admits a flow only after the EN has sent a TCP SYN outward.]

4.2
[Body text not recoverable. Surviving terms of the Fig. 4 description: EN, V_IN, TCP SYN, ICMP, HR, GSRA router, VAT, SPI; two TCP SYNs appear in the exchange.]

4.3 GSRAv2
[Body text not recoverable. Surviving content of Fig. 5: GSRAv2 keeps the GSRA negotiation but replaces the router-initiated Mapping Request with Bind Requests sent by the EN: BReq_t for TCP (a TCP SYN to the GSRA router), BReq_u for UDP (a UDP packet to the GSRA router) and BReq_i for ICMP, answered by BRes_i. Because BReq_t and BReq_u leave the EN through the HR first, the HR holds NAT and SPI state for the flows.]

Fig. 4  The principle of the proposed method.

Fig. 5  Negotiation of GSRAv2.
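The following is an added illustration, not the authors' code or the paper's protocol definition, of the point Sections 4.1 to 4.3 make: a home router that does NAT with stateful packet inspection drops an inbound packet unless an inside host has already sent traffic to that peer, so the GSRA router's Mapping Request never reaches an EN with a private address, while the EN-initiated Bind Request of GSRAv2 (BReq_t as a TCP SYN, BReq_u as a UDP packet) creates the state the reply needs. The HR model, the addresses (documentation ranges), the port numbers chosen for t and m, and the use of TCP for the GSRA Mapping Request are assumptions made for the example.

```python
"""Model of an HR (NAT + SPI) in front of an EN with a private address.

Added example, not from the paper. Outbound packets create a NAT mapping keyed
by the flow; inbound packets are admitted only through an existing mapping.
Addresses, ports and the transport used for the Mapping Request are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag; ignored for UDP


@dataclass
class HomeRouter:
    """NAT + SPI model. Inside hosts use private addresses P_x; the HR has G_HR."""
    public_ip: str
    next_port: int = 40000
    # (proto, P_src, sport, dst, dport) -> port mapped on the HR
    mappings: dict = field(default_factory=dict)
    # (proto, mapped port, peer, peer port) -> (P_src, sport)
    reverse: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """EN -> HR -> Internet. The first packet of a flow creates state."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.mappings:
            # SPI: a TCP flow is opened only by a SYN from the inside.
            if pkt.proto == "tcp" and not pkt.syn:
                return None
            mapped = self.next_port
            self.next_port += 1
            self.mappings[key] = mapped
            self.reverse[(pkt.proto, mapped, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, self.mappings[key],
                      pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> HR -> EN. Unsolicited packets are dropped (None)."""
        inside = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1], pkt.syn)


# Assumed example addresses and ports (not taken from the paper).
P_EN = "192.168.0.10"     # EN's private address behind the HR
G_HR = "203.0.113.5"      # HR's global address
G_GR = "198.51.100.20"    # GSRA router's global address
T = 5000                  # port t from the Group Authentication Response
M = 6000                  # port m the EN uses for its Bind Request


def gsra_mapping_request() -> Optional[Packet]:
    """GSRA: the GSRA router speaks first. Nothing has left the HR toward
    G_GR:t, so the HR has no state and drops the Mapping Request."""
    hr = HomeRouter(G_HR)
    return hr.inbound(Packet("tcp", G_GR, T, G_HR, M, syn=True))


def gsrav2_bind_request(proto: str):
    """GSRAv2: the EN sends BReq_t (TCP SYN) or BReq_u (UDP) to G_GR:t first.
    The GSRA router answers the translated address it saw and the HR delivers
    the reply to P_EN:m. Returns (delivered dst, dport) or None."""
    hr = HomeRouter(G_HR)
    breq = hr.outbound(Packet(proto, P_EN, M, G_GR, T, syn=(proto == "tcp")))
    assert breq is not None and breq.src == G_HR     # now G_HR:mapped
    reply = Packet(proto, G_GR, T, breq.src, breq.sport, syn=(proto == "tcp"))
    delivered = hr.inbound(reply)
    return (delivered.dst, delivered.dport) if delivered else None


def tcp_without_syn() -> Optional[Packet]:
    """A non-SYN TCP segment from the inside opens no SPI state either."""
    hr = HomeRouter(G_HR)
    return hr.outbound(Packet("tcp", P_EN, M, G_GR, T, syn=False))


if __name__ == "__main__":
    print("GSRA Mapping Request delivered:", gsra_mapping_request())
    print("GSRAv2 BReq_t reply delivered to:", gsrav2_bind_request("tcp"))
    print("GSRAv2 BReq_u reply delivered to:", gsrav2_bind_request("udp"))
```

The model deliberately keys inbound admission on the full peer address and port, as an address-and-port-restricted NAT does; if a real HR were only address-restricted, the GSRA router could answer from a port other than t and still get through, but GSRAv2's per-protocol Bind Requests do not depend on that leniency.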
[Section 4.3 continues; surviving terms: HR, Group Authentication Request, EN, GSRA router.]

5.
[Implementation of GSRAv2 on FreeBSD. Body text not recoverable; surviving terms: GSRA router, EN, IP.]

5.1
[EN implementation. Body text not recoverable; surviving content of Fig. 6: the EN module hooks the FreeBSD kernel functions ip_input() and ip_output() and holds the NRT and VAT; the GSRAv2 module is built on the GSRA module.]

Fig. 6  Module configuration of EN.

5.2
[GSRA router implementation. Body text not recoverable; surviving content of Fig. 7: NAT is performed by natd, the FreeBSD NAT daemon, fed through a divert socket; the GSRA module holds the ACT.]

Fig. 7  Module configuration of GSRA router.

6.
[Evaluation of GSRAv2.]

6.1
[Qualitative comparison; body text not recoverable. Surviving terms: HR, IPsec-VPN, IPsec, OpenVPN, PacketiX VPN, DHCP, IN, EN, SSL-VPN, GSRAv2, OS.]

Table 2  Comparison of remote access methods.
[Columns: IPsec-VPN, SSL-VPN, OpenVPN, PacketiX VPN, GSRAv2; row labels not recoverable.]
[Section 6.1 continues; body text not recoverable. Surviving content: SSL-VPN is tied to Web applications; "1:1" appears for IPsec-VPN and SSL-VPN; OpenVPN and PacketiX VPN are contrasted with GSRA and GSRAv2; PacketiX VPN tunnels over TCP and is subject to TCP over TCP; GSRAv2 is implemented only for FreeBSD and its EN has no GUI.]

6.2
[Performance measurement against IPsec-VPN, OpenVPN and PacketiX VPN; body text not recoverable. Surviving settings: IPsec-VPN on FreeBSD 7.2 with racoon2-20090327c; openvpn-2.0.6 on FreeBSD 7.2; PacketiX VPN with the EN on Windows 7 running PacketiX Ver.3.0. Fig. 8 shows the measurement environment and Table 3 the devices; all NICs are 1000Base-T, and a Dummynet [11] box between the EN and the IN imposes the delay and loss of Table 4 (conditions A and B, checked with ping). Every VPN uses AES with a 128-bit key. IPsec-VPN uses IKEv2 [1]; OpenVPN runs in UDP mode rather than TCP mode to avoid TCP over TCP; IPsec-VPN encrypts with ESP, OpenVPN and PacketiX VPN with SSL, and GSRAv2 with PCCOM [12].]

Fig. 8  Measurement environment.

Table 3  Device specification.
  Device       | OS          | CPU                | Memory
  EN           | FreeBSD 7.2 | Pentium 4 3.40 GHz | 1 GB
  Home Router  | FreeBSD 7.2 | Pentium 4 3.00 GHz | 512 MB
  Dummynet     | FreeBSD 8.0 | Pentium 4 2.80 GHz | 512 MB
  VPN Server   | FreeBSD 7.2 | Pentium 4 3.40 GHz | 2 GB
  IN           | FreeBSD 7.2 | Pentium 4 2.80 GHz | 1 GB

Table 4  Parameter of Dummynet.
  Condition | Delay | Packet loss
  A         | 0 ms  | 0%
  B         | 10 ms | 0.05%
[Measurement results; body text not recoverable. Each measurement was repeated 10 times. (1) Negotiation time was captured with Wireshark *2 at the EN; for IPsec-VPN and GSRAv2 the connection was triggered with wget *3 toward the IN. Surviving values from Fig. 9: IPsec-VPN establishes the IKE SA and the IPsec SA with the IKE_SA_INIT and IKE_AUTH exchanges, 212 ms in total, of which two round trips (2 x 2 x 10 ms = 40 ms) are network delay and 172 ms is other processing, followed by the TCP three-way handshake; for OpenVPN the values 2.6 and 50 survive without their units (SSL handshake); PacketiX VPN takes 224 ms, which includes assigning the EN's virtual NIC an IP address by DHCP; GSRAv2 takes 61 ms, of which three round trips account for 60 ms and processing at the EN and GSRA router about 1 ms. GSRAv2 needs one more round trip than GSRA's two, i.e. 20 ms more under condition B. (2) Throughput was measured by fetching a 1 GB file *4 from the IN with wget. Surviving values from Fig. 10: the 1000Base-T LAN without any VPN gives 932 Mbps; through the HR's NAT alone 98.4 Mbps; GSRAv2 achieves 91.9 Mbps; the figure 1.3 survives for GSRAv2 against PacketiX VPN under condition A without its context.]

Fig. 9  Result of a measurement of negotiation time.

Fig. 10  Results of throughput measurement.

*2 http://www.wireshark.org/
*3 http://www.gnu.org/software/wget/
*4 dd if=/dev/zero of=dummy.file bs=1m count=1000
[Section 6.2 continues; surviving terms: IPsec-VPN, OpenVPN, PacketiX VPN, GSRA, PCCOM, GSRAv2; under condition B PacketiX VPN is affected by TCP over TCP.]

6.3
[IPv6; body text not recoverable. Surviving content: GSRAv2 addresses IPv4 NAT; NAT for IPv6 is discussed in [13], [14]; applying GSRAv2 to IPv6 is left for future work.]

7.
[Conclusion; body text not recoverable. Surviving terms: GSRA, HR, GSRAv2.]

References
[1] Kaufman, C., Hoffman, P., Nir, Y. and Eronen, P.: Internet Key Exchange Protocol Version 2 (IKEv2), RFC 5996, IETF (2010).
[2] Kent, S.: IP Encapsulating Security Payload (ESP), RFC 4303, IETF (2005).
[3] Dierks, T. and Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2, RFC 5246, IETF (2008).
[4] OpenVPN Technologies, Inc.: OpenVPN Open Source VPN, available from http://openvpn.net/.
[5] SoftEther Corporation: PacketiX VPN 3.0, available from http://www.softether.co.jp/jp/vpn3/.
[6] (Japanese title and authors lost in extraction; title contains "NAT"), DICOMO2010, Vol.2010, No.1, pp.288-294 (2010).
[7] (Japanese title and authors lost in extraction; title contains "NAT"), Vol.51, No.9, pp.1881-1891 (2010).
[8] (Japanese title and authors lost in extraction; title contains "NAT" and "NAT-f"), Vol.48, No.12, pp.3949-3961 (2007).
[9] Krasnyansky, M.: Universal TUN/TAP device driver, available from http://www.kernel.org/pub/linux/kernel/people/marcelo/linux-2.4/documentation/networking/tuntap.txt.
[10] Titz, O.: Why TCP Over TCP Is A Bad Idea, available from http://sites.inka.de/sites/bigred/devel/tcp-tcp.html.
[11] Rizzo, L.: Dummynet home page, available from http://info.iet.unipi.it/~luigi/dummynet/.
[12] (Japanese title and authors lost in extraction; title contains "NAT" and "PCCOM"), Vol.47, No.7, pp.2258-2266 (2006).
[13] Thaler, D., Zhang, L. and Lebovitz, G.: IAB Thoughts on IPv6 Network Address Translation, RFC 5902, IETF (2010).
[14] Wasserman, M. and Baker, F.: IPv6-to-IPv6 Network Prefix Translation, RFC 6296, IETF (2011).

[Author biographies (in Japanese) not recoverable.]