[Slide 1] T27: VPN - IP-VPN vs SoftEther
  - Presenter: Chief Technology Officer, mshindo@fivefront.com

[Slide 2] VPN timeline, 1996-2005
  - L2F
  - ATMP
  - PPTP
  - L2TP
  - IPsec
  - BGP/MPLS
  - SSL VPN
  - L2VPN (MPLS, VLAN, etc.)
[Slide 3] VPN encapsulation
  - Encapsulated (inner) protocols: IP, PPP, Ethernet, etc.
  - Carrier (outer) protocols: IP, TCP, UDP, MPLS, etc.

[Slide 4] PPTP: Point to Point Tunneling Protocol
  - RFC 2637 (Informational)
  - Microsoft, 3Com, Ascend (Lucent)
  - Windows, MacOS X
[Slide 5] PPTP VPN
  - Voluntary tunneling: the client itself runs PPP + PPTP (the PAC role) across the IP Network (e.g. Internet) to the PNS at the Home Network
  - Compulsory tunneling: PC - PPP - PAC - PPTP across the IP Network - PNS - Home Network

[Slide 6] PPTP control connection and call setup (PAC <-> PNS, incoming call)
  1. Start-Control-Connection-Request
  2. Start-Control-Connection-Reply
  3. Incoming-Call-Request
  4. Incoming-Call-Reply
  5. Incoming-Call-Connected
  6. Set-Link-Info
  7. GRE {PPP} (data)
  8. Call-Clear-Request
  9. Disconnect-Notify
  10. Stop-Control-Connection-Request
  11. Stop-Control-Connection-Reply
[Slide 7] Microsoft PPTP (client acts as PNS, server as PAC: outgoing call)
  1. Start-Control-Connection-Request
  2. Start-Control-Connection-Reply
  3. Outgoing-Call-Request
  4. Outgoing-Call-Reply
  5. Outgoing-Call-Connected
  6. Set-Link-Info
  7. GRE {PPP} (data)
  8. Call-Clear-Request
  9. Disconnect-Notify
  10. Stop-Control-Connection-Request
  11. Stop-Control-Connection-Reply

[Slide 8] Quick Review (PPTP)
  - Control connection: TCP
  - Data: IP / IPX over PPP over GRE over IP
[Slide 9] PPTP
  - Windows, Mac OS X, UNIX
  - PPP (e.g. RADIUS)
  - NAT
  - DoS

[Slide 10] PPTP and NAT
  - PPP is carried in GRE (Generic Routing Encapsulation; IP Protocol = 47)
  - GRE is neither TCP nor UDP, so NAT has a problem with it
[Slide 11] PPTP GRE header
  Layout:
    C | R | K | S | s | Recur | A | Flags | Ver | Protocol Type
    Key (HW) = Payload Length | Key (LW) = Call ID
    Sequence Number (Optional)
    Acknowledgement Number (Optional)
  Field values in PPTP:
    - C (Checksum present): 0
    - R (Routing present): 0
    - K (Key present): 1
    - S (Sequence Number present): 1 for data packets, 0 for acknowledgment-only packets
    - s (Strict source route): 0
    - Recur (recursion control): 0
    - A (Acknowledgment Number present): set when an acknowledgment is carried
    - Flags: 0
    - Ver: 1
    - Protocol Type: 0x880B
    - Key (HW), Payload Length: upper 16 bits of the Key field, the length of the PPTP payload
    - Key (LW), Call ID: lower 16 bits of the Key field, the PPTP Call ID
    - Sequence Number
    - Acknowledgment Number

[Slide 12] L2TP: Layer 2 Tunneling Protocol
  - RFC 2661 (Standards Track)
  - Cisco, Ascend (Lucent), Microsoft, Redback
  - L2F + PPTP (LCP, L2F, PPTP)
  - Windows 2000 and later Windows
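The enhanced GRE header summarised above, built and parsed in Python as an added example (not from the presentation and not from any PPTP implementation). The bit layout and the PPTP-specific field values follow the table; the function names and the sample packet are constructed for illustration. The parser rejects anything that is not a well-formed PPTP packet, which also makes the NAT point visible: there is no TCP/UDP port in this header, only a Call ID, so a NAT device has to understand IP protocol 47 to do anything useful with it.

```python
import struct

# Constants fixed by RFC 2637 for the enhanced GRE header that carries PPTP.
PPTP_GRE_PROTOCOL_TYPE = 0x880B   # Protocol Type: PPP inside GRE
PPTP_GRE_VERSION = 1              # Ver = 1 ("enhanced" GRE); plain RFC 1701 GRE uses 0
IP_PROTOCOL_GRE = 47              # GRE's IP protocol number: no TCP/UDP ports for NAT to rewrite

HEADER_FMT = "!BBHHH"             # flag byte, flags/ver byte, Protocol Type, Payload Length, Call ID
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes before the optional seq/ack words


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Build one PPTP data packet: enhanced GRE header followed by the PPP frame.

    seq is present (S=1) whenever a payload is carried; ack (A=1) is optional and
    piggybacks the highest in-sequence number received from the peer.  An
    ack-only packet has no payload and S=0.
    """
    if not 0 <= call_id <= 0xFFFF:
        raise ValueError("Call ID is a 16-bit field")
    if len(payload) > 0xFFFF:
        raise ValueError("Payload Length is a 16-bit field")
    # Byte 0: C R K S s Recur(3).  PPTP sets K=1 (Key present); S=1 only with a payload.
    byte0 = (1 << 5) | ((1 << 4) if seq is not None else 0)
    # Byte 1: A Flags(4) Ver(3).  PPTP sets Flags=0 and Ver=1.
    byte1 = ((1 << 7) if ack is not None else 0) | PPTP_GRE_VERSION
    header = struct.pack(HEADER_FMT, byte0, byte1, PPTP_GRE_PROTOCOL_TYPE, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def parse_pptp_gre(packet):
    """Parse an enhanced GRE header and return its fields as a dict.

    Raises ValueError when the fixed fields differ from what PPTP requires,
    so a plain GRE packet or a truncated one is rejected rather than misread.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated GRE header")
    byte0, byte1, proto, length, call_id = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    f = {
        "C": (byte0 >> 7) & 1, "R": (byte0 >> 6) & 1, "K": (byte0 >> 5) & 1,
        "S": (byte0 >> 4) & 1, "s": (byte0 >> 3) & 1, "Recur": byte0 & 0x7,
        "A": (byte1 >> 7) & 1, "Flags": (byte1 >> 3) & 0xF, "Ver": byte1 & 0x7,
        "protocol_type": proto, "payload_length": length, "call_id": call_id,
        "seq": None, "ack": None,
    }
    # Values the slide lists as fixed for PPTP: C=R=s=Recur=Flags=0, K=1, Ver=1, 0x880B.
    if (f["C"], f["R"], f["K"], f["s"], f["Recur"], f["Flags"]) != (0, 0, 1, 0, 0, 0):
        raise ValueError("GRE flag bits are not the PPTP values (K=1, C/R/s/Recur/Flags=0)")
    if f["Ver"] != PPTP_GRE_VERSION or proto != PPTP_GRE_PROTOCOL_TYPE:
        raise ValueError("not enhanced GRE carrying PPP (Ver=1, Protocol Type 0x880B)")
    offset = HEADER_LEN
    for present, name in ((f["S"], "seq"), (f["A"], "ack")):
        if present:
            if len(packet) < offset + 4:
                raise ValueError("header claims a %s word that is not there" % name)
            f[name] = struct.unpack("!I", packet[offset:offset + 4])[0]
            offset += 4
    payload = packet[offset:offset + length]
    if len(payload) != length:
        raise ValueError("Payload Length exceeds the bytes actually present")
    f["payload"] = payload
    return f


def is_pptp_gre(packet):
    """True when the packet is a well-formed PPTP data or ack-only packet."""
    try:
        parse_pptp_gre(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: Call ID 5, sequence 1, piggybacked ack 3, a 4-byte PPP fragment.
    pkt = build_pptp_gre(5, b"\xff\x03\xc0\x21", seq=1, ack=3)
    print(pkt.hex())
    print(parse_pptp_gre(pkt))
```

The checks in parse_pptp_gre are deliberately strict: a middlebox or IDS that accepts any GRE version or any flag combination as "PPTP" will misparse the Key field (Payload Length / Call ID) of ordinary RFC 1701 GRE, so the fixed values from the slide are validated before the optional words are read.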
[Slide 13] L2TP
  - Tunnels PPP
  - Runs over UDP, Frame Relay, ATM, IP
  - Control messages carry AVPs (Attribute Value Pairs)

[Slide 14] L2TP VPN
  - Voluntary tunneling: the client runs PPP + L2TP (the LAC role) across the IP Network (e.g. Internet) to the LNS at the Home Network
  - Compulsory tunneling: PC - PPP(oE) - LAC (w/ AC) at the ISP - L2TP - LNS
[Slide 15] L2TP tunnel and session setup (LAC <-> LNS)
  1. SCCRQ
  2. SCCRP
  3. SCCCN
  4. ICRQ
  5. ICRP
  6. ICCN
  7. L2TP {PPP} (data)
  8. CDN
  9. StopCCN

[Slide 16] LAC / LNS tunnel authentication
  - Shared Secret configured on both LAC and LNS
[Slide 17] L2TP tunnel authentication exchange (LAC <-> LNS)
  1. SCCRQ w/ Challenge
  2. SCCRP w/ Challenge-Response & Challenge
  3. SCCCN w/ Challenge-Response

[Slide 18] L2TP vs PPTP
  - Voluntary tunnel: as with PPTP
  - Compulsory tunnel: L2TP
[Slide 19] Quick Review (L2TP)
  - IP / IPX over PPP over L2TP over UDP (etc.) over IP
  - L2TP can also run directly over IP, ATM, FR

[Slide 20] L2TP
  - NAT friendly
  - PPP
  - IPsec
[Slide 21] L2TPv3
  - draft-ietf-l2tpext-l2tp-base-14.txt
  - Not only PPP: other layer-2 payloads, directly over IP (Pseudo Wire)
  - Session ID and Tunnel ID extended to 32 bits

[Slide 22] IP-VPN
  - "IP-VPN": IP VPN? VPN over IP? VPN for IP?
  - BGP/MPLS VPN (a.k.a RFC2547)??
[Slide 23] IETF history
  - Network-based VPN (NBVPN) BOF: August 3, 2000, 48th IETF @ Pittsburgh
  - Provider Provisioned VPN (PPVPN) BOF: December 14, 2000, 49th IETF @ San Diego
  - Pseudo Wire Edge to Edge Emulation (PWE3) BOF: March 18-25, 2001, 50th IETF @ Minneapolis
  - L3VPN, L2VPN: Nov 12, 2003, 58th IETF @ Minneapolis

[Slide 24] IETF PPVPN taxonomy
  - Layer 3 VPN
    - PE-based: RFC2547 and its variants; VR
    - CE-based
  - Layer 2 VPN
    - PE-based: P2P (VPWS); P2MP (VPLS, IPLS)
    - CE-based
[Slide 25] BGP/MPLS VPN (RFC2547) (1): route distribution
  - Topology: CE (10.0.0.0/8) - PE(3.3.3.3) - P - P - PE(2.2.2.2) / PE(1.1.1.1) - CE (20.0.0.0/8)
  - CE-PE routing: Static, IGP (RIP/OSPF), eBGP
  - PE-PE: iBGP
  - Each PE holds a VRF (Virtual Routing & Forwarding) table
  - BGP UPDATE message from PE(3.3.3.3):
      NextHop = 3.3.3.3
      RT = 100:0
      NLRI = 200 (label) + RD + 10.0.0.0 (prefix)

[Slide 26] BGP/MPLS VPN (RFC2547) (2): packet forwarding
  - Label Binding between PE and P routers by LDP
  - Packet from CE (20.0.0.0/8) toward 10.0.0.0/8:
      ingress PE: L3 (VPN label) = 200, L2 (LDP label) = 15
      P: L3 = 200, L2 = 10 (Label=15 swapped to Label=10)
      last P: Penultimate Hop Popping removes L2, leaving L3 = 200
      PE(3.3.3.3): L3 = 200 selects the VRF; packet forwarded to CE (10.0.0.0/8)
[Slide 27] Quick Review (BGP/MPLS VPN)
  - Control: BGP
  - Data: IP over MPLS (inner) over MPLS (outer)

[Slide 28] BGP/MPLS VPN
  - NAT / Firewall
  - IP only
[Slide 29] BGP/MPLS VPN
  - SP (service provider) operated

[Slide 30] SSL VPN
  - IPsec vs SSL
[Slide 31] SSL VPN
  - Java Applet
  - ActiveX
  - L2
  - SOCKS
  - RDP

[Slide 32] SSL VPN
  - SSL
  - Web
[Slide 33] Java Applet approach
  - hosts file / localhost
  - SSL to the SSL VPN gateway
  - Java, Web

[Slide 34] ActiveX approach
  - L2 I/F
  - SSL to the SSL VPN gateway
  - ActiveX, L2
[Slide 35] Quick Review (SSL VPN)
  - HTTP / TCP session / UDP session / Any frame over SSL over TCP over IP

[Slide 36] SSL VPN vs
[Slide 37] VPN
  - NAT
  - DoS

[Slide 38] SoftEther
  - Virtual Ethernet
  - LAN Overlay
  - http://www.softether.com
[Slide 39] SoftEther

[Slide 40] SoftEther (PC to PC)
  - (diagram: LAN, LAN)

[Slide 41] SoftEther (PC to LAN)
  - (diagram: LAN, LAN, LAN)

[Slide 42] SoftEther (LAN to LAN)
  - (diagram: LAN, LAN)
[Slide 43] SoftEther vs IETF VPLS (Virtual Private LAN Service)
  - VPLS: Provider Provisioned (Compulsory), PE
  - SoftEther: Voluntary

[Slide 44] SoftEther
  - HTTP Proxy, SSH, SOCKS
  - NAT, Firewall, Proxy
  - SSL
[Slide 45] SoftEther CA

[Slide 46] SoftEther Hub
  - Layer 2 / Layer 3
  - VLAN
  - Hub ID
  - DHCP, IP
[Slide 47] LAN
  - VLAN
  - LAN
  - MAPI

[Slide 48] LAN (1)
  - and/or NAT

[Slide 49] LAN (2)
  - and/or NAT

[Slide 50] WEP
[Slide 51] TCP over TCP is considered harmful?
  - TCP over TCP, Adaptive TCP
  - CIPE: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

[Slide 52] SoftEther VPN 2.0
  - Hub
  - SDK
[Slide 53] SoftEther Hub

[Slide 54] SoftEther
  - SoftEther Signature
  - Keep Alive ping
  - TCP
[Slide 55] Quick Review (SoftEther)
  - Ethernet Frame (IP, IPX) over Ethernet over SSL over TCP over IP

[Slide 56] SoftEther
  - VPWS
  - VPLS
[Slide 57] Wish List to SoftEther Hub: 802.1X
  - PAE Supplicant - EAPOL - PAE Authenticator - RADIUS - Authentication Server

[Slide 58] SoftEther is not alone
  - Tun
  - OpenVPN: TCP or UDP; Ethernet, PPP, IP, etc.
[Slide 59] Other VPN software
  - CIPE: http://sites.inka.de/sites/bigred/devel/cipe.html
  - TinyVPN: http://www.shimousa.com/tv/
  - tinc: http://www.tinc-vpn.org/
  - Emotion Link: http://www.freebit.com/solution/emotion.html
  - HTTP Tunnel: http://www.http-tunnel.com

[Slide 60] VPN
  - All Mighty VPN
[Slide 61] Glossary
  AC      Access Concentrator
  ATM     Asynchronous Transfer Mode
  AVP     Attribute Value Pair
  BGP     Border Gateway Protocol
  BoF     Birds of Feather
  CDN     Call-Disconnect-Notify (L2TP)
  CE      Customer Edge
  CIPE    Crypto IP Encapsulation
  DHCP    Dynamic Host Configuration Protocol
  DoS     Denial of Service
  ebgp    External Border Gateway Protocol
  GRE     Generic Routing Encapsulation
  ibgp    Internal Border Gateway Protocol
  ICCN    Incoming-Call-Connected (L2TP)
  ICRP    Incoming-Call-Reply (L2TP)
  ICRQ    Incoming-Call-Request (L2TP)
  IP      Internet Protocol
  IPLS    IP LAN-like Service
  IPsec   IP Security
  ISP     Internet Service Provider
  L2F     Layer 2 Forwarding
  L2TP    Layer 2 Tunneling Protocol
  LAC     L2TP Access Concentrator
  LDP     Label Distribution Protocol
  LNS     L2TP Network Server
  MAPI    Messaging Application Programming Interface
  MPLS    Multi Protocol Label Switching
  NAT     Network Address Translation
  NLRI    Network Layer Reachability Information
  OSPF    Open Shortest Path First
  P       Provider (Router)
  P2MP    Point-to-Multipoint
  P2P     Point-to-Point
  PAC     PPTP Access Concentrator
  PE      Provider Edge
  PNS     PPTP Network Server
  PPP     Point-to-Point Protocol
  PPPoE   Point-to-Point Protocol over Ethernet
  PPTP    Point-to-Point Tunneling Protocol
  PPVPN   Provider-Provisioned Virtual Private Network
  RADIUS  Remote Access Dial In User Service
  RD      Route Distinguisher
  RDP     Remote Desktop Protocol
  RIP     Routing Information Protocol
  RT      Route Target
  SCCCN   Start-Control-Connection-Connected (L2TP)
  SCCRP   Start-Control-Connection-Reply (L2TP)
  SCCRQ   Start-Control-Connection-Request (L2TP)
  SSL     Secure Socket Layer
  StopCCN Stop-Control-Connection (L2TP)
  TCP     Transport Control Protocol
  UDP     User Datagram Protocol
  VLAN    Virtual Local Area Network
  VPLS    Virtual Private LAN Service
  VPN     Virtual Private Network
  VPWS    Virtual Private Wire Service
  VR      Virtual Router
  VRF     Virtual Routing and Forwarding
  WEP     Wired Equivalent Privacy