Internet Week 2000 T5: IPsec VPN (2000/12/18)

1. Virtual Private Network
2. IPsec
3. IPsec VPN
4. IPsec VPN
1. Virtual Private Network

VPN-related technologies: Ethernet, WAN; PPTP (PPP); IPSec; SSL/TLS; SOCKS V5; SSH, SSL-Telnet, PET; PGP, S/MIME
OSI layers and VPN approaches: SMTP with IPsec; SMTP with SSL; PGP, S/MIME (end to end); SMTP (https)
VPN types:
- LAN-to-LAN VPN (WAN)
- Remote Access VPN (Internet)
2. IPsec

IPsec (IP Security): for IPv4 and IPv6
- 1995 Aug: RFC1825-1829
- 1998 Nov: RFC2401-RFC2412 (IPsec Version 2)
IPsec documents (1)
- RFC2411 IP Security Document Roadmap
- RFC2401 Security Architecture for the Internet Protocol
- RFC2402 IP Authentication Header
- RFC2406 IP Encapsulating Security Payload (ESP)
- RFC2403 Use of HMAC-MD5-96 within ESP and AH
- RFC2404 Use of HMAC-SHA-1-96 within ESP and AH
- RFC2405 ESP DES-CBC Cipher Algorithm With Explicit IV
- RFC2410 NULL Encryption Algorithm and Its Use With IPsec
IPsec documents (2)
- RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
- RFC2412 OAKLEY Key Determination Protocol
- RFC2409 Internet Key Exchange (IKE)
- RFC2407 Internet IP Security Domain of Interpretation for ISAKMP

IPsec modes: Transport and Tunnel
- Transport mode: Host A <-> Host B (IPsec between the end hosts)
- Tunnel mode: Host A - Gateway X <-> Gateway Y - Host B (IPsec between the gateways; the original IP packet is encapsulated)
AH (RFC2402): Authentication Header, IP Protocol Number = 51
Fields: Next Header | Payload Len | RESERVED | Security Parameters Index (SPI) | Sequence Number Field | Authentication Data (variable)

ESP (RFC2406): Encapsulating Security Payload, IP Protocol Number = 50
Fields: Security Parameters Index (SPI) | Sequence Number Field | Payload Data (variable) | Padding (0-255 bytes) | Pad Length | Next Header | Authentication Data (variable)
AH/ESP authentication: the AH (or ESP) integrity check uses HMAC-MD5-96 (RFC2403) or HMAC-SHA-1-96 (RFC2404); HMAC (Keyed Hashing for Message Authentication), per RFC2401

IPsec AH/ESP datagram
IPsec SA and SPI
- SA (Security Association)
- SPI (Security Parameters Index)
- SA between Host A and Host B

IPsec notes
- Sequence Number Field: protection against replay attack
- ESP only, no AH
- ESP outer IP header (not covered by ESP authentication)
- IKE
IPsec key management
- Manual Key Management
- IKE (Internet Key Exchange: ISAKMP/Oakley)
  - Phase 1: IKE SA
  - Phase 2: IPSec SA
  - UDP Port 500

IKE
IKE Phase 1: Main Mode and Aggressive Mode
- Main Mode: 1. SA negotiation, 2. DH exchange, 3. authentication
- Aggressive Mode: SA and DH exchanged in fewer messages than Main Mode

IKE authentication methods
- Shared Secret
- Public Key Encryption
- Digital Certificate (X.509); X.509 and PKI (Public Key Infrastructure); IPsec-related PKI documents RFC2510, RFC2511, RFC2559
- Xauth (VPN)
IKE Phase 2: Quick Mode and PFS
- Quick Mode negotiates the IPsec SA, protected by the IKE SA (HMAC)
- PFS (Perfect Forward Secrecy): IPsec SA keys independent of the IKE SA keys
- Quick Mode with PFS performs a new DH exchange for the IPsec SA
3. IPsec VPN

VPN and Firewall placement alternatives: VPN in front of the Firewall, Firewall in front of the VPN, VPN between Firewalls
VPN routing: VPN gateway as default gateway, or a static route to the VPN gateway with a separate default gateway
Dynamic routing over VPN: RIP and OSPF rely on broadcast, which IPsec cannot carry; IPsec behaves as a "direct connect" link; Cisco IOS: GRE over IPsec

MTU issues (VPN overhead): fragmentation; DF (Don't Fragment) bit ON; ICMP Type=3/Code=4 (datagram too big = fragmentation needed); path MTU
VPN IP addressing and DNS: LAN-to-LAN VPN vs WAN; RFC1918 private addresses; NAT, Proxy; VPN and DNS; BIND 8.2
VPN and NAT: IPsec through NAT
- AH does not pass NAT
- ESP only (ESP-encrypted IP)
- 1:1 NAT; 1:N NAT based on tcp/udp port translation
- IKE: udp source/dest ports=500; port translation

VPN authentication
- IP address
- IPsec/IKE Shared Secret per IP address
- X.509 Digital Certificate
- RADIUS / One Time Password: IPsec/IKE extension at IETF (Xauth)
Remote Access VPN: IP address assignment to the client (Global address); VPN with DHCP, DNS; IETF IPsec/IKE (mode-config)
Remote access PC on VPN: Internet Web, Network Printer; VPN as default gateway vs "Split Tunneling"
[Figure: Split Tunneling]

VPN filtering: Source/Destination IP address, Port, TCP
VPN interoperability: IPsec
- S/WAN, ANX, ICSA, Interoperability Workshops
- NTT (98/5, 98/9, 99/5), vpnops (99/4, 99/6), JNSA
- Manual keying, IKE (shared secret), IKE (X.509)
- rekey, reboot
4. IPsec VPN

PPTP/L2F/L2TP
- PPTP (Point to Point Tunneling Protocol): Microsoft, Ascend; RAS; GRE (Generic Routing Encapsulation); TCP port 1723; RAS encryption MPPE (RC4 40bit), MS-CHAP; MS-CHAP with RADIUS; MS-CHAPv2; IPX as well as IP over PPTP
- Cisco L2F (Layer 2 Forwarding)
- L2TP (Layer 2 Tunneling Protocol)
PPTP implementations
- Windows NT 4.0 Server, Routing and RAS Update
- Extranet Switch, MN128SOHO/R
- Ascend MAX, 3COM Total Control
- Clients: Windows NT 4.0, Windows 98; Windows 95 + DialUp Networking 1.3 Upgrade

IPsec vs PPTP: LAN-to-LAN, Remote Access, Multi Vendor Interoperability
L2TP: ISP VPN; NTT ISDN; LAC (L2TP Access Concentrator), LNS (L2TP Network Server); compared with PPTP; with IPsec/IKE: L2TP+IPsec (L2TP carries PPP, IPsec protects it); Cisco, Ascend, 3COM (LAC/LNS); Nortel Extranet Switch (LNS)

Trends: VPN / VLAN; 1999: VPN (layer 2); 2000: IPsec VPN; 2000: IP QoS, IP VPN