DS420 Foundations of Distributed Systems, The Gershwin Project - Winter '99: Virtual Private Networks - Protocols
Various Protocols Used in the Implementation of VPNs
Cynthia Anderson
A virtual private network (sometimes known as an extranet) allows remote access to a private network's computing resources via a public network such as the Internet. As defined in Cisco Systems' "A Primer for Implementing a Cisco Virtual Private Network", "A VPN is an enterprise network deployed on a shared infrastructure employing the same security, management, and throughput policies applied in a private network." Virtual private networks allow businesses to connect telecommuters, customers, suppliers, satellite offices and mobile workers to a central network as long as they have access to the Internet. VPNs can be much less expensive than an ordinary WAN. In the July 1997 Byte Magazine article "A Virtual Private Affair" by Mike Hurwicz, it was stated that "The Internet provides WAN communications more cheaply and globally than a leased line, Frame Relay, or asynchronous transfer mode (ATM) network."
[Illustration of a Virtual Private Network (image not preserved), taken from "A Primer for Implementing a Cisco Virtual Private Network", http://www.cisco.com/warp/public/779/largeent/vpne/vpn21_rg.htm]
There are two basic architectures used in developing a VPN: uni-directional and bi-directional (tunnelling). An example of a uni-directional protocol is SOCKSv5. Examples of bi-directional protocols include the Point to Point Tunnelling Protocol (PPTP), Layer Two Forwarding (L2F), and the Internet Security Protocol (IPSec).
Compatible.com has an online example of a VPN located at http://www.compatible.com/intraport/index.html
SOCKSv5
David Koblas developed SOCKS in 1990. It is maintained by NEC Systems Laboratory. The SOCKS protocol was first approved by the IETF as an authenticated firewall traversal standard. SOCKS is a proxy protocol that allows the transfer of data across a firewall based on user authentication rather than on IP packet characteristics. Because of SOCKSv5's strong authentication, message integrity and confidentiality capabilities, it also provides a good foundation for a VPN (http://www.socks5.nec.com/about/faq.html). SOCKSv5 supports Username/Password and GSS-API based authentication schemes. For information on GSS-API authentication, see http://www.isoc.org/inet98/proceedings/rfc/1900/rfc1961.txt. A variety of encryption, tunnelling and key management methods are also supported.
With the use of SOCKSv5, data flow across networks is controlled at the Session level of the OSI model (level 5). There is a good illustration of the OSI model at http://www.whatis.com/osifig.htm. Since it operates at this level, SOCKSv5 can allow much more detailed access control. Tunnels can be created for individual applications, unlike tunnelling methods which operate at level 2 (L2P) and level 3 (PPTP), and once a tunnel has been established SOCKSv5 can limit access to specific applications based on user-level authorization.
SOCKSv5 permits uni-directional tunnels, which tend to secure a network better than bi-directional tunnels. (The following information was taken from http://www.aventail.com/index-phtml/solutions/white_papers/vpnmarketwp.phtml.) This is accomplished by proxying data between a source computer and a destination computer. "When used in conjunction with a firewall, data packets are passed through a single port (1080 by default) in the firewall to the proxy server." The information is then filtered and sent to the destination computer. This prevents multiple holes from being opened in the firewall for different applications. "For additional security, the VPN proxy server hides the address structure of the network, making it more difficult for confidential data to be cracked."
SOCKS is platform independent and can operate as a stand-alone protocol for a VPN, but it can also operate in conjunction with tunnelling protocols such as PPTP, L2P or others that are located at lower levels in the OSI model. When used in this capacity, a VPN's security level is greatly increased.
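The proxy-side checks described above (authenticate the user first, then admit only the applications that user is authorized for, all through the single proxy port), written here as an added Python example that is not the page's, NEC's or Aventail's code. The users, passwords and port policy are constructed, and only the IPv4 CONNECT command of RFC 1928 with the username/password method of RFC 1929 is handled.

```python
import hmac
import struct
from ipaddress import IPv4Address

USERS = {"alice": "s3cret", "bob": "hunter2"}               # constructed demo credentials
ALLOWED_PORTS = {"alice": {25, 80, 443}, "bob": {80, 443}}  # application ports each user may reach
USERPASS, NO_ACCEPTABLE = 0x02, 0xFF                        # SOCKSv5 method codes (RFC 1928)

def client_greeting(*methods):  # VER | NMETHODS | METHODS
    return bytes([5, len(methods), *methods])

def client_auth(user, password):  # RFC 1929: VER=1 | ULEN | UNAME | PLEN | PASSWD
    return bytes([1, len(user)]) + user.encode() + bytes([len(password)]) + password.encode()

def client_connect(ip, port):  # VER | CMD=CONNECT | RSV | ATYP=IPv4 | DST.ADDR | DST.PORT
    return b"\x05\x01\x00\x01" + IPv4Address(ip).packed + struct.pack("!H", port)

class Socks5Gate:
    """Server side of the exchange: the proxy admits traffic per authenticated user, not per source IP."""
    user = None  # set once RFC 1929 authentication succeeds

    def greeting(self, msg):
        ver, n = msg[0], msg[1]
        offered = msg[2:2 + n]
        if ver != 5 or len(offered) != n or USERPASS not in offered:
            return bytes([5, NO_ACCEPTABLE])   # anonymous-only clients are turned away
        return bytes([5, USERPASS])

    def authenticate(self, msg):
        if msg[0] != 1:
            return bytes([1, 1])
        ulen, user = msg[1], msg[2:2 + msg[1]].decode()
        plen = msg[2 + ulen]
        password = msg[3 + ulen:3 + ulen + plen].decode()
        expected = USERS.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.user = user
            return bytes([1, 0])               # STATUS 0 = success
        return bytes([1, 1])                   # any other status closes the connection

    def request(self, msg):
        fail = lambda rep: bytes([5, rep, 0, 1]) + bytes(6)   # REP codes from RFC 1928
        if self.user is None or msg[0] != 5:
            return fail(0x02)                  # not allowed by ruleset
        if msg[1] != 1 or msg[3] != 1:
            return fail(0x07)                  # only IPv4 CONNECT is handled here
        port = struct.unpack("!H", msg[8:10])[0]
        if port not in ALLOWED_PORTS[self.user]:
            return fail(0x02)                  # application not authorized for this user
        return bytes([5, 0, 0, 1]) + msg[4:10]  # success; echo destination as BND.ADDR/PORT
```

A real proxy would open the outbound socket on success; here the reply is built without one so the policy logic can be exercised offline.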
Disadvantages:
Again referring to Aventail's web site and documentation, http://www.aventail.com/index-phtml/solutions/white_papers/vpnmarketwp.phtml, disadvantages of SOCKSv5 include slightly slower performance than lower-level protocols, since it proxies traffic and adds an extra security layer, and the need for more sophisticated policy management than lower-level protocols require.
Point to Point Tunnelling Protocol (PPTP)
Point to Point Tunnelling Protocol (subsequently referred to as PPTP) from Microsoft is a bi-directional protocol. When mapped to the OSI network model, it maps to level 2, the data link level. PPTP uses the protocols PPP and TCP/IP in the creation of a virtual private network. According to Microsoft (http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm), PPTP is an extension of the PPP Internet protocol. PPP is the protocol used to transmit multi-protocol datagrams over point-to-point links. PPTP takes PPP packets and wraps them in IP datagrams for transmission over TCP/IP networks (i.e. the Internet). The actual creation of a VPN is completed by creating a PPTP tunnel. Referring to the above Microsoft address, Microsoft explains tunnelling as follows: "Tunnelling is the process of sending packets to a computer on a private network by routing them over some other network, such as the Internet." The PPTP tunnel is created when a client connects to an ISP via a PPP connection. A second call is then made over the PPP connection. "The second call creates the virtual private networking connection to a PPTP server on the private enterprise LAN; this is referred to as a tunnel." The IP-encapsulated PPP packets are sent over this second connection.
PPTP is generally client initiated. The following is a brief description of how a client might access and use a private network using the PPTP VPN protocol. The client connects to the Network Access Server located at the ISP's site. The client is then connected via the Internet to the PPTP server, which is connected to both the Internet and the private network. Data from the client is encrypted and encapsulated by PPTP in an IP wrapper and sent to the private network. Once the encapsulated data packet reaches the PPTP server, the IP wrapper is removed and the data is decrypted using the private network's protocol.
PPTP uses the PPP protocol to accomplish the following three functions (http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm):
1. PPP establishes and ends the connections between remote computers.
2. PPTP uses the PPP protocol to authenticate users. ("Clear text, encrypted, or Microsoft encrypted authentication can be used by PPP protocol")
3. PPP creates datagrams that can include encrypted IPX, NetBEUI, and/or TCP/IP data packets.
The IP datagrams that are transmitted over the PPTP tunnel are created using a modified version of the Internet Generic Routing Encapsulation (GRE) protocol. The datagram includes an IP header, which provides the information necessary to traverse the Internet; a GRE header, which encapsulates the PPP packet within the datagram; and the PPP packet, which is encrypted using RAS. With RAS encryption, both ends of the connection share the encryption key. Microsoft's implementation of RAS uses the user's password to encrypt the PPP packet: the encryption key is created by hashing the user's password, and this hash is stored on both the client and the server. When using the RSA RC4 standard the encryption key is 40 bits long; however, users in the United States and Canada can obtain a key of 128 bits.
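As an added example (not code from the page, from Microsoft, or from any PPTP implementation), the following Python dissects a PPTP data packet laid out as the paragraph describes: an IPv4 header, the modified ("enhanced") GRE header of RFC 2637, whose key field carries the payload length and call ID, and the encapsulated PPP packet. The addresses and packets are constructed; the PPP protocol field lets a defender tell a cleartext IP tunnel (0x0021) from a RAS/MPPE-encrypted one (0x00FD).

```python
import struct
from ipaddress import IPv4Address

GRE_PPTP_PROTO = 0x880B  # GRE protocol type carried in PPTP data packets
PPP_NAMES = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI", 0x00FD: "MPPE-encrypted"}

def build_sample(ppp_frame: bytes, call_id: int = 7, seq: int = 1) -> bytes:
    """Constructed test packet (not a capture): client 10.0.0.2 -> PPTP server 203.0.113.1."""
    # flags 0x30 = K (key present) + S (sequence present); 0x01 = no ack, version 1 (enhanced GRE)
    gre = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPTP_PROTO, len(ppp_frame), call_id, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(ppp_frame), 0, 0, 64, 47, 0,
                     IPv4Address("10.0.0.2").packed, IPv4Address("203.0.113.1").packed)
    return ip + gre + ppp_frame

def parse_pptp_packet(pkt: bytes) -> dict:
    """Return the fields a firewall rule or IDS signature would examine."""
    # IPv4 header: PPTP data rides on IP protocol 47 (GRE); TCP 1723 carries only the control channel
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or pkt[9] != 47:
        raise ValueError("not IPv4-over-GRE")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    gre = pkt[ihl:total_len]
    # enhanced GRE header: flags, version, protocol type, key = (payload length, call ID)
    flags, ver, proto, payload_len, call_id = struct.unpack("!BBHHH", gre[:8])
    if not flags & 0x20 or (ver & 0x07) != 1 or proto != GRE_PPTP_PROTO:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if flags & 0x10:                      # S bit: 32-bit sequence number follows
        seq, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if ver & 0x80:                        # A bit: 32-bit acknowledgment number follows
        ack, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    ppp = gre[off:off + payload_len]
    if len(ppp) != payload_len or not ppp:
        raise ValueError("truncated or empty PPP payload (ack-only packet)")
    # PPP frame: optional HDLC address/control (FF 03), then a 2-byte (even first byte) or
    # compressed 1-byte (odd) protocol field; 0x00FD marks an MPPE-encrypted (RAS) payload
    if ppp[:2] == b"\xff\x03":
        ppp = ppp[2:]
    if ppp[0] & 1:
        ppp_proto, data = ppp[0], ppp[1:]
    else:
        ppp_proto, data = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "call_id": call_id, "seq": seq, "ack": ack, "ppp_protocol": ppp_proto,
            "ppp_name": PPP_NAMES.get(ppp_proto, "other"),
            "encrypted": ppp_proto == 0x00FD, "data_len": len(data)}

# Constructed samples: a cleartext IP datagram and an MPPE-encrypted one inside PPTP tunnels
CLEARTEXT = build_sample(b"\xff\x03\x00\x21" + bytes(20), call_id=7, seq=1)
ENCRYPTED = build_sample(b"\xfd" + bytes(24), call_id=9, seq=2)
```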
Advantages:
PPTP is free. It comes with Windows NT 4.0 and can be downloaded from Microsoft's web site. It is easy to implement if you are working completely in a Microsoft environment.
Disadvantages:
It is platform dependent. According to BYTE magazine's article "A Virtual Private Affair", "PPTP requires IP (though it can tunnel IPX and NetBEUI, as well as PPP) and it doesn't include authentication for tunnel endpoints". Aventail's documentation (http://www.aventail.com/index-phtml/solutions/white_papers/vpnmarketwp.phtml) indicates that "the tunnel is bi-directional, so while it encrypts data traveling along the Internet, it does not provide a way to monitor or control what gets passed between the two points."
Layer Two Forwarding (L2F)
Layer Two Forwarding or L2F is another tunnelling protocol, developed by Cisco Systems. It is similar to PPTP in that L2F is a layer 2 tunnelling protocol, as its name denotes. L2F is also an extension of PPP. The differences between it and PPTP are that, as opposed to wrapping the PPP packets in IP, L2F uses layer 2 protocols such as Frame Relay and ATM to create tunnels, and L2F is server initiated. Another difference is that L2F provides authentication between tunnel endpoints. A good source of information regarding L2F is the documentation submitted by Cisco to the IETF: http://www.ietf.org/rfc/rfc2341.txt.
Advantages:
L2F provides authentication of end points.
Disadvantages: (from BYTE magazine http://www.byte.com/art/9707/sec6/art3.html)
L2F requires support in access servers and routers. Therefore an ISP has to support it.
Layer Two Tunnelling Protocol (L2TP)
Layer Two Tunnelling Protocol or L2TP is the combination of Microsoft's PPTP and Cisco's L2F. It is supposed to combine the best components of each tunnelling protocol. It is an emerging Internet Engineering Task Force (IETF) standard for tunnelling. As with PPTP and L2F, L2TP extends PPP. According to Microsoft (http://msdn.microsoft.com/library/backgrnd/html/msdn_vpn.htm), L2TP is a network protocol. It sends encapsulated PPP packets over IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM) networks. It can be used on a WAN without an IP transport layer. L2TP can also be configured to use IP as its datagram transport. When configured this way, it can be used as a tunnelling protocol over the Internet.
L2TP tunnel maintenance is accomplished by sending L2TP messages over IP internetworks using UDP. UDP is not connection based and therefore sends each packet as an independent message. Dropped packets are not retransmitted, which makes it more efficient than TCP. L2TP also uses UDP to transmit encapsulated PPP packets. The data contained in these packets can be encrypted and/or compressed.
Some of the differences between PPTP and L2TP include the following (http://msdn.microsoft.com/library/backgrnd/html/msdn_vpn.htm):
1. PPTP requires an IP internetwork. L2TP only requires that the internetwork support point-to-point connectivity.
2. PPTP can support only one tunnel between end points. L2TP can support multiple tunnels, and L2TP allows the construction of different tunnels for different qualities of service.
3. L2TP headers can be compressed to 4 bytes. PPTP's headers are 6 bytes.
4. L2TP provides end point authentication, unlike PPTP.
Note: When L2TP or PPTP are used over IPSec, IPSec provides tunnel authentication.
According to Cisco Systems (http://www.cisco.com/warp/public/732/l2tp/l2tp_qp.htm), the differences between L2F and L2TP are:
1. L2F does not support flow control of data, which can create problems with the transmission of data if the tunnel gets crowded (i.e. packets can be dropped, thus causing the retransmission of data). L2TP supports flow control.
2. L2TP allows outbound calls to remote users. L2F does not.
IPSec
IPSec is a level 3 protocol (network layer). It is the proposed IETF standard for creating secure IP connections over the Internet. Referring to Ken Masica's article "Securing IP: The IPSec protocol suite is expected to transform the Internet, but what does this technology actually do?", its security architecture consists of a suite of three protocols: the Encapsulating Security Payload (ESP), the Authentication Header (AH), and the Internet Security Association and Key Management Protocol (ISAKMP/Oakley), recently renamed the Internet Key Exchange (IKE). ESP provides both encryption and authentication services, AH provides datagram authentication, and "ISAKMP is a generic term for the application layer service that supports key management requirements of the IPSec's protocol". Another link with information regarding IPSec is http://www.whatis.com/ipsec.htm.
Disadvantages:
According to Microsoft's documentation (http://msdn.microsoft.com/library/backgrnd/html/msdn_vpn.htm):
1. An IPSec tunnel only supports IP traffic.
2. Applications and higher level protocols inherit IPSec's behavior, since IPSec is located at the bottom of the IP stack.
From Aventail (http://www.aventail.com/index-phtml/solutions/faqs/ipsec.phtml):
3. "IPSec requires significant changes to the current IPv4 infrastructure in order to be deployed."