Post on 28-Nov-2014
Layer 2 Virtual Private Network
2013-07-08
Outline
• Virtual Private Network (VPN)
– Point-to-Point Tunneling Protocol (PPTP)
– Layer Two Tunneling Protocol (L2TP)
• IP Tunnel
– Generic Routing Encapsulation (GRE)
• Experiment
Virtual Private Network
• A Virtual Private Network is the extension of a
private network that encompasses links across
shared or public networks like the Internet.
• VPN Techniques
– Tunneling
– Encryption & Decryption, Key management and Authentication
• VPN Types
– PPTP, L2TP
– IPSec, SSL VPN
Point-to-Point Tunneling Protocol (I)
• PPTP is a Layer 2 protocol that encapsulates
PPP frames in IP datagrams.
– TCP connection for tunnel maintenance
– GRE to encapsulate PPP frames for tunneled data
[Figure: PPTP architecture. The PNS (PPTP Network Server) and the PAC (PPTP Access Concentrator) are joined by a TCP control connection and by a tunnel carrying GRE-encapsulated PPP.]
Point-to-Point Tunneling Protocol (II)
• Control Connection
– Length: Total length of the PPTP message in bytes
– Message type
• Control Message (1)
• Management Message (2)
– Magic cookie: Always set to 0x1A2B3C4D
PPTP control message header (32-bit words):
  Length (16 bits) | Message Type (16 bits)
  Magic Cookie (32 bits)
Encapsulation: MAC header | IP header | TCP header | PPTP header | Data...
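The three header fields listed on this slide are enough to sanity-check a PPTP control message before anything after them is trusted. The following is an added example (not code from the slides): it unpacks Length, Message Type and Magic Cookie, rejects a cookie other than 0x1A2B3C4D, an unknown message type, or a Length that disagrees with the bytes actually received. The sample messages are constructed, and their 4-byte body is treated as opaque.

```python
"""Added example: validate the 8-byte prefix of a PPTP control message
(Length, PPTP Message Type, Magic Cookie) the way a receiver or a network
sensor would before trusting anything that follows."""
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_CONTROL = 1     # Control Message
PPTP_MSG_MANAGEMENT = 2  # Management Message
PPTP_HEADER_LEN = 8      # Length(2) + Message Type(2) + Magic Cookie(4)


def parse_pptp_control_header(data: bytes) -> dict:
    """Return the header fields and the message body, or raise ValueError
    when the header is inconsistent with the bytes actually received."""
    if len(data) < PPTP_HEADER_LEN:
        raise ValueError("truncated PPTP header")
    length, msg_type, cookie = struct.unpack("!HHI", data[:PPTP_HEADER_LEN])
    # The cookie is a fixed sentinel: a mismatch means the TCP stream is
    # desynchronised or this is not PPTP at all.
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie 0x{cookie:08X}")
    if msg_type not in (PPTP_MSG_CONTROL, PPTP_MSG_MANAGEMENT):
        raise ValueError(f"unknown PPTP message type {msg_type}")
    # Length counts the whole message including this header; never let it
    # point past the data we hold.
    if length < PPTP_HEADER_LEN or length > len(data):
        raise ValueError(f"length {length} inconsistent with {len(data)} bytes")
    return {
        "length": length,
        "message_type": msg_type,
        "magic_cookie": cookie,
        "body": data[PPTP_HEADER_LEN:length],
    }


def is_valid_pptp_header(data: bytes) -> bool:
    """Boolean wrapper for filtering code that only needs accept/reject."""
    try:
        parse_pptp_control_header(data)
        return True
    except ValueError:
        return False


# Constructed samples (not captured traffic): a 12-byte control message whose
# 4-byte body is opaque here, plus a bad-cookie and a bad-length variant.
SAMPLE_BODY = b"\x00\x01\x00\x00"
SAMPLE_CONTROL = struct.pack("!HHI", 12, PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE) + SAMPLE_BODY
SAMPLE_BAD_COOKIE = struct.pack("!HHI", 12, PPTP_MSG_CONTROL, 0xDEADBEEF) + SAMPLE_BODY
SAMPLE_BAD_LENGTH = struct.pack("!HHI", 200, PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE) + SAMPLE_BODY

if __name__ == "__main__":
    print(parse_pptp_control_header(SAMPLE_CONTROL))
    print(is_valid_pptp_header(SAMPLE_BAD_COOKIE), is_valid_pptp_header(SAMPLE_BAD_LENGTH))
```

The Length check matters most in practice: a receiver that slices the body by the advertised Length without comparing it to the bytes on hand will read past the message or stall waiting for data that never arrives.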
Point-to-Point Tunneling Protocol (III)
• Tunnel
– Enhanced GRE header
Encapsulation: MAC header | IP header | GRE header | PPP header | Data... (PPP header and Data: encrypted)
Enhanced GRE header (32-bit words):
  C | R | K | S | s | Recur (3 bits) | A | Flags (4 bits) | Ver (3 bits) | Protocol Type (16 bits)
  Key (HW) = Payload Length (16 bits) | Key (LW) = Call ID (16 bits)
  Sequence Number (optional, 32 bits)
  Acknowledgment Number (optional, 32 bits)
Layer Two Tunneling Protocol
• L2TP = PPTP + L2F (Layer 2 Forwarding)
• Control messages
– establish, maintain and close the tunnel
• Data messages
– encapsulate PPP frames over the tunnel
– Can use IPSec to encrypt L2TP packet
L2TP over IPSec packet layout: IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload | IPSec ESP Trailer | IPSec Auth Trailer
Layer Two Tunneling Protocol
• Header format
– The T bit specifies whether this is a data or control message.
• Data message (0)
• Control message (1)
L2TP header (32-bit words):
  T | L | x | x | S | x | O | P | x | x | x | x | Ver (4 bits) | Length (16 bits)
  Tunnel ID (16 bits) | Session ID (16 bits)
  Ns (optional, 16 bits) | Nr (optional, 16 bits)
  Offset Size (optional, 16 bits) | Offset Pad (optional)
Encapsulation: MAC header | IP header | UDP header | L2TP header | Data...
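The L2TP header on this slide is variable-length: Length, Ns/Nr and Offset Size/Pad are only present when the L, S and O bits say so, and the T bit decides whether the body goes to the control or the data path. The following is an added example (not code from the slides) that walks the header in that order and applies the consistency rules from RFC 2661 that a receiver needs before trusting the body: Ver must be 2, a control message must carry Length and Ns/Nr and no Offset, and Length must not exceed the bytes received. The two sample messages (a zero-length-body control acknowledgment and a data message carrying a PPP LCP frame behind a 2-byte Offset Pad) are constructed, not captured.

```python
"""Added example: parse the L2TP header (T L x x S x O P x x x x Ver, Length,
Tunnel ID, Session ID, Ns/Nr, Offset Size/Pad) with receiver-side checks."""
import struct

L2TP_VERSION = 2


def _take(data: bytes, off: int, fmt: str):
    """Unpack `fmt` at `off`, refusing to read past the end of the buffer."""
    size = struct.calcsize(fmt)
    if len(data) < off + size:
        raise ValueError("truncated L2TP header")
    return struct.unpack(fmt, data[off:off + size]), off + size


def parse_l2tp(data: bytes) -> dict:
    (flags,), off = _take(data, 0, "!H")
    hdr = {
        "T": (flags >> 15) & 1,   # 1 = control message, 0 = data message
        "L": (flags >> 14) & 1,   # Length field present
        "S": (flags >> 11) & 1,   # Ns/Nr present
        "O": (flags >> 9) & 1,    # Offset Size present
        "P": (flags >> 8) & 1,    # priority (data messages only)
        "Ver": flags & 0xF,
    }
    if hdr["Ver"] != L2TP_VERSION:
        raise ValueError(f"unsupported L2TP version {hdr['Ver']}")
    # Reserved x bits are ignored on receipt (RFC 2661), so they are not checked.
    # Control messages must carry Length and Ns/Nr and never an Offset.
    if hdr["T"] and not (hdr["L"] and hdr["S"] and not hdr["O"]):
        raise ValueError("control message with invalid L/S/O bits")
    length = None
    if hdr["L"]:
        (length,), off = _take(data, off, "!H")
        # Length covers the whole message, header included.
        if length < 2 or length > len(data):
            raise ValueError(f"Length {length} inconsistent with {len(data)} bytes")
    (hdr["tunnel_id"], hdr["session_id"]), off = _take(data, off, "!HH")
    if hdr["S"]:
        (hdr["ns"], hdr["nr"]), off = _take(data, off, "!HH")
    if hdr["O"]:
        (offset_size,), off = _take(data, off, "!H")
        hdr["offset_size"] = offset_size
        off += offset_size  # skip the Offset Pad
    end = length if length is not None else len(data)
    if off > end:
        raise ValueError("header runs past the end of the message")
    hdr["payload"] = data[off:end]
    return hdr


def l2tp_parses(data: bytes) -> bool:
    try:
        parse_l2tp(data)
        return True
    except ValueError:
        return False


# Constructed samples (not captured traffic).
ZLB_ACK = struct.pack("!HHHHHH", 0xC802, 12, 5, 0, 3, 7)  # T=1 L=1 S=1 Ver=2, empty body
PPP_LCP_FRAME = b"\xff\x03\xc0\x21\x01\x01\x00\x04"       # PPP addr/ctrl + LCP Configure-Request
DATA_MSG = struct.pack("!HHHH", 0x0202, 5, 9, 2) + b"\x00\x00" + PPP_LCP_FRAME  # T=0 O=1 Ver=2
BAD_CONTROL = struct.pack("!HHHH", 0x8002, 5, 0, 0)       # T=1 but L and S clear

if __name__ == "__main__":
    print(parse_l2tp(ZLB_ACK))
    print(parse_l2tp(DATA_MSG))
    print(l2tp_parses(BAD_CONTROL))
```

Note the Offset Size handling: the pad is skipped by adding Offset Size to the cursor, and the cursor is then compared against the message end, so an Offset Size larger than the message yields an error rather than an empty or out-of-range slice.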
IP Tunnel
• Transport another protocol by encapsulation
Encapsulation: the original packet becomes the payload of a new packet.
  Original IP Header | Payload
  New IP Header | New Payload = (Original IP Header | Payload)
Generic Routing Encapsulation
• Header format
– RFC 2784
– RFC 1701
RFC 2784 header (32-bit words):
  C | Reserved0 (12 bits) | Ver (3 bits) | Protocol Type (16 bits)
  Checksum (optional, 16 bits) | Reserved1 (optional, 16 bits)
Encapsulation: MAC header | IP header | GRE header | Data...
RFC 1701 header (32-bit words):
  C | R | K | S | s | Recur (3 bits) | Flags (5 bits) | Ver (3 bits) | Protocol Type (16 bits)
  Checksum (optional, 16 bits) | Offset (optional, 16 bits)
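The GRE layouts on this slide and the enhanced GRE header from the PPTP slide share the same first 16 bits; what differs is which optional words follow and how they are interpreted (Checksum/Reserved1 for RFC 2784, Key split into Payload Length and Call ID for RFC 2637). The following is an added example (not code from the slides) covering both passages and the IP-tunnel encapsulation idea: it builds an RFC 2784 GRE packet around a constructed inner packet, computing the one's-complement checksum, and parses RFC 2784, RFC 1701 (Key and Sequence, routing not supported) and enhanced GRE headers, verifying the checksum and the advertised Payload Length against the bytes received. The Protocol Type values 0x0800 (IPv4) and 0x880B (PPP, from RFC 2637) are assumed from those specifications; the inner packet and the PPP frame are constructed samples.

```python
"""Added example: parse (and build) GRE headers: RFC 2784 (C, Reserved0, Ver),
RFC 1701 (C R K S s Recur Flags Ver) and the RFC 2637 'enhanced GRE' that PPTP
uses to carry PPP frames. Bit 0 is the most significant bit, as on the slides."""
import struct

GRE_PROTO_IPV4 = 0x0800  # EtherType of an encapsulated IPv4 packet
GRE_PROTO_PPP = 0x880B   # PPP inside enhanced GRE (RFC 2637)


def _ip_checksum(data: bytes) -> int:
    """One's-complement checksum of 16-bit words (the RFC 2784 Checksum field)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_flags(word: int) -> dict:
    """Split the first 16 bits of any GRE header into the slide's field names."""
    return {
        "C": (word >> 15) & 1, "R": (word >> 14) & 1, "K": (word >> 13) & 1,
        "S": (word >> 12) & 1, "s": (word >> 11) & 1, "Recur": (word >> 8) & 0x7,
        "A": (word >> 7) & 1, "Flags": (word >> 3) & 0xF, "Ver": word & 0x7,
    }


def _take(data: bytes, off: int, fmt: str):
    """Unpack `fmt` at `off`, refusing to read past the end of the buffer."""
    size = struct.calcsize(fmt)
    if len(data) < off + size:
        raise ValueError("truncated GRE header")
    return struct.unpack(fmt, data[off:off + size]), off + size


def build_gre(protocol_type: int, payload: bytes, with_checksum: bool = True) -> bytes:
    """IP-tunnel style encapsulation: prepend an RFC 2784 GRE header (Ver=0)."""
    if not with_checksum:
        return struct.pack("!HH", 0x0000, protocol_type) + payload
    # C=1; the checksum is computed with the Checksum field itself set to zero.
    hdr = struct.pack("!HHHH", 0x8000, protocol_type, 0, 0)
    csum = _ip_checksum(hdr + payload)
    return struct.pack("!HHHH", 0x8000, protocol_type, csum, 0) + payload


def parse_gre(data: bytes) -> dict:
    (word, proto), off = _take(data, 0, "!HH")
    f = gre_flags(word)
    hdr = {"flags": f, "protocol_type": proto}
    if f["Ver"] == 1 and proto == GRE_PROTO_PPP:
        # Enhanced GRE (RFC 2637): K must be set and C/R/s/Recur clear;
        # the Key word is Payload Length (HW) and Call ID (LW).
        if not f["K"] or f["C"] or f["R"] or f["s"] or f["Recur"]:
            raise ValueError("flag combination not valid for enhanced GRE")
        (payload_len, call_id), off = _take(data, off, "!HH")
        hdr.update(variant="enhanced", payload_length=payload_len, call_id=call_id)
        if f["S"]:
            (hdr["sequence"],), off = _take(data, off, "!I")
        if f["A"]:
            (hdr["ack"],), off = _take(data, off, "!I")
        if len(data) - off < payload_len:
            raise ValueError("Payload Length exceeds the bytes received")
        hdr["payload"] = data[off:off + payload_len]
        return hdr
    if f["Ver"] != 0:
        raise ValueError(f"unsupported GRE version {f['Ver']}")
    if f["R"]:
        raise ValueError("RFC 1701 routing (R bit) not supported here")
    hdr["variant"] = "rfc1701" if (f["K"] or f["S"] or f["s"] or f["Recur"]) else "rfc2784"
    if f["C"]:
        # Checksum then Reserved1 (Offset in RFC 1701); the checksum covers the
        # whole GRE header and payload with the Checksum field zeroed.
        (checksum, _reserved1), nxt = _take(data, off, "!HH")
        zeroed = data[:off] + b"\x00\x00" + data[off + 2:]
        if _ip_checksum(zeroed) != checksum:
            raise ValueError(f"GRE checksum mismatch 0x{checksum:04X}")
        hdr["checksum"] = checksum
        off = nxt
    if f["K"]:
        (hdr["key"],), off = _take(data, off, "!I")
    if f["S"]:
        (hdr["sequence"],), off = _take(data, off, "!I")
    hdr["payload"] = data[off:]
    return hdr


def gre_parses(data: bytes) -> bool:
    try:
        parse_gre(data)
        return True
    except ValueError:
        return False


# Constructed samples (not captured traffic).
PPP_LCP_FRAME = b"\xff\x03\xc0\x21\x01\x01\x00\x04"  # PPP addr/ctrl + LCP Configure-Request
ENHANCED_SAMPLE = struct.pack("!HHHHII", 0x3081, GRE_PROTO_PPP,       # K=1 S=1 A=1 Ver=1
                              len(PPP_LCP_FRAME), 0x1234, 1, 0) + PPP_LCP_FRAME
INNER_PACKET = b"<constructed inner IPv4 packet>"
TUNNELED_SAMPLE = build_gre(GRE_PROTO_IPV4, INNER_PACKET)

if __name__ == "__main__":
    print(parse_gre(ENHANCED_SAMPLE))
    print(parse_gre(TUNNELED_SAMPLE))
```

Two checks carry the security weight: the enhanced-GRE branch slices the PPP frame by the advertised Payload Length only after confirming that many bytes exist, and the RFC 2784 branch recomputes the checksum over a copy with the field zeroed, so a corrupted or truncated tunnel packet is rejected instead of being passed to the PPP or IP layer.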
Experiment Environment
Experiment Result: PPTP
Experiment Result: L2TP