VPN tunnel technology details
1. VPN overview
To let remote employees exchange data with headquarters in real time, an enterprise has to rent network capacity from an ISP. The public network, however, is exposed to a variety of security attacks, such as denial-of-service attacks that block normal network services, or the theft of important internal information of the enterprise.
The concept of the VPN was introduced to solve this problem. A VPN uses the public network to connect to the private network of the enterprise, but applies security mechanisms to ensure confidentiality, authenticity, reliable access control and strict integrity. The result is a logically private network built over the public one: a virtual private network is a cost-effective means of exchanging private information securely across public networks.
2. VPN features
The advantages of a VPN are generally as follows:
a) minimum cost: there is no need to purchase network equipment and dedicated lines to reach every remote user
b) sharing: by purchasing public resources, part of the maintenance burden is shifted to the provider, which is more professional and experienced, reducing operation and maintenance costs
c) security:
d) guaranteed QoS
e) reliability: if a VPN node fails, a replacement VPN path can be established to bypass it, so that VPN operation continues as far as possible
f) scalability: a VPN is easy to expand by requesting more resources from the public network, or by negotiating to rebuild the VPN
Security is the most important feature of a VPN, and it is an element that every kind of VPN product must have and support.
3. VPN security technologies
At present, VPNs mainly rely on four technologies to ensure security: tunneling, encryption and decryption, key management, and authentication of users and devices.
Encryption and decryption are relatively mature technologies in data communication, and a VPN can use existing technology directly.
The main task of key management is to transfer keys safely over public data networks without their being stolen. Current key management technology is divided into SKIP and ISAKMP/Oakley. SKIP mainly uses the Diffie-Hellman algorithm to transmit keys over the network; in ISAKMP, each party holds two keys, one public and one private.
The most commonly used authentication technologies are user name and password, or card-based authentication.
Tunneling refers to using one network protocol to transmit another network protocol, and is achieved mainly through network tunneling protocols. Network tunneling involves three kinds of network protocol: the tunneling protocol itself, the carrier protocol below the tunneling protocol, and the passenger protocol carried inside the tunnel. Tunneling is a key VPN technology, and this basic VPN technology is described in detail in this article.
4. Network tunneling protocols
A network tunnel is a data channel (tunnel) established across the public network so that data packets can be transmitted through it. There are two types of network tunneling protocol. One is the layer 2 tunneling protocol, which transmits layer 2 network protocols and is mainly used to build remote-access VPNs (Access VPN); the other is the layer 3 tunneling protocol, which transmits layer 3 network protocols and is mainly used to build intranet VPNs and extranet VPNs.
Layer 2 tunneling protocols
A layer 2 tunneling protocol first encapsulates the various network protocols into PPP, and then packages the whole PPP frame into the tunneling protocol. The packets formed by this double encapsulation are transmitted by a layer 2 protocol. There are three main layer 2 tunneling protocols. The first is PPTP (Point-to-Point Tunneling Protocol), widely used by Microsoft and Ascend and also supported by 3Com and other companies; it is supported in Windows NT 4.0 and above.
The second is L2F (Layer 2 Forwarding), supported by Cisco, Northern Telecom and other companies, and available in Cisco routers.
The third is L2TP (Layer 2 Tunneling Protocol), drafted by the IETF with the participation of Microsoft, Ascend, Cisco, 3Com and other companies; it combines the advantages of the two protocols above. L2TP is the current IETF standard, formed by the IETF's integration of PPTP and L2F. This article mainly introduces the L2TP protocol.
In L2TP, the LAC (L2TP Access Concentrator) is a device attached to the switching network that has PPP end-system capability and can process the L2TP protocol. The LAC is generally a network access server (NAS) that provides network access to users over PSTN/ISDN. The LNS (L2TP Network Server) is the software that handles the server side of the L2TP protocol on a PPP end system.
There are two types of connection between an LNS and a LAC. One is the tunnel connection, which defines an LNS/LAC pair; the other is the session connection, which is multiplexed over the tunnel connection and represents each PPP session carried in the tunnel.
L2TP connection maintenance and PPP data transmission are accomplished through the exchange of L2TP messages, which are carried over TCP/IP using UDP port 1701. L2TP messages are of two types: control messages and data messages. Control messages are used to establish and maintain tunnel connections and session connections; data messages carry the user's PPP session packets.
The parameters in control messages are represented as attribute-value pairs (AVPs), which gives the protocol good extensibility. Control message transmission also uses mechanisms such as retransmission of lost messages and periodic checks of channel connectivity to make transmission at the L2TP layer reliable. Data message transmission uses no retransmission mechanism, so it cannot guarantee reliable delivery, but this can be provided by an upper-layer protocol such as TCP. Data messages can use flow control or not, according to the needs of the application, and message sequence numbers can even be enabled dynamically during transmission to activate sequence checking and flow control on demand. When flow control is in use, out-of-order messages are handled by buffering and reordering, which improves the effectiveness of data transmission.
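As an added example (not code from the article or from any L2TP implementation), the following Python parser reads the message format just described: the header flags that distinguish control from data messages, the optional Length and Ns/Nr sequence fields, and the attribute-value pairs of a control message. Field layouts follow RFC 2661; the function names and the SCCRQ and data-message samples are constructed for this example. The parser refuses malformed input (wrong version, lengths that run past the buffer, a mandatory AVP it does not understand) instead of reading out of bounds, which is what a receiving LAC or LNS should do.

```python
# Bit layout and AVP numbers follow RFC 2661; the function and sample names here are this example's own.
FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
KNOWN_IETF_ATTRS = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 14, 15, 18, 19}  # the subset this parser understands

def u16(buf: bytes, pos: int) -> int:
    """Read a big-endian 16-bit field, refusing to run past the end of the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("message truncated at offset %d" % pos)
    return int.from_bytes(buf[pos:pos + 2], "big")

def parse_l2tp(pkt: bytes) -> dict:
    """Parse one L2TP message (control or data) with a bounds check on every field."""
    flags = u16(pkt, 0)
    if (flags & 0x000F) != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & 0x000F))
    control = bool(flags & FLAG_T)
    # A control message must carry Length and Ns/Nr and must not set the Offset or Priority bits.
    if control and ((flags & (FLAG_L | FLAG_S)) != (FLAG_L | FLAG_S) or flags & (FLAG_O | FLAG_P)):
        raise ValueError("illegal flag combination on control message")
    pos, msg = 2, {"control": control}
    if flags & FLAG_L:
        length = u16(pkt, 2)
        if not 8 <= length <= len(pkt):
            raise ValueError("length field %d inconsistent with packet" % length)
        pkt, pos = pkt[:length], 4  # bytes beyond Length are not part of the message
    msg["tunnel_id"], msg["session_id"], pos = u16(pkt, pos), u16(pkt, pos + 2), pos + 4
    if flags & FLAG_S:
        msg["ns"], msg["nr"], pos = u16(pkt, pos), u16(pkt, pos + 2), pos + 4
    if flags & FLAG_O:  # data messages may pad before the payload: skip Offset Size plus padding
        pos += 2 + u16(pkt, pos)
    if not control:
        msg["ppp"] = pkt[pos:]  # the carried PPP frame (passenger protocol)
        return msg
    msg["avps"] = []
    while pos < len(pkt):
        hdr, vendor, attr = u16(pkt, pos), u16(pkt, pos + 2), u16(pkt, pos + 4)
        length = hdr & 0x03FF  # low 10 bits; counts the 6-byte AVP header itself
        if length < 6 or pos + length > len(pkt):
            raise ValueError("AVP length %d runs past the message" % length)
        avp = {"mandatory": bool(hdr & 0x8000), "hidden": bool(hdr & 0x4000),
               "vendor": vendor, "type": attr, "value": pkt[pos + 6:pos + length]}
        if avp["mandatory"] and vendor == 0 and attr not in KNOWN_IETF_ATTRS:
            raise ValueError("unknown mandatory AVP %d: RFC 2661 requires tunnel teardown" % attr)
        msg["avps"].append(avp)
        pos += length
    return msg
# Constructed SCCRQ (Message Type 1) with Protocol Version, Host Name "lac1" and Assigned Tunnel ID 42.
SCCRQ = bytes.fromhex("c802002e0000000000000000" "8008000000000001" "8008000000020100"
                      "800a000000076c616331" "800800000009002a")
DATA_MSG = bytes.fromhex("0002002a0001" "ff030021" "45000014")  # constructed: tunnel 42, session 1, PPP/IP
```

Hidden (H bit) AVP values are only flagged here; decoding them requires the tunnel's shared secret, which this example does not model.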
L2TP also has the following characteristics that suit it to VPN services:
· flexible authentication mechanism and high security
L2TP can choose among a variety of authentication mechanisms (CHAP, PAP, etc.) and supports all the security features of PPP; L2TP can also authenticate the tunnel endpoints, which makes data transmitted through L2TP harder to attack. Depending on the specific network security requirements, tunnel encryption, end-to-end data encryption or application-layer data encryption can also be conveniently applied on top of L2TP to improve data security.
· internal address allocation support
The LNS can be placed behind the enterprise firewall. It can dynamically allocate and manage the addresses of remote users, supporting DHCP, private addressing (RFC 1918) and other schemes. The address assigned to a remote user is not an Internet address but a private address within the enterprise, which simplifies address management and increases security.
· flexibility of network billing
Billing can be performed at both the LAC and the LNS, that is, at the ISP (for bill generation) and at the enterprise (for payment and audit). L2TP can provide accounting data such as the number of packets and bytes sent and received and the start and end time of the connection, which is convenient for network billing.
· reliability
The L2TP protocol can support backup LNSs. When the primary LNS is unreachable, the LAC (access server) can re-establish the connection with a backup LNS, which increases the reliability and fault tolerance of the VPN service.
· unified network management
The L2TP protocol will soon become a standard RFC protocol, and the standard MIB related to L2TP will also be formulated soon, so that an SNMP network management scheme can be adopted uniformly for convenient network maintenance and management.
Layer 3 tunneling protocols
A layer 3 tunneling protocol loads the various network protocols directly into the tunneling protocol, and the resulting packets rely on a layer 3 protocol for transmission. Layer 3 tunneling is not a new technology: the Generic Routing Encapsulation (GRE) protocol of RFC 1701, which appeared long ago, is a layer 3 tunneling protocol, and the IETF's new IP-layer encryption standard, IPSec, is also a layer 3 tunneling protocol.
IPSec (IP Security) consists of a group of RFC documents that define a system for selecting security protocols and security algorithms, determining the keys used by the services, and so on, in order to provide security at the IP layer. It is not a single protocol with one clear direction; it gives a complete architecture for network data security at the IP layer, including the network security protocols Authentication Header (AH) and Encapsulating Security Payload (ESP), the key management protocol Internet Key Exchange (IKE), and a number of algorithms for network authentication and encryption. The authentication and encryption mechanisms and protocols of IPSec are described in detail below.
1. IPSec Authentication Header (AH):
AH is a mechanism for providing IP datagram integrity and authentication. Integrity ensures that datagrams are not changed, whether accidentally or maliciously, while authentication verifies the source of the data (identifying hosts, users, networks, etc.). AH itself does not support any form of encryption, so it cannot guarantee the confidentiality of data sent through the Internet. AH can still improve the security of the global Internet where the export, import or use of encryption is restricted by the local government. When fully implemented, it provides better security services by authenticating IP packets and reducing the probability of attacks based on IP spoofing. The AH header is placed between the standard IPv4 or IPv6 header and the next higher-layer protocol frame (such as TCP, UDP or ICMP).
The AH protocol provides integrity and authentication services by computing a message digest over the entire IP datagram. A message digest is a particular one-way function that creates a unique digital fingerprint of a datagram. The output of the message digest algorithm is placed in the Authentication Data field of the AH header. Message Digest 5 (MD5) is a one-way mathematical function; applied to packet data, it condenses the data into a 128-bit value that is a compressed summary of the larger packet. Used in this way, MD5 provides only a data integrity service: a message digest can be calculated over a set of data before it is sent and again after the data is received.
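As an added example (not code from the article or from any IPSec implementation), the following Python code builds and verifies a transport-mode AH packet along the lines just described: the digest is computed over the whole IP datagram with the mutable IP fields and the Authentication Data field zeroed, and the result is placed in the AH header. It goes one step beyond the text by using keyed HMAC-MD5 truncated to 96 bits, as RFC 2403 specifies, rather than plain MD5, because an unkeyed digest gives integrity but not origin authentication; all function names, the key, the addresses and the payload are constructed for this example.

```python
import hmac, hashlib, struct
# Constructed example: field layouts follow RFC 2402 (AH) and RFC 2403 (HMAC-MD5-96); names are this example's own.
AH_PROTO = 51

def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; the checksum is left zero because AH zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable in transit: TOS, flags/fragment offset, TTL, header checksum."""
    h = bytearray(ip_hdr)
    h[1], h[8] = 0, 0
    h[6:8], h[10:12] = b"\x00\x00", b"\x00\x00"
    return bytes(h)

def ah_fixed(next_hdr: int, spi: int, seq: int) -> bytes:
    """Next Header, Payload Len (32-bit words minus 2: a 24-byte AH gives 4), Reserved, SPI, Sequence Number."""
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)

def compute_icv(key: bytes, ip_hdr: bytes, fixed: bytes, payload: bytes) -> bytes:
    """HMAC-MD5 over immutable IP fields, AH with its ICV zeroed, and the payload; truncated to 96 bits."""
    data = zero_mutable(ip_hdr) + fixed + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.md5).digest()[:12]

def build_ah_packet(key: bytes, src: bytes, dst: bytes, payload: bytes, spi: int, seq: int, next_hdr: int = 17) -> bytes:
    """Transport-mode AH: IP header (protocol 51) | AH header | original upper-layer payload."""
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 24 + len(payload))
    fixed = ah_fixed(next_hdr, spi, seq)
    return ip + fixed + compute_icv(key, ip, fixed, payload) + payload

def verify_ah_packet(key: bytes, pkt: bytes, last_seq: int = 0) -> bool:
    """Receiver side: reject non-AH packets, replayed sequence numbers, and any ICV mismatch."""
    if len(pkt) < 44 or pkt[9] != AH_PROTO:
        return False
    ip, fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    seq = struct.unpack("!I", fixed[8:12])[0]
    if fixed[1] != 4 or seq <= last_seq:
        return False
    return hmac.compare_digest(icv, compute_icv(key, ip, fixed, payload))

# Constructed sample: a DNS-style UDP payload between two private addresses, protected under SPI 0x1001.
KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed 128-bit key
SRC, DST, PAYLOAD = bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9]), b"\x04\xd2\x00\x35\x00\x0c\x00\x00hi!!"
PACKET = build_ah_packet(KEY, SRC, DST, PAYLOAD, spi=0x1001, seq=1)
def tamper(pkt: bytes, offset: int, value: int) -> bytes:
    """Copy of pkt with one byte changed, to show which fields the ICV does and does not cover."""
    b = bytearray(pkt)
    b[offset] = value
    return bytes(b)
```

Because the TTL is zeroed before hashing, a router decrementing it does not break verification, while any change to an address, the sequence number or the payload does.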
Copyright © 2011 JIN SHI