Page 1: VPN construction with independence of client environment

25 January 2007

Shin Takeuchi (University of Tsukuba)

Page 2: Agenda

1. VPN
   - Site-to-Site connection
   - Remote-to-Site connection
   - IP security protocol (IPsec)
   - SSL-VPN
2. Solution
3. Experiment
4. Implementation
5. Conclusion

Page 3: VPN

Page 4: VPN ~Site-to-Site connection~

[Figure: Site A and Site B joined by a VPN tunnel across the Internet]

- We typically use IPsec for a Site-to-Site VPN connection.
- Many devices support IPsec.

Page 5: VPN ~Remote-to-Site connection~

[Figure: a remote user connecting to a site by a VPN across the Internet]

- We usually use SSL-VPN for remote access.
- PPTP is also common, although its MS-CHAPv2 authentication has long been known to be cryptographically weak.

Page 6: IP security protocol (IPsec) (1/3)

Packet formats shown on the slide (the original IP packet is IP Header | TCP Header | payload):

  Original packet : IP Header | TCP Header | payload

  Transport mode
    ESP : IP Header | ESP Header | TCP Header | payload | ESP Trailer | ESP Auth
    AH  : IP Header | AH Header  | TCP Header | payload

  Tunnel mode
    ESP : Tunnel IP Header | ESP Header | IP Header | TCP Header | payload | ESP Trailer | ESP Auth
    AH  : Tunnel IP Header | AH Header  | IP Header | TCP Header | payload

Page 7: IPsec (2/3) ~Authentication~

What the integrity check value (ICV) covers:

  ESP (transport) : [ ESP Header | TCP Header | payload | ESP Trailer ] -> ESP Auth
  ESP (tunnel)    : [ ESP Header | IP Header | TCP Header | payload | ESP Trailer ] -> ESP Auth
  AH  (transport) : [ IP Header | AH Header | TCP Header | payload ]
  AH  (tunnel)    : [ Tunnel IP Header | AH Header | IP Header | TCP Header | payload ]

- ESP authenticates everything from the ESP Header through the ESP Trailer; the outer IP header (IP Header in transport mode, Tunnel IP Header in tunnel mode) is not covered.
- AH authenticates the whole packet including the outer IP header, except for the header fields that legitimately change in transit (TOS, flags/fragment offset, TTL, header checksum), which are treated as zero when the ICV is computed.
- Because AH's ICV includes the outer IP header and ESP's does not, a NAT that rewrites that header breaks AH but leaves ESP verifiable.

Page 8: IPsec (3/3) ~Encryption~

What ESP encrypts (AH encrypts nothing; it provides authentication only):

  ESP (transport) : IP Header | ESP Header | { TCP Header | payload | ESP Trailer } | ESP Auth
  ESP (tunnel)    : Tunnel IP Header | ESP Header | { IP Header | TCP Header | payload | ESP Trailer } | ESP Auth

- In transport mode the TCP header and payload are hidden; the IP header and the ESP header (SPI, sequence number) stay in clear.
- In tunnel mode the entire original IP packet is hidden; only the Tunnel IP Header and the ESP Header are visible on the wire.
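The coverage rules above, as an added Python illustration (not code from the presentation): it frames an ESP packet, pads the trailer to the 4-byte boundary RFC 4303 requires, computes the ICV over ESP Header through ESP Trailer, and computes an AH ICV over the whole packet with the mutable IP fields zeroed. A keyed keystream derived from HMAC-SHA256 stands in for ESP's real cipher so the script needs only the standard library; the keys, addresses and "TCP" bytes are constructed sample values. `nat_survival()` then rewrites the outer source address the way a NAT would and shows that ESP still verifies while AH does not.

```python
"""Added illustration (not from the slides): ESP and AH framing, and which bytes
each integrity check value (ICV) covers.  A keyed keystream built from HMAC stands
in for ESP's real cipher so the script runs with the standard library only; keys
and addresses below are constructed sample values."""
import hashlib
import hmac
import struct

ICV_LEN = 16    # HMAC-SHA-256-128: the 256-bit MAC truncated to 128 bits (RFC 4868)
ESP_PROTO = 50  # IP protocol numbers: ESP = 50, AH = 51
AH_PROTO = 51


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def _keystream(key, spi, seq, n):
    """Toy keystream: HMAC-SHA256 over (SPI, seq, counter).  Stand-in for ESP's cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(spi, seq, inner, next_header, enc_key, auth_key):
    """Build ESP Header | encrypted(inner | padding | pad_len | next_header) | ICV.
    `inner` is TCP Header|payload in transport mode, or a whole IP packet in tunnel mode."""
    pad_len = (-(len(inner) + 2)) % 4          # RFC 4303: trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # default padding pattern 1, 2, 3, ...
    plaintext = inner + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)      # SPI and sequence number travel in clear
    ciphertext = _xor(plaintext, _keystream(enc_key, spi, seq, len(plaintext)))
    # The ICV covers ESP Header .. ESP Trailer only; the outer IP header is NOT included.
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(pkt, enc_key, auth_key):
    """Verify the ICV first, then decrypt; returns (next_header, inner)."""
    header, body, icv = pkt[:8], pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", header)
    plaintext = _xor(body, _keystream(enc_key, spi, seq, len(body)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def ah_icv(ip_hdr, spi, seq, next_header, inner, auth_key):
    """AH ICV over the whole packet.  Mutable IP fields (TOS, flags/fragment offset,
    TTL, checksum) and the ICV field itself are zeroed before hashing (RFC 4302)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS (DSCP + ECN)
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    # AH header: next header, length in 32-bit words minus 2, reserved, SPI, seq, zeroed ICV
    ah = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    return hmac.new(auth_key, bytes(h) + ah + inner, hashlib.sha256).digest()[:ICV_LEN]


def nat_survival():
    """Rewrite the outer source address as a NAT would; return (esp_ok, ah_ok)."""
    enc_key, auth_key = b"\x11" * 32, b"\x22" * 32       # constructed keys
    inner = b"\x00\x50\x04\xd2" + b"hello"                 # constructed TCP-like bytes
    esp = esp_encapsulate(0x1001, 1, inner, 6, enc_key, auth_key)
    before = ipv4_header("10.0.0.5", "198.51.100.9", AH_PROTO, 20 + 28 + len(inner))
    after = ipv4_header("203.0.113.1", "198.51.100.9", AH_PROTO, 20 + 28 + len(inner))
    # ESP never hashed the outer header, so the rewritten header is irrelevant to it.
    esp_ok = esp_decapsulate(esp, enc_key, auth_key) == (6, inner)
    icv_sent = ah_icv(before, 0x1002, 1, 6, inner, auth_key)
    ah_ok = hmac.compare_digest(icv_sent, ah_icv(after, 0x1002, 1, 6, inner, auth_key))
    return esp_ok, ah_ok


if __name__ == "__main__":
    print(nat_survival())  # (True, False)
```

The order in `esp_decapsulate` matters: the ICV is checked before any decryption is attempted, so a forged or corrupted packet is dropped without feeding attacker-controlled ciphertext to the cipher.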

Page 9: SSL-VPN (1/3)

Three ways of carrying traffic inside an SSL connection, as drawn on the slide. Each SSL record is Record Header | data | MAC, carried over TCP/IP; the original IP packet is IP Header | TCP Header | payload.

  Reverse Proxy   : IP Header | TCP Header | Record Header | payload | MAC
                    (only application data crosses the tunnel)
  Port Forwarding : IP Header | TCP Header | Record Header | IP Header | TCP Header | payload | MAC
                    (the original IP packet is carried inside the record)
  L2-Tunneling    : IP Header | TCP Header | Record Header | Ethernet Header | IP Header | TCP Header | payload | CRC | MAC
                    (the whole Ethernet frame is carried inside the record)

Page 10: SSL-VPN (2/3) ~Authentication~

The record MAC covers the data inside the SSL record, in every mode:

  Reverse Proxy   : [ payload ] -> MAC
  Port Forwarding : [ IP Header | TCP Header | payload ] -> MAC
  L2-Tunneling    : [ Ethernet Header | IP Header | TCP Header | payload | CRC ] -> MAC

The outer IP and TCP headers are not covered, so intermediate NAT devices may rewrite them without disturbing the tunnel.

Page 11: SSL-VPN (3/3) ~Encryption~

The same span is encrypted, together with the MAC:

  Reverse Proxy   : IP Header | TCP Header | Record Header | { payload | MAC }
  Port Forwarding : IP Header | TCP Header | Record Header | { IP Header | TCP Header | payload | MAC }
  L2-Tunneling    : IP Header | TCP Header | Record Header | { Ethernet Header | IP Header | TCP Header | payload | CRC | MAC }

Only the outer IP/TCP headers and the Record Header are visible on the wire; to the network the tunnel is an ordinary TCP connection.

Page 12: Motivation

- Setup difficulty: it is bothersome for ordinary users to configure a VPN.
- Must be "Static": at least one endpoint needs a static IP address.
  Site-to-Site: "Static" - "Static"; Remote-to-Site: "Dynamic" - "Static".

Wanted: more "Simplicity" and more "Flexibility".

Page 13: Idea

- Implement an application that gives clients a simple VPN configuration and enables "Dynamic" - "Dynamic" connections.
- Which protocol should we use?
- Introduce the "VPN-Management-Server": it handles the bothersome procedure on the clients' behalf.

Page 14: Experiment

Page 15: Experiment with selection of protocol

Criterion: connectivity (connect or disconnect).

Target: IPsec vs. SSL-VPN.

Experimental networks:
- University of Tsukuba campus network (Univ. Tsukuba)
- Tsukuba WAN
- Kyushu GigaPOP Project (QGPOP)
- Network Organization for Research and Technology in Hokkaido (NORTH)
- Japan Science and Technology Agency (JST)
- Commercial Internet Service Provider (ISP)

Page 16: Result of the Experiment

IPsec (rows: Endpoint A, columns: Endpoint B)

  Endpoint A     Univ.Tsukuba  TsukubaWAN  QGPOP  NORTH  JST  ISP
  Univ. Tsukuba       ×            ×         ×      ×     ×    ×
  Tsukuba WAN         ×            ○         ○      ○     ×    ○
  QGPOP               ×            ○         -      -     ×    -
  NORTH               ×            ○         -      -     -    -
  JST                 ×            ×         ×      -     -    -
  ISP                 ×            ○         -      -     -    -

SSL-VPN (rows: Endpoint A, columns: Endpoint B)

  Endpoint A     Univ.Tsukuba  TsukubaWAN  QGPOP  NORTH  JST  ISP
  Univ. Tsukuba       ○            ○         ○      ○     ○    ○
  Tsukuba WAN         ○            ○         ○      ○     ○    ○
  QGPOP               ○            ○         -      -     ○    ○
  NORTH               ○            ○         -      -     -    -
  JST                 ○            ○         ○      -     -    ○
  ISP                 ○            ○         ○      -     ○    -

○: connect, ×: disconnect, -: none (pair not tested)

SSL-VPN is more suitable than IPsec!

The criterion is reachability only, not the security of either protocol. The slide does not say why the IPsec pairs failed, but in general IPsec needs IKE (UDP/500), ESP (IP protocol 50) and, across NAT, UDP/4500 to pass every network on the path, whereas SSL-VPN rides an ordinary TCP connection (usually port 443) that firewalls and NAT rarely block.

Page 17: Implementation

Page 18: Implementation of the proposed system

Environment
- OS: Windows
- Language: C++
- Library: openssl-0.9.8c (current in 2007; the 0.9.8 branch went out of support at the end of 2015, so a present-day build needs a supported OpenSSL release)
- USB token: iKey 1000

Feature: when the USB token is inserted into a PC, the VPN is established.

Example: sharing data in a meeting.

Page 19: Procedure sequence

  Client                                       VPN-Management-Server
    |-- SSL connection ------------------------>|
    |<-- SSL authentication ------------------->|  client verifies the server's certificate,
    |                                           |  server verifies the client's certificate
    |-- Request (client IP address) ----------->|  Check:
    |                                           |    - source IP address (in the IP header)
    |                                           |    - IP address (in the application data)
    |                                           |  Register:
    |                                           |    - client certificate serial number
    |                                           |    - IP classification information
    |<-- Send ----------------------------------|

The Check step compares the address the client claims in the application data with the address the connection actually arrived from in the IP header. The two agree for a client with a global IP and differ for a client behind NAT, which is what the IP classification information records.

Page 20: System structure

VPN-Management Server
- Repository / Registry: client information
  - client certificate serial number
  - header IP (source address of the connection)
  - payload IP (address reported by the client)
  - IP classification information (Global IP, Private IP)
- Certificate issue
- Auth info: CA private/public key, server private/public key
- SSL Auth
- VPN-Server

Client application program
- SSL connect and SSL Auth against the VPN-Management Server
- USB token (iKey): IC chip and storage holding the CA public key and the client private/public key
- VPN module create (referencing the registry): encryption algorithm, virtual IP, access point IP, connect port, communication protocol
- Client environment judge: IP address (header IP address, payload IP address -> Global IP / Private IP)
- VPN connection: virtual IF creation (tun/tap device), packet routing, send packet

The "insert the token and the VPN comes up" feature is only as strong as the client private key's confinement: a key that is used inside the token's IC chip cannot be copied off the PC, whereas a key merely stored on the token and read into the host is as exposed as any file on that PC.
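The server side of the Check and Register steps on pages 19 and 20, as an added Python example (the presentation's own implementation is in C++ and is not reproduced here). It assumes mutual SSL authentication has already succeeded and that the transport hands the handler the peer certificate's serial number and the connection's source address (with Python's `ssl` module these come from `getpeercert()["serialNumber"]` and `getpeername()`); the `REGISTER <ip>` message format, the use of the RFC 1918 ranges as the meaning of "Private IP", the decision to reject a client whose claimed address the connection does not corroborate, and all addresses are this example's own choices.

```python
"""Added example (not the presentation's code): the VPN-Management-Server's
Check and Register steps.  Assumes mutual SSL authentication already passed and
that the caller supplies the peer certificate serial and the connection's source
address.  Message format, policy on mismatches and all addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# "Private IP" taken to mean the RFC 1918 ranges (an assumption of this example).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)


@dataclass
class ClientRecord:
    cert_serial: int        # client certificate serial number (from the SSL handshake)
    header_ip: str          # source address in the IP header of the SSL connection
    payload_ip: str         # address the client reported in application data
    classification: str     # "global" or "private"


def classify(header_ip, payload_ip):
    """IP classification information derived from the two addresses the server sees."""
    h, p = ipaddress.ip_address(header_ip), ipaddress.ip_address(payload_ip)
    if h == p:
        # Client is reachable at the address it claims.
        return "private" if is_private(h) else "global"
    if is_private(p) and not is_private(h):
        # Behind NAT: the header shows the NAT's address, the payload the LAN address.
        return "private"
    # The claimed address is neither what we saw nor a private address behind it.
    return "mismatch"


def parse_register(data: bytes):
    """Application-data message in this example's constructed format: b'REGISTER <ip>\\n'."""
    line = data.decode("ascii", errors="strict").strip()
    verb, _, arg = line.partition(" ")
    if verb != "REGISTER" or not arg:
        raise ValueError("malformed register message")
    return str(ipaddress.ip_address(arg))     # ValueError on anything that is not an address


class ManagementServer:
    def __init__(self):
        self.registry = {}   # cert serial -> ClientRecord

    def handle_register(self, cert_serial, header_ip, data):
        """Check the claimed address against the connection, then register the client."""
        payload_ip = parse_register(data)
        cls = classify(header_ip, payload_ip)
        if cls == "mismatch":
            # Policy chosen for this example: refuse to register an uncorroborated address.
            raise PermissionError(f"client {cert_serial:#x}: reported {payload_ip} "
                                  f"but connected from {header_ip}")
        rec = ClientRecord(cert_serial, header_ip, payload_ip, cls)
        self.registry[cert_serial] = rec     # keyed by certificate serial, not by address
        return rec

    def lookup(self, cert_serial):
        return self.registry.get(cert_serial)


if __name__ == "__main__":
    srv = ManagementServer()
    print(srv.handle_register(0x1001, "203.0.113.7", b"REGISTER 203.0.113.7\n"))
    print(srv.handle_register(0x1002, "203.0.113.9", b"REGISTER 192.168.1.20\n"))
```

Keying the registry by certificate serial rather than by address is what lets a client that moves between networks, or whose dynamic address changes, re-register under the same identity; the address pair is data about the client's current environment, not its identity.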

Page 21: Conclusion

Page 22: Conclusion

- VPN: IPsec and SSL-VPN.
- Focused on the following problems: setup difficulty; must be "Static" IP.
- My application: simple VPN configuration for clients; enables "Dynamic" - "Dynamic" connection.

Page 23: Thank you!

I appreciate the network support of Prof. Okamura (Kyushu Univ.).

Thanks go to Prof. Kasahara for arranging this session.

Thanks also to Prof. Okamoto and to the researchers Dr. Oyama and Dr. Inomata for their support and guidance.