Virtual Private Network And Tunneling Protocols Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Over the last decade, internet technologies have become a valuable means for businesses to extend their local area networks to remote offices. Before Virtual Private Networks, a local area network could be extended using leased lines, but the cost of a leased line increases in direct proportion to the distance between the remote offices.

A Virtual Private Network transfers private data from one local area network to another via the internet securely, affordably and promptly across the world. A Virtual Private Network not only enables users at remote branches to share confidential information safely but also allows travelling users to connect to office resources and co-workers securely. The communication travels across the internet, but to the end users it appears to be a private network communication; for this reason it is called a Virtual Private Network. The following diagram shows an example of a Virtual Private Network.

Tunneling protocols are used to set up a private network spanning the internet in order to transfer packets among different subnets. This method is called Virtual Private Network Tunneling. Before data transfer can occur, a VPN client and server must create a tunnel, and for a successful VPN session the client and server must use the same tunneling protocol. During tunneling an entire packet is placed within another packet and then sent over the internet to the destination. In other words, the packet is encrypted and encapsulated with an extra header produced by the tunneling protocol; the extra header contains the routing information from source to destination.

To set up a protected tunnel between two nodes and transfer IP packets, the Point-to-Point Tunneling Protocol (PPTP) encapsulates PPP (Point-to-Point Protocol) frames into IP datagrams. PPP is the industry standard protocol for accessing remote nodes. In fact PPP is not a single protocol; it is a suite of protocols which together provide connection services.

The authentication mechanisms of a PPTP-based tunnel are the same as those of a PPP connection, e.g. CHAP (Challenge Handshake Authentication Protocol), PAP (Password Authentication Protocol) and EAP (Extensible Authentication Protocol). In other words, PPTP depends on PPP for the encapsulation and compression of data packets. For encapsulation the GRE (Generic Routing Encapsulation) protocol is used. A GRE packet contains routing information, and for its transport to the destination it is then encapsulated in another protocol called the delivery protocol.

Figure: PPTP Packet Format

2.3.2 IP-in-IP (IP-IP)

This type of tunneling protocol encapsulates an IP packet in another IP packet and is relatively simple compared with other encapsulation techniques. The inner IP header identifies the source and destination host IP addresses, while the outer IP header identifies the end points of the tunnel. The following diagram shows the packet format of IP-in-IP.
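As an added illustration of the encapsulation just described (not part of the original essay), the following Python builds an IP-in-IP packet and decapsulates it again, checking each header's version and checksum before trusting it; the addresses, payload and protocol numbers are constructed sample values.

```python
import socket
import struct

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (version 4, IHL 5, TTL 64) with checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer header names the tunnel end points; protocol 4 means 'IPv4 inside'."""
    return ipv4_header(tunnel_src, tunnel_dst, 4, len(inner_packet)) + inner_packet

def parse_header(packet: bytes) -> dict:
    """Decode one IPv4 header; reject a wrong version, short packet or bad checksum."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ihl": ihl, "total_len": total_len}

def decapsulate(packet: bytes):
    """Peel headers while protocol 4 says another IPv4 packet follows.
    Returns (headers, outermost first; payload of the innermost packet)."""
    layers = []
    while True:
        hdr = parse_header(packet)
        layers.append(hdr)
        if hdr["proto"] != 4:
            return layers, packet[hdr["ihl"]:hdr["total_len"]]
        packet = packet[hdr["ihl"]:hdr["total_len"]]

# Constructed sample: a UDP packet (protocol 17) between two private hosts, carried
# between tunnel end points on documentation addresses.
SAMPLE_INNER = ipv4_header("10.0.1.5", "10.0.2.9", 17, 4) + b"data"
SAMPLE_TUNNELLED = encapsulate(SAMPLE_INNER, "203.0.113.1", "198.51.100.2")
```

The outer header is what intermediate routers act on, so a tunnel end point should verify the outer header before it trusts the inner addresses.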

2.3.3 Layer 2 Tunneling Protocol (L2TP)

Cisco Systems proposed L2TP, which is a combination of PPTP and L2F (Layer 2 Forwarding). It can be used for LAN-to-LAN private networking as well as for VPN tunnels over the public network (the internet). During L2TP tunneling, PPP frames are encapsulated over WAN technologies such as Frame Relay, X.25 and ATM (Asynchronous Transfer Mode) networks.

Figure: L2TP changes during transfer

The L2TP authentication mechanism is also the same as that of a PPP connection. L2TP is a better tunneling protocol than PPTP because L2TP provides:

header compression capability

tunnel authentication

IPSec encryption

2.3.4 Layer 2 Tunneling Protocol Security Problems

As explained in the paragraphs above, L2TP provides multiprotocol transport and remote network access in a very economical way, but it does not provide cryptographically strong security. For instance:

L2TP does not authenticate the individual packets flowing through the tunnel; it only authenticates the identities of the tunnel end points. Because of this, an L2TP tunnel is open to attacks such as spoofing and man-in-the-middle.

Furthermore, because of this weakness, the L2TP tunnel or the underlying PPP session can be terminated by a denial-of-service attack that produces false control messages.

L2TP by itself does not provide data encryption, so data confidentiality is an issue.

In the case of an L2TP tunnel an attacker can break the security key and access the data during transmission, because PPP provides an encryption mechanism for the payload of PPP packets but lacks automatic key refresh and automatic key generation.

Because of the aforesaid issues with L2TP, the PPP Extensions working group of the IETF (Internet Engineering Task Force) recommends IPSec (Internet Protocol Security) to provide the security required for packets transmitted via the Virtual Private Network tunnel.
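To make the per-packet authentication gap concrete, here is an added Python example (not from the essay) contrasting a receiver that trusts every packet once the tunnel is up, as L2TP does, with a receiver that verifies an HMAC and a sequence number on each packet in the manner of IPSec AH/ESP integrity and anti-replay protection; the key, packet layout and window size are constructed assumptions, not any protocol's exact wire format.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo key; in IPSec the key is negotiated by IKE, never a constant.
KEY = b"constructed-demo-key"
TAG_LEN = 12   # IPSec truncates HMAC-SHA2 output to 96 bits

def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: prepend a 32-bit sequence number, append a truncated HMAC."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class UnauthenticatedTunnel:
    """L2TP-style: end points were authenticated at setup, packets are not checked."""
    def receive(self, packet: bytes) -> Optional[bytes]:
        return packet[4:] if len(packet) >= 4 else None

class AuthenticatedTunnel:
    """IPSec-style: verify every packet and reject replays with a sliding window."""
    WINDOW = 64

    def __init__(self, key: bytes = KEY):
        self.key, self.highest, self.seen = key, 0, set()

    def receive(self, packet: bytes) -> Optional[bytes]:
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if len(body) < 4 or not hmac.compare_digest(tag, expected):
            return None                      # forged, or modified in transit
        seq = struct.unpack("!I", body[:4])[0]
        if seq in self.seen or seq <= self.highest - self.WINDOW:
            return None                      # replayed, or older than the window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.WINDOW}
        return body[4:]
```

A false control message that the unauthenticated receiver happily hands up is rejected by the authenticated receiver, as is a captured genuine packet that is played back.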

2.4 Internet Protocol Security (IPSec)

IP packets have no built-in security. Therefore nobody can assure that received IP packets are from the original sender, that the data is the original data, and that it was not modified by an unauthorized user during transmission from source to destination. IPSec is a technique for securing IP packets.

IPSec provides strong security which can be applied to all traffic sent through the public network. IPSec secures IP as well as upper layer protocols such as UDP (User Datagram Protocol) and TCP (Transmission Control Protocol). It is not a single protocol; in fact it is a suite of protocols. IPSec can secure data packets between two computers, between firewalls, between routers, and between a computer and a router.

IPSec consists of the following protocols:

Encapsulating Security Payload (ESP)

Authentication Header (AH)

Internet Security Association and Key Management Protocol (ISAKMP)

Internet Key Exchange (IKE)