I did this as a semester project for the course Engineering of Packet Switched Networks.
PROJECT PRESENTATION FOR
CE/CS 6345 ENGINEERING OF PACKET SWITCHED NETWORKS
SUBMITTED BY SHUBHAYU ROY.
Design of a VPN
The University of Texas at Dallas, Richardson, Texas.
The Problem Statement
Design a VPN
1. What is a VPN?
A VPN, or Virtual Private Network, is functionally equivalent to a Local Area Network.
But unlike a LAN, the hosts in a VPN are not connected locally on the same physical network (via a switch).
Instead they are scattered at possibly different locations and sites over the Internet.
Hence the LAN topology is simulated rather than actual; hence "Virtual" Private Network.
The Problem Statement
Design a VPN
Now that we have an idea of what a VPN is, we must delve into how to build one.
The Problem Statement
Design a VPN: Objectives
Providing a VPN service means:
Any application on a host of a VPN should be able to access the VPN.
This means that the OS, once it receives the packet from the application, should be able to forward it as it would to other LAN destinations.
Forward the packet to the corresponding network interface (similar to an actual network interface for wire transmission).
Any incoming packet from the VPN should reach the application via the OS when it arrives on the virtual interface.
The VPN packets must be available only to other hosts on the VPN.
The packets must be capable of travelling over the Internet, preferably in the form of IP packets.
Solution
Thus we see the need for a Virtual Interface.
Both the VPN and IP (which is used to route VPN packets over the Internet) are Layer 2 technologies.
We will need VPN packets to travel over the Internet to other VPN sites. This can happen over IP communication.
Hence we will need encapsulation and decapsulation of VPN packets to and from IP packets during transmission and reception.
Existing Technologies
There are many VPN clients available today. They are capable of simulating IP communications over a LAN.
There are, however, not many that provide generic support for the use of any network layer protocol rather than specifically IP: AppleTalk, Novell IPX, experimental protocols.
Our goal: include support for generic network layer protocols.
Innovation
In order to allow a generic network layer protocol to run on the Virtual Network, we need to free the users of the VLAN from sticking to any specific packet format.
In order for the Virtual LAN to function, the VPN client program on the clients needs:
• The virtual network address of the destination (provided by the program)
• The virtual network address of the source (known to the VPN client program)
Innovation
So how does the VPN client program know where the packet at hand is headed?
The VPN client program accepts as command line inputs the location and length in bits of the destID field in the otherwise unintelligible header. Smart.
It extracts the destID thus. The packet is public-key-encrypted using the destination's public key (keys are either stored or exchanged).
Regardless of where the packet is headed on the VLAN, the encapsulated IP datagram is always addressed to the central VPN server's public address.
However, a shim header is added for the server to understand. It contains: client VPNID, destination VPNID.
Innovation
When the VPN central server receives the IP datagram, it decapsulates it to find a VPN datagram = shim header + encrypted VPN packet.
Now what? The server queries its database with the destination VPNID (from the shim header) and uses it to retrieve the destination host's public IP address and port.
It uses this to send the packet to the destination.
It also sends this info back to the sending VPN program: the triplet <destVPNID, publicIP, port of the destination VPN client program>.
The sender stores these details in a cache data structure for subsequent sends to that host, and flushes it regularly.
Model
Packet from the VLAN sender host is encapsulated in an IP packet. The IP destination is initially that of the central server.
The server queries the database to get the public IP and port of the VPN destination host.
The encapsulated packet arrives at the destination host. This packet is decapsulated to get the VPN packet, which is then written by the VPN client program to the TUN interface.
IP datagram to the destination VPN host sent directly to the VPN destination.
Destination host info for caching.
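The addressing flow described in the Innovation and Model slides (extract destID from an opaque header at a configured bit offset, prepend the shim header, have the central server resolve destVPNID to public IP and port, and cache the returned triplet with periodic flushing) is shown below as an added example written for this page; it is not the project's own code. The shim header layout (two 16-bit VPNIDs), the sample packet, the database contents and the TTL are constructed assumptions, and the client and server are run in one process instead of over UDP so it executes offline. Payload encryption is left out; only addressing, lookup and caching are demonstrated.

```python
"""Added example: destID extraction, shim header, server lookup, client cache."""
import struct
import time

# Assumed shim layout: 16-bit client VPNID followed by 16-bit destination VPNID.
SHIM_FORMAT = "!HH"
SHIM_LEN = struct.calcsize(SHIM_FORMAT)


def extract_dest_id(packet: bytes, bit_offset: int, bit_length: int) -> int:
    """Read `bit_length` bits starting `bit_offset` bits into an opaque packet.

    No assumption about the header layout is made, which is what keeps the
    client protocol-agnostic. A field that lies beyond the packet end raises,
    so a truncated packet cannot produce a bogus destination.
    """
    total_bits = len(packet) * 8
    if bit_offset < 0 or bit_length <= 0 or bit_offset + bit_length > total_bits:
        raise ValueError("destID field outside packet bounds")
    value = int.from_bytes(packet, "big")
    shift = total_bits - bit_offset - bit_length
    return (value >> shift) & ((1 << bit_length) - 1)


def encapsulate(client_id: int, dest_id: int, vpn_packet: bytes) -> bytes:
    """Build the VPN datagram: shim header + (opaque) VPN packet."""
    return struct.pack(SHIM_FORMAT, client_id, dest_id) + vpn_packet


def decapsulate(datagram: bytes):
    """Split a VPN datagram into (client VPNID, destination VPNID, payload)."""
    if len(datagram) < SHIM_LEN:
        raise ValueError("datagram shorter than shim header")
    client_id, dest_id = struct.unpack(SHIM_FORMAT, datagram[:SHIM_LEN])
    return client_id, dest_id, datagram[SHIM_LEN:]


class CentralServer:
    """Holds the VPNID -> (public IP, port) database (contents are constructed)."""

    def __init__(self, database):
        self.db = dict(database)

    def handle(self, datagram: bytes):
        """Return ((public_ip, port), triplet) or None if the packet is dropped.

        The first element is where the datagram is relayed; the triplet
        <destVPNID, publicIP, port> is what the server returns to the sender
        for its cache. Unknown destinations and unregistered senders are dropped.
        """
        client_id, dest_id, _payload = decapsulate(datagram)
        entry = self.db.get(dest_id)
        if entry is None or client_id not in self.db:
            return None
        public_ip, port = entry
        return (public_ip, port), (dest_id, public_ip, port)


class ClientCache:
    """Cache of server replies with a TTL; `flush` is the periodic clean-up."""

    def __init__(self, ttl_seconds: float, now=time.monotonic):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.entries = {}  # dest_id -> (public_ip, port, expiry)

    def store(self, triplet):
        dest_id, public_ip, port = triplet
        self.entries[dest_id] = (public_ip, port, self.now() + self.ttl)

    def lookup(self, dest_id):
        """Return (public_ip, port) if cached and still fresh, else None."""
        entry = self.entries.get(dest_id)
        if entry is None:
            return None
        public_ip, port, expiry = entry
        if self.now() >= expiry:
            del self.entries[dest_id]
            return None
        return public_ip, port

    def flush(self) -> int:
        """Drop every expired entry; returns the number removed."""
        now = self.now()
        expired = [d for d, (_, _, exp) in self.entries.items() if now >= exp]
        for d in expired:
            del self.entries[d]
        return len(expired)


def next_hop(cache, server, client_id, packet, bit_offset, bit_length):
    """Decide where the client sends: a cached peer directly, or via the server.

    Returns (mode, target, dest_id) with mode in {"direct", "via-server", "dropped"}.
    """
    dest_id = extract_dest_id(packet, bit_offset, bit_length)
    cached = cache.lookup(dest_id)
    if cached is not None:
        return "direct", cached, dest_id
    result = server.handle(encapsulate(client_id, dest_id, packet))
    if result is None:
        return "dropped", None, dest_id
    target, triplet = result
    cache.store(triplet)  # remember the peer for subsequent sends
    return "via-server", target, dest_id


if __name__ == "__main__":
    # Constructed sample: destID occupies bits 4..11 of the opaque header (0xAB).
    server = CentralServer({1: ("203.0.113.5", 5000), 0xAB: ("198.51.100.7", 6000)})
    cache = ClientCache(ttl_seconds=30)
    pkt = bytes([0x1A, 0xB5, 0x00, 0x01])
    print(next_hop(cache, server, 1, pkt, 4, 8))  # first send goes via the server
    print(next_hop(cache, server, 1, pkt, 4, 8))  # second send uses the cache
```

The bounds check in `extract_dest_id` and the drop of datagrams from senders that are not in the database are the two defensive details worth keeping when the design is implemented for real: the first stops a short or malformed packet from being routed on garbage bits, the second keeps the central server from acting as an open relay for anyone who learns its address.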
Security
Public key security: augment the central database triplets into quadruplets.
The extra field is to store the public key of that host.
The VPN program encrypts the application data while sending, after extracting the destination VPNID.