With the growing popularity of networking, network security has become a hot topic. This paper analyzes tunneling technology from a security standpoint and makes recommendations on using tunneling technology to build VPNs under Linux.
A VPN is a network built on top of another network, and it has many advantages over a dedicated private network. In a VPN, packets are carried across a public routed network, such as the Internet or another commercial network, by means of so-called "tunnel" technology.
Here the dedicated "tunnel" resembles a point-to-point connection. This approach lets network traffic from many sources share the same infrastructure while remaining separated into distinct tunnels. Tunneling uses a point-to-point communication protocol rather than a switched connection, and the routed network delivers the encapsulated packets according to their outer addresses. Tunneling allows mobile users and other authorized users to reach the corporate network at any time.
Once a tunnel is established, it can be used to:
Direct data traffic to specific destinations
Hide private network addresses
Carry non-IP protocol packets over an IP network
Provide data security support
Assist with AAA (authentication, authorization and accounting) management of users
Tunneling technology fundamentals
Tunneling is a way of passing data between networks by using an internetwork. The data (or payload) carried through the tunnel may be frames or packets of a different protocol. The tunneling protocol encapsulates these frames or packets in a new header. The new header supplies the routing information that lets the encapsulated payload traverse the intervening internetwork.
The encapsulated packet is routed between the two tunnel endpoints over the public internetwork. The logical path that the encapsulated packet follows across the public internetwork is called the tunnel. Once it reaches the tunnel endpoint, the data is decapsulated and forwarded to its final destination. Note that tunneling refers to the whole process: encapsulation, transmission and decapsulation.
The transport network used by the tunnel can be any kind of public internetwork; the Internet, being in universal use today, is taken as the main example. A tunnel can also be created within an enterprise network. After a period of development and refinement, tunneling technologies include:
1. SNA tunneling over IP networks
When SNA traffic is carried across an enterprise IP network, the SNA data is encapsulated in UDP and IP headers.
2. Novell NetWare IPX tunneling over IP networks
When an IPX packet is sent to a NetWare server or IPX router, the server or router encapsulates the IPX packet in UDP and IP headers. The IP-to-IPX router at the other end removes the UDP and IP headers and forwards the packet to its IPX destination.
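The "protocol X over UDP/IP" encapsulation described for SNA and IPX above, written out as an added example (not code from the original article): the tunnel entry point wraps an opaque non-IP payload in a UDP header and an IPv4 header, and the tunnel exit validates both outer headers before handing the payload on. The UDP port number and the addresses are assumptions chosen for the example; the IPX-like payload is a constructed byte string.

```python
"""Generic "protocol X over UDP/IP" tunnel: encapsulate and decapsulate.

Added example: an opaque non-IP payload (stand-in for an IPX or SNA frame)
is wrapped in UDP and IPv4 headers so a plain IP network can route it to the
far tunnel endpoint, which strips both headers.  Addresses are from the
RFC 5737 documentation ranges; the tunnel port is a hypothetical choice.
"""
import socket
import struct

IPPROTO_UDP = 17
TUNNEL_PORT = 2000  # hypothetical UDP port for this tunnel, not an IANA assignment


def ip_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def encapsulate(inner: bytes, src: str, dst: str, port: int = TUNNEL_PORT) -> bytes:
    """Tunnel entry: prepend UDP and IPv4 headers to an opaque payload."""
    # UDP checksum 0 means "not computed", which IPv4 permits; the outer IP
    # header carries its own checksum.
    udp = struct.pack("!HHHH", port, port, 8 + len(inner), 0) + inner
    return build_ipv4_header(src, dst, len(udp), IPPROTO_UDP) + udp


def decapsulate(packet: bytes, port: int = TUNNEL_PORT) -> bytes:
    """Tunnel exit: validate the outer headers and return the inner payload.

    Raises ValueError instead of forwarding malformed input: a tunnel endpoint
    is reachable by anyone who can send to its UDP port.
    """
    if len(packet) < 28:
        raise ValueError("too short for IPv4 + UDP")
    ver_ihl, _, total_len, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not IPv4")
    if ip_checksum(packet[:ihl]) != 0:        # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    if total_len != len(packet):
        raise ValueError("IPv4 total length mismatch")
    if proto != IPPROTO_UDP:
        raise ValueError("outer protocol is not UDP")
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != port:
        raise ValueError("not addressed to the tunnel port")
    if udp_len != len(packet) - ihl:
        raise ValueError("UDP length mismatch")
    return packet[ihl + 8:]


def is_valid(packet: bytes, port: int = TUNNEL_PORT) -> bool:
    """True if decapsulate() would accept the packet."""
    try:
        decapsulate(packet, port)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ipx_like = b"\xff\xff\x00\x1e\x00\x04" + b"constructed IPX payload"  # constructed
    wire = encapsulate(ipx_like, "192.0.2.10", "198.51.100.20")
    print(len(wire), decapsulate(wire) == ipx_like)
```

Note that nothing here authenticates the outer packet: any host that can reach the tunnel port can inject payload into the private network, which is exactly the gap that the encrypting tunnel protocols described later close.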
In recent years some new tunneling technologies have emerged, and these are the main subject of this article. They include:
1. Point-to-Point Tunneling Protocol (PPTP)
PPTP allows IP, IPX or NetBEUI traffic to be encrypted and then encapsulated in an IP header for transmission across an enterprise IP network or a public internetwork.
2. Layer 2 Tunneling Protocol (L2TP)
L2TP allows IP, IPX or NetBEUI traffic to be encrypted and then transmitted over any network that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay or ATM.
3. IP Security (IPSec) tunnel mode
IPSec tunnel mode allows an IP payload to be encrypted and then encapsulated in an IP header for transmission across an enterprise IP network or a public IP internetwork such as the Internet.
Tunneling protocols
To create a tunnel, the tunnel client and the tunnel server must use the same tunneling protocol.
Tunneling can be based on Layer 2 or Layer 3 tunneling protocols, the layers being those of the Open Systems Interconnection (OSI) reference model. Layer 2 tunneling protocols correspond to the data link layer of the OSI model and use frames as their unit of exchange. PPTP, L2TP and L2F (Layer 2 Forwarding) are all Layer 2 tunneling protocols: each encapsulates its payload in a Point-to-Point Protocol (PPP) frame and sends that through the tunnel. Layer 3 tunneling protocols correspond to the network layer and use packets as their unit of exchange. IP over IP and IPSec tunnel mode are Layer 3 tunneling protocols: each carries an IP packet inside an additional IP header.
Point-to-Point Tunneling Protocol (PPTP)
PPTP provides encrypted communication between a PPTP client and a PPTP server. The PPTP client is a PC running the protocol, for example a Windows 95/98 machine with PPTP enabled; the PPTP server is a server running the protocol, for example a Windows NT server with PPTP enabled. PPTP is an extension of PPP and provides a way to establish multi-protocol communication over the Internet. Remote users can reach the company's private network through any ISP that supports PPTP.
With PPTP, users can reach the public IP network by dial-up. The dial-up user first dials the ISP's network access server (NAS) in the usual way and establishes a PPP connection; on top of that, the user performs a second "dial" to establish a connection to the PPTP server. This connection is called the PPTP tunnel. It is essentially a second PPP connection carried over IP, and the IP packets can carry data of multiple protocols, including TCP/IP, IPX and NetBEUI. PPTP uses RSA's RC4 stream cipher to protect the virtual connection channel; RC4 as used by PPTP is no longer considered adequate, so PPTP should not be relied on for confidentiality today. Users with a direct Internet connection do not need a PPP dial-up and can establish the virtual channel directly with the PPTP server. PPTP leaves the initiative for establishing the tunnel with the user, but the user then has to configure PPTP on their own PC, which adds to the user's workload and introduces hidden dangers for the network. In addition, PPTP supports only IP as its transport protocol.
Layer 2 Forwarding (L2F)
L2F is a tunneling technology proposed by Cisco. As a transport protocol, L2F lets a dial-up access server encapsulate the dial-up data stream in PPP and forward it to an L2F server (a router). The L2F server decapsulates the packets and re-injects them into the network. Unlike PPTP and L2TP, L2F has no acknowledgements. Note that L2F is only valid in compulsory tunnels (voluntary and compulsory tunnels are introduced under tunnel types).
Layer 2 Tunneling Protocol (L2TP)
L2TP is a typical passive tunneling protocol. It combines the advantages of L2F and PPTP and lets a VPN connection be initiated either from the client or from the access server. L2TP is an encapsulation protocol that carries link-layer PPP frames through the tunnel over transports such as IP, ATM and Frame Relay.
L2TP consists mainly of the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the client side of L2TP: it places and receives calls and establishes tunnels. The LNS is the termination point of all tunnels and terminates all PPP sessions. In a conventional PPP connection the endpoint of the user's dial-up connection is the LAC; with L2TP, the PPP endpoint is extended to the LNS.
The advantage of L2TP is its support for multiple protocols: users can keep their existing IPX, AppleTalk and other protocols, or their original IP addresses. L2TP also solves the problem of bundling multiple PPP links. PPP link bundling requires all member links to terminate on the same NAS (Network Access Server); with L2TP, PPP links that physically connect to different NASs can logically terminate on the same device. L2TP also supports tunnel authentication and provides error and flow control. L2TP uses IPsec to strengthen its security, adding packet authentication, encryption and key management, so L2TP/IPsec can give remote users a highly secure tunnel connection. This is a good solution for secure remote access and security gateways. A secure VPN therefore has to solve two different problems, and L2TP and IPsec address one each: L2TP solves the problem of carrying different user protocols across an IP network, and IPsec (the encryption/decryption protocol) solves the confidentiality of information carried over a public network.
On IP networks, L2TP uses UDP together with a series of L2TP control messages to maintain the tunnel. L2TP also uses UDP to send the L2TP-encapsulated PPP frames through the tunnel. The payload of the encapsulated PPP frame can be encrypted or compressed.
PPTP and L2TP
Both PPTP and L2TP use PPP encapsulation and then add further headers for transport across the internetwork. Although the two protocols are very similar, they differ in the following ways:
PPTP requires the internetwork to be an IP network. L2TP only requires a tunnel medium that provides packet-oriented point-to-point connectivity: L2TP can run over IP (using UDP), Frame Relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) or ATM VCs.
PPTP can establish only a single tunnel between two endpoints. L2TP supports multiple tunnels between the same two endpoints; with L2TP, a user can create different tunnels for different qualities of service.
L2TP supports header compression. With header compression enabled, L2TP operates with 4 bytes of overhead, compared with 6 bytes under PPTP.
L2TP supports tunnel authentication, which PPTP does not. However, when L2TP or PPTP is used together with IPsec, tunnel authentication can be provided by IPsec, so the Layer 2 protocol need not authenticate the tunnel itself.
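The L2TP-over-UDP header and the tunnel authentication mentioned above, as an added example (not code from the article or from any L2TP implementation). The header layout, flag bits, AVP format and message type numbers follow RFC 2661; the challenge response is the CHAP-style MD5 that RFC 2661 section 5.1.1 specifies, computed over one octet of message type, the shared secret and the challenge. The challenge value, the shared secret and the tunnel and session identifiers are constructed for the example.

```python
"""L2TP (RFC 2661) headers, AVPs and tunnel authentication over UDP port 1701.

Added example: build an SCCRQ control message carrying a Message Type AVP and
a Challenge AVP, parse it back, compute the Challenge Response the peer would
return, and round-trip a data message with and without the Length field.
"""
import hashlib
import struct

L2TP_VERSION = 2
FLAG_T = 0x8000   # 1 = control message, 0 = data message
FLAG_L = 0x4000   # Length field present
FLAG_S = 0x0800   # Ns/Nr sequence fields present
FLAG_O = 0x0200   # Offset Size field present (data messages only)

MSG_SCCRQ, MSG_SCCRP, MSG_SCCCN = 1, 2, 3
AVP_MESSAGE_TYPE, AVP_CHALLENGE, AVP_CHALLENGE_RESPONSE = 0, 11, 13


def build_avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """AVP = M bit + 10-bit length, Vendor ID 0 (IETF), Attribute Type, value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps) -> bytes:
    """Control messages must carry T, L and S (RFC 2661 3.1)."""
    body = b"".join(avps)
    flags = FLAG_T | FLAG_L | FLAG_S | L2TP_VERSION
    return struct.pack("!HHHHHH", flags, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def build_data_message(tunnel_id, session_id, ppp_frame: bytes, with_length=True) -> bytes:
    """Data message: 8-byte header with the Length field, 6 bytes without it."""
    hdr = struct.pack("!H", L2TP_VERSION | (FLAG_L if with_length else 0))
    if with_length:
        hdr += struct.pack("!H", 8 + len(ppp_frame))
    return hdr + struct.pack("!HH", tunnel_id, session_id) + ppp_frame


def parse_avps(payload: bytes) -> list:
    avps, pos = [], 0
    while pos < len(payload):
        if pos + 6 > len(payload):
            raise ValueError("truncated AVP header")
        first, vendor, attr = struct.unpack("!HHH", payload[pos:pos + 6])
        length = first & 0x03FF
        if length < 6 or pos + length > len(payload):
            raise ValueError("malformed AVP length")
        avps.append({"mandatory": bool(first & 0x8000), "hidden": bool(first & 0x4000),
                     "vendor": vendor, "type": attr, "value": payload[pos + 6:pos + length]})
        pos += length
    return avps


def parse_message(data: bytes) -> dict:
    """Parse one L2TP message; raises ValueError on anything RFC 2661 forbids."""
    if len(data) < 6:
        raise ValueError("too short")
    flags, = struct.unpack("!H", data[:2])
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not L2TP version 2")
    control = bool(flags & FLAG_T)
    if control and (not flags & FLAG_L or not flags & FLAG_S or flags & FLAG_O):
        raise ValueError("control message needs L and S set and O clear")
    pos, length = 2, len(data)
    if flags & FLAG_L:
        length, = struct.unpack("!H", data[pos:pos + 2]); pos += 2
        if length > len(data) or length < pos + 4:
            raise ValueError("bad Length field")
    tunnel_id, session_id = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
    if flags & FLAG_O:
        offset, = struct.unpack("!H", data[pos:pos + 2]); pos += 2 + offset
    payload = data[pos:length]
    msg = {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
           "ns": ns, "nr": nr, "payload": payload}
    if control:
        msg["avps"] = parse_avps(payload)
    return msg


def challenge_response(message_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 5.1.1: CHAP-style MD5(ID || secret || challenge), ID = message type."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


def demo() -> dict:
    challenge = bytes(range(16))                    # constructed; real peers use random bytes
    sccrq = build_control_message(0, 0, 0, 0, [
        build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ)),
        build_avp(AVP_CHALLENGE, challenge)])
    # The responder answers in an SCCRP, so the ID octet is MSG_SCCRP.
    response = challenge_response(MSG_SCCRP, b"shared-secret", challenge)
    return {"sccrq": sccrq, "parsed": parse_message(sccrq),
            "challenge": challenge, "response": response}


if __name__ == "__main__":
    print(demo()["parsed"])
```

The tunnel authentication here only proves knowledge of a shared secret at tunnel setup; it neither encrypts the PPP payload nor authenticates individual data messages, which is why the previous paragraph defers those to IPsec.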
IPSec tunnel mode
IPsec provides strong security processing at the IP layer: data origin authentication, connectionless data integrity, data confidentiality, anti-replay protection and limited traffic-flow confidentiality. Applications of all kinds can use the security services and key management provided at the IP layer without designing and implementing their own security mechanisms, which reduces the overhead of key negotiation and also reduces the likelihood of introducing security vulnerabilities. IPsec can be applied iteratively or recursively, and configured on routers, firewalls, hosts and communication links, to implement end-to-end security, virtual private networks (VPNs) and secure tunneling.
IPSec is a Layer 3 protocol standard that supports the secure transmission of data over IP networks. A detailed general introduction to IPSec is given in the "Advanced Security" section of this article; here only the aspect of IPSec that relates to tunneling protocols is discussed. Besides its encryption mechanisms for IP traffic, IPSec also defines a packet format for an IP-over-IP tunnel mode, generally referred to as IPSec tunnel mode. An IPSec tunnel consists of a tunnel client and a tunnel server, both configured for IPSec tunneling and using a negotiated encryption mechanism.
To achieve secure transmission over a private or public IP network, IPSec tunnel mode encapsulates and encrypts the entire IP packet. The encrypted payload is then wrapped in a plaintext IP header and sent across the network to the tunnel server. The tunnel server processes the received datagram, decrypts its contents and removes the outer header to recover the original payload IP packet, which is then processed normally and routed to its destination on the target network. IPSec tunnel mode has the following functions and limitations:
It supports IP traffic only.
It works at the bottom of the IP stack, so applications and higher-layer protocols inherit IPSec's behavior.
It is controlled by a security policy (a complete filter mechanism). The security policy establishes the encryption and tunneling mechanisms and the authentication methods in order of priority. When communication is required, the two machines authenticate each other and then negotiate which encryption to use. All subsequent traffic is encrypted with the mechanism the two parties negotiated and then encapsulated in the tunnel.
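The tunnel-mode encapsulation, the anti-replay service and the ordered security policy described in this section, as an added example that is not code from the article or from any IPsec implementation. The ESP packet layout (SPI, sequence number, payload, padding, pad length, next header, ICV) and the sliding anti-replay window follow RFC 4303; because the Python standard library has no AES, the confidentiality algorithm here is ESP-NULL (RFC 2410) with HMAC-SHA-256-128 integrity, so the layout stays visible. A real security association would use AES-GCM or AES-CBC with HMAC instead. The SPI, key, policy entries and the inner packet bytes are constructed for the example.

```python
"""IPsec ESP tunnel mode (RFC 4303) with ESP-NULL confidentiality (RFC 2410),
HMAC-SHA-256-128 integrity, the RFC 4303 anti-replay window and a minimal
ordered security policy.  Added example: the inner packet is a constructed
byte string standing in for a whole IPv4 datagram; the outer IP header that a
gateway would add around the ESP packet is omitted.
"""
import hashlib
import hmac
import ipaddress
import struct

NEXT_HEADER_IPV4 = 4   # tunnel mode: the ESP payload is a complete IPv4 packet
ICV_LEN = 16           # HMAC-SHA-256-128 truncates the 32-byte MAC to 16 bytes


class SecurityAssociation:
    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi = spi
        self.auth_key = auth_key
        self.seq_out = 0            # sender: last sequence number sent
        self.window = window        # receiver: anti-replay window, RFC 4303 default 64
        self.seq_highest = 0        # receiver: highest sequence number accepted
        self.bitmap = 0             # bit i set == seq (seq_highest - i) already seen

    def icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

    def replay_check_and_update(self, seq: int) -> bool:
        """Sliding window of RFC 4303 3.4.3; True and recorded if seq is new."""
        if seq == 0:
            return False                               # 0 is never a valid sequence number
        if seq > self.seq_highest:                     # right of the window: slide it
            shift = seq - self.seq_highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.seq_highest = seq
            return True
        diff = self.seq_highest - seq
        if diff >= self.window:
            return False                               # too old: left of the window
        if self.bitmap & (1 << diff):
            return False                               # already received: replay
        self.bitmap |= 1 << diff
        return True


def esp_encapsulate(sa: SecurityAssociation, inner_packet: bytes) -> bytes:
    """Tunnel entry: whole inner IP packet becomes the ESP payload."""
    if sa.seq_out >= 0xFFFFFFFE:
        raise RuntimeError("sequence number space exhausted: rekey the SA")
    sa.seq_out += 1
    # Pad so Pad Length and Next Header end on a 4-byte boundary (RFC 4303 2.4);
    # default padding bytes are 1, 2, 3, ... so the receiver can check them.
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = (struct.pack("!II", sa.spi, sa.seq_out) + inner_packet + padding
            + bytes([pad_len, NEXT_HEADER_IPV4]))   # ESP-NULL: payload stays as-is
    return body + sa.icv(body)                         # ICV covers SPI through Next Header


def esp_decapsulate(sa: SecurityAssociation, esp: bytes) -> bytes:
    """Tunnel exit: ICV first, then replay window, then strip ESP."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    # Verify integrity before touching the replay window so that forged
    # packets can never advance it or mark sequence numbers as seen.
    if not hmac.compare_digest(sa.icv(body), icv):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    if not sa.replay_check_and_update(seq):
        raise ValueError("replayed or stale sequence number")
    pad_len, next_header = body[-2], body[-1]
    if next_header != NEXT_HEADER_IPV4 or 8 + pad_len + 2 > len(body):
        raise ValueError("bad trailer")
    if body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return body[8:-2 - pad_len]


def accept(sa: SecurityAssociation, esp: bytes) -> bool:
    try:
        esp_decapsulate(sa, esp)
        return True
    except ValueError:
        return False


# Ordered policy, first match wins: protect traffic for the private network
# (constructed 10.1.0.0/16), discard everything else.
POLICY = [(ipaddress.ip_network("10.1.0.0/16"), "protect"),
          (ipaddress.ip_network("0.0.0.0/0"), "discard")]


def lookup_policy(inner_dst: str) -> str:
    addr = ipaddress.ip_address(inner_dst)
    for net, action in POLICY:
        if addr in net:
            return action
    return "discard"
```

Two details matter in practice: the sequence number is checked only after the ICV verifies, so an attacker cannot poison the window, and a replayed copy of an already accepted packet is rejected even though its ICV is valid. Rekeying before the 32-bit sequence number wraps is mandatory; extended sequence numbers (RFC 4303 section 2.2.1) are the usual fix for high-throughput links.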