Virtual Private WL040/Bidgolio-Vol I WL040-Sample.cls August 14, 2003 17:53 Char Count= 0
586 VIRTUAL PRIVATE NETWORKS: INTERNET PROTOCOL (IP) BASED
[Figure 8: Pure IP-distributed VPN design. Labels in the figure: ISP A, ISP B, ISP C; a router (R) and security gateway (SG) at each site; NAS; RADIUS; Web Server; Extranet Data; Remote, Dial-in Users.]
squares showing the hub–hub tunnels. As with the VC
overlay approach, adding a new site to a full mesh re-
quires configuration of a tunnel to every other site. Fur-
thermore, if the enterprise does not use globally unique,
routable IP addresses, the CE devices may also include
network address translation functions. When a single ISP
provides the network for an IP-based VPN, then guaran-
tees on quality and performance are feasible. Beware of
an IP-based VPN built on top of the public Internet using
services provided by several ISPs: It may not provide the
quality necessary for telephone-grade voice or multimedia
applications.
The IETF designed the IPsec protocol suite to address
the known issues involved with achieving secure commu-
nications over the Internet (McDysan, 2000). It reduces
the threat of attacks based on IP address spoofing and
provides a standardized means for ensuring data integrity,
authenticating a data source, and guaranteeing confiden-
tiality of information. Furthermore, it tackles the complex
problem of key management head on. When a public key
management infrastructure is used, the Internet can be
trusted based upon this set of standards. IPsec will play
an important role not only in enterprise VPNs, but also
in electronic commerce and in secure individual end user
communication.
IPsec refers to a suite of three interrelated security pro-
tocols implemented by modification to, or augmentation
of, an IP packet in conjunction with an infrastructure that
supports key distribution and management. An interre-
lated set of Request for Comments (RFCs) published by
the IETF specifies the details of IPsec. RFC 2401 (Kent
and Atkinson, 1998) describes the overall IP security ar-
chitecture, whereas RFC 2411 (Thayer et al., 1998) gives
an overview of the IPsec protocol suite and the docu-
ments that describe it. Three protocols make up IPsec,
with the names identifying the function performed. The
two primary protocols involved in the transfer of data are
called the authentication header (AH) and the encapsu-
lating security payload (ESP). The AH protocol provides
source authentication and data integrity verification us-
ing a header field, but it does not provide confidentiality.
AH also supports an optional mechanism to prevent re-
play attacks. The ESP protocol uses both a header and a
trailer field to provide confidentiality via encryption. ESP
may also provide data integrity verification, source au-
thentication, and an antireplay service. Because both the
AH and the ESP protocols utilize cryptographic methods,
secure distribution and management of keys is a funda-
mental requirement. IPsec specifies that key management
may be manual or automatic. The automatic key man-
agement protocol specified for IPsec is called Internet key
exchange and involves the mechanism for creating a secu-
rity association (SA) between a source and a destination
for the AH and ESP protocols.
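The antireplay service mentioned for AH and ESP is a per-SA check on the sequence number carried in each header. The following added Python model (not from the chapter) implements the receiver-side sliding window described in RFC 2401, Appendix C; the window size of 64 and the verdict strings are assumptions made for illustration.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check for one inbound SA (RFC 2401, Appendix C).

    Every AH/ESP packet on an SA carries a 32-bit sequence number that the
    sender increments monotonically. The receiver keeps the highest number
    accepted so far plus a bitmap recording which of the preceding `size`
    numbers have already arrived, so duplicates and stale packets can be
    dropped before any cryptographic work is done.
    """

    def __init__(self, size=64):          # 64 is an assumed window size
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit k set => sequence (highest - k) already seen

    def check(self, seq):
        """Classify an incoming sequence number without touching the state."""
        if seq == 0:
            return "invalid"            # 0 is never transmitted on an SA
        if seq > self.highest:
            return "ok"                 # new high-water mark
        offset = self.highest - seq
        if offset >= self.size:
            return "stale"              # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return "replay"             # already received inside the window
        return "ok"

    def update(self, seq):
        """Record an accepted sequence number (call only after the ICV verified)."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def process(self, seq, icv_valid):
        """Inbound order of operations: replay check, then integrity check,
        then window update. A forged packet with a bad ICV must never be
        allowed to advance the window."""
        verdict = self.check(seq)
        if verdict != "ok":
            return verdict
        if not icv_valid:
            return "bad-icv"
        self.update(seq)
        return "accepted"
```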
The AH and ESP protocols operate in either transport
or tunnel mode, as defined by the parameters of an SA.
In transport mode, they provide security by creating com-
ponents of the IPsec header at the same time the source
generates other IP header information. This means that
transport mode can operate only between host systems.
In tunnel mode, IPsec creates a new IP packet, which con-
tains the IPsec components and encapsulates the original
unsecured packet. Because tunnel mode does not modify
the original packet contents, it can be implemented using
hardware or software located at an intermediate security
gateway (SG) in the path between the source and destination systems.
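To make the transport/tunnel distinction concrete, this added Python example (not from the chapter) frames the same original IPv4 packet with ESP in both modes: transport mode keeps the original header and protects only its payload, while tunnel mode wraps the entire original packet behind a new outer header addressed between two security gateways. The addresses, SPI values, and the omission of encryption and the ICV are assumptions made so the byte layout stays readable.

```python
import struct

ESP_PROTO = 50          # IP protocol number for ESP

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; a real stack fills it in)."""
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_frame(spi, seq, plaintext, next_header):
    """ESP header (SPI, sequence) + payload + trailer (padding, pad length, next header).
    Encryption and the trailing ICV are omitted here (assumption): the point is
    which bytes each mode puts inside the ESP envelope."""
    pad_len = (-(len(plaintext) + 2)) % 4          # align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + plaintext + trailer

def transport_mode(orig_pkt, spi, seq):
    """Host-to-host: keep the original IP header, protect only its payload."""
    hdr, payload = orig_pkt[:20], orig_pkt[20:]
    esp = esp_frame(spi, seq, payload, next_header=hdr[9])   # original protocol
    new_hdr = bytearray(hdr)
    new_hdr[9] = ESP_PROTO                                    # header now says ESP
    struct.pack_into("!H", new_hdr, 2, 20 + len(esp))         # fix total length
    return bytes(new_hdr) + esp

def tunnel_mode(orig_pkt, spi, seq, sg_src, sg_dst):
    """Gateway-to-gateway: the whole original packet, header included, becomes
    the ESP payload behind a new outer header between the two SGs."""
    esp = esp_frame(spi, seq, orig_pkt, next_header=4)       # 4 = IP-in-IP
    return ipv4_header(sg_src, sg_dst, ESP_PROTO, len(esp)) + esp

def outer_addresses(pkt):
    """Return (src, dst, protocol) from the outermost IPv4 header."""
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, pkt[9]

if __name__ == "__main__":
    # Constructed sample: a 12-byte UDP payload between two private hosts.
    orig = ipv4_header("10.1.0.5", "10.2.0.9", 17, 12) + b"hello, world"
    print(outer_addresses(transport_mode(orig, 0x100, 1)))          # host addresses
    print(outer_addresses(tunnel_mode(orig, 0x200, 1, "203.0.113.1", "198.51.100.1")))
```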
Figure 8 illustrates a pure IP-based VPN design that
has a cost structure essentially independent of the traf-
fic pattern. Here, every site has a firewall and security
gateway, so any site may directly access the Internet or
any other site. In addition, we show a network access
server (NAS), remote authentication dial-in user service
(RADIUS) server, Web server, and extranet database lo-
cated at three separate sites. Dial-in users are secured us-
ing the RADIUS server and the SG. This design also re-
duces access costs because traffic for the Internet need
not traverse a firewall at a headquarters site, as shown in
the hierarchical example above. Sites may also be dual-
homed to different ISPs or to different sites within the
same ISP for resiliency purposes, as necessary. This de-
sign is better suited to extranet applications and electronic
commerce because communication via the public Inter-
net is more interoperable and rapidly deployable than any
other communication service.
PROVIDER-EDGE-BASED LAYER 3
VIRTUAL PRIVATE NETWORKS
A PE-based VPN is one in which PE devices in the service
provider network provide the partitioning of forwarding
and routing information to only those (parts of) sites that
are members of a specific intranet or extranet. This allows