virtual private networking

Virtual Private Networking, G. Held, 2004, John Wiley & Sons, Ltd. ISBN: 0-470-85432-4

Books by Gilbert Held, published by Wiley

Securing Wireless LANs, 0470851279 (September 2003)
Ethernet Networks, 4th Edition, 0470844760 (September 2002)
Quality of Service in a Cisco Networking Environment, 0470844256 (April 2002)
Bulletproofing TCP/IP-Based Windows NT/2000 Networks, 0471495077 (April 2001)
Understanding Data Communications: From Fundamentals to Networking, 3rd Edition, 0471627453 (October 2000)
High Speed Digital Transmission Networking: Covering T/E-Carrier Multiplexing, SONET and SDH, 2nd Edition, 0471983586 (April 1999)
Data Communications Networking Devices: Operation, Utilization and LAN and WAN Internetworking, 4th Edition, 047197515X (November 1998)
Dictionary of Communications Technology: Terms, Definitions and Abbreviations, 3rd Edition, 0471975176 (May 1998)
Internetworking LANs and WANs: Concepts, Techniques and Methods, 2nd Edition, 0471975141 (May 1998)
LAN Management with SNMP and RMON, 0471147362 (September 1996)

virtual private networking
A Construction, Operation and Utilization Guide

GILBERT HELD
4-Degree Consulting, Macon, Georgia, USA

Copyright 2004 John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England
Telephone (+44) 1243 779777
Email (for orders and customer service enquiries): [email protected]
Visit our Home Page on www.wileyeurope.com or www.wiley.com

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher should be addressed to the Permissions Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to [email protected], or faxed to (+44) 1243 770620.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Other Wiley Editorial Offices

John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA
Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA
Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany
John Wiley & Sons Australia Ltd, 33 Park Road, Milton, Queensland 4064, Australia
John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809
John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada M9W 1L1

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

ISBN 0-470-85432-4

Typeset in 10.5/13pt Melior by Laserwords Private Limited, Chennai, India
Printed and bound in Great Britain by Biddles Ltd, Kings Lynn, Norfolk
This book is printed on acid-free paper responsibly manufactured from sustainable forestry in which at least two trees are planted for each one used for paper production.

For longer than I care to admit I have been blessed with the opportunity to teach graduate school at Georgia College and State University. In doing so I am able to teach as well as learn from my students, a situation which has been extremely helpful for tailoring lectures and writing books and articles. In recognition of their indirect assistance, this book is dedicated to my students.
contents

Preface xiii
Acknowledgements xv

Chapter 1 Introduction to Virtual Private Networking 1
1.1 The VPN Concept 1
1.1.1 Definition 1
1.1.2 Types of VPNs 2
1.1.3 Categories of VPNs 4
1.1.4 Infrastructure 8
1.1.5 Benefits of Use 9
1.1.6 Disadvantages of VPNs 12
1.1.7 VPN Protocols 14
1.1.8 Summary 17
1.1.9 Alternatives to VPNs 18
1.1.10 Economic Issues 19
1.1.11 Other Alternatives 20
1.2 Book Preview 20
1.2.1 Understanding Authentication and Cryptology 21
1.2.2 Understanding the TCP/IP Protocol Suite 21
1.2.3 Layer 2 VPN Techniques 21
1.2.4 Higher Layer VPNs 22
1.2.5 VPN Hardware and Software 22
1.2.6 Service Provider-Based VPNs 22

Chapter 2 Understanding Authentication and Encryption 23
2.1 Authentication 23
2.1.1 Password Authentication Protocol 24
2.1.2 Challenge-Handshake Authentication Protocol 27
2.1.3 Extensible Authentication Protocol – Transport Level Security 30
2.1.4 Token Authentication 30
2.2 Encryption 31
2.2.1 General Method of Operation 31
2.2.2 Private versus Public Key Systems 33
2.2.3 Public Key Encryption 34
2.2.4 The RSA Algorithm 35
2.2.5 Digital Certificates 40
2.2.6 Hashing and Digital Signatures 49

Chapter 3 Understanding the TCP/IP Protocol Suite 53
3.1 Frame Formation 53
3.1.1 Header Sequencing 54
3.1.2 Segments and Datagrams 54
3.1.3 ICMP Messages 55
3.1.4 On the LAN 56
3.1.5 Data Flow Control Fields 56
3.2 The Network Layer 57
3.2.1 The IPv4 Header 57
3.2.2 Subnetting 61
3.2.3 The Subnet Mask 63
3.2.4 The Wildcard Mask 63
3.2.5 ICMP 65
3.3 The Transport Layer 69
3.3.1 Transport Layer Protocols 69
3.3.2 The TCP Header 69
3.3.3 The UDP Header 70
3.3.4 Source and Destination Port Fields 71
3.4 Proxy Services and Network Address Translation 73
3.4.1 Proxy Service 73
3.4.2 Network Address Translation 74
3.4.3 Types of Address Translation 75
3.4.4 VPN Considerations 76

Chapter 4 Layer 2 Operations 79
4.1 The Point-to-Point Protocol 79
4.1.1 Components 79
4.1.2 PPP Encapsulation 80
4.1.3 Link Control Protocol Operations 83
4.1.4 Multilink PPP 89
4.2 Point-to-Point Tunneling Protocol 90
4.2.1 Implementation Models 90
4.2.2 Networking Functions 93
4.2.3 Establishing the PPTP Tunnel 95
4.2.4 PPTP Encapsulated Packets 95
4.2.5 The PPTP Control Connection Packet 96
4.2.6 Control Connection Protocol Operation 111
4.2.7 PPTP Data Tunneling 112
4.3 Layer Two Forwarding 115
4.3.1 Evolution 115
4.3.2 Operation 115
4.3.3 The L2F Packet Format 116
4.3.4 Tunnel Operations 118
4.3.5 Management Messages 119
4.4 Layer Two Tunneling Protocol 119
4.4.1 Overview 120
4.4.2 Architectural Models 120
4.4.3 The L2TP Packet Format 121
4.4.4 Control Messages 124
4.4.5 Protocol Operations 127

Chapter 5 Higher Layer VPNs 133
5.1 Understanding IPSec 133
5.1.1 Overview 134
5.1.2 Topologies Supported 134
5.1.3 Specifying Session Parameters 135
5.1.4 The SPI 137
5.1.5 Protocols 137
5.1.6 Authentication Header 139
5.1.7 Encapsulating Security Payload 142
5.1.8 Operations 146
5.1.9 Key Management 152
5.2 Working with IPSec 157
5.2.1 Configuring IPSec Policies 157
5.2.2 Adding the IPSec Snap-in 158
5.2.3 Creating an IPSec Policy 161
5.2.4 Working with IPSec Filters 172
5.3 SSL and TLS 187
5.3.1 Rationale for SSL 187
5.3.2 Overview of SSL 188
5.3.3 SSL Operation 190
5.3.4 Message Exchange 190
5.3.5 Cipher Suites 194
5.3.6 The Netilla Security Platform 197
5.3.7 Summary 201

Chapter 6 VPN Hardware and Software 203
6.1 Using the Asante VPN Security Router 203
6.1.1 Overview 204
6.1.2 Configuration Access 204
6.1.3 Wireless Considerations 205
6.1.4 VPN Operations 209
6.1.5 Client-to-Network 215
6.2 Windows VPN Software 216
6.2.1 Using a Windows XP Client 217
6.2.2 Creating the VPN 217
6.3 Working with Windows 2000 Server 233
6.3.1 Installing RRAS 234
6.3.2 Enabling RRAS 234
6.3.3 Configuring RRAS 239
6.3.4 Creating a Test Account 254
6.3.5 Testing the Connection 256

Chapter 7 Service Provider-Based VPNs 261
7.1 Rationale for Use 262
7.1.1 Economics 262
7.1.2 Personnel Limitations 263
7.1.3 Reliability 264
7.1.4 Communications Unity 265
7.1.5 Management 266
7.1.6 Installation and Support 266
7.1.7 Packaged Security 267
7.2 Transport Facilities and VPN Operation 267
7.2.1 Hardware-Based Switching 268
7.2.2 Software-Based Switching 269
7.3 Service Level Agreements 271
7.3.1 SLA Metrics 271
7.3.2 SLA Limitations 275
7.4 VPN Service Provider Overview 276
7.4.1 AT&T Corporation 277
7.4.2 Level 3 Communications 279
7.4.3 Sprint 279
7.4.4 Verizon 280

Appendix A VPN Checklist 283
Index 287