network access for remote users dr john s. graham ulcc

Network Access for Remote Users Dr John S. Graham

ULCCj.graham@ulcc.ac.uk

Review of Technologies• Remote Site

– Private Leased Lines• Kilostream or Megastream Circuits• LES

– ISDN– EPS9– ISP

• Remote User– Private Dialup Service– ISP

Site-to-Site Private Infrastructure

Traditional Dialup Service

High CostsSupport BurdenLimited to 56K Analogue DialupLimited Service

Security Guaranteed

Virtual Private Network

Highly Flexible SolutionUses Existing Infrastructure

Complex Security Issues

VPN Roadmap

Tunnelling

Sym metric Asymm etric

Encryption

Endpoints Data User

Authentication IP Framew ork

Tunnelling Methods• Layer III

– GRE– IPSec

• Layer II– L2F– PPTP– L2TP

Layer 3 Tunnelling (GRE)

TCPIP DataGREIP

TCPIP Data

passenger protocol

encapsulating protocol

carrier protocol

Tunnelling In Action

IP GRE TCPIP Data

Source 62.49.38.138Destination

192.168.17.26194.82.103.186

IP GRE TCPIP Data

192.168.17.26

Layer 2 Tunnelling (L2TP)

TCPIP DataL2TPUDPIP PPP

TCPIP DataL2TPUDPIP PPPESP ESP

L2TP + IPSec

TCPIP DataPPP

Layer 2 Tunnelling Modes

Compulsory L2 Tunnelling

Voluntary L2 Tunnelling

Authentication• Peer Identity

– Shared Secret– Digital Certificate

• Data Integrity– Digital Signatures

• User Identity– Kerberos– RADIUS

IP Security (IPSec)• Protocols

– Authentication Header– Encapsulating Security Payload– Internet Key Exchange

• Modes– Tunnel– Transport

IPSec Protocols

Sequence Number

Authentication Data

NextHeader

PayloadLength Reserved

Sequence Number

Authentication Data

NextHeader

PadLengthPad

Authentication Header (51) Encapsulating Security Protocol (50)

IPSec ModesTunnel Mode

Transport Mode

IP AH/ESP TCPIP Data

AH/ESP TCPIP Data

Equipment at Remote Site

• ‘Wires Only’ ADSL Connection– One Static IP Address

• Splitter• Cisco 827H Router

– Ethernet hub (4 ports) plus ATM port

Customer Installation

Router Configuration

Routing Table

NAT IPSec

Tunnel

Dialer

Ethernet

IPSec Followed by NAT• Immutable fields of outer IP header

included in AH protocol’s ICV data.• Transport mode IPSec renders

TCP/UDP checksums invalid.• Multiple incompatibilities between

SA parameters and NAT.

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt

Fragmentation Hell

http://www.ja.net/documents/

network access for remote users dr john s. graham ulcc

Documents

remote-sensing and biodiversity in a changing climate...

ulcc e-ilp focus group

sébastien françois, eprints lead developer eprints...

maharauk 09 - james and philip, ulcc - let's get personal

combining remote sensing and biological data to predict the...

ulcc moodle user group (he) july 2014

collaboration and innovation: ulcc and leap by richard davis

ulcc (415 m)

ulcc moodle user group - march 2015

people chris bligh sonia graham of bligh graham architects

ulcc moodle user group (fe) july 2014

daniel j. graham, ph.d. - colorado state...

data stream algorithms frequency moments graham cormode...

success despite headwinds - airtap€¦ · success despite...

the billy graham library - static.billygraham.org ·...

problématique de la corruption -...

ulcc moodle user group (he) 25.03.14

ulcc moodle user group (he) 18.12.13

philip butler from ulcc @ fote2008

superjanet4 update roland trice, ulcc superjanet4 rollout...