Network Access for Remote Users

Presentation Transcript


  1. Network Access for Remote Users Dr John S. Graham ULCC j.graham@ulcc.ac.uk

  2. Review of Technologies
     • Remote Site
        • Private Leased Lines
        • Kilostream or Megastream Circuits
        • LES
        • ISDN
        • EPS9
        • ISP
     • Remote User
        • Private Dialup Service
        • ISP

  3. Site-to-Site Private Infrastructure

  4. Traditional Dialup Service
     • High Costs
     • Support Burden
     • Limited to 56K Analogue Dialup
     • Limited Service
     • Security Guaranteed

  5. Virtual Private Network
     • Highly Flexible Solution
     • Uses Existing Infrastructure
     • Complex Security Issues

  6. VPN Roadmap

  7. Tunnelling Methods
     • Layer III
        • GRE
        • IPSec
     • Layer II
        • L2F
        • PPTP
        • L2TP

  8. Layer 3 Tunnelling (GRE) (diagram)
     • Original packet: IP | TCP | Data
     • Encapsulated packet: IP | GRE | IP | TCP | Data
     • Labels: passenger protocol (inner IP/TCP/Data), encapsulating protocol (GRE), carrier protocol (outer IP)

  9. Tunnelling In Action (diagram: IP | GRE | IP | TCP | Data packets in flight; addresses shown are 194.82.103.186 and 192.168.17.26)

  10. Layer 2 Tunnelling (L2TP) (diagram)
     • PPP frame: PPP | IP | TCP | Data
     • L2TP: IP | UDP | L2TP | PPP | IP | TCP | Data
     • L2TP + IPSec: IP | ESP | UDP | L2TP | PPP | IP | TCP | Data | ESP

  11. Layer 2 Tunnelling Modes
     • Compulsory L2 Tunnelling
     • Voluntary L2 Tunnelling

  12. Authentication
     • Peer Identity
        • Shared Secret
        • Digital Certificate
     • Data Integrity
        • Digital Signatures
     • User Identity
        • Kerberos
        • RADIUS

  13. IP Security (IPSec)
     • Protocols
        • Authentication Header
        • Encapsulating Security Payload
        • Internet Key Exchange
     • Modes
        • Tunnel
        • Transport

  14. IPSec Protocols (header layouts)
     • Authentication Header (51): Next Header, Payload Length, Reserved, SPI, Sequence Number, Authentication Data
     • Encapsulating Security Payload (50): SPI, Sequence Number, IV, Data, Pad, Pad Length, Next Header, Authentication Data

  15. IPSec Modes (diagram)
     • Tunnel Mode: IP | AH/ESP | IP | TCP | Data
     • Transport Mode: IP | AH/ESP | TCP | Data

  16. Equipment at Remote Site
     • ‘Wires Only’ ADSL Connection
     • One Static IP Address
     • Splitter
     • Cisco 827H Router
     • Ethernet hub (4 ports) plus ATM port

  17. Customer Installation

  18. Router Configuration (diagram: Ethernet, Routing Table, Tunnel, NAT, IPSec and Dialer blocks, with paths labelled A1, A2 and B1, B2, B3)

  19. IPSec Followed by NAT
     • Immutable fields of the outer IP header are included in the AH protocol’s ICV data.
     • Transport mode IPSec renders TCP/UDP checksums invalid.
     • Multiple incompatibilities between SA parameters and NAT.
     • http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt
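The first two points on this slide, worked through in Python as an added example that is not part of the presentation: the TCP checksum is computed over a pseudo-header containing both addresses, and a simplified AH ICV (assumed here to be a keyed MAC over the two addresses and the payload, not full RFC 2402 processing) covers the outer addresses, so a NAT hop that rewrites the source address breaks both. The addresses come from slide 9; the server address, the key and the TCP segment are constructed.

```python
import hashlib
import hmac
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    # The TCP checksum covers a pseudo-header holding both IP addresses.
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return inet_checksum(pseudo + segment)

def ah_icv(key: bytes, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    # Simplified AH ICV (assumption): keyed MAC over the immutable outer-header
    # fields, represented here by the two addresses, plus the payload.
    return hmac.new(key, socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload, hashlib.sha256).digest()

def build_packet(src_ip: str, dst_ip: str, segment_no_csum: bytes, key: bytes) -> dict:
    csum = tcp_checksum(src_ip, dst_ip, segment_no_csum)
    segment = segment_no_csum[:16] + struct.pack("!H", csum) + segment_no_csum[18:]  # checksum field at offset 16
    return {"src": src_ip, "dst": dst_ip, "tcp": segment, "icv": ah_icv(key, src_ip, dst_ip, segment)}

def tcp_checksum_ok(pkt: dict) -> bool:
    return tcp_checksum(pkt["src"], pkt["dst"], pkt["tcp"]) == 0

def ah_icv_ok(pkt: dict, key: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, pkt["src"], pkt["dst"], pkt["tcp"]), pkt["icv"])

def nat_source(pkt: dict, public_ip: str) -> dict:
    # NAT rewrites only the outer source address: under ESP transport mode the TCP
    # checksum sits inside the encrypted payload, and NAT has no SA key for the ICV.
    return {**pkt, "src": public_ip}

KEY = b"constructed-demo-key"  # constructed; not a real SA key
INSIDE, PUBLIC, SERVER = "192.168.17.26", "194.82.103.186", "198.51.100.10"  # slide 9 addresses; server constructed
# Constructed TCP SYN: sport 40000, dport 80, seq 1, ack 0, data offset 5, SYN, window 8192, checksum 0, urgent 0
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def demo() -> dict:
    inner = build_packet(INSIDE, SERVER, TCP_SYN, KEY)  # as the IPSec endpoint emitted it
    natted = nat_source(inner, PUBLIC)                   # after the NAT hop
    return {"before_nat": (tcp_checksum_ok(inner), ah_icv_ok(inner, KEY)),
            "after_nat": (tcp_checksum_ok(natted), ah_icv_ok(natted, KEY))}
```

`demo()` returns `(True, True)` before NAT and `(False, False)` after it, which is why the slide's remedy is to apply NAT before IPSec or to tunnel the traffic instead.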

  20. Fragmentation Hell

  21. http://www.ja.net/documents/