NSysS 2017. Department of CSE, BUET. 5-8 January, 2017

Application Specific Tunneling Protocol Selection for Virtual Private Networks

Sohety Jahan, Md. Saifur Rahman, Sajeeb Saha
Department of Computer Science and Engineering, Jagannath University, Dhaka, Bangladesh
Email: [email protected], [email protected], [email protected]

Abstract: The application scope of VPN is increasing day by day as organizations create private networks over the public Internet using VPN tunneling instead of leased lines. VPN protocols are classified into site-to-site and remote access VPN, which exhibit different sets of characteristics in terms of security mechanism. But there is no VPN preference based on the organizational application requirements. In this paper, different VPN tunneling protocols, namely GRE, IPSec, PPTP and L2TP with IPSec, are analyzed to measure the performance in terms of throughput, RTT, jitter and security parameters. The results exhibit that GRE is preferable for delay-sensitive and bandwidth-sensitive applications in the context of site-to-site VPN, and that L2TP is more effective than PPTP for remote access VPN.

Index terms: VPN protocol, VPN selection, VPN performance, remote access VPN, site to site VPN, Tunneling protocol.

I. INTRODUCTION

The evolution of the world's e-business raises the demand for reliable communication. For secure communication, most organizations use the traditional leased line method to connect remote users or offices. But the main problem with a private leased line is that it is not cheap to plan and deploy, and it takes a large amount of time to install and activate. Modern organizations want to use communication techniques that are comparatively inexpensive and more reliable. These aspects introduce alternative secure and private communication mechanisms like the Virtual Private Network (VPN). A VPN exploits public network infrastructure such as the Internet to send and receive data, but ensures a secure communication path for reliable data transmission between sender and receiver. VPN technologies play a vital role in various communication environments such as businesses, military organizations, educational institutes and even individuals [1] [2]. In the modern digitalized educational system, the cost effectiveness and security of on-line exams and remote teaching-learning can be ensured by VPN. VPN expands remote learning by delivering various courses and resources through virtual classrooms [3] [4]. Based on the deployment methodology, VPN tunneling protocols are categorized as site-to-site access VPN (SSL, GRE, IPSec) and remote access VPN (PPTP, L2TP, MPLS) [5] [6]. Statistics show that 63% of companies use site-to-site VPN to connect their branch offices, whereas 90% of working employees and 79% of traveling employees use remote access VPN to communicate with the head office [7]. SSL is a web-browser-based VPN technique that has security weaknesses, poor performance under high load and does not support non-Windows OS [8] [9]. MPLS VPN is cumbersome to set up, mostly dependent on the Internet Service Provider (ISP), and used for large applications [10]. On the other hand, protocols like GRE, IPSec, PPTP and L2TP with IPSec are cheaper, and easier to configure and maintain, than the others.

Different types of systems want to use VPN tunneling mechanisms, but the system requirements of each application are different. Hence, ascertaining a suitable VPN tunneling technique according to an application's requirements is a challenging task. Numerous studies have been done so far to identify the characteristics of VPN in different circumstances. In [11], Paul Knight and Chris Lewis classify Virtual Private Network services based on the OSI layer, such as layer 2 and layer 3. The work analyzes the architecture and solutions of Layer two VPN and Layer three VPN. Thomas Berger [5] attempts to analyze the currently most popular VPN technologies. The interaction of common VPN protocols like PPTP, L2TP and IPSec with the new phion VPN is tested to find out the advantages and disadvantages of the protocols. Ahmed A. Jaha et al. in [6] try to find a new VPN protocol using various metrics of the existing common VPN protocols. In that work, the authors classified VPNs as Secure or Trusted VPNs, Client-based or Web-based VPNs, Customer Edge-based or Provider Edge-based VPNs, and Outsourced or In-house VPNs. A trade-off between scalability and security in VPN technology is presented in [12]. Muhammad Hafiz et al. in [13] made a comparative analysis of IPSec VPN. Different cryptographic algorithms like AES 256, 3DES, SHA-1 and MD5 with varied file sizes are applied on IPSec VPN on the Windows Vista OS to obtain comparative performance.

All the above works analyze and classify the existing protocols to propose new VPN protocols, but none of them focuses on organizational application requirements. As different organizations run different types of applications, their VPN requirements are also diverse. In this work, two site-to-site (GRE and IPSec) and two remote access (PPTP and L2TP) VPN protocols are analyzed based on various organizational application requirements. The performance of the protocols is measured in terms of throughput, RTT, jitter and security mechanism. The results exhibit that, for site-to-site, GRE is suitable for time-sensitive and bandwidth-sensitive applications, whereas IPSec is more applicable for security-sensitive applications. Similarly, for remote access, L2TP is preferable to PPTP and applicable for bandwidth-sensitive, time-sensitive and security-sensitive applications. The remainder of the paper is organized as follows. Section II contains a study of the intended tunneling protocols, and an example problem scenario is presented in Section III. Section IV discusses the performance evaluation results and finally, we conclude the paper in Section V.

978-1-5090-3260-0/17/$31.00 ©2017 IEEE

II. THE VPN TUNNELING SOLUTIONS

The fundamental security functions are the encryption and authentication of data traffic, security policy negotiation among communication partners, and defined security properties; the trusted transmission path of a VPN should not be alterable by an external third party. The major security attacks on VPN are the man-in-the-middle attack, DoS attack and VPN hijacking. The security threats and vulnerabilities arise due to weak authentication of valid users, client-side connectivity from a compromised system, lack of synchronization between two connecting systems of different vendors, infection of the client side with viruses and malware, etc. The above causes of vulnerability should be controlled to achieve the main security goals of the VPN technique [14] [15]. In this section, the intended VPN tunneling protocols, GRE and IPSec for site-to-site access VPN as well as PPTP and L2TP with IPSec for remote access VPN, are described.

A. Generic Routing Encapsulation (GRE)

GRE is normally used as an encapsulation protocol wrapping higher-level protocols. Mainly this tunnel is used to carry IP packets or non-IP packets through the public IP network. The tunnel can also be used for encapsulation of any OSI layer 3 protocol. The original data packets are simply encapsulated inside a GRE header, which protects them from various Internet attacks. Figure 1 illustrates the GRE encapsulation packet format.

Fig. 1: GRE Packet Format (IP packet before tunneling encapsulation: IP Header, IP Payload; IP packet after tunneling encapsulation: the original packet wrapped by the outer IP and GRE headers)

GRE creates a point-to-point private connection that provides a reliable and secure communication path. But the communication path is not as secure as IPSec, because GRE does not provide strong security features like encryption, authentication and sequencing. It is a very simple but powerful tunneling technique. The GRE tunnel can be used to perform fast, reliable and easy communication through the public network. At the sender side of the tunnel, the data packet is received by the GRE endpoint router and then encapsulated with a GRE header along with the destination address of the tunnel. At the receiver side of the tunnel, the receiving end router decapsulates the encapsulated packet, which is finally delivered to the desired destination [16] [17].

B. Internet Protocol Security (IPSec)
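As an added illustration of the Fig. 1 layout (example code written for this page, not the paper's or any vendor's code), the functions below build and strip the outer IP and GRE headers that the endpoint routers add and remove, using made-up addresses and a constructed TCP segment, and then check that the tunnelled application data is still readable on the wire, which is the concrete meaning of GRE offering no encryption.

```python
import struct

IPPROTO_GRE = 47       # protocol number in the outer IP header
IPPROTO_TCP = 6
GRE_PROTO_IP = 0x0800  # GRE protocol-type field: payload is an IPv4 packet
IPV4_FMT = "!BBHHHBBH4s4s"

def ip_checksum(data):
    """RFC 791 one's-complement checksum over the header bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)

def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Sender-side router (Fig. 1): outer IP header + base GRE header + untouched original packet."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IP)  # flags/version 0: no checksum, key or sequence fields
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet

def gre_decapsulate(frame):
    """Receiver-side router: strip outer IP + GRE headers; return (protocol type, original packet)."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_GRE:
        raise ValueError("outer packet does not carry GRE")
    flags, proto = struct.unpack("!HH", frame[ihl:ihl + 4])
    # one optional 32-bit field follows the base header for each of C (0x8000), K (0x2000), S (0x1000)
    gre_len = 4 + 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return proto, frame[ihl + gre_len:]

# Constructed sample (all addresses and data made up): a TCP segment from a host in one
# branch network to a host in the other, carried between two public tunnel endpoints.
PAYLOAD = b"exam results batch 7: pass"
INNER = (ipv4_header("192.168.1.10", "192.168.4.20", IPPROTO_TCP, 20 + len(PAYLOAD))
         + struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 8192, 0, 0)  # bare TCP header
         + PAYLOAD)
FRAME = gre_encapsulate(INNER, "203.0.113.1", "203.0.113.2")

def payload_visible_on_the_wire(frame=FRAME, payload=PAYLOAD):
    """True when the application data can be read straight out of the tunnelled frame:
    GRE adds headers around the packet but never encrypts it."""
    return payload in frame

if __name__ == "__main__":
    proto, original = gre_decapsulate(FRAME)
    print(hex(proto), original == INNER, len(FRAME) - len(INNER), payload_visible_on_the_wire())
```

The decapsulator also skips the optional checksum, key and sequence fields that a GRE sender may set, so it accepts more than the bare header this sample emits.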

Internet Protocol Security (IPSec) is a more secure and reliable VPN tunneling protocol that can be used in both site-to-site access VPN and remote access VPN. Here, IPSec tunneling is used for establishing the site-to-site access VPN. A collection of protocols is combined in IPSec tunneling to provide security at the IP layer. Two security protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), are integral parts of the IPSec tunnel. The AH protocol maintains data integrity and origin authentication, but it does not ensure privacy. ESP ensures data integrity, origin authentication and privacy. The Security Association (SA) is a fundamental concept of IPSec tunneling that creates a secure channel between the two parties [18]. The Internet Key Exchange (IKE) protocol establishes the required SA for the IPSec protocol and exchanges keys between the parties. The Internet Security Association and Key Management Protocol (ISAKMP) offers the framework for the IKE exchange creating the SA and cryptographic keys. Figure 2 shows the IPSec tunneling packet format.

Fig. 2: IPSec Packet Format (Transport Layer and IPSec Layer views)

This protocol operates in two modes, transport mode and tunnel mode. In Transport Mode, the transport layer payload is encapsulated for protection; IPSec transport mode only protects the original payload and does not provide any protection for the IP header. In Tunnel Mode, the entire IP packet including the IP header is protected. The network layer IP packet is encapsulated with an AH or ESP header and then an additional IP header [19]-[21].

C. Point-to-Point Tunneling Protocol (PPTP)

The Point to Point Tunneling Protocol (PPTP) is one of the remote access tunneling techniques. This protocol allows the extension of an organizational network using private tunneling methods. PPTP is a layer two tunneling protocol that extends the Point to Point Protocol (PPP) standard for dial-up networking. First, PPTP encapsulates packets inside PPP packets, which are then encapsulated with GRE and lastly wrapped in an IP header. The PPTP encapsulation packet format is illustrated in Figure 3. This tunneling technique works in a client-server architecture. PPTP ensures authentication and encryption. Authentication is ensured using the Challenge Handshake Authentication Protocol (CHAP) technique. For encryption, PPTP uses the Microsoft Point-to-Point Encryption (MPPE) method. There are two types of tunnel for PPTP, compulsory tunneling and voluntary tunneling [19].

Fig. 3: PPTP Packet Format (original packet: IP | TCP | User Data; after PPP and GRE encapsulation: IP | GRE | PPP | IP | TCP | User Data)

D. Layer 2 Tunneling Protocol (L2TP) with IPSec

The Layer 2 Tunneling Protocol (L2TP) is one kind of remote access VPN tunneling technique. The main security features such as strong authentication, encryption, confidentiality and integrity are not provided per packet by L2TP. But the IPSec tunnel provides per-packet security protection. IPSec tunneling alone cannot create a tunnel for layer 2 packets. Considering this situation, the L2TP and IPSec protocols are combined to ensure per-packet security. L2TP with IPSec encapsulates the data packet more times, ensuring more privacy and security, as shown in Figure 4.

Fig. 4: L2TP with IPSec Packet Format

The L2TP/IPSec tunnel works in the client-server model for connecting remote users. This tunnel has two communication ends, the L2TP Access Concentrator (LAC) and the L2TP Network Server (LNS). The LAC acts as client and the LNS acts as server. Both the L2TP client and the L2TP server are pre-configured for certificate-based IPSec authentication. In an L2TP over IPSec connection, an IPSec policy is automatically created to specify that Internet Key Exchange (IKE) uses certificate-based authentication during the negotiation of security settings for L2TP. For this reason, it provides very strong authentication and encryption [19].

III. PROBLEM DESCRIPTION

Various types of tunneling protocols can be used for VPN implementation, providing a secure communication environment like a dedicated communication network. But selecting proper VPN solutions according to organizational application requirements is not explicitly defined. To implement site-to-site secure communication, the extension of an organization's intranet and extranet concept is applied. To connect remote users with the central office or a branch office, remote access VPN tunneling techniques are used. The common VPN application scenarios are communication with branch offices, business partners' or suppliers' networks, as well as remote users. To simulate the actual network environment, one site-to-site and one remote access VPN have been implemented in GNS3, as described in the following section.

A. Site-to-Site Access VPN

The simulation environment of GRE is shown in Figure 5. One communication end has three networks N1, N2, N3 and the other site has three networks N4, N5, N6. Configuring the GRE tunnel involves creating a tunnel interface, which is a logical interface. To configure the tunnel source and destination, issue the tunnel source and tunnel destination commands in interface configuration mode for the tunnel.

Fig. 5: Generic Routing Encapsulation (GRE)

The IPSec tunneling protocol is implemented in the same network topology as GRE. The site-to-site IPSec VPN tunnel configuration can be divided into two phases, Phase 1 and Phase 2. In ISAKMP Phase 1, the encryption method (3DES), the authentication method (pre-share) and the hashing algorithm (MD5) are used to create the first tunnel. In Phase 2, operations such as creating an extended ACL, creating the IPSec transform set, creating the crypto map and applying the crypto map to the public interface take place. In this implementation, only the N1 network of one end and the N4 network of the other end use the IPSec tunnel for secure communication, which means access from the other networks is denied using an access control list.

B. Remote Access VPN

PPTP is a remote access VPN tunneling protocol that creates a private virtual point-to-point connection. It is usually implemented between a server and a client, where the server belongs to the enterprise network and the client is a remote workstation. Figure 6 shows PPTP tunneling. Cisco routers can be set up to act as PPTP servers, alternatively known as Virtual Private Dialup Network (VPDN) servers. In this simulation, a cloud is used as the home user running Windows 7, and router 1 acts as the PPTP server. In remote access PPTP, the remote user securely accesses its central office through the public network via the PPTP server.

Fig. 6: Point to Point Tunneling Protocol (PPTP)

L2TP is another highly secure remote access tunneling protocol that carries layer 2 traffic, combined with IPSec. To configure L2TP over IPSec, we first configured IPSec transport mode to enable IPSec with L2TP. Then we configured L2TP with a Virtual Private Dial-up Network (VPDN) group. The configuration of L2TP with IPSec supports certificates using pre-shared keys. L2TP with IPSec is implemented in the same network topology as PPTP using the same networking devices.

IV. PERFORMANCE EVALUATION

A. Simulation Environment

GNS3 is a popular network simulator that implements various network topologies for research purposes. GNS3 can simulate complicated network topologies that can be connected to real-world environments. Routing protocols are essential for routers to exchange routing information with each other. In this paper, the dynamic routing protocol RIP (Routing Information Protocol) is used as the routing protocol. The ping statistics of ICMP messages are used for data extraction for each VPN tunneling method. Table I shows the simulation parameters that are used to evaluate the performance of the networks. The performance of the GRE, IPSec, PPTP and L2TP with IPSec protocols is observed in the GNS3 simulation environment. The performance metrics throughput, RTT, jitter and security parameters are used as the evaluation criteria.

TABLE I: Simulation Parameter List

Parameter             Value
Simulation Software   GNS3 1.2.1
Router                Cisco Router 3745
Switch                Cisco 8 port Ethernet Switch
Computer              VPCS
Operating System      Windows 7
Routing Protocol      RIP

B. Throughput Analysis

Throughput or network throughput is the rate of successful message delivery from one location to another in a given amount of time over a communication channel. In other words, it refers to the number of bits per unit of time received correctly by the receiver as sent by the sender. Throughput is usually measured in bps. It is controlled by different parameters such as hardware limitations (CPU, RAM), available bandwidth, etc. The throughput is calculated by the following equation.

Throughput (b/s) = TCP Window Size (b) / Latency (s)

Throughput calculation is performed on the ping statistics of the ICMP messages. Figure 7 represents the throughput results of GRE and IPSec with 128 byte packet size. In the case of site-to-site VPN, the throughput of GRE fluctuates but IPSec primarily gives steady throughput as the number of packets increases. When both protocols adjust to the growth of the packet number, they provide maximum throughput. Here, GRE comparatively provides higher throughput than IPSec. For remote access VPN, the L2TP with IPSec throughput gradually increases with packet growth, but PPTP throughput fluctuates radically with packet growth. In this case, L2TP with IPSec shows higher throughput than PPTP.

Fig. 7: Throughput results; legend: GRE, IPSec, PPTP, L2TP with IPSec