Laminarnet: a Simple, Secure and Practical Network Structure Based on VPN

Liang Zhao and Hideo Yamamoto

Faculty of Engineering, Utsunomiya University, Japan. Email: [email protected], [email protected]

Abstract— This paper shows a novel network structure called laminarnet, which is constructed by building (virtual) networks over existing (physical or virtual) networks using VPN (Virtual Private Network) technology. This structure can provide a simple and practical infrastructure for single and multiple levels of security assurance based on cryptography, PKI (Public Key Infrastructure) or other standard/emerging schemes. The physically connected network is called the level-1 laminarnet. A multi-level laminarnet, i.e., a secure LAN (Local Area Network), is shown. A preliminary study on the performance is also reported.

I. INTRODUCTION

For many years, the field of computer networks has achieved great advances. Today, as one of the most essential components of ubiquitous computing, the network is still evolving at a rapid pace; see, e.g., the next generation of the Internet, IPv6 [5], [6]. In particular, engineers and researchers are pushed by the high requirements of e-commerce, e-governance, personal interest and many others to design a simple, secure, flexible and high-performance computer network infrastructure. To illustrate this, let us start with a secure LAN problem.

A. The SecureLAN problem

The motivation of our study is to build a secure LAN (called SecureLAN in the following) satisfying the following requirement. An untrusted information device (e.g., a laptop computer) cannot join the LAN or behave as if it were a trusted member (i.e., spoofing). However, the untrusted device may connect to the physical network (which is easy for both wireless and wired LANs), hence it can eavesdrop on all network traffic and can act as a man-in-the-middle. The situation is illustrated in Fig. 1.

Fig. 1. An illustration of the SecureLAN situation (figure labels: WAN or the Internet, Firewall/Gateway, LAN, Trusted hosts, Untrusted hosts).

For this problem, we first considered IPsec, which is a part of IPv6 but also has implementations for IPv4. At the network layer (i.e., IP), IPsec can keep a point-to-point communication secure, hence is strong against eavesdropping. However, we soon found that it cannot solve the SecureLAN problem fully. The problem is that IPsec is essentially incompatible with the firewall (which is widely used as basic equipment for security, load balancing and other purposes). More precisely, we summarize it as follows. How can a firewall know whether an outgoing/incoming packet is really sent from/to a trusted host, and if it is, how can the packet be forwarded securely (security is considered only in the LAN)? We note that the data may be in clear text, e.g., a plain text email or a plain HTTP connection. MAC (Media Access Control) or IP address based filtering is a commonly used method, but this kind of filtering does not help. One reason is that both MAC and IP addresses are only weak identifiers. Above all, address filtering offers no protection against man-in-the-middle style eavesdropping or falsification. It is obvious that IPsec does not help either, because it cares about the communication peers only and is not firewall-friendly.

Before we show our solution, let us further state the following requirements for the practicality of the solution.

1) Simplicity: The installation should be easy for both professionals and beginners. This also includes seamless migration from existing networks.

2) Security: Security assurance for one and multiple levels of requirement must be provided. For example, there is no reason to encrypt weather broadcast data, whereas a group of members may require a secure scheme. This will be discussed in more detail in the next section.

3) Flexibility and Performance: This infrastructure should be flexible in size. This means scalability and adaptability to the heterogeneous computing environment. Besides, it must provide good performance based on available equipment and technology.

This paper considers a solution called the laminarnet.
The feature of laminarnet is to build separated (virtual) networks over an existing physical or virtual network. The structure is simple. Let us call the physically connected network¹ the level-1 network. A level-i network is obtained by building an overlay network over a level-(i − 1) network (a level-(i − 1) network may have multiple level-i networks). The union of these networks is called a laminarnet², as illustrated in Fig. 2. We note that a laminarnet can be modeled by a tree or forest data structure, where level-1 networks are the root nodes.

¹ By physically connected network, we do not mean the physical layer of a network protocol. Instead, we refer to the base non-VPN network, e.g., a LAN, a WAN or the Internet.

Fig. 2. An illustration of the laminarnet structure (figure labels: Physical Connected Network (level 1), several level 2 networks, a level 3 network).

Notice that this is similar to but not the same as a layered protocol family such as the OSI reference network model or TCP/IP. It builds a network, not an upper protocol layer, over another network, with no interconnection except for gateways, which will be explained later. Before we get into the details, let us first see some examples.

B. Examples of laminarnet

One example can be found in Wireless LAN. Due to the weakness of WEP (Wired Equivalent Privacy), the traditional Wireless LAN standard has severe security problems (see [2], [10]). As a result, people use a VPN with stronger authentication and encryption schemes to protect the communication data over an untrusted wireless connection. In this case, we have a two-level laminarnet: the physical Wireless LAN is a level-1 network, whereas the VPN is a level-2 network. From the viewpoint of layered protocols, they are at the same layer (layer 2 with respect to the OSI model), but the second (VPN) is built over the first (Wireless LAN). VPN is not the only example. The so-called P2P network also adopts a similar structure. Although currently all known public P2P networks are constructed for specific purposes (e.g., uploading or downloading music files), if they supported general network communication (e.g., layer 2 switching), they would become two-level laminarnets. Similarly, the emerging Application Layer Multicast (ALM) (see, e.g., [1]) tries to build a distribution tree at the application layer, which is nothing but another (though limited) level-2 laminarnet structure.

This paper generalizes the above observation to laminarnets of arbitrary levels. We will propose a simple, secure and practical laminarnet based on VPN technology. In the following, we first discuss details of the proposed laminarnet in Section II, as well as its advantages and disadvantages. In Section III, we show an implementation using the OpenVPN software ([9]), then report a preliminary study on its performance. Finally, in Section IV, we conclude with remarks on future work.

² It is called laminar since no two (or more) components cross.

II. CONSTRUCTION AND ANALYSIS OF VPN-BASED LAMINARNET

A. VPN and laminarnet construction

Originally VPN was designed to connect two or more separated, distant networks. Usually, it builds a point-to-point connection/tunnel (i.e., a two-node overlay network) over the existing physical network, then forwards packets between the two points. Due to the recent development of VPN technology (see [9]), a VPN peer may also serve as a virtual switch (layer 2) or a virtual router (layer 3) in the virtual network (this feature is not available in IPsec). Thus, theoretically, the virtual network can work without an (explicit) connection to the lower level network. This has been noted in the previous section (the example of Wireless LAN).

For our problem, VPN can provide a perfect solution. Let us explain it. We set up a VPN that covers the firewall and all the trusted hosts. The firewall is set to forward packets that come from/go to the VPN interface. Speaking precisely, letting R and U be the filtering/forwarding rule sets for trusted hosts and untrusted hosts respectively, we apply R to the VPN interface and U to the physical network interface. Of course, data encryption and authentication schemes can be used for the security requirement, e.g., a static key (pre-shared key), PKI (see, e.g., [8]) or other standard/emerging schemes. Any untrusted host, though it can connect to the physical network, cannot join the VPN since it has no valid key or signed certificate (this is what a VPN is for), hence it is impossible for it to access the protected resources. Therefore we can say that this solution is good for the SecureLAN problem. This structure is illustrated in Fig. 3.

Fig. 3. An illustration of a VPN-based SecureLAN (a two-level laminarnet) (figure labels: WAN or the Internet, Firewall/Gateway, VPN, LAN, Trusted hosts, Untrusted hosts, physical and virtual connections).
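The firewall split described above, written as iptables rules (an added example, not the paper's own configuration): rule set R is bound to the VPN (tun) interface and rule set U to the physical interface, so trust follows the interface a packet arrived on rather than its MAC or IP address, and a packet that shows up on the physical wire with a VPN source address is dropped as spoofed. Interface names, the VPN subnet and the OpenVPN UDP port are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the paper's configuration): the SecureLAN firewall of
# Section II.A as iptables rules. Rule set R is bound to the VPN interface,
# rule set U to the physical LAN interface. Names below are assumptions.
VPN_IF=${VPN_IF:-tun0}              # level-2 (VPN) interface on the firewall
LAN_IF=${LAN_IF:-eth0}              # level-1 (physical LAN) interface
WAN_IF=${WAN_IF:-eth1}              # uplink to the WAN / Internet
VPN_NET=${VPN_NET:-192.168.1.0/24}  # address range of the level-2 network
OVPN_PORT=${OVPN_PORT:-1194}        # UDP port OpenVPN listens on (its default)

# R: packets arriving through the VPN come from trusted hosts and are
# forwarded to the WAN; replies are let back in through the tunnel.
rules_trusted() {
    printf '%s\n' \
      "-A FORWARD -i $VPN_IF -o $WAN_IF -j ACCEPT" \
      "-A FORWARD -i $WAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "-A INPUT -i $VPN_IF -j ACCEPT"
}

# U: on the physical wire only the OpenVPN endpoint is reachable. A packet on
# the LAN interface carrying a VPN source address cannot be genuine (VPN
# traffic appears on the tun interface only after decryption), so it is
# dropped before anything else is evaluated for that interface.
rules_untrusted() {
    printf '%s\n' \
      "-A INPUT -i $LAN_IF -s $VPN_NET -j DROP" \
      "-A FORWARD -i $LAN_IF -s $VPN_NET -j DROP" \
      "-A INPUT -i $LAN_IF -p udp --dport $OVPN_PORT -j ACCEPT" \
      "-A INPUT -i $LAN_IF -j DROP" \
      "-A FORWARD -i $LAN_IF -j DROP"
}

# Complete policy, one rule per line: default-deny, loopback, U, R, and
# replies to the firewall's own WAN connections.
policy() {
    printf '%s\n' "-P INPUT DROP" "-P FORWARD DROP" "-A INPUT -i lo -j ACCEPT"
    rules_untrusted
    rules_trusted
    printf '%s\n' "-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Print the rules (DRY_RUN=1, the default) or feed them to iptables.
apply_policy() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        policy
    else
        policy | while IFS= read -r rule; do iptables $rule; done
    fi
}

apply_policy
```

Run with DRY_RUN=0 as root to load the rules; the untrusted set gives guests nothing but the tunnel endpoint, which is the "strict (not necessarily deny)" policy the paper allows for a public LAN.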

We note that the above model can also be used in a public LAN, where trusted and untrusted (e.g., guest) hosts may have loose and strict (not necessarily deny) policies, respectively.

What we proposed for the SecureLAN solution is a two-level laminarnet. Notice that all trusted hosts must be in the same VPN in order to exchange data securely (on the other hand, the physical network can be used for connections with a low security requirement). However, in a large LAN environment, it is possible that a group of trusted hosts wants a separate network that covers only the group members. One solution is to build a VPN for each group. These VPNs are at the same level, and this works fine if the members of each group are known before construction. If members are unknown at the time of construction, the VPN has to be rebuilt, since the group topology must be changed after construction. On the other hand, of course we may have multi-level security requirements. This does not only mean the strength of the authentication and encryption scheme, but also, as in the case of Wireless LAN, the security assurance of the higher level network even if the lower level network has been cracked. For this, we generalize the previous two-level laminarnet to a 3-level laminarnet. That is, we first build a VPN (a level-2 network) of trusted hosts over the physically connected network. Then we build a virtual (level-3) network over the existing level-2 laminarnet. In order to break into the level-3 network, an attacker will have to break into the level-1 network first, then the level-2 network, then level-3. Of course we can construct 4-level, 5-level, ..., n-level laminarnets, too. See an illustration of host-to-host communication in a laminarnet in Fig. 4. In the next section, we will see a practical 6-level laminarnet.
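To make the nesting concrete, the following added example (not from the paper) generates OpenVPN static-key configuration files for an n-level laminarnet between two peers, using the addressing of the paper's level-2 example in Section III.A (physical 192.168.0.x, level-2 VPN 192.168.1.x) and the same options. The remote of the level-L tunnel is the peer's level-(L−1) address, so level L can only be reached from inside level L−1. One tun device, one key file and one UDP port per level, and the file names, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the paper): generate OpenVPN static-key configs for
# an n-level laminarnet between two peers. Level L is tunnelled over the
# level-(L-1) addresses, so the initiator's "remote" at level L is the
# listener's level-(L-1) address. One tun device, key file and UDP port per
# level are assumptions of this example; the paper omits them.

# Address of SIDE (1 = listener, e.g. the firewall; 2 = initiator) at level L.
# Level 1 is the physical network 192.168.0.x; level L uses 192.168.(L-1).x,
# which gives the paper's 192.168.1.x for the level-2 VPN.
addr() { echo "192.168.$(( $1 - 1 )).$2"; }

# Print the configuration of SIDE at level L (L >= 2) to stdout.
level_conf() {
    L=$1; side=$2; peer=$(( 3 - side ))
    echo "dev tun$(( L - 2 ))"                 # tun0 for level 2, tun1 for level 3, ...
    if [ "$side" = 2 ]; then
        echo "remote $(addr $(( L - 1 )) 1)"  # reachable only inside level L-1
    fi
    echo "port $(( 1194 + L - 2 ))"            # distinct UDP port per level (assumption)
    echo "ifconfig $(addr "$L" "$side") $(addr "$L" "$peer")"
    echo "secret key$(( L - 1 ))"              # key1 for level 2, as in the paper
    echo "comp-lzo"
}

# Write level2.conf .. levelN.conf for both sides under DIR/side1 and DIR/side2.
# Each side then starts one daemon per level, lowest level first, e.g.
#   for f in DIR/side2/level*.conf; do openvpn --config "$f" --daemon; done
# A daemon for level L only connects once the level-(L-1) tunnel is up.
gen_all() {
    n=$1; dir=$2; lvl=2
    while [ "$lvl" -le "$n" ]; do
        for s in 1 2; do
            mkdir -p "$dir/side$s"
            level_conf "$lvl" "$s" > "$dir/side$s/level$lvl.conf"
        done
        lvl=$(( lvl + 1 ))
    done
}
```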

Fig. 4. An illustration of host-to-host communication in laminarnet (figure labels: Application, Virtual Network, Physical Network on each host, with arrows for Security Level and Performance).

We believe that the laminarnet structure can play well in the next generation of networks. That is, we can keep the physical network as simple as possible to keep it fast and cheap, e.g., no authentication and no data encryption (the Internet has shown that this is enough for a large part of communication). For secure connections, we can build a VPN by hand, or use a VPN service provided by a VPN provider. Then some members of this level-2 VPN may build a level-3 VPN for a higher level security requirement. And so on. Notice that building higher level VPNs requires no change to the lower level network infrastructure. At each level, there can be multiple networks, and gateways must be provided to connect two networks. This generalizes the familiar Internet (a 1-level laminarnet) to multi-level laminarnets.

B. Analysis of VPN-based laminarnet

So far we have discussed the construction of the VPN-based laminarnet. Now let us discuss its advantages and disadvantages. As stated in Section I, we have three requirements: simplicity, security, and flexibility and performance (as well as functionality, which has been discussed before).

1) Simplicity: We say laminarnet is simple. The level-1 network is nothing but the physical network. The construction of a level-2 network can be done by existing software only, hence it is not difficult to install and upgrade. One difficulty may be the authentication and encryption, but we can choose from the simple static key or the more secure and flexible PKI with the mature SSL/TLS scheme. In fact, the migration from an existing network is seamless, since at the network layer (IP), a VPN interface is the same as a physical interface. Furthermore, the number of levels can be arbitrary, and building a higher level virtual network is the same as building a VPN.

2) Security: Providing multi-level security assurance is the main purpose of laminarnet. In a laminarnet, a host at a level-n network can have n network interfaces, each associated with a different level of security assurance (a higher level is more secure than a lower level). The user can obtain a different level of security assurance by simply choosing the network interface.

3) Flexibility and performance: Obviously the flexibility of laminarnet depends on the base VPN solution. While the details of our implementation will be shown in the next section, we remark that modern VPN technology can provide a flexible enough environment. Of course the flexibility is related to performance. Since VPN has overhead, the performance might be a problem. A high level network will get poorer performance than a low level network since the data must be encrypted and decrypted more times (we think this is natural when considering the security level). We will show a performance study in the next section. Notice that the user can choose the tradeoff between security assurance and performance in our software-based solution.

4) Disadvantage: The disadvantage of laminarnet is that, if a network of a lower level is stopped for some reason, then all networks of higher level (built over the stopped lower level network) will not work. Therefore, for high reliability, some redundant construction is preferred (but not required) for higher level networks. This may increase the complexity of a laminarnet construction.

III. IMPLEMENTATION USING OPENVPN

In this section, we show an implementation and its performance in some preliminary experiments.

A. Implementation

We adopt OpenVPN [9] to construct the VPN. OpenVPN is an open source project that is widely used on Linux, Windows, OpenBSD, FreeBSD, NetBSD, Mac OS X and Solaris. It uses SSL/TLS and supports static key and PKI, which are supported by the OpenSSL library (http://www.openssl.org/). Other features include load balancing and firewall-friendly communication. For more details, we refer the readers to the project homepage http://openvpn.net. For simplicity, we used the combination of static key and SSL/TLS, but the more complex PKI-based system is not a problem either. The firewall/gateway runs Linux with the iptables filtering software (http://www.netfilter.org). The performance test is done with netperf (http://www.netperf.org/), by measuring the raw TCP throughput. The simple test environment is illustrated in Fig. 5. All hosts are laptop computers with 100BASE-TX network interface(s). No hub is used, for the purpose of a pure speed test.
Host1. Panasonic Let's Note T1 (CPU: Intel Mobile Pentium III 933MHz, RAM: 256MB) running Linux kernel 2.6.10 (Momonga Linux 2) and OpenVPN 2.0.

Host2. IBM ThinkPad X31 (CPU: Intel Pentium M 1.3GHz, RAM: 256MB) running Linux kernel 2.6.9 (CentOS 4) and OpenVPN 2.0.

Firewall. Panasonic Let's Note R3 (CPU: Intel Pentium M 1.1GHz, RAM: 256MB) running Linux kernel 2.6.11 (Fedora Core 3) with iptables v1.2.11 and OpenVPN 2.0.

Fig. 5. An illustration of the experiment environment (figure labels: Host 1 and Host 2 each connected to Firewall by a physical and a virtual link).

An example of the OpenVPN configuration file, used to build a level-2 network, is shown in the following.

    dev tun
    remote 192.168.0.1
    ifconfig 192.168.1.2 192.168.1.1
    secret key1
    comp-lzo

This tells OpenVPN to use the tun device driver, connect to the remote host 192.168.0.1 (the IP address of its physical network interface), set the local VPN address to 192.168.1.2 (the remote is 192.168.1.1), use the secret key file key1, and use the LZO real-time data compression library (see http://www.oberhumer.com/opensource/lzo/). The secret key is previously generated by

    openvpn --genkey --secret key1

OpenVPN is started by running the next command, where level1.conf is the name of the above configuration file.

    openvpn --config level1.conf

The configuration of the other side (192.168.0.1) is as follows.

    dev tun
    ifconfig 192.168.1.1 192.168.1.2
    secret key1
    comp-lzo

Of course, the secret key file key1 must be the same one. As before, OpenVPN is started by the command openvpn --config level1.conf. Within 5 seconds after the OpenVPN daemon starts, the connection is established and a tun0 network interface is created, which is associated with the specified IP address. Other configuration files are similar except for the IP addresses used, hence they are omitted here. We remark that the format of the configuration file is common to all platforms.

B. Performance test

Firstly, we measured the TCP throughput using the direct physical connection between Host1 and Host2. The result is constant for multiple tests: 94.2 ± 0.1 Mbps. Next we measured the throughput using the direct virtual connection (i.e., level-1) between them. For the total of 5 tests, the results are 110.0 ± 1.0 Mbps. This high score is due to the LZO compression. For this purpose, we also did another test with LZO disabled. This time the throughput is 70.5 ± 1.0 Mbps, which could be considered the "raw" throughput. Similarly we measured the throughput of the direct connection between Host1 ↔ Firewall and Host2 ↔ Firewall. The results are listed in Fig. 6, where the throughput of the direct physical connection is omitted (94.2 ± 0.1 Mbps for all).

Hosts              LZO   Throughput (Mbps)
Host1 ↔ Host2      yes   110.0 ± 1.0
Host1 ↔ Host2      no     70.5 ± 1.0
Host1 ↔ Firewall   yes   120.0 ± 2.0
Host1 ↔ Firewall   no     54.6 ± 0.2
Host2 ↔ Firewall   yes    90.0 ± 1.0
Host2 ↔ Firewall   no     55.5 ± 1.0

Fig. 6. Results of direct (level 1) TCP throughput.

Then we measured the performance of Firewall. The physical TCP throughput from Host1 to Host2, forwarded by Firewall, is 94.0 ± 0.1 Mbps, almost the same as the direct connection. To measure the throughput of the SecureLAN structure, we used the virtual connection Host1 ↔ Firewall and the physical connection Firewall ↔ Host2. The result is 75.6 ± 0.2 Mbps with LZO compression and 47.5 ± 0.1 Mbps without LZO compression. This is roughly a 20% loss compared to the throughput of the physical connection. Finally, for more study on the performance of higher level networks, we built a 6-level laminarnet using OpenVPN. For simplicity, we only checked the throughput of Host1 ↔ Firewall. The results are listed in Fig. 7 and plotted in Fig. 8. We note that level-1 is nothing but the physical throughput, and level 2 is the direct OpenVPN throughput which has been shown in Fig. 6 (they are included for easy comparison). Notice that even the lowest throughput (level-6 with no compression) is faster than 10BASE-T (10Mbps) or the 802.11b Wireless LAN standard (11Mbps maximum).

Level  Hosts              LZO   Throughput (Mbps)
1      Host1 ↔ Firewall   n/a    94.2 ± 0.1
2      Host1 ↔ Firewall   yes   120.0 ± 2.0
2      Host1 ↔ Firewall   no     54.6 ± 0.2
3      Host1 ↔ Firewall   yes    64.7 ± 0.1
3      Host1 ↔ Firewall   no     37.2 ± 0.1
4      Host1 ↔ Firewall   yes    47.2 ± 0.2
4      Host1 ↔ Firewall   no     23.8 ± 0.1
5      Host1 ↔ Firewall   yes    35.5 ± 0.3
5      Host1 ↔ Firewall   no     16.3 ± 0.1
6      Host1 ↔ Firewall   yes    29.0 ± 1.0
6      Host1 ↔ Firewall   no     11.3 ± 0.1

Fig. 7. TCP Throughput of a 6-level laminarnet.

Fig. 8. Graph showing the throughput of Fig. 7 (x-axis: Level, 1 to 6; y-axis: TCP Throughput (Mbps), 0 to 120; two curves, LZO compression enabled and LZO disabled; Physical Limit = 100Mbps marked).

From the above results, we conclude that even a 6-level laminarnet is practical. Of course the actual performance depends on the hardware too, i.e., the more powerful, the better. In other words, the migration from a lower level network to a higher level network should be seamless (by simply upgrading the hardware of the communication peers, not the IP routers). We remark that OpenVPN can work in a server-client style. According to its documentation, a server can serve as many as hundreds or even thousands of clients, and set the correct routing information. This implies that the scalability of our implementation of SecureLAN is good.

IV. CONCLUSION AND REMARK

In this paper, we have proposed a simple, secure and practical network structure, laminarnet, using existing VPN technology. The core of this structure is software based, hence it can be seamlessly migrated from the existing network infrastructure. It can provide multi-level security assurance, too. Preliminary experiments show that the performance is quite good even for a high level network, where the OpenVPN project [9] is used for building VPNs in the test. As future work, we consider testing the implementation on larger networks. As related work, Khoussainov and Patel [7] considered a hardware (i.e., layer-1) based security structure which also depends on PKI. However, as we stated before, a hardware based structure is expensive and their solution is probably not practical. It also lacks multi-level security assurance. For multi-level security assurance, on the other hand, there exists another approach [3], [4].

ACKNOWLEDGMENT

This research is partially supported by the International Communication Foundation (ICF), Japan.

REFERENCES

[1] Suman Banerjee, Christopher Kommareddy, Koushik Kar, Bobby Bhattacharjee, Samir Khuller, "Construction of an Efficient Overlay Multicast Infrastructure for Real-time Applications," in Proc. IEEE INFOCOM 2003 (April 2003).
[2] Nancy Cam-Winget, Russell Housley, David Wagner, Jesse Walker, "Security flaws in 802.11 data link protocols," Communications of the ACM 46 (5), 35–39 (2003).
[3] Cynthia E. Irvine, "Cybersecurity Considerations for Information Systems," in Handbook of Public Information Systems, 2nd Edition, ed. D. Garson, in press, 2004.
[4] Cynthia E. Irvine, Timothy E. Levin, Thuy D. Nguyen, et al., "Overview of a High Assurance Architecture for Distributed Multilevel Security," in Proc. 2004 IEEE Systems Man and Cybernetics Information Assurance Workshop, 38–45 (June 2004).
[5] IP Version 6 (IPv6), http://playground.sun.com/pub/ipng/html/
[6] IPv6: The Next Generation Internet! http://www.ipv6.org/
[7] Rinat Khoussainov, Ahmed Patel, "LAN security: problems and solutions for Ethernet networks," Computer Standards & Interfaces 22, 191–202 (2000).
[8] The Open-source PKI book, http://ospkibook.sourceforge.net/
[9] James Yonan, OpenVPN, http://openvpn.net
[10] Michael Ossmann, "WEP: Dead Again, Part 1," 2004-12-14, http://securityfocus.com/infocus/1814; "WEP: Dead Again, Part 2," 2005-03-08, http://securityfocus.com/infocus/1824