Virtual Private Network (VPN) Tunneling Protocols

Virtual Private Networks (VPNs) create secure connections, called tunnels, through public shared communication infrastructures such as the Internet. These tunnels are not physical entities but logical constructs, created using encryption, security standards, and protocols. VPN tunneling protocols are sets of standardized rules and policies that are applied to the transmitted data. Various standard protocol technologies are used to create a VPN tunnel, and each of them is built with its own security features. The most widely used Virtual Private Network (VPN) tunneling protocols are discussed below.

Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec), proposed in the Internet Engineering Task Force (IETF) Request for Comments (RFC) series as RFC 2401, provides data packet integrity, confidentiality and authentication over IP networks. An IPSec policy consists of sets of rules that designate the traffic to be protected, the type of protection (such as authentication or confidentiality), and the required protection parameters (such as the encryption algorithm). IPSec provides security at the network layer and offers a collection of methods, protocols, algorithms and techniques for establishing a secure VPN connection.

There are two basic modes of IPSec connection: transport mode and tunnel mode. Transport mode attaches an IPSec header to the IP header of the packet. Tunnel mode is more flexible than transport mode: it encapsulates the IP packet inside another IP packet and attaches an IPSec header to the outer IP packet, so the entire original IP packet is protected. The IPSec mode is negotiated and agreed on by the corporate networks at each end of the VPN connection and is recorded, among other things, in the Security Association (SA). The SA is a set of policy and keys used to protect the information, such as the IPSec mode, the symmetric ciphers and the keys, that is used during secure data transmission.

IPSec uses two main protocols, either of which can be used with either mode: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The Authentication Header contains a Security Parameter Index (SPI) and provides data authentication and integrity (an MD5 or SHA-1 hash) over the whole IP packet, but does not provide privacy (confidentiality) of the data. ESP provides privacy (confidentiality) of the data in addition to all the features AH provides. The ESP header includes an initialization vector field, which is used by symmetric block ciphers. Another essential protocol that IPSec uses to establish the VPN tunnel is the Internet Key Exchange protocol (IKE). IKE exchanges encryption keys and shares authentication data (RFC 2409) over UDP packets on port 500, and relies on the Internet Security Association and Key Management Protocol (ISAKMP), which allows both endpoints to share a public key and authenticate themselves with digital certificates (RFC 2408). To create a VPN tunnel with IPSec, two things need to be done. First, both networks agree on the SA for IKE, using the Diffie-Hellman key exchange method to authenticate one another. After that, both network endpoints set the parameters for the VPN tunnel, including the symmetric cipher keys (and key expiry information), security policy, network routes, and other connection-relevant information.

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. PPTP operates at Layer 2 of the OSI model. As specified in RFC 2637, PPTP describes a means of carrying the Point-to-Point Protocol (PPP), described in RFC 1661, over an IP-based network. It was created by a vendor consortium known as the PPTP Industry Forum, which included Microsoft Corporation, Ascend Communications, 3Com/Primary Access, ECI Telematics, US Robotics and Copper Mountain Networks. PPTP is the most commonly used protocol for dial-up access to the Internet. Microsoft included PPTP support in Windows NT Server (version 4) and released a Dial-Up Networking pack for Windows 95, and PPTP has been supported in every Microsoft Windows version since.

PPTP transfers two different types of packet over a VPN connection. The first is the Generic Routing Encapsulation (GRE) packet (described in RFC 1701 and RFC 1702), which carries PPP frames as tunneled data by attaching a GRE header to the PPP frame. The PPP frame contains the original PPP payload, encrypted and encapsulated with PPP, while the GRE header contains various control bits, sequence numbers and tunnel numbers. The function of GRE is to provide a flow- and congestion-controlled encapsulated datagram service for carrying PPP packets. The complete packet consists of a data link header, IP header, GRE header, PPP header, encrypted PPP payload and data link trailer. The second type is the PPTP control message or packet. It carries control information such as connection requests and responses, connection parameters, and error messages, and consists of an IP header, TCP header, PPTP control message and data link trailer. To create, maintain and terminate the VPN tunnel, PPTP uses a control connection between the remote client and the server on TCP port 1723. Neither of these two packet types ensures privacy of the packet payload, so to enhance security PPTP supports the same encryption and authentication methods used in PPP connections. To authenticate packets that pass through the VPN tunnel, PPTP uses one of the following protocols: Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Shiva Password Authentication Protocol (SPAP) and Password Authentication Protocol (PAP).
For encryption, PPTP uses either Microsoft Point-to-Point Encryption (MPPE), which encrypts the PPP packets that pass between the remote computer and the remote access server, enhancing the confidentiality of PPP-encapsulated packets (as described in RFC 3078), or the symmetric RC4 stream cipher to encrypt the GRE payload.
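As an added example (not code from the original article), the following Python decodes the enhanced GRE header that PPTP wraps around each PPP frame, showing where the control bits, sequence number and tunnel (Call ID) number described above sit. The sample packet is constructed here; the function and constant names are my own.

```python
import struct

GRE_PROTO_PPP = 0x880B  # protocol type PPTP uses for PPP in enhanced GRE (RFC 2637)

# Constructed sample: K, S and A bits set, version 1, Call ID 0x1234,
# sequence 5, acknowledgment 4, carrying a 10-byte PPP frame (protocol 0x0021 = IP).
SAMPLE_PPP_FRAME = b"\xff\x03\x00\x21" + b"IPDATA"
SAMPLE_GRE_PACKET = (
    struct.pack("!HHHH", 0x3081, GRE_PROTO_PPP, len(SAMPLE_PPP_FRAME), 0x1234)
    + struct.pack("!II", 5, 4)
    + SAMPLE_PPP_FRAME
)

def parse_pptp_gre(packet: bytes) -> dict:
    """Decode the enhanced GRE header of RFC 2637 section 4.1.
    First 16 bits: C R K S s Recur(3) A Flags(4) Ver(3). PPTP requires C=R=0,
    K=1 and Ver=1; S and A announce optional 32-bit sequence and ack fields.
    The Key field is split into Payload Length and Call ID (the tunnel number)."""
    if len(packet) < 8:
        raise ValueError("packet too short for a GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    hdr = {
        "key_present": bool(flags & 0x2000),  # K bit
        "seq_present": bool(flags & 0x1000),  # S bit
        "ack_present": bool(flags & 0x0080),  # A bit
        "version": flags & 0x0007,
        "protocol": proto,
        "payload_length": payload_len,
        "call_id": call_id,
    }
    if (flags & 0xC000) or not hdr["key_present"] or hdr["version"] != 1:
        raise ValueError("flags do not match PPTP enhanced GRE")
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"unexpected protocol type 0x{proto:04x}")
    # Bounds-check the optional fields before unpacking them
    need = 8 + 4 * (hdr["seq_present"] + hdr["ack_present"])
    if len(packet) < need:
        raise ValueError("optional sequence/ack fields truncated")
    pos = 8
    if hdr["seq_present"]:
        hdr["sequence"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if hdr["ack_present"]:
        hdr["ack"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if len(packet) - pos < payload_len:
        raise ValueError("Payload Length exceeds the bytes actually present")
    hdr["ppp_frame"] = packet[pos:pos + payload_len]
    return hdr
```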

Layer 2 Tunneling Protocol (L2TP)

L2TP is an IETF standard created by combining the best features of two protocols: Cisco's Layer 2 Forwarding (L2F) protocol (described in RFC 2341) and Microsoft's PPTP. L2TP facilitates the tunneling of PPP frames across an intervening network in a way that is as transparent as possible to both end users and applications (RFC 2661). L2TP encapsulates the PPP packet (whose payload can be encrypted, compressed, or both) into a User Datagram Protocol (UDP) packet at the transport layer. L2TP can be used over the Internet as well as over private intranets, and can also carry PPP packets over X.25, Frame Relay or ATM networks. The UDP packet consists of the following, in this order: a UDP header with source and destination ports using port 1701; control bits representing options such as the version and the length of the packet; sequence number and tunnel ID fields, used to track the packet and identify the tunnel; and the layer 2 frame, which in turn contains the Media Access Control (MAC) addresses and the payload. To ensure security and enhance the authenticity of the L2TP packet, it is combined with IPSec by attaching an IPSec ESP header, using IPSec transport mode. Once IPSec is combined with L2TP, the UDP packet is encrypted and encapsulated with an IPSec ESP header and trailer and an ESP authentication trailer. The L2TP packet then consists of the following: data link header, IP header, IPSec ESP header, UDP header, L2TP frame, IPSec ESP trailer, IPSec ESP authentication trailer and data link trailer, resulting in excessive protocol overhead.
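As an added example (not code from the original article), this Python decodes the L2TP header inside the UDP payload described above: the flags/version word, the optional length field, the tunnel and session IDs and the optional sequence numbers. The sample datagram is constructed here, and the function and constant names are assumptions of mine.

```python
import struct
L2TP_UDP_PORT = 1701  # UDP port carried in the datagram's UDP header (RFC 2661)

# Constructed sample data message: L and S bits set, version 2, Length 22,
# Tunnel ID 7, Session ID 9, Ns 1, Nr 0, followed by a 10-byte PPP frame.
SAMPLE_PPP_FRAME = b"\xff\x03\x00\x21" + b"IPDATA"
SAMPLE_L2TP_DATAGRAM = struct.pack("!HHHHHH", 0x4802, 22, 7, 9, 1, 0) + SAMPLE_PPP_FRAME

def parse_l2tp(datagram: bytes) -> dict:
    """Decode an L2TPv2 header (RFC 2661 section 3.1) from a UDP payload.
    The 16-bit flags/version word is followed by optional Length (L bit),
    Tunnel ID, Session ID, optional Ns/Nr (S bit) and optional Offset (O bit)."""
    if len(datagram) < 6:
        raise ValueError("datagram too short for an L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    hdr = {
        "is_control": bool(flags & 0x8000),    # T bit: control vs data message
        "has_length": bool(flags & 0x4000),    # L bit
        "has_sequence": bool(flags & 0x0800),  # S bit
        "has_offset": bool(flags & 0x0200),    # O bit
        "priority": bool(flags & 0x0100),      # P bit
        "version": flags & 0x000F,
    }
    if hdr["version"] != 2:
        raise ValueError(f"unsupported L2TP version {hdr['version']}")
    # Control messages must carry Length and sequence numbers (RFC 2661 sec 3.1)
    if hdr["is_control"] and not (hdr["has_length"] and hdr["has_sequence"]):
        raise ValueError("control message without mandatory L or S bit")
    need = 6 + 2 * hdr["has_length"] + 4 * hdr["has_sequence"] + 2 * hdr["has_offset"]
    if len(datagram) < need:
        raise ValueError("header fields truncated")
    pos = 2
    if hdr["has_length"]:
        hdr["length"] = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    if hdr["has_sequence"]:
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", datagram[pos:pos + 4])
        pos += 4
    if hdr["has_offset"]:
        pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]  # skip offset pad too
    end = hdr.get("length", len(datagram))
    if end > len(datagram) or pos > end:
        raise ValueError("Length field inconsistent with datagram size")
    hdr["payload"] = datagram[pos:end]  # the tunneled PPP frame (or control AVPs)
    return hdr
```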

Virtual Private Network (VPN) Protocol Overhead

The tunneling protocols also affect network performance by adding processing overhead to the VPN connection. Implementing these security technologies on an insecure public network such as the Internet comes with some weaknesses, either because the specific standards are not sophisticated enough to provide secure, stable and fast data links, or because interaction with lower-level protocols causes serious problems. For example, IPSec employs three kinds of protocol, namely AH, ESP and IKE, to ensure security over the public network, and this in turn adds overhead to each packet sent. IPSec uses two modes for transferring packets: transport mode and tunnel mode. Tunnel mode is the more widely used because the tunnel can be used to access several resources, and it encapsulates and encrypts every part of the IP packet within another IP packet. An analysis was carried out to evaluate the performance overhead associated with IPSec on VPN servers, using tunnel mode. Tunnel mode uses different technologies to add security to the packet: two different protocols, namely ESP and IKE, and various encryption algorithms and cryptographic key sizes, thereby doubling the size of the packet. It is reported that the overheads of the IKE protocol are considerably higher than those incurred by ESP for processing a data packet; that cryptographic operations contribute 32-60% of the overheads for IKE and 34-55% for ESP; and that digital signature generation and Diffie-Hellman computations are the largest contributors to overhead during the IKE process, with only a small amount of the overhead attributable to symmetric key encryption and hashing.

The Layer 2 Tunneling Protocol (L2TP) on its own does not add any overhead to the VPN connection, since no encryption, authentication or privacy mechanism is applied to the data packet. When L2TP is combined with IPSec, all of the aforementioned mechanisms are applied to the packet, making it very secure, but this comes with added problems, protocol overhead among them. In this case both the IPSec and L2TP headers are added to the data packet, which increases its size and thereby decreases VPN performance.
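As an added illustration (not from the original article) of the header stacks listed above for IPSec tunnel mode, PPTP, L2TP and L2TP/IPSec, the following Python computes the on-the-wire frame size of each for a given payload, including the padding ESP adds for block ciphers. The data link sizes assume Ethernet and the ESP parameters assume AES-CBC with HMAC-SHA1-96; both are assumptions, as are the constant and function names.

```python
# Header sizes (bytes) for the encapsulations described in the text. Data link
# header/trailer assume Ethernet with FCS; ESP defaults assume AES-CBC (16-byte
# block and IV) with HMAC-SHA1-96 (12-byte ICV). These are assumptions, not page values.
ETH_HDR, ETH_FCS = 14, 4
IP_HDR, UDP_HDR = 20, 8
PPP_HDR = 4        # address, control and 2-byte protocol field
GRE_HDR = 12       # PPTP's enhanced GRE header with a sequence number (RFC 2637)
L2TP_HDR = 6       # flags/version, Tunnel ID, Session ID (no Length or Ns/Nr)
ESP_HDR = 8        # SPI and sequence number

def esp_overhead(plain_len: int, block: int = 16, iv_len: int = 16, icv_len: int = 12) -> int:
    """Bytes ESP adds around plain_len bytes: header, IV, padding up to the cipher
    block size, the 2-byte trailer (Pad Length, Next Header) and the ICV."""
    pad = (-(plain_len + 2)) % block
    return ESP_HDR + iv_len + pad + 2 + icv_len

def frame_sizes(payload: int) -> dict:
    """On-the-wire frame size for a payload of the given size under each stack."""
    inner_ip = IP_HDR + payload                          # the original IP packet
    l2tp_unit = UDP_HDR + L2TP_HDR + PPP_HDR + payload   # what ESP transport mode protects
    return {
        # no tunnel: data link header, IP header, payload, trailer
        "plain": ETH_HDR + inner_ip + ETH_FCS,
        # IPSec tunnel mode: outer IP header, ESP around the whole inner IP packet
        "ipsec_tunnel": ETH_HDR + IP_HDR + inner_ip + esp_overhead(inner_ip) + ETH_FCS,
        # PPTP: IP, GRE, PPP, RC4/MPPE-encrypted payload (MPPE's small per-packet
        # header is ignored here, a simplification)
        "pptp": ETH_HDR + IP_HDR + GRE_HDR + PPP_HDR + payload + ETH_FCS,
        # L2TP alone: IP, UDP, L2TP, PPP, payload, with no encryption applied
        "l2tp": ETH_HDR + IP_HDR + l2tp_unit + ETH_FCS,
        # L2TP/IPSec: IP, ESP header, UDP/L2TP/PPP/payload, ESP trailer, ESP auth trailer
        "l2tp_ipsec": ETH_HDR + IP_HDR + l2tp_unit + esp_overhead(l2tp_unit) + ETH_FCS,
    }

def overhead_percent(payload: int, stack: str) -> float:
    """Extra bytes on the wire relative to the untunneled frame, as a percentage."""
    sizes = frame_sizes(payload)
    return round(100.0 * (sizes[stack] - sizes["plain"]) / sizes["plain"], 1)

if __name__ == "__main__":
    for payload in (64, 512, 1400):
        sizes = frame_sizes(payload)
        print(payload, sizes, {k: overhead_percent(payload, k) for k in sizes})
```

Small packets show the effect most clearly: a 64-byte payload grows from a 102-byte frame to 170 bytes under either IPSec stack, while a 1400-byte payload under IPSec tunnel mode already reaches 1498 bytes, close to the Ethernet limit and a common reason for fragmentation on VPN links.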

The Internet, the Problem

Actually, a VPN does not directly incur processing overhead on the network; rather, it is the Internet that affects performance. Most performance slowdowns in fact result from inconsistent Internet connections rather than from encryption processing overhead. Networks based on IPv4 (the widely deployed version of the Internet Protocol) have inherent deficiencies which have become obstacles to the evolution of networks. VPNs implemented on the Internet automatically inherit some of these problems, such as the large overhead of network transport, the lack of Quality of Service (QoS) assurance, the NAT traversal problem, and so on. VPNs implemented on IPv6 (Internet Protocol version 6), known as "the next generation protocol", can solve these problems effectively.

Packet Loss

A VPN tunnel can sometimes suffer from high packet loss and packet reordering. Reordering can cause problems for some bridged protocols, and high packet loss may affect the optimal configuration of higher-layer protocols. In addition, packet loss is variable and can be very high, and packets can be delivered out of order and fragmented. One main cause of packet loss on a network with a VPN connection is the use of products from different vendors to implement the connection; these may not interoperate properly, which can degrade network performance.

Remote User CPU Capability / CPU Usage

Another factor to consider when implementing a client-to-site VPN configuration is making sure that the remote user's system processor can handle the load of the packets being sent in on a daily basis. The remote user's system, being the VPN client at the other end of the connection, is responsible for establishing, maintaining and using the tunnel, as well as for encrypting and encapsulating data, which can be demanding on the CPU depending on the level of encryption. To enhance performance for these machines, the encryption should be disabled, purely to increase the overall performance of the VPN. Compressing data before it is sent over a VPN connection can also hamper the performance of the client system if the CPU does not have the resources to accept such packets; even if it is capable of decompressing the data, this can be too large a load on the CPU. VPNs require specific hardware and/or software devices to terminate the encrypted sessions. This centralized encryption/decryption imposes heavy CPU loads on those devices, and such devices tend to be somewhat expensive, with the price increasing with the number of simultaneous sessions they can support. Virtual private networks implemented in software provide an economical and accessible alternative to hardware VPN solutions, but software VPNs may have a significant impact on performance, producing high CPU usage and limiting network throughput. In addition, compression implemented at user level adds further CPU overhead that has a negative effect on performance. In essence, when the network connection is fast, the software-based VPN is unable to keep up with the data transmission, but when the network connection is slow, the CPU does not easily get overloaded.
