Time

Sunday, August 31, 2008

VPN ...

VPN Protocols

The term "VPN" has taken on many different meanings in recent years. VPNC has a white paper about VPN technologies that describes many of the terms used in the VPN market today. In specific, it differentiates between secure VPNs and trusted VPNs, which are two very different technologies.

For secure VPNs, the technologies that VPNC supports are:

  • IPsec with encryption
  • L2TP inside of IPsec
  • SSL with encryption

For trusted VPNs, the technologies that VPNC supports are:

  • MPLS with constrained distribution of routing information through BGP ("layer 3 VPNs")
  • Transport of layer 2 frames over MPLS ("layer 2 VPNs")

IPsec is the most dominant protocol for secure VPNs. SSL gateways for remote-access users are also popular for secure VPNs. L2TP running under IPsec has a much smaller but significant deployment. For trusted VPNs, the market is split between the two MPLS-based protocols: companies that want to do their own routing tend to use layer 2 VPNs; companies that want to outsource their routing tend to use layer 3 VPNs.

The various VPN protocols are defined by a large number of standards and recommendations that are codified by the Internet Engineering Task Force (IETF). There are many flavors of IETF standards, recommendations, statements of common practice, and so on. Some of the protocols used in IPsec are full IETF standards; the others are often useful and stable enough to be treated as standards by people writing IPsec software. Neither of the trusted VPN technologies is an IETF standard yet, although a great deal of work is being done to get them there.

RFCs

The IETF codifies the decisions it comes to in documents called "Requests For Comments". These are almost universally called by their acronym "RFCs". Many RFCs are the standards on which the Internet is formed.

The level of standardization that an RFC reaches is determined not only by "how good" the RFC is, but by how widely it is implemented and tested. Some RFCs are not solid standards, but they nonetheless document technologies that are of great value to the Internet and thus should be used as guidelines for implementing VPNs.

For the purpose of defining VPNs, any protocol that has become an IETF Request For Comments (RFC) document can be treated as somewhat of a standard. Certainly, any IPsec-related RFC that has been placed on the IETF "standards track" should be considered a standard.

Internet Drafts

Before a document becomes an RFC, it starts out as an Internet Draft (Internet Drafts are often called "IDs" or "I-Ds"). IDs are rough drafts, and are sometimes created for no other purpose than to tell the Internet world what the author is thinking. On the other hand, there is often very good information in some IDs, particularly those that cover revisions to current standards.

Some Internet Drafts go along for years, but are then dropped or abandoned; others get on a fast track to becoming RFCs, although this is rare. Internet Drafts are given names when they first appear; if they become RFCs, the I-D name disappears and an RFC number is assigned.

It should be emphasized here that it is unwise to make any programming decisions based on information in Internet Drafts. Most IDs go through many rounds of revisions, and some rounds make wholesale changes in the protocols described in a draft. Further, many IDs are simply abandoned after discussion reveals major flaws in the reasoning that led to the draft.

That being said, it is worthwhile to know which IDs pertain to areas of interest. The following is a list of the IDs that are related to VPNs. Some of these drafts will likely become RFCs in the months or years to come, possibly with heavy revision; some will be merged with other drafts; others will be abandoned.

Protocol listings

The relevant IETF Working Groups for the protocols used by secure VPNs and trusted VPNs are:

Note that the IPsec Working Group was disbanded in April 2005.

The documents are arranged by the general categories they apply to. These categories are:

For secure VPNs:

For trusted VPNs:


General IPsec

| Document | Title | Status |
|---|---|---|
| RFC 4301 | Security Architecture for the Internet Protocol | Proposed standard |
| RFC 2401 | Security Architecture for the Internet Protocol | Obsoleted by RFC 4301 |
| RFC 2411 | IP Security Document Roadmap | Informational RFC |
| RFC 2521 | ICMP Security Failures Messages | Experimental RFC |
| RFC 2709 | Security Model with Tunnel-mode IPsec for NAT Domains | Informational RFC |
| RFC 2764 | Framework for IP Based Virtual Private Networks | Informational RFC |
| RFC 3102 | Realm Specific IP: Framework | Experimental RFC |
| RFC 3103 | Realm Specific IP: Protocol Specification | Experimental RFC |
| RFC 3104 | RSIP Support for End-to-end IPSEC | Experimental RFC |
| RFC 3554 | On the Use of SCTP with IPsec | Proposed standard |
| RFC 3884 | Use of IPsec Transport Mode for Dynamic Routing | Informational RFC |
| RFC 3723 | Securing Block Storage Protocols over IP | Proposed standard |
| RFC 3706 | Traffic-Based Method of Detecting Dead IKE Peers | Informational RFC |
| RFC 3776 | Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents | Proposed standard |
| RFC 3756 | IPv6 Neighbor Discovery trust models and threats | Informational RFC |
| RFC 4891 | Using IPsec to Secure IPv6-in-IPv4 Tunnels | Informational RFC |
| RFC 5265 | Mobile IPv4 Traversal across IPsec-Based VPN Gateways | Proposed standard |
| draft-ietf-pana-ipsec | Securing the first hop in PANA using IPsec | |
| draft-vidya-ipsec-failover-ps | IPsec Gateway Failover and Redundancy - Problem Statement and Goals | |
| draft-dondeti-ipsec-failover-sol | IPsec Gateway Failover and Redundancy Protocol | |
| draft-sheffer-ike-session-resumption | Stateless Session Resumption for the IKE Protocol | |
| draft-hoffman-esp-null-protocol | An Authentication-only Profile for ESP with an IP Protocol Identifier | |
| draft-grewal-ipsec-traffic-visibility | Traffic visibility using IPsec ESP NULL encryption | |
| draft-nir-qcr | A Quick Crash Recovery Method for IKE | |
| draft-nir-ike-qcd | A Quick Crash Detection Method for IKE | |




ESP and AH Headers

| Document | Title | Status |
|---|---|---|
| RFC 4302 | IP Authentication Header | Proposed standard |
| RFC 4303 | Encapsulating Security Payload (ESP) | Proposed standard |
| RFC 4304 | Extended Sequence Number Addendum to IPsec DOI for ISAKMP | Proposed standard |
| RFC 4835 | Cryptographic Algorithm Implementation Requirements For ESP And AH | Proposed standard |
| draft-nikander-esp-beet-mode | Bound End-to-End Tunnel (BEET) mode for ESP | |
| draft-ietf-rohc-ikev2-extensions-hcoipsec | Extensions to IKEv2 to Support Header Compression over IPsec (HCoIPsec) | |




Key Exchange

| Document | Title | Status |
|---|---|---|
| RFC 4306 | Internet Key Exchange (IKEv2) Protocol | Proposed standard |
| RFC 4718 | IKEv2 Clarifications and Implementation Guidelines | Informational RFC |
| draft-ietf-ipsecme-ikev2bis | Internet Key Exchange (IKEv2) Protocol | Replacement for RFC 4306 and RFC 4718 |
| RFC 4307 | Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) | Proposed standard |
| RFC 4308 | Cryptographic Suites for IPsec | Proposed standard |
| RFC 2407 | Internet IP Security Domain of Interpretation for ISAKMP | Obsoleted by RFC 4306 (IKEv2) |
| RFC 2408 | Internet Security Association and Key Management Protocol (ISAKMP) | Obsoleted by RFC 4306 (IKEv2) |
| RFC 2409 | Internet Key Exchange (IKE) | Obsoleted by RFC 4306 (IKEv2) |
| RFC 4109 | Algorithms for IKEv1 | Proposed standard |
| RFC 3715 | IPsec-NAT Compatibility Requirements | Informational RFC |
| RFC 3948 | UDP Encapsulation of IPsec Packets | Proposed standard |
| RFC 3947 | Negotiation of NAT-Traversal in the IKE | Proposed standard |
| RFC 3766 | Determining Strengths For Public Keys Used For Exchanging Symmetric Keys | Best Current Practice (BCP 86) |
| RFC 2412 | OAKLEY Key Determination Protocol | Informational RFC |
| RFC 2367 | PF_KEY Key Management API, Version 2 | Informational RFC |
| RFC 2522 | Photuris: Session-Key Management Protocol | Experimental RFC |
| RFC 2523 | Photuris: Extended Schemes and Attributes | Experimental RFC |
| RFC 3129 | Requirements for Kerberized Internet Negotiation of Keys | Informational RFC |
| RFC 4025 | Method for storing IPsec keying material in DNS | Proposed standard |
| RFC 4595 | Use of IKEv2 in The Fibre Channel Security Association Management Protocol | Informational RFC |
| RFC 4806 | Online Certificate Status Protocol (OCSP) Extensions to IKEv2 | Proposed standard |
| RFC 5106 | EAP IKEv2 Method (EAP-IKEv2) | Experimental RFC |
| RFC 4739 | Multiple Authentication Exchanges in the IKEv2 Protocol | Experimental RFC |
| draft-nourse-scep | Cisco Simple Certificate Enrollment Protocol (SCEP) | |
| RFC 3547 | Group Domain of Interpretation | Proposed standard |
| RFC 4322 | Opportunistic Encryption using the Internet Key Exchange (IKE) | Informational RFC |
| RFC 4809 | Requirements for an IPsec Certificate Management Profile | Informational RFC |
| RFC 4945 | IPsec PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX | Proposed standard |
| RFC 4478 | Repeated Authentication in IKEv2 | Experimental RFC |
| RFC 4869 | Suite B Cryptographic Suites for IPsec | Informational RFC |
| draft-eronen-ipsec-ikev2-ipv6-config | IPv6 Configuration in IKEv2 | |




Cryptographic Algorithms

| Document | Title | Status |
|---|---|---|
| RFC 2405 | ESP DES-CBC Cipher Algorithm With Explicit IV | Proposed standard |
| RFC 2451 | ESP CBC-Mode Cipher Algorithms | Proposed standard |
| RFC 2104 | HMAC: Keyed-Hashing for Message Authentication | Informational RFC |
| RFC 2202 | Test Cases for HMAC-MD5 and HMAC-SHA-1 | Informational RFC |
| RFC 2403 | Use of HMAC-MD5-96 within ESP and AH | Proposed standard |
| RFC 2404 | Use of HMAC-SHA-1-96 within ESP and AH | Proposed standard |
| RFC 2857 | Use of HMAC-RIPEMD-160-96 within ESP and AH | Proposed standard |
| RFC 2410 | NULL Encryption Algorithm and Its Use With IPsec | Proposed standard |
| RFC 1828 | IP Authentication using Keyed MD5 (may be moved to Historic) | Proposed standard |
| RFC 1829 | ESP DES-CBC Transform (may be moved to Historic) | Proposed standard |
| RFC 2085 | HMAC-MD5 IP Authentication with Replay Prevention | Proposed standard |
| RFC 3173 | IP Payload Compression Protocol (IPComp) | Proposed standard |
| RFC 2394 | IP Payload Compression Using DEFLATE | Informational RFC |
| RFC 2395 | IP Payload Compression Using LZS | Informational RFC |
| RFC 3051 | IP Payload Compression Using ITU-T V.44 Packet Method | Informational RFC |
| RFC 3526 | More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) | Proposed standard |
| RFC 3566 | AES-XCBC-MAC-96 Algorithm and Its Use With IPsec | Proposed standard |
| RFC 3602 | AES-CBC Cipher Algorithm and Its Use With IPsec | Proposed standard |
| RFC 4434 | AES-XCBC-PRF-128 algorithm for IKE | Proposed standard |
| RFC 3686 | Using AES Counter Mode With IPsec ESP | Proposed standard |
| RFC 4309 | Using AES CCM Mode With IPsec ESP | Proposed standard |
| RFC 4196 | SEED Cipher Algorithm and Its Use With IPSec | Proposed standard |
| RFC 4894 | Use of Hash Algorithms in IKE and IPsec | Informational RFC |
| RFC 4270 | Attacks on Cryptographic Hashes in Internet Protocols | Informational RFC |
| RFC 4312 | The Camellia Cipher Algorithm and Its Use With IPsec | Proposed standard |
| RFC 4753 | ECP Groups For IKE | Informational RFC |
| RFC 4106 | Use of Galois Message Authentication Code (GMAC) in IPsec ESP | Proposed standard |
| RFC 4359 | Use of RSA/SHA-1 Signatures within ESP and AH | Proposed standard |
| RFC 4493 | AES-CMAC Algorithm | Informational RFC |
| RFC 4494 | AES-CMAC-96 Algorithm and its use with IPsec | Proposed standard |
| RFC 4615 | AES-CMAC-PRF-128 Algorithm for IKE | Proposed standard |
| RFC 4634 | US Secure Hash Algorithms (SHA and HMAC-SHA) | Informational RFC |
| RFC 4231 | Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 | Proposed standard |
| RFC 4754 | IKE and IKEv2 Authentication Using ECDSA | Proposed standard |
| draft-ietf-ipsec-ike-ecc-groups | Additional ECC Groups For IKE and IKEv2 | In IETF Last Call |
| RFC 4868 | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec | Proposed standard |
| RFC 5282 | Using Authenticated Encryption Algorithms with the Encrypted Payload of IKEv2 | Proposed standard |




IPsec policy handling

| Document | Title | Status |
|---|---|---|
| RFC 3585 | IPsec Configuration Policy Information Model | Proposed standard |
| RFC 3586 | IP Security Policy Requirements | Proposed standard |
| draft-ietf-l3vpn-ce-based | Framework for Provider Provisioned CE-based Virtual Private Networks using IPsec | |
| RFC 4807 | IPsec Security Policy Database Configuration MIB | Proposed standard |




Remote access

| Document | Title | Status |
|---|---|---|
| RFC 2661 | Layer Two Tunneling Protocol (L2TP) | Proposed standard |
| RFC 2888 | Secure Remote Access with L2TP | Informational RFC |
| RFC 3193 | Securing L2TP using IPsec | Proposed standard |
| RFC 3457 | Requirements for IPsec Remote Access Scenarios | Informational RFC |
| RFC 3456 | Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode | Proposed standard |
| RFC 4621 | Design of the MOBIKE Protocol | Informational RFC |
| RFC 4555 | IKEv2 Mobility and Multihoming Protocol (MOBIKE) | Proposed standard |




SSL and TLS

| Document | Title | Status |
|---|---|---|
| RFC 2246 | The TLS Protocol Version 1.0 | Proposed standard, being updated to version 1.1 by draft-ietf-tls-rfc2246-bis |
| RFC 2818 | HTTP Over TLS | Informational RFC |
| RFC 3546 | TLS Extensions | Proposed standard, being updated by draft-ietf-tls-rfc3546bis |
| RFC 4279 | Pre-Shared Key Ciphersuites for TLS | Proposed standard |




General MPLS

| Document | Title | Status |
|---|---|---|
| RFC 3031 | Multiprotocol Label Switching Architecture | Full standard |
| RFC 3032 | MPLS Label Stack Encoding | Full standard |
| RFC 3036 | Label Distribution Protocol (LDP) Specification | Full standard |
| RFC 3037 | LDP Applicability | Informational RFC |




MPLS constrained by BGP routing

| Document | Title | Status |
|---|---|---|
| RFC 4364 | BGP/MPLS IP VPNs | Proposed standard |
| RFC 4365 | Applicability Statement for BGP/MPLS IP VPNs | Informational RFC |
| RFC 4381 | Analysis of the Security of BGP/MPLS IP VPNs | Informational RFC |
| RFC 4026 | Provider Provisioned Virtual Private Network (VPN) Terminology | Informational RFC |
| RFC 4176 | Framework for PPVPN Operations and Management | Informational RFC |
| RFC 4265 | Definition of Textual Conventions for Virtual Private Network (VPN) Management | Proposed standard |
| draft-ietf-l3vpn-ipsec-2547 | Use of PE-PE IPsec in RFC2547 VPNs | |
| draft-ietf-l3vpn-gre-ip-2547 | Use of PE-PE GRE or IP in RFC2547 VPNs | |
| RFC 4031 | Service requirements for Layer 3 Provider Provisioned Virtual Private Networks | Informational RFC |
| RFC 3809 | Generic Requirements for Provider Provisioned VPNs (PPVPN) | Informational RFC |
| RFC 4110 | Framework for Layer 3 Provider Provisioned Virtual Private Networks | Informational RFC |
| draft-ietf-l3vpn-bgpvpn-auto | Using BGP as an Auto-Discovery Mechanism for Network-based VPNs | |
| RFC 4111 | Security Framework for Provider Provisioned Virtual Private Networks | Informational RFC |
| draft-ietf-l3vpn-rt-constrain | Constrained VPN route distribution | Approved as a Proposed Standard |




Transport of layer 2 frames over MPLS

| Document | Title | Status |
|---|---|---|
| draft-ietf-l2vpn-requirements | Service Requirements for Layer 2 Provider Provisioned Virtual Private Networks | |
| draft-ietf-l2vpn-vpls-bgp | Virtual Private LAN Service | Approved as a Proposed Standard |
| draft-ietf-l2tpext-l2vpn | L2VPN Extensions for L2TP | Approved as a Proposed Standard |
| RFC 3916 | Requirements for Pseudo-Wire Emulation Edge-to-Edge (PWE3) | Informational RFC |
| RFC 3985 | PWE3 Architecture | Informational RFC |
| RFC 4447 | Transport of Layer 2 Frames Over MPLS | Proposed standard |
| RFC 4448 | Encapsulation Methods for Transport of Ethernet Over MPLS Networks | Proposed standard |
| draft-ietf-l2tpext-pwe3-ethernet | Transport of Ethernet Frames over L2TPv3 | Approved as a Proposed Standard |
| draft-ietf-pwe3-frame-relay | Frame Relay over Pseudo-Wires | |




Virtual Routers

| Document | Title | Status |
|---|---|---|
| draft-ietf-l3vpn-as-vr | Applicability Statement for Virtual Router-based Layer 3 PPVPN approaches | |
| draft-ietf-l3vpn-vpn-vr | Network based IP VPN Architecture using Virtual Routers | |
| draft-ietf-l3vpn-vr-mib | Virtual Router Management Information Base Using SMIv2 | |


