Thomas Berger
University of Salzburg
tberger.tks2000@fh-salzburg.ac.at
Proceedings of the First International Conference on Availability, Reliability and Security (ARES’06)
0-7695-2567-9/06 $20.00 © 2006 IEEE
of IPSec connections, transport mode and tunnel mode. When IPSec is operated in transport mode, a so-called IPSec header is inserted between the original IP header and the transport-layer header. This IPSec header carries authentication and integrity information. Tunnel mode provides more flexibility, because each original IP packet is wrapped in a new IP packet, which consists of a new IP header and the IPSec header. The content of the original IP packet, including its addresses, is therefore hidden in the payload of the new IP packet.
In order to determine which IPSec mode is applied, both connection partners have to agree on a common security association (SA). It contains the IPSec mode, the symmetric ciphers, and the keys used during secure data transmission. Since the SA contains the keys, both partners have to keep it secret, and the SA parameters must be exchanged by means of an authenticated public-key protocol.
There are two different types of IPSec headers, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The authentication header provides data authenticity and integrity: it contains a Security Parameter Index (SPI), a sequence number, and authentication data, i.e. a keyed hash (HMAC-MD5 or HMAC-SHA-1) computed over the whole IP packet. Since AH does not include encryption, it does not offer privacy. Therefore ESP, which includes data encryption, is used more often than AH. The ESP header is followed by an initialization vector field, which is needed by symmetric block ciphers. IPSec in tunnel mode with ESP provides the maximum of security and flexibility.
The Internet Key Exchange protocol (IKE) is used to establish IPSec connections, exchange encryption keys, and share authentication data. This is also referred to as negotiation: both tunnel partners negotiate the parameters of the VPN connection in order to agree on a common SA. IKE messages are exchanged via UDP packets on port 500, and rely on the Internet Security Association and Key Management Protocol (ISAKMP). When establishing an IPSec connection, there are two phases of negotiation. During phase one, the SA for IKE itself is negotiated. At that point in time there is no data encryption or authentication yet. Therefore, both tunnel partners have to authenticate themselves, and exchange keys using the Diffie-Hellman key exchange. This is an asymmetric public-key protocol which relies on the difficulty of solving the discrete logarithm problem; refer to [1] for details.
Once an IKE SA is established, phase two is initiated. During this phase, which is already protected by the SA determined in phase one, the parameters for the VPN tunnel(s) are negotiated, including symmetric cipher keys (and key expiry information), security policy, network routes, and other connection-relevant information. After that, data can be exchanged securely. Since keys should always have a limited time of validity, re-keying should be performed periodically. For this purpose, only phase two is repeated; the complete IKE process including both phases is only performed at the time of connection establishment. However, IPSec does not prescribe re-keying in general; it depends on the implementation. For detailed information on the IPSec standard, refer to [3].

2.2. L2TP

The Layer Two Tunneling Protocol is based on the Layer Two Forwarding protocol (L2F), which is described in [RFC2341]. It enables encapsulation of a complete data-link-layer frame (in practice a PPP frame) into a UDP packet at the transport layer. Therefore, a data packet with local (or private) network addresses can be sent through the internet. The UDP packet carrying the layer two frame consists of the following data fields: after the UDP header (port 1701), several control bits represent various options, the version, and the length of the packet. After that, sequence number and tunnel-ID fields keep track of the current VPN connection in order to ensure correct packet processing. Then the layer two frame follows, containing, for example, media access control (MAC) addresses and the payload. Obviously, solely encapsulating a layer two frame into a UDP packet provides neither data authenticity nor privacy. Therefore, L2TP is often combined with IPSec by adding the IPSec header in front of the L2TP header. In this case IPSec transport mode is applied, as encapsulating the L2TP packet (which already encapsulates a layer two frame) into a new IP packet would result in excessive protocol overhead.

2.3. PPTP

Microsoft's Point-to-Point Tunneling Protocol is an extension of the Point-to-Point Protocol (PPP), is supported natively by Microsoft Windows, and is described in [4]. PPTP uses two different packet types to establish a VPN connection. First, Generic Routing Encapsulation (GRE) packets carry the VPN payload by adding the GRE header to the original packet. The GRE header is quite similar to the L2TP header, and contains various control bits, sequence and tunnel numbers. The second packet type is the PPTP control message. This is simply a TCP packet (port 1723) containing control information, such as connection requests and responses, connection parameters, and error messages. Since neither GRE nor PPTP control messages provide authentication or encryption, PPTP must be combined with additional security methods. For this purpose, Microsoft uses its variant of the Challenge Handshake Authentication Protocol (MS-CHAP) to authenticate both tunnel partners. For data privacy, the GRE payload is encrypted using the symmetric RC4 stream cipher.
Thus it appears that the design of PPTP is quite simple.
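The L2TP header layout sketched in section 2.2 can be checked against the actual wire format of RFC 2661. The following parser is an added example written for this page, not code from the paper or from any of the products it discusses; the sample packet is constructed, and the PPP payload it carries is returned in the clear to illustrate that plain L2TP (without IPSec) provides no confidentiality.

```python
"""Parse and build L2TPv2 (RFC 2661) headers. Added example, not from the paper."""
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_UDP_PORT = 1701    # registered port, as stated in section 2.2
L2TP_VERSION = 2

FLAG_T = 0x8000   # type: 1 = control message, 0 = data message
FLAG_L = 0x4000   # length field present
FLAG_S = 0x0800   # Ns/Nr sequence number fields present
FLAG_O = 0x0200   # offset size field present
FLAG_P = 0x0100   # priority (data messages only)


@dataclass
class L2TPHeader:
    is_control: bool
    length: Optional[int]
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    header_len: int


def parse_l2tp(pkt: bytes) -> L2TPHeader:
    """Parse the variable-length header and enforce the flag rules of RFC 2661."""
    def need(n: int) -> None:
        if len(pkt) < n:
            raise ValueError(f"truncated L2TP header: need {n} bytes, have {len(pkt)}")

    need(2)
    (flags,) = struct.unpack_from("!H", pkt, 0)
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    is_control = bool(flags & FLAG_T)
    has_len, has_seq, has_off = bool(flags & FLAG_L), bool(flags & FLAG_S), bool(flags & FLAG_O)
    if is_control and (not has_len or not has_seq or has_off or flags & FLAG_P):
        raise ValueError("control message violates RFC 2661 flag rules (L=1, S=1, O=0, P=0)")

    pos = 2
    length = None
    if has_len:
        need(pos + 2)
        (length,) = struct.unpack_from("!H", pkt, pos)
        pos += 2
        if length > len(pkt):
            raise ValueError("declared length exceeds packet size")
    need(pos + 4)
    tunnel_id, session_id = struct.unpack_from("!HH", pkt, pos)
    pos += 4
    ns = nr = None
    if has_seq:
        need(pos + 4)
        ns, nr = struct.unpack_from("!HH", pkt, pos)
        pos += 4
    if has_off:
        need(pos + 2)
        (offset,) = struct.unpack_from("!H", pkt, pos)
        pos += 2 + offset        # skip the offset pad as well
    need(pos)
    if length is not None and length < pos:
        raise ValueError("declared length shorter than header")
    return L2TPHeader(is_control, length, tunnel_id, session_id, ns, nr, pos)


def l2tp_payload(pkt: bytes) -> bytes:
    """Return the encapsulated PPP frame; without IPSec anyone on the path can read it."""
    hdr = parse_l2tp(pkt)
    end = hdr.length if hdr.length is not None else len(pkt)
    return pkt[hdr.header_len:end]


def build_l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes,
                    ns: Optional[int] = None, nr: Optional[int] = None) -> bytes:
    """Build a data message (T=0) with a length field and optional sequence numbers."""
    flags = FLAG_L | L2TP_VERSION
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= FLAG_S
        body += struct.pack("!HH", ns, nr or 0)
    header_len = 4 + len(body)
    return struct.pack("!HH", flags, header_len + len(ppp_frame)) + body + ppp_frame


# Constructed sample (not captured traffic): a PPP frame with address 0xFF, control 0x03,
# protocol 0x0021 (IPv4), carrying the first bytes of an IPv4 header.
SAMPLE_PPP = bytes.fromhex("ff030021" "4500003c1c4640004006")
SAMPLE_PKT = build_l2tp_data(tunnel_id=0x1234, session_id=0x0001,
                             ppp_frame=SAMPLE_PPP, ns=5, nr=7)

if __name__ == "__main__":
    print(parse_l2tp(SAMPLE_PKT))
    print("PPP frame visible in clear:", l2tp_payload(SAMPLE_PKT).hex())
```

The parser rejects control messages that lack the mandatory length and sequence fields and any packet whose declared length is inconsistent with the buffer, which is the kind of input a gateway receives when someone replays or corrupts tunnel packets as in the tests in section 4.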
Because Microsoft Windows is widely used, PPTP can be applied to establish VPN connections between the networks of internet service providers and their customers, who do not have to install additional VPN software. In Austria, PPTP is used to establish ADSL connections, as PPTP is low-cost and GRE packets do not add much protocol overhead.

2.4. phion VPN

The Austrian company phion Information Technologies ([5]) develops and sells security gateway software called netfence, which includes a VPN solution. Netfence is a commercial product providing a complete IT security solution for enterprise networks, including firewall, VPN, mail and web security with central management and monitoring capabilities. VPN tunnel establishment is performed by means of a newly developed handshake process. Establishing VPN tunnels is described as follows, using the term initiator for the client which wants to establish a connection, and responder for the server which checks the identity of the initiator before a VPN tunnel is established.
At configuration time, a unique tunnel-ID string is assigned to each VPN connection. First, the initiator sends a tunnel request, including the tunnel-ID, to the responder, which keeps an encrypted server cookie in a file. The server does not need to calculate a new cookie every time an initiator sends a request, but can use the stored cookie, which provides basic denial of service (DoS) protection for the VPN server. The server cookie is sent to the initiator, which has to decrypt the cookie in order to authenticate itself. After decryption the server cookie is returned to the server, together with an encrypted client cookie. The responder checks the decrypted server cookie and decrypts the client cookie received from the client. After successful authentication, both partners generate new cookies, so that a cookie which may have been wiretapped can no longer be used. The next step is the exchange of tunnel parameters, such as ciphers, network routes, and various options. After that, the VPN connection is established.
The messages exchanged during the handshake rely on a proprietary protocol called Transport Independent Network Architecture (TINA). Using UDP port 691, TINA messages consist of length and message type fields. There are several message types, such as tunnel requests, cookie exchange, authentication, tunnel keep-alive messages, and re-keying requests. By means of these messages, the VPN link is under constant surveillance, and re-keying is performed periodically.
After successful connection establishment, VPN traffic can be exchanged in four different tunnel modes, which are determined at configuration time. The first and second, named TCP and UDP tunnel, add an additional TCP or UDP header to the encapsulated packet. The third tunnel mode, referred to as hybrid mode, is a combination of TCP and UDP tunnels: TCP traffic is sent into a UDP tunnel, and vice versa. Hybrid mode was introduced because sending TCP traffic through a TCP tunnel is inefficient, as it doubles the TCP reliability mechanisms (retransmission, acknowledgement, etc.), whereas sending UDP traffic through a UDP tunnel would provide no transmission guarantees at all, since UDP is not connection oriented. The last tunnel mode is ESP, which is equivalent to IPSec ESP.

3. Problems caused by VPN

Current VPN technologies suffer from the fact that the protocols used in the internet were originally not designed to provide data security, and the technologies presented in the previous section were added afterwards. This causes several drawbacks, which are described in the following sections.

3.1. Technology-specific aspects

The development of IPSec was a long-lasting process, and the result suffers from its complexity. The IPSec standard, in general, caused disappointment within the IT industry. Tunnel negotiations using IKE should provide VPN connections between security gateways of different vendors, but they are complex and inefficient. Therefore, many implementations do not fulfil all requirements of the IPSec standard, leading to reduced interoperability. Another drawback of IPSec is that important and necessary mechanisms are not part of the standard. For example, there is no mechanism for tunnel probing to check whether a tunnel partner is still reachable. Tunnel status information is only exchanged at re-keying time. This can lead to loss of VPN connectivity and tunnel downtime. Further, IPSec does not include any policy for network route exchange, i.e. which network routes are allowed for VPN connections. In the worst case, a VPN partner could propagate a default route (0.0.0.0/0) for the VPN connection, and all hosts in the network would use this route instead of their original default route, leading to loss of internet connectivity. IPSec places the burden of tunnel probing and network route policy on the developers of IPSec implementations.
As already mentioned, L2TP does not include mechanisms for authentication and data privacy. Thus, it is not suitable for mission-critical applications. Internal network addresses and the payload are not encrypted, and are transmitted in plain text. Combining L2TP and IPSec solves this problem, but comes with several other drawbacks. Since IPSec and L2TP headers are added to each packet, the protocol overhead is very high, which leads to decreased VPN performance. VPN protocol overhead in general causes problems, which are outlined in the following section.
Originally, PPTP did not include mechanisms for data authenticity, integrity and privacy either, just like L2TP. Microsoft combined PPTP with the challenge handshake authentication protocol MS-CHAP, and GRE packets are encrypted by means of the symmetric stream cipher RC4. These mechanisms offer a basic security level, but do not meet high security standards. Bruce Schneier and Mudge describe in [9] the drawbacks of PPTP using MS-CHAP and RC4, and present weaknesses and possible points of attack.
Phion VPN is part of the commercial product called netfence security gateway series, and therefore only available in combination with this product. The connection handshake protocol and TINA, which were described in the previous section, are not standardized and therefore only applied within phion netfence systems. However, one of the critical aspects of a cryptosystem is that it is thoroughly researched by specialists, and its security is established by resisting all known attacks. Phion VPN is a fairly new product and not widely applied; as such it has not been researched and tested as much as the other VPN technologies presented here. No weaknesses or security issues have been reported so far, which, given the limited scrutiny, should not be mistaken for proof of security. In order to ensure interoperability with other VPN vendors, netfence also includes an IPSec implementation.

3.2. Interaction of VPN with TCP/IP

As mentioned before, secure VPN technologies were added to existing internet technologies. This may cause several undesired issues. Network address translation (NAT), which translates private IP network addresses (e.g. 192.168.x.x) into public IP addresses that can be routed through the internet, can lead to various problems, since it means a modification of the IP header.
VPN technologies such as IPSec transport mode (in particular AH, which authenticates the IP header) do not allow any changes to the IP packet, because the authentication and integrity check (HMAC-MD5 or HMAC-SHA-1) fails if the IP header is modified by a routing device during transmission. By means of network address port translation (NAPT), which enables a router to translate a large number of internal network addresses into one public IP address, the router keeps track of the individual connections by modifying the source port in the TCP (or UDP) header. However, since the payload of an IP packet cannot be changed during transmission either without violating the integrity checksum, NAPT cannot be applied. When a VPN technology encapsulates a whole IP packet into a new one, a router cannot see the original TCP header at all. (Later IPSec implementations address this by NAT traversal, i.e. encapsulating ESP in UDP on port 4500, which was not part of the original standard.)
The interaction of VPNs and firewalls may, in practice and under certain circumstances, cause other problems. Of course, firewall packet filtering rules must be configured properly, and in the best case VPN and firewall functionality are performed by the same device (often referred to as a security gateway), which dynamically decides, according to its routing table, which traffic is to be sent through a VPN tunnel. But if there are other firewalls on the route through the internet (e.g. at the internet service providers) which filter VPN packets, an alternative way must be found to establish a VPN tunnel.
Another challenging problem related to VPN and IP is the fact that VPN technologies add transmission protocol overhead. As a consequence, the maximum transmission unit (MTU) is reached earlier. IP provides a mechanism to counter this problem, called fragmentation. If the size of an IP packet would exceed a pre-determined value, the IP packet is fragmented, and the corresponding flags in the IP header are set. Packet fragmentation modifies the IP packet; fragments of a protected packet have to be reassembled by the receiving gateway before the VPN integrity check can succeed, and any fragment lost or filtered on the way causes the whole packet to fail the check. Setting the "don't fragment" flag in the IP header before adding the VPN header seems to be a fast and simple solution for this problem. But packets transmitted through the internet can sometimes not be processed by routers (or other network devices), and will simply be discarded when the size exceeds a critical value and the don't fragment flag is set. VPN technologies not only add data overhead, they also cause additional packet processing time, resulting in increased packet round-trip time and decreased data throughput. Packet authentication, encapsulation, adding VPN headers and checksums, and especially encryption algorithms need extra computation time. In most cases the effects are not dramatic, causing file transfers to last longer. But with response-time-critical applications (such as multimedia applications or database access systems), VPN technologies could lead to a significant loss of performance, and in the worst case these applications no longer work, because they permanently run into time-outs.
These are the major problems caused by adding VPN technologies to existing technologies. However, VPN implementations provide different solutions, which are, among other aspects, analyzed in the following sections.

4. Practical analysis

This section documents the practical analysis of the presented VPN technologies. Each testing scenario is described by explaining the testing environment, the testing method and the results of each test, including a table for comparison.

4.1. Testing environments

The testing environment for the IPSec tests is illustrated in figure 1. Four different VPN appliances and their interaction with the phion netfence IPSec implementation were tested:
• Cisco Systems Pix 501
• Netscreen 5XP
• Soho Watchguard WG2500
• Symantec FW/VPN 100
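Section 3.1 points out that IPSec leaves the policy for routes announced by a VPN partner to the implementation, with a peer-announced default route (0.0.0.0/0) as the worst case. The following check is an added example, not part of the paper or of any product discussed in it; the allow-list, the local networks and the announced prefixes are constructed for illustration.

```python
"""Route policy for prefixes announced by a VPN peer. Added example, not from the paper."""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _parse_all(prefixes: Iterable[str]) -> List[Network]:
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def filter_peer_routes(announced: Iterable[str], allowed: Iterable[str],
                       local: Iterable[str]) -> Tuple[List[str], Dict[str, str]]:
    """Apply a local route policy to prefixes announced by a VPN peer.

    allowed: prefixes the peer is permitted to announce (each announced route must lie inside one)
    local:   our own networks; a peer must never be allowed to attract traffic for them
    Returns (accepted prefixes, {rejected prefix: reason}).
    """
    allowed_nets, local_nets = _parse_all(allowed), _parse_all(local)
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for raw in announced:
        try:
            net = ipaddress.ip_network(raw, strict=True)   # strict: host bits set means reject
        except ValueError as exc:
            rejected[raw] = f"malformed prefix ({exc})"
            continue
        if net.prefixlen == 0:
            rejected[raw] = "default route announced by peer"
            continue
        if any(l.version == net.version and net.overlaps(l) for l in local_nets):
            rejected[raw] = "overlaps a local network (would hijack internal traffic)"
            continue
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed_nets):
            rejected[raw] = "not inside any allowed prefix"
            continue
        accepted.append(str(net))
    return accepted, rejected


# Constructed policy and announcement for illustration (not from the paper's test setup).
ALLOWED_FROM_PEER = ["10.20.0.0/16", "192.168.50.0/24"]
LOCAL_NETWORKS = ["192.168.1.0/24", "10.99.0.0/16"]
PEER_ANNOUNCEMENT = [
    "10.20.5.0/24",        # fine: inside 10.20.0.0/16
    "192.168.50.128/25",   # fine: inside 192.168.50.0/24
    "0.0.0.0/0",           # the worst case from section 3.1
    "192.168.1.0/24",      # tries to pull our own LAN into the tunnel
    "10.30.0.0/16",        # not covered by the allow-list
    "10.20.5.1/24",        # host bits set: malformed
]


def example() -> Tuple[List[str], Dict[str, str]]:
    return filter_peer_routes(PEER_ANNOUNCEMENT, ALLOWED_FROM_PEER, LOCAL_NETWORKS)


if __name__ == "__main__":
    ok, bad = example()
    print("installed:", ok)
    for prefix, why in bad.items():
        print(f"rejected {prefix}: {why}")
```

The order of the checks matters: the default route is rejected before the overlap test, because 0.0.0.0/0 overlaps every local network and would otherwise be reported with a misleading reason.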
was not possible. Anyway, these testing configurations deliver comparable results, and since the same hardware is used for all testing environments, which is by far faster than the maximum throughput of the network traffic would require, differences in throughput and round-trip measurements can be traced back to the properties of each VPN technology. The configuration parameters of all VPN technologies are listed in table 1.

Table 2: Results of basic functionality tests
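Section 2.4 describes the stored server cookie of the phion handshake as basic denial-of-service protection, and the flooding test described later in section 4 shows what happens to a responder that does the full work for every replayed tunnel request. The following simulation is an added example, not code from the paper or from phion; it substitutes an IKEv2-style stateless HMAC cookie (RFC 4306) for the proprietary encrypted cookie, which is an assumption, and the 10 ms replay interval mirrors the paper's test.

```python
"""Stateless cookie vs. naive responder under a replayed tunnel-request flood. Added example."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption for the simulation: the responder rotates its cookie secret every 10 s
# and still accepts cookies minted under the previous secret.
COOKIE_SECRET_LIFETIME = 10.0


@dataclass
class Request:
    src_ip: str
    tunnel_id: str
    cookie: Optional[bytes] = None   # only present on the initiator's second message


@dataclass
class Reply:
    kind: str                        # "COOKIE", "PARAMS" or "REJECT"
    cookie: Optional[bytes] = None


class CookieResponder:
    """Answers first contact statelessly with an HMAC cookie and spends the expensive
    work (decryption, key agreement) only on requests that echo a valid cookie."""

    def __init__(self, now: float) -> None:
        self.secret = os.urandom(32)
        self.prev_secret: Optional[bytes] = None
        self.secret_born = now
        self.expensive_ops = 0                       # counts the costly per-tunnel work
        self.tunnels: Dict[Tuple[str, str], float] = {}

    def _cookie(self, secret: bytes, req: Request) -> bytes:
        msg = f"{req.src_ip}|{req.tunnel_id}".encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()[:16]

    def _rotate(self, now: float) -> None:
        age = now - self.secret_born
        if age >= COOKIE_SECRET_LIFETIME:
            self.prev_secret = self.secret if age < 2 * COOKIE_SECRET_LIFETIME else None
            self.secret, self.secret_born = os.urandom(32), now

    def handle(self, req: Request, now: float) -> Reply:
        self._rotate(now)
        if req.cookie is None:
            return Reply("COOKIE", self._cookie(self.secret, req))   # cheap, no state kept
        for secret in (self.secret, self.prev_secret):
            if secret and hmac.compare_digest(req.cookie, self._cookie(secret, req)):
                self.expensive_ops += 1
                self.tunnels[(req.src_ip, req.tunnel_id)] = now
                return Reply("PARAMS")
        return Reply("REJECT")


class NaiveResponder:
    """Does the expensive work for every tunnel request it receives."""

    def __init__(self, now: float) -> None:
        self.expensive_ops = 0
        self.tunnels: Dict[Tuple[str, str], float] = {}

    def handle(self, req: Request, now: float) -> Reply:
        self.expensive_ops += 1
        self.tunnels[(req.src_ip, req.tunnel_id)] = now
        return Reply("PARAMS")


def legitimate_handshake(responder, src_ip: str, tunnel_id: str, now: float) -> Optional[Request]:
    """Run the two-message exchange; returns the second message so it can be 'captured' and replayed."""
    first = responder.handle(Request(src_ip, tunnel_id), now)
    if first.kind == "PARAMS":
        return None                                   # naive responder: no cookie round trip
    second = Request(src_ip, tunnel_id, cookie=first.cookie)
    return second if responder.handle(second, now + 0.05).kind == "PARAMS" else None


def replay_flood(responder, captured: Request, count: int, start: float,
                 interval: float = 0.01) -> int:
    """Replay one captured packet `count` times, `interval` seconds apart (10 ms as in the
    paper's test). Returns how often the responder performed its expensive work."""
    before = responder.expensive_ops
    for i in range(count):
        responder.handle(captured, start + i * interval)
    return responder.expensive_ops - before


if __name__ == "__main__":
    first_msg = Request("203.0.113.7", "branch-office")      # constructed initiator address
    for cls in (NaiveResponder, CookieResponder):
        print(cls.__name__, "first-message flood:", replay_flood(cls(0.0), first_msg, 3000, 1.0))
```

A replayed first message costs the cookie responder nothing beyond one HMAC, whereas the naive responder performs the expensive work for every copy, which is the behaviour the Watchguard appliance showed. Replaying a captured second message, which does carry a valid cookie, still buys the attacker expensive operations until the secret has rotated twice, so the cookie bounds the damage rather than eliminating it; the real protection against that replay is the authentication that follows.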
Table 3: Performance measurement results

Without VPN, a data rate of 94 MBit/s was achieved, which approximately corresponds to the maximum throughput that can be reached over 100 MBit/s Fast Ethernet connections. Compared with the results of the different VPN technologies, there is a dramatic loss of performance, especially when IPSec appliances were used. The IPSec appliances, which are not equipped with high-performance CPUs, were not able to handle 100 simultaneous TCP sessions through the IPSec tunnel: all IPSec connections broke down and had to be re-initiated. Thus it appears that these VPN appliances are not suitable for heavy load. PPTP delivers the best performance value, but this goes back, as already mentioned, to the simple RC4 cipher. The additional packet processing time required by any VPN technology leads to a significant loss of performance.

4.4. Interaction with TCP/IP

The next test series was performed to analyze the problems of VPNs in combination with TCP/IP which are discussed in section 3.2. By means of ICMP messages (of different sizes), the additional VPN header overhead, the IP packet fragmentation behavior, and the NAT/NAPT capabilities were examined. The first test considers the additional data overhead caused by VPN technologies. For this purpose, ICMP messages (1000 bytes in size) were exchanged, and the actual size of the packets transmitted through the VPN tunnel was measured using Ethereal. The results are listed in table 4, where ICMP and ICMP echo messages are printed in different columns.

packets, cause a total data overhead of 94 bytes. Since L2TP requires L2TP and IPSec headers, it is the technology with the most data overhead (110 bytes, and 118 bytes for the echo message). PPTP, of course, adds the least VPN data overhead. In order to analyze packet fragmentation behavior, the size of the ICMP messages was increased to 1600 bytes. Since the default MTU of Ethernet connections is 1500 bytes, these packets need to be fragmented at the IP layer. This test showed differences in the behavior of the VPN technologies, which are listed in table 5.

Table 5: VPN packet fragmentation behavior

Packet fragmentation seemed to be no problem for all VPN technologies except one: the IPSec implementation of Symantec, where the destination workstation could no longer be reached (however, this may go back to poor interoperability between different IPSec implementations). A very interesting point is that the number of packets transmitted for one ICMP message and ICMP echo message, respectively, differs; and when using Cisco IPSec and PPTP, the "Don't fragment" flag of the IP header was set.
For testing NAT/NAPT behavior, the router between the security gateways (as shown in the testing environment diagrams in section 4.1) was configured to perform address translation. Since all tested VPN technologies (except PPTP) exchanged traffic by means of ESP packets, where the encrypted and authenticated IP packet is encapsulated into another IP packet whose outer header is not covered by the integrity check and can therefore be modified, NAT was possible without problems. With PPTP, where only the payload is encrypted and authenticated, and not the whole IP packet, it was also possible to change IP network addresses during transmission.
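The overhead, MTU and fragmentation observations above (sections 3.2 and 4.4) can be reproduced arithmetically for ESP tunnel mode. The following calculator is an added example, not from the paper; the cipher suites with their block, IV and ICV sizes are assumptions (the paper's table 1 is not reproduced here), so its byte counts are not those of table 4, and the MSS clamp it derives is the mitigation a gateway operator applies to avoid both fragmentation and "don't fragment" drops.

```python
"""ESP tunnel-mode overhead, MTU fit and fragment count. Added example, not from the paper."""
import math
from dataclasses import dataclass

IPV4_HEADER = 20        # outer IP header without options
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
TCP_HEADER = 20
ETHERNET_MTU = 1500


@dataclass(frozen=True)
class EspSuite:
    """Sizes that determine ESP overhead. Assumed suites, not the paper's table 1."""
    name: str
    block: int   # cipher block size; plaintext + padding + trailer must fill whole blocks
    iv: int      # IV transmitted in front of the ciphertext
    icv: int     # integrity check value appended after the ciphertext


AES_CBC_HMAC_SHA1 = EspSuite("AES-CBC / HMAC-SHA1-96", block=16, iv=16, icv=12)
TDES_CBC_HMAC_MD5 = EspSuite("3DES-CBC / HMAC-MD5-96", block=8, iv=8, icv=12)


def esp_padding(inner_len: int, suite: EspSuite) -> int:
    """Padding bytes so that inner packet + padding + 2-byte trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % suite.block


def esp_tunnel_packet_len(inner_len: int, suite: EspSuite) -> int:
    """Wire size of an ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes."""
    return (IPV4_HEADER + ESP_HEADER + suite.iv + inner_len
            + esp_padding(inner_len, suite) + ESP_TRAILER + suite.icv)


def esp_overhead(inner_len: int, suite: EspSuite) -> int:
    return esp_tunnel_packet_len(inner_len, suite) - inner_len


def max_inner_len(mtu: int, suite: EspSuite) -> int:
    """Largest inner IP packet whose encapsulation still fits the path MTU unfragmented."""
    for n in range(mtu, 0, -1):
        if esp_tunnel_packet_len(n, suite) <= mtu:
            return n
    return 0


def tcp_mss_for_tunnel(mtu: int, suite: EspSuite) -> int:
    """MSS to clamp on the gateway so TCP segments never trigger fragmentation or DF drops."""
    return max_inner_len(mtu, suite) - IPV4_HEADER - TCP_HEADER


def outer_fragments(inner_len: int, suite: EspSuite, mtu: int, dont_fragment: bool) -> int:
    """Number of IP fragments the encapsulated packet needs on a link with the given MTU.
    Returns 0 when the packet is discarded because DF is set and it does not fit."""
    total = esp_tunnel_packet_len(inner_len, suite)
    if total <= mtu:
        return 1
    if dont_fragment:
        return 0
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8     # fragment offsets count in 8-byte units
    return math.ceil((total - IPV4_HEADER) / per_fragment)


if __name__ == "__main__":
    icmp_inner = IPV4_HEADER + 8 + 1000       # IP + ICMP header + 1000 data bytes, as in the test
    for suite in (AES_CBC_HMAC_SHA1, TDES_CBC_HMAC_MD5):
        print(f"{suite.name}: overhead {esp_overhead(icmp_inner, suite)} B, "
              f"max inner {max_inner_len(ETHERNET_MTU, suite)} B, "
              f"clamp MSS to {tcp_mss_for_tunnel(ETHERNET_MTU, suite)}")
    print("1500-byte inner packet, AES suite: fragments =",
          outer_fragments(ETHERNET_MTU, AES_CBC_HMAC_SHA1, ETHERNET_MTU, False),
          "/ with DF set =", outer_fragments(ETHERNET_MTU, AES_CBC_HMAC_SHA1, ETHERNET_MTU, True))
```

The overhead is not constant: it moves with the padding needed to reach the next cipher block, which is one reason ICMP request and reply in table 4 can show different overhead. Any full-size 1500-byte inner packet needs two outer fragments on Ethernet, or is silently lost when DF is set, which is the behaviour section 3.2 warns about.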
during the tunnel establishment phase and the VPN traffic phase delivered no usable results; no passwords or other security-relevant data were transmitted in plain text. Therefore, other methods to disturb VPN connections had to be applied. The first packet of a tunnel initiation request was wiretapped and stored in a file. By means of hping, a new IP packet was generated, using the source IP address of one VPN gateway and the destination IP address of the other VPN gateway. The payload of this fake packet was filled with the content of the previously wiretapped packet. Thus an exact copy of the VPN tunnel initiation packet was generated by Mallory. The VPN gateways of all technologies responded with the corresponding reply message for authentication. Of course, authentication is practically not possible without knowledge of the correct authentication data.
In the next attempt, the payload of the fake packet was filled with arbitrary values. All VPN gateways responded with error messages (e.g. the IPSec appliances reacted with the error message "Error: Invalid initiator cookie"). These errors had no effect; even the VPN traffic between Alice and Bob was not affected.
The next test was performed to try a denial of service (DoS) attack on the security gateways. For this purpose, the fake tunnel initiation message was sent to the security gateway in time intervals of 10 ms. Each of these tunnel requests had to be answered by the VPN gateways. At the same time, ICMP traffic was exchanged between Alice and Bob via the VPN tunnels. Again, this had no effect on any VPN gateway except the Watchguard VPN appliance. Here the VPN traffic immediately came to an end; Alice and Bob could no longer reach each other. Wiretapping the VPN traffic with Ethereal showed that the Watchguard appliance permanently answered Mallory's fake tunnel requests, and no ESP packet was generated during this phase, which amounts to a successful DoS attack.

5. Conclusion

The results of the tests described in the previous section show that current VPN technologies offer secure and quite stable data connections. One significant drawback which concerns all tested technologies is the dramatic loss of performance and throughput, which goes back to the complex encapsulation and authentication techniques. Thus it appears that adding VPN technologies to existing protocols comes with additional complexity and high data processing costs. IPSec suffers from a complex tunnel negotiation process, causing interoperability problems between different implementations. L2TP offers data privacy and authenticity if and only if it is combined with IPSec, resulting in excessive data overhead. PPTP is the fastest of the presented technologies, but its security level is not sufficient for critical applications (refer to [9]). Finally, phion netfence VPN offers acceptable solutions for the problems which may occur when using e.g. IPSec, but it is only available in combination with the commercial product netfence security gateway series.

References

[1] K. Schmeh, Cryptography and Public Key Infrastructure on the Internet, John Wiley & Sons Inc., New York, 2003
[2] R. Yuan, W.T. Strayer, Virtual Private Networks: Technologies and Solutions, Addison-Wesley Professional, Boston, 2001
[3] N. Doraswamy, D. Harkins, IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks, Prentice Hall PTR Internet Infrastructure Series, New York, 1999
[4] E. Lewis, J. Davies, Deploying Virtual Private Networks with Microsoft Windows Server 2003, Microsoft Press, Redmond, 2003
[5] PHION Information Technologies GmbH, Austria, A-6020 Innsbruck, Eduard-Bodem-Gasse 1, www.phion.com (2006-02-05)
[6] M. Finlayson, J. Harrison, R. Sugarman, VPN Technologies - A Comparison, Data Connection Ltd., Enfield, UK, http://www.cse.iitb.ac.in/~varsha/allpapers/network-misc/vpntechwp.pdf (2006-02-05)
[7] H. Hamed, E. Al-Shaer, W. Marrero, "Modeling and Verification of IPSec and VPN Security Policies", In Proceedings of the 13th IEEE International Conference on Network Protocols (ICNP'05), pp. 259-278, 2005
[8] L. Jin-Cherng, C. Ching-Tien, C. Wei-Tao, "Design, Implementation and Performance Evaluation of IP-VPN", In Proceedings of the 17th International Conference on Advanced Information Networking and Applications (AINA'03), p. 206, 2003
[9] B. Schneier, Mudge, Cryptanalysis of Microsoft's PPTP, Mountain View, CA, http://www.schneier.com/paper-pptp.pdf (2006-02-05)
[10] T. Berger, Analyse aktueller VPN Technologien in Bezug auf kryptographische Methoden, Performance und Tunnelmanagement, Dipl. Thesis, University of Salzburg, 2005
[11] C. Draschl, Querkopplung von kommerziellen und nichtkommerziellen IPsec-Systemen, Dipl. Thesis, Salzburg University of Applied Sciences and Technologies, 2004
[12] R. Kämpfe, Analyse und Vergleich von VPN Protokollen, Dipl. Thesis, University of Mittweida, 2002