Pau Rodriguez-Estivill
Introduction
State of Art
Internals
Summary
Outline

1 Introduction
2 State of Art
    IPsec
    OpenVPN
    Tinc VPN
3 Internals
    Overview
    Security
    Architecture
4 Conclusions
Internet

Insecure
    Traffic can be read by other parties
    Traffic can be modified by other parties
    Content can be faked (phishing)
Untrusted
    IPs can be spoofed
Divided
    NATs separate it into multiple private networks
VPN

Virtual Network
    a tunnel with no routing hops
    own IP addressing
Private
    exclusive for trusted parties
    traffic cannot be read by other parties
Security

Encrypting: it cannot be read by other parties
Integrity validation: ensure it has not been modified
Authenticating: ensure that it is from a trusted party
No repudiation: other parties cannot lie
Anti-replay: protect against malicious replay
Project Aims

Add nodes dynamically to the fully connected mesh
Authenticate nodes and IP addressing together
Low latency and low overhead
NAT friendly
IPsec vs VPMN

Pros
    Standard
    Mandatory in IPv6 implementations
    DNSSEC enables dynamic tunneling
Cons
    Different implementations are not compatible
    Must be supported in kernel
    Only one mode supported through NAT
    IP addressing authentication not centralized
OpenVPN vs VPMN

Pros
    IP configurations can be pushed
    Standard encryption channel
Cons
    Centralized, mesh alternative not easy
    IP addressing not authenticated
Tinc VPN vs VPMN

Pros
    Meshed network
Cons
    Not fully connected
    IP addressing not authenticated
Overview

Application (diagram label)
Security summary

Datagram TLS (DTLS)
Uses a CA for trusting nodes from the same network
Certificates contain ACLs for IP addressing: NameConstraints (x509v3)
    nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
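As an added example (not code from the original deck or the VPMN project), the Python below shows how a mesh node could enforce the certificate ACL this slide describes: the CA's nameConstraints IP subtrees, given as address/netmask pairs exactly as X.509 encodes them, must contain every IP SAN of a peer's node certificate, and tunnel packets from that peer are forwarded only if their inner source address is one of those certified IPs. All names are assumptions, and certificate parsing is out of scope: constraint and SAN values are passed in already decoded.

```python
"""Added example (not from the original deck): enforce the CA's x509v3
nameConstraints IP subtrees as the mesh IP ACL. Constraint and SAN values
are assumed to be already decoded from the chain; names are hypothetical."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

def subtree(addr: str, mask: str) -> Network:
    # X.509 encodes an IP subtree as address + netmask (RFC 5280 4.2.1.10),
    # e.g. the slide's permitted;IP:192.168.0.0/255.255.0.0
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)

@dataclass
class NameConstraints:
    permitted: List[Network] = field(default_factory=list)
    excluded: List[Network] = field(default_factory=list)

def ip_allowed(ip: str, nc: NameConstraints) -> bool:
    # Excluded subtrees always win; if any permitted subtree exists the
    # address must lie inside one (an IPv6 SAN never matches an IPv4
    # subtree, so an IPv4-only constraint rejects it).
    a = ipaddress.ip_address(ip)
    if any(a in net for net in nc.excluded):
        return False
    return any(a in net for net in nc.permitted) if nc.permitted else True

def check_node_cert(san_ips: List[str], nc: NameConstraints) -> Optional[str]:
    # None = node cert passes the ACL; else a reason. A cert with no IP SAN
    # is rejected: the mesh authenticates addressing, not just identity.
    if not san_ips:
        return "no IP SAN"
    for ip in san_ips:
        if not ip_allowed(ip, nc):
            return f"{ip} outside permitted IP subtrees"
    return None

def inner_source_ok(inner_src: str, peer_san_ips: List[str]) -> bool:
    # Anti-spoofing on the tunnel: a decrypted packet from a peer is only
    # forwarded if its inner source IP is one the peer's certificate holds.
    src = ipaddress.ip_address(inner_src)
    return any(src == ipaddress.ip_address(ip) for ip in peer_san_ips)

# Constructed sample data: the CA from the slide, one good node, one bad node
CA_NC = NameConstraints(permitted=[subtree("192.168.0.0", "255.255.0.0")])
GOOD_NODE = ["192.168.10.7"]
BAD_NODE = ["192.168.10.8", "10.0.0.8"]  # second SAN leaks outside the ACL
```

The check is the leaf-side half of what a full chain validator does; a CA that is itself constrained by its parent must also have its own subtrees intersected with the parent's.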
Type of packets
Architecture
Conclusions

Pros
    Dynamic fully connected mesh network
    Authenticated IP addressing with certificates
    Standard encryption channel (DTLS)
Cons
    No relay mode possible
    Fragmentation needed
Future tasks
    Heterogeneous MTU support
    Let fragmentation be optional
    User-space NAT
Summary

The Internet is insecure and a VPN is needed
Server-less architecture
Dynamic fully connected mesh network
Authenticated IP addressing with certificates
Standard encryption channel (DTLS)
Questions?