Anti-Replay Services

Anti-replay services let the receiving device reject duplicate packets, and packets that arrive too late to fall inside the expected receive window, so that an attacker who captures valid traffic cannot re-inject it later (a replay attack). The receiver typically keys this check on a sequence number carried in each packet.
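The sliding-window form of this check, as IPsec ESP implements it (RFC 4303), is shown below as an added example; it is not code from the original text. The window size and the packet sequence fed through it are constructed for illustration.

```python
"""Sliding-window anti-replay check in the style of IPsec ESP (RFC 4303).

Added example; the sequence numbers passed to process() below are constructed.
"""

WINDOW_SIZE = 64  # RFC 4303 requires a minimum window of 32; 64 is a common choice


class AntiReplayWindow:
    """Track received sequence numbers; reject duplicates and packets that are too old.

    `top` is the highest sequence number accepted so far.  Bit i of `bitmap` is set
    when sequence number (top - i) has already been received, so bit 0 is `top`.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record the packet if `seq` is fresh, otherwise False.

        As in ESP, sequence numbers start at 1; 0 is never a valid value.
        """
        if seq == 0:
            return False
        if seq > self.top:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # every earlier packet has fallen out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # late arrival: the window has already slid past it
        if self.bitmap & (1 << offset):
            return False  # duplicate: this sequence number was already accepted
        self.bitmap |= 1 << offset
        return True


def process(packets, size=WINDOW_SIZE):
    """Run a sequence of packet sequence numbers through one window.

    Returns (accepted, rejected) in arrival order.
    """
    win = AntiReplayWindow(size)
    accepted, rejected = [], []
    for seq in packets:
        (accepted if win.check_and_update(seq) else rejected).append(seq)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, one reordered packet (4 after 5),
    # a replayed 3, a large jump to 100, then a packet too old to fit (36) and a replay of 100.
    print(process([1, 2, 3, 5, 4, 3, 100, 36, 37, 100]))
```

Out-of-order delivery inside the window is tolerated (4 arriving after 5 is accepted), which is why a window rather than a strict "greater than last" check is used on links that may reorder packets.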

Data Encryption

Encryption is the mechanism commonly used to protect the confidentiality and privacy of data crossing a public network. The sender transforms the data with an encryption algorithm under a secret key; with the symmetric encryption used on VPN data paths, the receiver reverses the transformation with the same algorithm and the same key. The security of the channel therefore rests on that key being known only to the two endpoints, which is why the key-exchange and authentication steps that precede data transfer matter as much as the cipher itself.

The implementation of a VPN is based on one of the protocols listed in Table 12-1.

Table 12-1. VPN Protocol Architecture

Site-to-site VPN                                      Remote Access
Internet Protocol Security (IPsec)                    Point-to-Point Tunneling Protocol (PPTP)
Generic Routing Encapsulation (GRE) or IP tunneling   Layer Two Tunneling Protocol (L2TP, L2TPv3)
Multiprotocol Label Switching (MPLS)                  Cisco Layer 2 Forwarding (L2F)
                                                      Secure Sockets Layer (SSL)

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), and Secure Socket Tunneling Protocol (SSTP) all rely on the Point-to-Point Protocol (PPP). PPP [1] was designed for simple links between two peers: the link provides full-duplex, simultaneous bidirectional operation and is assumed to deliver packets in order. PPP is intended to support a wide variety of connections between routers, bridges, and hosts.

PPP can authenticate the peer, using an authentication protocol negotiated during link setup, before any network-layer data is transmitted. The PPP encapsulation multiplexes different network-layer protocols simultaneously over the same link, which gives multi-vendor compatibility and lets a single link carry multiple applications and protocols.

PPTP describes how a PPP link can be established over a TCP/IP connection. PPTP encapsulates PPP frames, which in turn carry IP or other network-layer packets, and transmits them across the Internet; any confidentiality the tunnel offers comes from the PPP layer (authentication plus PPP-level encryption), not from PPTP itself. PPTP requires IP connectivity between the server and the client. If that connectivity already exists, a PPTP tunnel can be created immediately and data sent through it; if the remote client has no Internet connection, it first connects to an ISP by dial-up or any other access service and then establishes the tunnel.

PPTP was developed by a vendor consortium of Ascend Communications, Microsoft Corporation, Copper Mountain Networks, 3Com, U.S. Robotics, and others. It was then submitted to the Internet community and published as the informational RFC 2637. [2]

PPTP allows PPP to be tunneled through an IP network as shown in Figure 12-7; it does not change the PPP protocol itself. PPTP uses an enhanced form of Generic Routing Encapsulation (GRE), which adds sequence and acknowledgment numbers to the GRE header, to provide a flow- and congestion-controlled datagram service for transporting PPP packets over the Internet connection.

Figure 12-7. PPTP Tunneling

The two PPTP endpoints are the PPTP Network Server (PNS), which runs on a general-purpose server platform, and the PPTP Access Concentrator (PAC), which terminates the PPP connection (for example from dial-up lines) and forwards the PPP frames to the PNS inside the GRE tunnel. In the common remote-access deployment the client software plays the PAC role itself. Alongside the GRE data tunnel, a TCP control connection (port 1723) between PAC and PNS sets up and tears down the calls that the tunnel carries.
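The enhanced GRE header that carries each PPP frame (RFC 2637, section 4.1) is easiest to understand by building and parsing one. The encoder and parser below are an added example, not code from the original text or from any PPTP implementation; the PPP frame they wrap is constructed, with a placeholder in place of a real IPv4 datagram.

```python
"""Encode and parse the enhanced GRE header PPTP uses to carry PPP frames (RFC 2637 s.4.1).

Added example.  Header layout (all big-endian):
  bits 0-15  : C R K S s Recur(3) | A Flags(4) Ver(3)
  bits 16-31 : Protocol Type, 0x880B for PPP
  bits 32-47 : Key (high half)  = payload length
  bits 48-63 : Key (low half)   = Call ID
  optional   : 32-bit Sequence Number (if S), 32-bit Acknowledgment Number (if A)
"""
import struct

GRE_PROTO_PPP = 0x880B
GRE_C, GRE_R, GRE_K, GRE_S, GRE_s = 0x8000, 0x4000, 0x2000, 0x1000, 0x0800
GRE_RECUR_MASK = 0x0700   # must be zero
GRE_A = 0x0080            # acknowledgment number present
GRE_FLAGS_MASK = 0x0078   # must be zero
GRE_VER_MASK = 0x0007     # must be 1 (enhanced GRE)

# Constructed PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IPv4),
# followed by placeholder bytes standing in for a 28-byte IPv4 datagram.
PPP_FRAME = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x1c" + b"\x00" * 24


def build_enhanced_gre(call_id, payload=b"", seq=None, ack=None):
    """Build a PPTP GRE packet.  Data packets carry S and a sequence number;
    acknowledgment-only packets carry A with no payload and no S bit."""
    flags = GRE_K | 1  # key always present, version 1
    if payload:
        if seq is None:
            raise ValueError("a data packet needs a sequence number")
        flags |= GRE_S
    if ack is not None:
        flags |= GRE_A
    pkt = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id & 0xFFFF)
    if flags & GRE_S:
        pkt += struct.pack("!I", seq & 0xFFFFFFFF)
    if flags & GRE_A:
        pkt += struct.pack("!I", ack & 0xFFFFFFFF)
    return pkt + payload


def parse_enhanced_gre(pkt):
    """Parse a PPTP GRE packet; raise ValueError on anything malformed or non-PPTP."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP GRE packet: protocol 0x%04x" % proto)
    if (flags & GRE_VER_MASK) != 1 or not (flags & GRE_K):
        raise ValueError("not enhanced GRE with key present")
    if flags & (GRE_C | GRE_R | GRE_s | GRE_RECUR_MASK | GRE_FLAGS_MASK):
        raise ValueError("reserved GRE bit set")
    off, seq, ack = 8, None, None
    if flags & GRE_S:
        if len(pkt) < off + 4:
            raise ValueError("truncated sequence number")
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_A:
        if len(pkt) < off + 4:
            raise ValueError("truncated acknowledgment number")
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    payload = pkt[off:off + length]
    if len(payload) != length:
        raise ValueError("payload shorter than advertised length")
    return {"flags": flags, "call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def example_roundtrip():
    """Build a data packet (seq 7, piggybacked ack 3) and an ack-only packet, parse both."""
    data = build_enhanced_gre(0x1234, PPP_FRAME, seq=7, ack=3)
    ack_only = build_enhanced_gre(0x1234, ack=9)
    return {"data": data, "parsed": parse_enhanced_gre(data),
            "ack_only": ack_only, "parsed_ack": parse_enhanced_gre(ack_only)}


if __name__ == "__main__":
    r = example_roundtrip()
    print("flags=0x%04x seq=%s ack=%s" % (r["parsed"]["flags"], r["parsed"]["seq"], r["parsed"]["ack"]))
```

The flag word 0x3081 (K, S, A set, version 1) is what a packet capture shows for a PPTP data packet with a piggybacked acknowledgment; 0x3001 appears when there is nothing to acknowledge. A parser that trusts the advertised payload length without checking it against the bytes actually received is a classic source of over-reads, hence the explicit length check.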

PPTP supports the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP) authentication methods:

PAP – The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity by a two-way handshake as soon as the link is established: the peer sends its name and password, and the authenticator answers with an acknowledgment or a rejection. [3]

PAP is not a strong authentication method. Passwords are sent over the link in clear text, and there is no protection against replay or repeated-packet attacks: anyone who can observe the link can capture the credentials and reuse them.

CHAP – The Challenge-Handshake Authentication Protocol (CHAP) verifies the identity of the remote user by a three-way handshake. After the link is established, the authenticator sends a "challenge" message (a random value plus an identifier) to the remote user; this is the first handshake. The remote user responds with a value computed by a one-way hash (MD5 in the base protocol) over the identifier, the shared secret, and the challenge; this is the second handshake. The authenticator computes the same hash from its own copy of the secret; if the values match, it acknowledges the authentication and the connection proceeds, which is the third handshake, and otherwise the connection is terminated. Because the secret itself never crosses the link and each challenge is different, a captured response is useless against a later challenge, so CHAP protects against replay or repeated-packet attacks; the authenticator also controls the frequency and timing of the challenges and may repeat them during a session. [4]
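To make the difference between the two handshakes concrete, the following added example (not code from the original text) builds a PAP Authenticate-Request to show that the password is literally on the wire, then runs the CHAP-MD5 three-way exchange (RFC 1994) and tries to replay the captured response. The user name and password are constructed, and the decision to let each challenge be answered only once is a choice of this example's authenticator, not a requirement spelled out in the text.

```python
"""PAP versus CHAP over a PPP link (RFC 1334 and RFC 1994).

Added example; the credential used below is constructed.
"""
import hashlib
import hmac
import os
import struct


def pap_authenticate_request(identifier, peer_id, password):
    """PAP Authenticate-Request: Code 1, Identifier, Length, then the peer name and
    password, each prefixed by a one-byte length.  Nothing here is protected."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response(identifier, secret, challenge):
    """CHAP-MD5 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (server) side of the three-way handshake."""

    def __init__(self, users):
        self.users = users          # peer name -> shared secret
        self.identifier = 0
        self.outstanding = {}       # identifier -> challenge still awaiting a response

    def challenge(self, length=16):
        """Handshake 1: issue a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(length)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        """Handshake 3: recompute the hash and compare in constant time.

        Each challenge is consumed on first use (this example's choice), so the same
        (identifier, response) pair cannot be submitted twice.
        """
        chal = self.outstanding.pop(identifier, None)
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_demo():
    """One legitimate PAP request, one legitimate CHAP login, then two replay attempts."""
    users = {b"alice": b"correct horse battery staple"}  # constructed credential
    auth = ChapAuthenticator(users)

    # PAP: an eavesdropper sees the password bytes directly in the request.
    pap_pkt = pap_authenticate_request(1, b"alice", users[b"alice"])

    # CHAP: challenge (1), response (2), result (3).
    ident, chal = auth.challenge()
    resp = chap_response(ident, users[b"alice"], chal)          # computed by the peer
    first_login = auth.verify(ident, b"alice", resp)

    # Attacker replays the captured (ident, resp) pair: that challenge is spent.
    replay_same_id = auth.verify(ident, b"alice", resp)

    # Attacker replays the captured response against a fresh challenge: the hash
    # covers the new identifier and challenge, so it cannot match.
    ident2, _ = auth.challenge()
    replay_new_challenge = auth.verify(ident2, b"alice", resp)

    return {
        "pap_password_visible": users[b"alice"] in pap_pkt,
        "chap_first_login": first_login,
        "chap_replay_same_id": replay_same_id,
        "chap_replay_new_challenge": replay_new_challenge,
    }


if __name__ == "__main__":
    print(run_demo())
```

CHAP's replay resistance depends on the challenge being unpredictable and never reused, which is why the authenticator draws it from `os.urandom` rather than a counter. Note also that CHAP only protects the secret on the wire; it still requires the authenticator to store the secret in a reversible or plaintext form, a trade-off PAP does not impose on the server side.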

Other protocols include:

• MS-CHAP – Microsoft CHAP

• MS-CHAPv2 – Microsoft CHAP version 2

• Extensible Authentication Protocol (EAP)

PPTP itself specifies no encryption; implementations obtain confidentiality from the PPP layer and negotiate the algorithm and keys there. In practice this almost always means Microsoft Point-to-Point Encryption (MPPE), which uses RC4 with 40-, 56- or 128-bit keys derived during MS-CHAP authentication, although other ciphers such as DES (Data Encryption Standard), triple DES and RC5 have been used in some PPP-based products. The 128-bit keys were historically regarded as adequate for a VPN, but the strength of the data channel is bounded by the authentication exchange that produces the keys: when they are derived from MS-CHAP or MS-CHAPv2, an attacker who captures the handshake can recover the user's password hash, and with it the session keys, with modest computing effort. PPTP should therefore be treated as a legacy protocol and replaced by IPsec or TLS-based VPNs where possible.
