Virtual Private Networks
Second Edition

Charlie Scott, Paul Wolfe, and Mike Erwin

O'Reilly
Beijing - Cambridge - Farnham - Köln - Paris - Sebastopol - Taipei - Tokyo

Petitioner Apple Inc. - Exhibit 1074, Cover
Virtual Private Networks, Second Edition
by Charlie Scott, Paul Wolfe, and Mike Erwin
Copyright © 1999, 1998 O'Reilly & Associates, Inc. All rights reserved.
Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 101 Morris Street, Sebastopol, CA 95472.

Editor: Andy Oram

Production Editor: Jane Ellin

Printing History:

March 1998: First Edition.
January 1999: Second Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly & Associates, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

The association between the image of puffins and the topic of virtual private networks is a trademark of O'Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste. O'Reilly & Associates is committed to using paper with the highest recycled content available consistent with high quality.

ISBN: 1-56592-529-7

[6/99]

Petitioner Apple Inc. - Exhibit 1074, Copyright
Table of Contents

Preface ..... ix

1. Why Build a Virtual Private Network? ..... 1
   What Does a VPN Do? ..... 2
   Security Risks of the Internet ..... 4
   How VPNs Solve Internet Security Issues ..... 5
   VPN Solutions ..... 8
   A Note on IP Address and Domain Name Conventions Used in This Book ..... 10

2. Basic VPN Technologies ..... 11
   Firewall Deployment ..... 12
   Encryption and Authentication ..... 22
   VPN Protocols ..... 32
   Methodologies for Compromising VPNs ..... 37
   Patents and Legal Ramifications ..... 43

3. Wide Area, Remote Access, and the VPN ..... 45
   General WAN, RAS, and VPN Concepts ..... 45
   VPN Versus WAN ..... 47
   VPN Versus RAS ..... 55

4. Implementing Layer 2 Connections ..... 62
   Differences Between PPTP, L2F, and L2TP ..... 63
   How PPTP Works ..... 64
   Features of PPTP ..... 74

Petitioner Apple Inc. - Exhibit 1074, p. v

5. Configuring and Testing Layer 2 Connections ..... 76
   Installing and Configuring PPTP on a Windows NT RAS Server ..... 77
   Configuring PPTP for Dial-up Networking on a Windows NT Client ..... 84
   Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client ..... 87
   Enabling PPTP on Remote Access Switches ..... 90
   Making the Calls ..... 93
   Troubleshooting Problems ..... 93
   Using PPTP with Other Security Measures ..... 97

6. Implementing the AltaVista Tunnel 98 ..... 99
   Advantages of the AltaVista Tunnel System ..... 100
   AltaVista Tunnel Limitations ..... 102
   How the AltaVista Tunnel Works ..... 103
   VPNs and AltaVista ..... 108

7. Configuring and Testing the AltaVista Tunnel ..... 119
   Getting Busy ..... 119
   Installing the AltaVista Tunnel ..... 119
   Configuring the AltaVista Tunnel Extranet and Telecommuter Server ..... 123
   Configuring the AltaVista Telecommuter Client
   Troubleshooting Problems ..... 131

8. Creating a VPN with the Unix Secure Shell ..... 135
   The SSH Software ..... 136
   Building and Installing SSH ..... 138
   SSH Components ..... 139
   Creating a VPN with PPP and SSH ..... 144
   Troubleshooting Problems ..... 157
   A Performance Evaluation ..... 160

9. The Cisco PIX Firewall ..... 162
   The Cisco PIX Firewall ..... 162
   The PIX in Action ..... 163
   Configuring the PIX as a Gateway ..... 169
   Configuring the Other VPN Capabilities ..... 175

10. Managing and Maintaining Your VPN ..... 180
   Choosing an ISP ..... 181
   Solving VPN Problems ..... 181

Petitioner Apple Inc. - Exhibit 1074, p. vi

   Delivering Quality of Service ..... 186
   Security Suggestions ..... 187
   Keeping Yourself Up-to-Date ..... 190

11. A VPN Scenario ..... 191
   The Topology ..... 191
   Central Office ..... 192
   Large Branch Office ..... 193
   Small Branch Offices ..... 193
   Remote Access Users ..... 194
   A Network Diagram ..... 195

A. Emerging Internet Technologies ..... 197

B. Resources, Online and Otherwise ..... 201

Index ..... 205

Petitioner Apple Inc. - Exhibit 1074, p. vii

Chapter 4: Implementing Layer 2 Connections

Essentially, this all takes place just as if she were dialing into the RAS server via a directly connected modem.

3. The PPTP session can then tunnel the protocols that dial-up users are allowed to use. In Sara N.'s case, TCP/IP is one of those protocols, and the NT RAS server assigns her machine the internal corporate IP address of 2.1.1.129.

Looking at Figure 4-1, you can follow these events and see where the client's original Point-to-Point Protocol (PPP) session is encapsulated by the PPTP tunnel. This figure is a simplified version of what the actual topology looks like—routers at the ISP and corporate LAN, for instance, have been removed.

[Figure 4-1 (diagram). Labels: Remote User "Sara N." -> ISP Remote Access Switch (w/PPTP) -> PPTP Call -> RAS Server (PPTP-Enabled) -> Corporate LAN]

Figure 4-1. Dialing into an ISP that supports PPTP

Once the PPTP call is completed and the sales manager is authenticated, she has access to the corporate network as if she were on the LAN. She can then check her email and access files on her desktop machine using file sharing.

Petitioner Apple Inc. - Exhibit 1074, p. 66

Dialing into an ISP That Doesn't Support PPTP

In order for an ISP to support PPTP, they must be using one of the remote access switches we mentioned at the beginning of this chapter. Not every ISP uses those brands of remote access switches, and some don't use these devices at all. Instead they might use modems connected to a multiport serial card in a Unix system, or some other terminal server device. Others might have the appropriate hardware, but choose not to implement PPTP because they don't want to be forced to do technical support for tunneled connections. Whatever the reason, there's a chance that your ISP may not offer PPTP; however, that doesn't mean that you can't use it.

This scenario requires two things: first, you again need to have a Windows NT 4.0 RAS server with PPTP installed on your network, and it must be accessible from the Internet; second, your Windows NT Workstation, Windows 95, or Windows 98 client machine must have the PPTP protocol and Dial-Up Networking installed.

We'll use Sara N. for this example as well. This time, however, she's dialing into an ISP that doesn't support PPTP. In addition, she's running Windows NT 4.0 Workstation on her laptop computer. The sequence of events for a tunneling session with a non-PPTP-enabled provider is as follows:

1. Sara dials into her ISP using a dial-up networking profile for her account and establishes a standard PPP connection.

2. After the PPP connection has been made, Sara uses Dial-Up Networking again to "dial" into the PPTP RAS server at the corporate office. In this dial-up profile, however, she puts the IP address of the RAS server, 2.1.1.60, in the phone number field, and selects the dial device to be a VPN port set up through Dial-Up Networking (we'll explain in Chapter 5 how to set this up).

3. A PPTP connection is made through Sara's PPP connection over the Internet and to the RAS server. The RAS server then logs her into the corporate network using the username and password she supplied. The RAS server assigns her the internal IP address of 2.1.1.129, and she is then granted access to the corporate network.

Figure 4-2 shows how the second PPTP call is encapsulated through the initial PPP connection to the ISP.

Again, once the PPTP connection is made, Sara N. will have access to the corporate LAN just as if she were connected to it via a network card or dial-up RAS connection.

Petitioner Apple Inc. - Exhibit 1074, p. 67

[Figure 4-2 (diagram). Labels: Remote User -> ISP Remote Access Switch (without PPTP) -> PPTP Call -> RAS Server (PPTP-Enabled) -> Corporate LAN]

Figure 4-2. Connecting to a corporate RAS server via an ISP that doesn't support PPTP

Where PPTP Fits into Our Scenario

In Figure 4-3 we have a representation of a corporate office network with a T1 connection to the Internet. The router that connects to the Internet is also a packet-filtration firewall. User Sara N. wants to check her corporate email, and is dialing into her ISP, which is using a PPTP-enabled remote access switch. After she connects to the switch, it starts a PPTP call to the RAS server specified in her user profile. In this figure, a lightly shaded line extends the PPTP session back to the client, rather than just to the remote access switch. Sara uses this line when she has to dial into an ISP that doesn't support PPTP, and initiates the PPTP session on her workstation with a second RAS call.

Petitioner Apple Inc. - Exhibit 1074, p. 68

[Figure 4-3 (diagram). Labels: Virtual Private Network; 2.1.1.129 (assigned by RAS); PPTP continues to client if ISP doesn't support it; T1 Line; Corporate LAN]

Figure 4-3. A full diagram of a PPTP connection over the Internet

On the corporate router and firewall, the TCP/IP port on which PPTP creates a socket (1723) must be open to both inbound and outbound traffic. If the rest of the network is protected by a firewall that disallows inbound and outbound Internet traffic, then a single point of entry to the LAN is established, which is protected by the user-based authentication.

Petitioner Apple Inc. - Exhibit 1074, p. 69

Dissecting a PPTP Packet

The PPTP encapsulation technique is based on another Internet standard called the Generic Routing Encapsulation (GRE) protocol, which can be used to tunnel protocols over the Internet. (If you're interested, see RFCs 1701 and 1702.) The PPTP version, known as GREv2, adds extensions for specific features such as Call ID and connection speed.

A PPTP packet is made up of a delivery header, an IP header, a GREv2 header, and the payload packet. The delivery header is the framing protocol for whatever medium the packet is traveling over, whether it's Ethernet, frame relay, or PPP. The IP header contains information essential to the IP datagram, such as the packet length and the source and destination addresses. The GREv2 header contains information on the type of packet encapsulated, as well as PPTP-specific data that pertains to the connection between the client and server. Finally, the payload packet is the encapsulated datagram itself. In the case of PPP, this datagram is the original PPP session data that is sent between the client and server, and within it can be IP, IPX, or NetBEUI packets. Figure 4-4 illustrates the layers of PPTP encapsulation.

[Figure 4-4 (diagram). Layers shown: delivery header, IP header, GREv2 header, payload packet]

Figure 4-4. The four layers of a PPTP packet being transported across the Internet

The encapsulation process

The encapsulation process for a user dialing into an ISP that supports PPTP is as follows:

1. The user dials into the ISP's remote access switch using PPP. Between the client and the remote access switch flow PPP packets that are surrounded by the PPP protocol-specific frames being delivered.

2. At the switch, the media-specific frames are stripped away, and the call triggers the remote access switch to open up a PPTP tunneling session over the Internet between itself and the PPTP-enabled NT RAS server specified in the user's profile. The remote access switch encapsulates the PPP payload packet within a GREv2 header, then an IP header. Finally, the packet gets a delivery header before going out of the switch. Throughout the packet's journey, the delivery header may change depending on the type of media through which the packet is being sent. For instance, it may go from Ethernet, to frame relay, to Ethernet again, to PPP over ISDN, and to Ethernet yet again before finally reaching its destination at the RAS server.

Petitioner Apple Inc. - Exhibit 1074, p. 70


3. The RAS server treats the incoming PPTP connection as an incoming call, just as if it were coming in over a modem. It strips off the delivery header, the IP header, and the GREv2 header from the payload packet. It then handles the PPP connection as it normally would if the user were coming in over a modem connection. The RAS server validates the PPP client using whatever authentication method is required on the RAS server: Microsoft encrypted authentication, encrypted authentication, or any authentication type (including clear text).

4. Before packets from the client reach the LAN, PPP framing is removed from the enclosed IP, NetBEUI, or IPX datagrams. Figure 4-5 is a diagram of those protocol layers that are active during each portion of the connection for dialing into ISPs that support PPTP.
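The packet layers described under "Dissecting a PPTP Packet" and the encapsulation steps above, as an added example that is not code from the book: a Python parser that peels the delivery, IP, and GREv2 headers off a PPTP data packet (GREv2 layout per RFC 2637), plus a classifier showing which firewall opening a frame relies on, since besides TCP port 1723 for the control connection the data tunnel is GRE, IP protocol 47, which the corporate router must also pass. The sample frame, its zeroed MAC addresses, and the ISP switch address 203.0.113.7 are constructed; 2.1.1.60 and 2.1.1.129 are the book's own addresses.

```python
"""Added example (not from the book): parse the four layers of a PPTP data
packet and classify which firewall opening a frame needs. GREv2 field layout
follows RFC 2637; the sample frame is constructed by hand."""
import struct

IPPROTO_GRE, IPPROTO_TCP, PPTP_PORT, GRE_PROTO_PPP = 47, 6, 1723, 0x880B
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI"}

def ip_layer(frame):
    """Strip the Ethernet delivery header; return (IPv4 header, IP payload)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("delivery header does not carry IP")
    ihl = (frame[14] & 0x0F) * 4
    return frame[14:14 + ihl], frame[14 + ihl:]

def classify_pptp(frame):
    """'control' = TCP 1723 control connection, 'data' = GRE (IP protocol 47)
    tunnel; the corporate router must pass both for PPTP to work."""
    hdr, payload = ip_layer(frame)
    if hdr[9] == IPPROTO_GRE:
        return "data"
    if hdr[9] == IPPROTO_TCP and PPTP_PORT in struct.unpack("!HH", payload[:4]):
        return "control"
    return None

def parse_pptp_data(frame):
    """Peel IP and GREv2 headers off a data packet and describe the PPP payload."""
    hdr, gre = ip_layer(frame)
    if hdr[9] != IPPROTO_GRE:
        raise ValueError("not a GRE datagram")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != 1:  # Ver field must be 1
        raise ValueError("not an enhanced GRE (PPTP) header")
    off, seq, ack = 8, None, None
    if flags & 0x1000:  # S bit: 32-bit sequence number present
        seq, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    if flags & 0x0080:  # A bit: 32-bit acknowledgment number present
        ack, off = struct.unpack("!I", gre[off:off + 4])[0], off + 4
    ppp = gre[off:off + payload_len]
    if ppp[:2] == b"\xff\x03":  # optional HDLC address/control bytes
        ppp = ppp[2:]
    return {"src": ".".join(map(str, hdr[12:16])), "dst": ".".join(map(str, hdr[16:20])),
            "call_id": call_id, "seq": seq, "ack": ack, "inner": ppp[2:],
            "ppp_protocol": PPP_PROTOCOLS.get(struct.unpack("!H", ppp[:2])[0], "unknown")}

def sample_frame():
    """Constructed: IP from client 2.1.1.129 inside PPP, tunneled by the ISP switch
    (203.0.113.7, a documentation address) to the RAS server 2.1.1.60."""
    inner = bytes.fromhex("450000140001000040060000" "02010181" "02010105")
    ppp = b"\xff\x03\x00\x21" + inner
    gre = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp), 7, 1) + ppp  # K+S, Ver 1
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 1, 0, 64, IPPROTO_GRE,
                     0, bytes([203, 0, 113, 7]), bytes([2, 1, 1, 60]))
    return bytes(12) + b"\x08\x00" + ip + gre  # zeroed MACs + EtherType IP
```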

[Figure 4-5 (diagram). Labels: Virtual Private Network; Client System (Dial-up) | The Internet | Corporate LAN; protocol layers shown: GREv2 Header, PPP Payload Packet, datagrams]

Figure 4-5. Active protocol layers during a PPTP connection

`
`In a situation where the RASuseris dialing into an ISP that doesn’t support PPTP,
`much ofthe process is the same. The only change would bein step 2. Instead of
`the remote access switch starting the PPTP session with the RAS server, the client
`makes a PPTP connection to the RAS server using Dial-Up Networking (as we said
`earlier). The PPTP packets are therefore sent through the standard PPP connec-
`tion the client is making with the ISP’s remote access switch. At that point in the
`connection, the client’s PPP datagram is encapsulated by PPTP which is, in turn,
`
`Petitioner Apple Inc. - Exhibit 1074, p. 71
`
`Petitioner Apple Inc. - Exhibit 1074, p. 71
`
`