1.4 VPN Operation Principle and Communication Method
This section describes the operation principle and communication method
of a VPN constructed with PacketiX VPN, gives an overview of the modules
and functions used for VPN communication, and lists the types of VPN that
can be constructed using PacketiX VPN.
1.4.1 Conventional Ethernet Configuration
PacketiX VPN implements the mechanism of Ethernet communications as
it is by software and realizes VPN by creating a virtual network. The
following is a brief description of the mechanism by which Ethernet
operates.
Ethernet Basics
In a LAN using common Ethernet standards (IEEE 802.3) such as
conventional 100Base-TX or 1000Base-T, multiple computers equipped with
communications equipment that supports Ethernet (a network adapter) are
connected in a star topology to a central switching HUB (also referred
to as a "layer 2 switch") and communicate freely with each other.
Switching HUB and Network Adapter
With Ethernet multiple computers can communicate with each other.
Here however the computers use a network adapter (also referred to as
"LAN Card") which is a special device for connecting to Ethernet, and
connect physically to Ethernet.
In specific terms, the computer connects from the network adapter to
the desired Ethernet switching HUB by a physical signal line called a
"network cable".

Fig. 1-4-1 Switching HUB and network adapter for Ethernet
MAC Address
Computers participating in Ethernet must be identified by IDs that do
not duplicate each other. Each network adapter is therefore assigned a
unique 48-bit ID, referred to as a "MAC address". As a rule, the MAC
address of a physical network adapter is assigned so that it is not
duplicated anywhere in the world. In the case of a software network
adapter such as the PacketiX VPN Virtual Network Adapter, the MAC address
is generated by an algorithm that makes the probability of an actual
duplicate extremely low.
Communication Packets (Ethernet Frames) that Flow through Ethernet
Communication packets that flow through Ethernet are commonly
referred to as "Ethernet frames" or "MAC frame Ethernet packets" (in
this manual they are uniformly referred to as "Ethernet frames").
Ethernet frames contain several headers and the data to be actually
transmitted (payload). The following four items are the most important
of these.

Fig. 1-4-2 Ethernet frame (MAC frame)
The destination MAC address (48 bits) is a field containing the MAC
address of the receiver, indicating to which computer the sending
computer's Ethernet frames are to be delivered. Relaying devices within
Ethernet, such as a switching HUB, read the destination MAC address and
relay the Ethernet frames accordingly.
The source MAC address (48 bits) is the field containing the MAC
address of the network adapter of the computer sending the Ethernet
frames.
The protocol type (16 bits) indicates, as a 16-bit value, which layer 3
protocol the data contained in the Ethernet frame (the payload) uses.
For example, the value is 0x0800 for IP and 0x0806 for ARP. In some
cases the field may instead contain a value indicating the length of the
payload rather than the protocol type, but this form is currently not
used often.
The payload (maximum 1500 bytes) is the data to be actually
transmitted using Ethernet.
Unicast and Broadcast
There are two ways an Ethernet frame can be sent. "Unicast" is when
the frame is sent by specifying the MAC address of a particular network
adapter, and "broadcast" is when the frame is sent to all network
adapters participating in the Ethernet other than the sender's own.
When sending frames by unicast, the MAC address of the destination
network adapter is specified as the destination MAC address; when
sending frames by broadcast, the special MAC address FF:FF:FF:FF:FF:FF
is specified as the destination MAC address. Frames whose destination
MAC address is FF:FF:FF:FF:FF:FF are called "broadcast packets" and, as
a rule, can be received by all computers (network adapters)
participating in the Ethernet network.
Switching HUB Mechanism
The switching HUB used by Ethernet (layer 2 switch) constructs a
network by Ethernet and is an important peripheral device for
communication. Switching HUBs have multiple ports (usually 8 ports, but
they can have from tens to hundreds). By connecting a computer to the
switching HUB with a network cable, etc., a physical link is established
between the switching HUB and the computer's network adapter, enabling
Ethernet communication at layer 2.
The ports of a switching HUB can also be connected to the ports of
another switching HUB. Even though the connected switching HUBs were
originally separate Ethernet networks, by connecting them by network
cable, they work like a single Ethernet network. This is called "cascade
connection".
The computers connected to the switching HUBs on the left and right
in the following figure can communicate freely with each other.

Fig. 1-4-3 Segment junction by cascade connection of
switching HUBs
Frame Exchange and MAC Address Learning by Switching HUB
Switching HUBs constantly recognize in advance which computers with
what sort of MAC address are connected to the respective ports and
maintain the information in an internal database. This is called a "MAC
address table".
When a switching HUB receives an Ethernet frame, it reads the
destination MAC address of the Ethernet frame, and if the destination
MAC address is registered in the MAC address table, it is sent to the
concerned port. If the destination MAC address is not registered in the
MAC address table or the Ethernet frame is a broadcast frame, it is sent
to all ports.
The processing whereby a switching HUB learns new MAC addresses and
registers them in the internal MAC address table is carried out
automatically by reading the source MAC address each time a new Ethernet
frame is received.
This realizes a function whereby unicast packets are sent only to the
required ports and not to unnecessary ports. This is called the "frame
exchange and MAC address learning function" of the switching HUB.
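The frame header layout described under "Communication Packets" above and the learning and forwarding behaviour of a switching HUB, as an added example in Python (not code from PacketiX VPN; the MAC addresses, port count and payloads are constructed):

```python
"""Constructed example: Ethernet frame parsing and a learning switch.
Not PacketiX VPN code; MAC addresses and payloads are made up."""
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800   # IEEE-assigned EtherType for IPv4
ETHERTYPE_ARP = 0x0806    # EtherType for ARP


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes as the usual colon-separated MAC notation."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame: 14-byte header (dst, src, type) followed by the payload."""
    if len(payload) > 1500:
        raise ValueError("payload exceeds the 1500-byte Ethernet maximum")
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its header fields and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    # Values of 1500 or less are an IEEE 802.3 length field, not an EtherType.
    kind = "length" if etype <= 1500 else "ethertype"
    return {"dst": mac_str(dst), "src": mac_str(src), kind: etype,
            "broadcast": dst == BROADCAST, "payload": frame[14:]}


class LearningSwitch:
    """Minimal layer 2 switch: learns source MACs per ingress port, forwards
    known unicast to a single port and floods unknown unicast and broadcast."""

    def __init__(self, ports: int) -> None:
        self.ports = ports
        self.mac_table: dict[str, int] = {}   # MAC address -> port number

    def receive(self, frame: bytes, in_port: int) -> list[int]:
        """Return the list of ports the frame is sent out of."""
        hdr = parse_frame(frame)
        self.mac_table[hdr["src"]] = in_port   # MAC address learning
        if hdr["broadcast"] or hdr["dst"] not in self.mac_table:
            # Flood to every port except the one the frame arrived on.
            return [p for p in range(self.ports) if p != in_port]
        out = self.mac_table[hdr["dst"]]
        # A frame destined for the port it came from is not sent back.
        return [] if out == in_port else [out]
```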
Ethernet Segment (Broadcast Domain)
In examples thus far, a single network through which computers
participating in an Ethernet network can communicate freely with each
other is called an "Ethernet segment," a "segment" or "broadcast
domain". An Ethernet configured of a switching HUB is usually one
segment. A segment can also be formed by connecting two originally
separate segments by network cable, etc., as was previously mentioned.
Cascade Connection
As was previously mentioned, the method of connecting two segments
configured of two switching HUBs and using them as a single segment is
called "cascade connection". Cascade connection can consist of an unlimited
number of cascades provided the physical limit established for Ethernet
is not exceeded. The fact that cascade connection can be accomplished
easily is one of the greatest features of using Ethernet. By cascade
connecting another switching HUB to one for which the number of ports
has become insufficient, you can increase the number of available ports
and increase the number of computers that can be connected to the
network.
Bridge Connection
Bridge connection enables frames to be exchanged freely by cascade
connection of two physically separated Ethernet segments or similar
configuration.
Cascade connection and bridge connection are technically similar
connection methods, but whereas cascade connection indicates connecting
switching HUBs to construct a single large segment from the beginning,
bridge connection means connecting networks to be used as two segments
that are physically separate and are administered separately.
1.4.2 Virtual HUB
With PacketiX VPN, VPN communication that forms a virtual Ethernet is
realized by creating a virtual switching HUB and virtual network adapters.
This section contains a brief description of Virtual HUB. A more
concrete description of Virtual HUB is provided in 「1.6 VPN Communication Details」.
Virtual HUB Functions
Virtual HUB is one of the most important functions of PacketiX VPN.
Virtual HUB implements the same level of functions as the existing
common layer 2 switching HUB as software. Virtual HUB has a MAC address
learning function and frame exchange/delivery functions based on
learning. Whereas conventional switching HUBs used to handle this
processing as hardware, with Virtual HUB of PacketiX VPN, the processing
is handled as software.
For details concerning realization of VPN communications by Virtual
HUB, see 「1.6 VPN Communication Details」 and 「3.4 Virtual HUB Functions」.
PacketiX VPN Server can create multiple Virtual HUBs. You can create
as many Virtual HUBs as memory space, CPU speed and specifications
permit. Each Virtual HUB conducts MAC address learning for the virtual
Ethernet frames flowing through the VPN. As a result, a virtual layer 2
Ethernet segment is realized by delivering Ethernet frames to the other
computers participating in the VPN.

Fig. 1-4-4 Connection between Virtual HUBs or between
Virtual Network Adapters
Creation and Administration of Multiple Virtual HUBs
If multiple Virtual HUBs are created within a single VPN server,
those Virtual HUBs cannot communicate with each other. Consequently if
multiple Virtual HUBs are created, it means multiple Ethernet segments
are formed within the VPN Server.
Unlike the physical switching HUB in conventional Ethernet, the
Virtual HUB of PacketiX VPN is connected by a TCP/IP-based tunneling
protocol (the PacketiX VPN protocol) via an existing IP network (such as
the Internet) rather than by direct connection with a network cable. In
other words, the Virtual HUB provides virtual ports, equivalent to the
ports of a physical switching HUB connected by network cable, that stand
by for connections; another computer can then connect by the PacketiX
VPN protocol just as if it were connected to a virtual port by network
cable.

Fig. 1-4-5 Segment separation by Virtual HUB within VPN
Server
Role of Administration Unit
As was previously mentioned, you can connect to a Virtual HUB from a
remote location by the PacketiX VPN protocol, but if connection is
permitted to anybody, an unauthorized third party could connect to the
Virtual HUB. To prevent this, the administrator defines the users who
can connect to the Virtual HUB and can set the Virtual HUB so that only
successfully authenticated users are accepted (either password
authentication or certificate authentication may be used). As for
communication within the Virtual HUB, all communication is permitted by
default, but by applying packet filtering and security policies, some
types of communication can be blocked.
These setting contents are completely independent for
each Virtual HUB, and administration is divided into units so each
individual administrator can administrate separately. Administrators of
VPN Servers at large can manage all Virtual HUBs, but administrators
granted authority concerning some Virtual HUBs from the VPN Server
administrator can manage only those Virtual HUBs and are unable to
manage other Virtual HUBs.
Method of Connecting Virtual HUBs to each other
Virtual HUBs can be cascade connected to Virtual HUBs operating on
the same VPN Server or VPN Server operating on another computer, and the
cascade connected Virtual HUBs that were originally separate segments
are joined to work as a single segment.
Virtual HUBs operating on the same VPN Server can also be connected to
each other at layer 3, by IP routing via the virtual layer 3 switch.
1.4.3 Virtual Network Adapter
With PacketiX VPN, a physical switching HUB can be made virtual to
realize Virtual HUB. Similarly, a physical network adapter can be made
virtual by software to realize a Virtual Network Adapter. Virtual
Network Adapter can connect to a Virtual HUB operating within PacketiX
VPN Server at a remote location through a network by TCP/IP-based
PacketiX VPN protocol.
For details concerning PacketiX VPN Client and Virtual Network
Adapter, see 「Chapter 4 PacketiX VPN Client 2.0 Manual」.

Fig. 1-4-6 PacketiX VPN Virtual Network Adapter recognized
as a network adapter by the operating system
Virtual Network Adapter software is currently offered as PacketiX VPN
Client for Windows and Linux. Computers with PacketiX VPN Client
installed can connect to the VPN Server as VPN clients. Multiple Virtual
Network Adapters can be created on a client computer as a PacketiX VPN
Client setting. Because the created Virtual Network Adapter is
recognized as a network adapter, just like a physical network adapter,
by almost any communications application running on the operating
system, as a rule almost all network protocols that support Ethernet
communication, as well as TCP/IP, can communicate over the VPN via the
Virtual HUB.

Fig. 1-4-7 Property window of Virtual Network Adapter
1.4.4 Cascade connection and virtual layer 3 switch
With PacketiX VPN Server, you can create multiple Virtual HUBs and
operate them together. In the initial state however Virtual HUBs have
only independent layer 2 segments, and although computers connected to
the same Virtual HUB can communicate freely, computers connected to
separate Virtual HUBs cannot communicate with each other.
Cascade Connection
Using the cascade connection function, you can connect to a Virtual
HUB operating on the same VPN Server or on another computer's VPN
Server. By combining the cascade connection and bridge connection
functions, you can easily construct a base-to-base VPN. For details on
cascade connection, see 「3.4.11 Cascade Connection Functions」. For
examples of VPN construction combining the cascade and bridge connection
functions, see 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」.
Virtual Layer 3 Switch
The virtual layer 3 switch function emulates a communications device
that performs IP routing by the IP protocol, called a "layer 3 switch"
or "IP router". Layer 3 switches and IP routers join physically
separated layer 2 segments, each with its own broadcast domain, into a
single layer 3 IP network. The layer 2 segments separated in this way
communicate via the layer 3 switch or router, and IP packets can reach
another network by passing through layer 3 switches or routers in
sequence. Massive IP networks such as the Internet are realized by
combinations of layer 3 switches and routers.
Using the virtual layer 3 switch function of PacketiX VPN Server
enables IP routing among multiple Virtual HUBs. If conducting IP routing
among multiple Virtual HUBs with the previous version of SoftEther 1.0,
etc., you had to conduct IP routing with a physical layer 3 switch or
special router by bridge connecting each respective Virtual HUB segment
to a physical Ethernet segment. PacketiX VPN Server's support of virtual
layer 3 switch function enables network administrators to easily realize
communication among Virtual HUBs by IP routing among multiple Virtual
HUBs.

Fig. 1-4-8 IP routing among Virtual HUBs by virtual layer 3
switch
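IP routing between two Virtual HUB segments by a virtual layer 3 switch, as an added example (not PacketiX VPN's own implementation; the segment names, addresses and the `hosts` table that stands in for ARP resolution are constructed). It shows the two properties the text relies on: unicast IP packets cross between segments by routing table lookup, while broadcast frames stay in their own broadcast domain.

```python
"""Constructed example: a virtual layer 3 switch routing between segments.
Not PacketiX VPN code; all names and addresses are made up."""
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Segment:
    """One layer 2 broadcast domain (a Virtual HUB) with its IP network.
    `hosts` maps IP address -> MAC address, standing in for ARP resolution."""

    def __init__(self, name: str, network: str, hosts: dict[str, str]) -> None:
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.hosts = hosts
        self.delivered: list[dict] = []   # frames that reached this segment

    def deliver(self, frame: dict) -> None:
        self.delivered.append(frame)


class VirtualL3Switch:
    """Forwards unicast IP packets between attached segments by longest
    prefix match; broadcast frames are never carried across segments."""

    def __init__(self, mac: str) -> None:
        self.mac = mac                      # MAC of the switch's virtual interfaces
        self.interfaces: dict[str, Segment] = {}   # segment name -> Segment

    def attach(self, segment: Segment) -> None:
        self.interfaces[segment.name] = segment

    def forward(self, in_segment: str, frame: dict) -> str:
        """Handle one frame received on `in_segment`; return what happened."""
        if frame["dst_mac"] == BROADCAST_MAC:
            return "dropped: broadcast not routed"   # broadcast domains stay separate
        if frame["dst_mac"] != self.mac:
            return "ignored: not addressed to the switch"
        if frame["ttl"] <= 1:
            return "dropped: TTL expired"
        dst_ip = ipaddress.ip_address(frame["dst_ip"])
        candidates = [s for s in self.interfaces.values() if dst_ip in s.network]
        if not candidates:
            return "dropped: no route"
        out = max(candidates, key=lambda s: s.network.prefixlen)   # longest prefix
        if out.name == in_segment:
            return "not forwarded: destination is on the ingress segment"
        dst_mac = out.hosts.get(str(dst_ip))
        if dst_mac is None:
            return "dropped: destination unresolved"
        # Rewrite the layer 2 header for the next segment and decrement the TTL;
        # the IP addresses and payload pass through unchanged.
        out.deliver(dict(frame, dst_mac=dst_mac, src_mac=self.mac, ttl=frame["ttl"] - 1))
        return f"routed to {out.name}"
```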
When connecting the networks of multiple bases by VPN with PacketiX
VPN, a combination of the local bridge function and the cascade
connection function is usually sufficient, but depending on how the
networks are to be connected, you may also need to combine this with IP
routing by the virtual layer 3 switch function. For VPN construction
examples using the virtual layer 3 switch function, see 「10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)」.
1.4.5 Bridge Connection of Virtual Network and Physical Network
PacketiX VPN Server and PacketiX VPN Bridge are equipped with a local
bridge function. Using the local bridge function enables you to bridge
connect Virtual HUB and physical network adapter. In other words, you
can join two segments such as Virtual HUB and existing physical network
as a single segment. For details see 「3.6 Local Bridges」.
By local-bridging the Virtual HUB to the existing physical LAN at each
of multiple bases, and furthermore cascade connecting those Virtual
HUBs, the existing physical LANs of the multiple bases can easily be
made a single segment via the Internet, realizing a base-to-base VPN.

Fig. 1-4-9 Example of base-to-base connection by PacketiX
VPN
1.4.6 Computer-to-computer VPN
The networks that PacketiX VPN can realize can roughly be divided into
the following three forms:
- Computer-to-computer VPN
- Remote access VPN
- Base-to-base connection VPN
A sophisticated VPN can be constructed by separating or combining
these forms. For actual network construction examples, see 「Chapter 10 Instructions and Examples For Configuring a VPN」.
Computer-to-computer VPN is the simplest form of VPN built using
PacketiX VPN. Although it can be constructed extremely easily, the
range of communication via this VPN is not very wide.
With a computer-to-computer VPN, multiple computers connect the Virtual
Network Adapter of PacketiX VPN Client by VPN to a Virtual HUB of a
PacketiX VPN Server established at one location. This enables any
Ethernet frame to be sent or received among the computers participating
in the VPN, so communication can be carried out freely and safely
regardless of the physical network form. All VPN communication is
encrypted to prevent eavesdropping and tampering.
With computer-to-computer VPN, however, computers installed with
PacketiX VPN Client can communicate freely, but computers other than
these cannot participate in VPN.
For specific connection method, see 「10.3 Setting Up a PC-to-PC VPN」.

Fig. 1-4-10 Computer-to-computer VPN
1.4.7 Remote Access VPN
Remote access VPN is a type of VPN that can be built using PacketiX
VPN. From out in the field or at home, you can freely access computers
that cannot be accessed from the Internet, such as those on an ordinary
company LAN, and communicate with the application of your choice.
Remote access to company LAN used to frequently be accomplished using
PPP protocol by dial-up network such as telephone line or ISDN.
Communication speed for these methods is however low, and because it was
pay-as-you-go, it was difficult to send or receive large quantities of
data that took an extended amount of time.
With remote access VPN by PacketiX VPN, by installing PacketiX VPN
Client you can, as a rule, connect by VPN to a PacketiX VPN Server set
up in the company LAN from anywhere in the world where an Internet
connection is available, thereby gaining access to the company LAN. All
VPN communication is also encrypted to prevent eavesdropping and
tampering.
In order to realize remote access VPN, a PacketiX VPN Server is
established in the company LAN and the Virtual HUB and existing physical
Ethernet segment created in VPN Server are connected by bridge
connection. Connecting by computer installed with VPN Client from remote
to concerned Virtual HUB enables remote access to company LAN.
Even protocols other than TCP/IP, which were often hard to use with
conventional VPN protocols, can be used via the virtual Ethernet. VPN
sessions can furthermore be easily established via proxy servers,
firewalls or NAT, which conventional VPN protocols often had difficulty
getting through.
For the specific connection method, see 「10.4 Setting Up a Generic Remote Access VPN」.

Fig. 1-4-11 Remote access VPN
1.4.8 Base-to-Base VPN of Ordinary Scale
Remote access VPN is the form of VPN that enables multiple computers
installed with VPN Client to access one base via Internet or other bases
from a remote location.
Base-to-base VPN on the other hand is a VPN connection method whereby
multiple bases in physically separated locations can connect with each
other. It is probably the best way for companies or departments where
two or more bases already exist or are considering increasing the number
of bases.
With a base-to-base VPN, computers with VPN Server or VPN Bridge
installed are set up at multiple bases, and the existing physical
Ethernet segment of each base is connected by local bridge to the
Virtual HUB within that VPN Server or VPN Bridge. The Virtual HUB of
each VPN Bridge, etc., is then connected by cascade connection to the
VPN Server at one of the bases. By doing so, the physical layer 2
segments of the multiple separated bases recognize each other as a
single segment. Once the physical networks of the bases are connected
by PacketiX VPN so that they can be used as a single segment, they can
be used just as if they were physically cascade connected with an
extremely long network cable. All VPN communication is also encrypted
to prevent eavesdropping and tampering.
The base-to-base VPN function for bridging bases can realize, over the
Internet, an economical and secure service equivalent to the
conventional broadband Ethernet service of communication carriers.
For specific connection method, see 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」.

Fig. 1-4-12 Base-to-base VPN of ordinary scale
1.4.9 Base-to-Base VPN of Large Scale
The method of connecting physical Ethernet segments of multiple bases
such as by the previously described base-to-base VPN connection of
ordinary scale works well if there are a total of several hundred
clients at each base connected by VPN, but if the number of computers
exceeds this when totaled and you want to connect respective computers
to each other, several limitations such as the following may occur.
- If the number of computers exceeds several hundred, the volume
of communication by protocol using broadcast frames such as ARP and
NetBIOS increases and increases the load of VPN connection among
bases.
- Because networks that were originally separate become a single
large network when layer 2 segments are connected as they are, it is
as a rule preferable that the computers in the segments belong to the
same IP network, but if the total number of computers is large,
altering the configuration costs a lot.
Where such limitations may pose problems, by combining the virtual
layer 3 switch function, the layer 2 local bridge function and the
cascade connection function of PacketiX VPN Server, you can use IP
routing at layer 3 instead of direct cascade connection of the base
networks at layer 2. This method is especially effective for realizing
a large scale base-to-base VPN. It does, however, require knowledge of
IP routing for designing and building, which raises the level of
difficulty. For the specific connection method, see 「10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)」.
By this method, base-to-base VPN communication equal to or better than
that supported by older VPN protocols such as PPTP and L2TP/IPSec can
be easily realized with PacketiX VPN software.

Fig. 1-4-13 Base-to-base VPN of large scale