Avoiding VPN Bottlenecks: Exploring Network-Level Client Identity Validation Options

Conference paper, published in: Quality, Reliability, Security and Robustness in Heterogeneous Systems (QShine 2021)

Abstract

Virtual private networks (VPNs) allow organizations to support their remote employees by creating tunnels that ensure confidentiality, integrity and authenticity of communicated packets. However, these same services are often provided by the application, in protocols such as TLS. As a result, the historical driving force for VPNs may be in decline. Instead, VPNs are often used to determine whether a communicating host is a legitimate member of the network to simplify filtering and access control. However, this comes with a cost: VPN implementations often introduce performance bottlenecks that affect the user experience.

To preserve straightforward filtering without the limitations of VPN deployments, we explore a simple network-level identifier that allows remote users to provide evidence that they have previously been vetted. This approach uniquely identifies each user, even if they are behind Carrier-Grade Network Address Translation, which causes widespread IP address sharing. Such identifiers remove the redundant cryptography, packet header overheads, and need for dedicated servers to implement VPNs. This lightweight approach can achieve access control goals with minimal performance overheads.
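The abstract describes a network-level identifier that lets a previously vetted user be recognized at the network edge even when its IP address is shared through Carrier-Grade NAT. The following is an added illustration of that access-control idea, written for this page; it is not the paper's design. It assumes a hypothetical identifier layout (user id, expiry, HMAC tag) and a constructed secret key, and shows an edge filter admitting or dropping packets based solely on the identifier rather than the source address.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical identifier layout (an assumption, not the paper's format):
#   user_id (4 bytes, big-endian) || expiry (4 bytes, unix seconds) || tag (16 bytes)
# The tag is a truncated HMAC-SHA256 over the first 8 bytes under a key known
# only to the vetting service and the edge filter.
TAG_LEN = 16
BODY_LEN = 8
IDENT_LEN = BODY_LEN + TAG_LEN


def issue_identifier(key: bytes, user_id: int, expiry: int) -> bytes:
    """Vetting service side: mint an identifier for a user who has already
    authenticated out of band (assumed flow)."""
    body = struct.pack("!II", user_id, expiry)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def validate_identifier(key: bytes, ident: bytes, now: int) -> Optional[int]:
    """Edge filter side: return the user id if the identifier is well-formed,
    carries a genuine tag and has not expired; otherwise None."""
    if len(ident) != IDENT_LEN:
        return None
    body, tag = ident[:BODY_LEN], ident[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    user_id, expiry = struct.unpack("!II", body)
    if now >= expiry:
        return None
    return user_id


@dataclass
class Packet:
    """Constructed stand-in for an inbound packet: source address plus the
    identifier carried alongside it (None when absent)."""
    src_ip: str
    ident: Optional[bytes]
    payload: bytes


def filter_packet(key: bytes, pkt: Packet, now: int,
                  allowed_users: frozenset) -> Tuple[str, Optional[int]]:
    """Decide ("accept"|"drop", user_id) for one packet. The source IP is
    deliberately ignored: behind CGNAT it is shared, so it identifies nobody."""
    if pkt.ident is None:
        return ("drop", None)
    user_id = validate_identifier(key, pkt.ident, now)
    if user_id is None or user_id not in allowed_users:
        return ("drop", user_id)
    return ("accept", user_id)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    now = 1_700_000_000
    allowed = frozenset({1001, 1002})

    # Two vetted users sitting behind the same CGNAT public address.
    alice = issue_identifier(key, 1001, now + 3600)
    bob = issue_identifier(key, 1002, now + 3600)
    shared_ip = "203.0.113.7"  # constructed documentation address

    print(filter_packet(key, Packet(shared_ip, alice, b"GET /"), now, allowed))  # accept, 1001
    print(filter_packet(key, Packet(shared_ip, bob, b"GET /"), now, allowed))    # accept, 1002
    # Same address, no identifier: dropped without consulting any IP denylist.
    print(filter_packet(key, Packet(shared_ip, None, b"GET /"), now, allowed))   # drop
    # Forged tag (last byte flipped): dropped.
    forged = alice[:-1] + bytes([alice[-1] ^ 0x01])
    print(filter_packet(key, Packet(shared_ip, forged, b"GET /"), now, allowed))  # drop
```

The expiry field is what bounds the window in which a captured identifier could be replayed; a deployment would pair it with renewal by the vetting service. Because the filter needs only one HMAC per packet and no tunnel state, it sits naturally in a packet filter rather than on a dedicated VPN concentrator, which is the performance argument the abstract makes.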



Acknowledgements

This material is based upon work supported by the National Science Foundation under Grant No. 1651540.

Corresponding author: Yu Liu.


Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Liu, Y., Shue, C.A. (2021). Avoiding VPN Bottlenecks: Exploring Network-Level Client Identity Validation Options. In: Yuan, X., Bao, W., Yi, X., Tran, N.H. (eds) Quality, Reliability, Security and Robustness in Heterogeneous Systems. QShine 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 402. Springer, Cham. https://doi.org/10.1007/978-3-030-91424-0_17

  • DOI: https://doi.org/10.1007/978-3-030-91424-0_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91423-3

  • Online ISBN: 978-3-030-91424-0
