Abstract
Virtual private networks (VPNs) allow organizations to support their remote employees by creating tunnels that ensure confidentiality, integrity and authenticity of communicated packets. However, these same services are often provided by the application, in protocols such as TLS. As a result, the historical driving force for VPNs may be in decline. Instead, VPNs are often used to determine whether a communicating host is a legitimate member of the network to simplify filtering and access control. However, this comes with a cost: VPN implementations often introduce performance bottlenecks that affect the user experience.
To preserve straightforward filtering without the limitations of VPN deployments, we explore a simple network-level identifier that allows remote users to provide evidence that they have previously been vetted. This approach uniquely identifies each user, even when the user sits behind Carrier-Grade Network Address Translation, which causes widespread IP address sharing. Such identifiers remove the redundant cryptography, the packet header overhead, and the dedicated servers needed to implement VPNs. This lightweight approach can achieve access control goals with minimal performance overhead.
Acknowledgements
This material is based upon work supported by the National Science Foundation under Grant No. 1651540.
Copyright information
© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Liu, Y., Shue, C.A. (2021). Avoiding VPN Bottlenecks: Exploring Network-Level Client Identity Validation Options. In: Yuan, X., Bao, W., Yi, X., Tran, N.H. (eds) Quality, Reliability, Security and Robustness in Heterogeneous Systems. QShine 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 402. Springer, Cham. https://doi.org/10.1007/978-3-030-91424-0_17
DOI: https://doi.org/10.1007/978-3-030-91424-0_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91423-3
Online ISBN: 978-3-030-91424-0
eBook Packages: Computer Science; Computer Science (R0)