not symmetric. In this example an employee's laptop using the private IP network in a coffee shop is connected to the public Internet through bridging. At a higher level, using virtual private network (VPN) technology layered on top of the previous networks, the laptop joins the employer's private enterprise network, and accesses a compute server within it. We will look at the bridging first.
It has been a long time since there has been enough room in the IPv4 32-bit namespace to give every networked machine a unique name. Outright exhaustion of the namespace was delayed by the fact that most private networks reuse the same set of private IP addresses. The cost of this strategy is that private IP addresses are ambiguous except in their local context, and a machine with a private address cannot be reached from outside its local network except with a compound session.
In Figure 4, the joinbox for the compound session is the coffee shop's IP router, which incorporates the functionality of network address translation (NAT). The bidirectional compound session is initiated from the private address X, to public address S. Upon receiving the session-initiating packet, the NAT/router alters it before forwarding, thus making an outgoing session with its own public address N as the source. When S accepts this session and sends packets in the reverse direction, it uses reachable N as the destination rather than unreachable X. In this figure, the dark-gray box represents the public Internet as one network, ignoring the fact it is really a bridging of many networks. Bridging is shown explicitly by the link and session across a network boundary. In the usage hierarchy, the enterprise network uses both lower-level networks.
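The joinbox behavior just described, as an added example that is not part of the original article: a small NAT/router model that owns public address N, rewrites the session-initiating packet from X so that it leaves as N, maps S's replies back to X, and drops any packet addressed to N that belongs to no session X initiated. Addresses X, Y, N and S follow the labels of Figure 4; the port numbers and payloads are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source address (private X or public N/S)
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port
    payload: str = ""


class NatRouter:
    """The joinbox of Figure 4: a router that owns public address N and
    rewrites outgoing private sources so that replies can find their way back."""

    def __init__(self, public_addr: str, first_port: int = 40000) -> None:
        self.public_addr = public_addr
        self.next_port = first_port
        # (private src, sport, dst, dport) -> port used on the public side
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote addr, remote port) -> (private src, sport)
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: the session-initiating packet from X to S
        leaves as N -> S, and the mapping is remembered for the reply."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_addr, sport=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: a packet addressed to N is delivered to X only if
        it belongs to a session X initiated; anything else is dropped, which is
        why X cannot be reached from outside without a compound session."""
        if pkt.dst != self.public_addr:
            return None
        mapping = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if mapping is None:
            return None
        priv_addr, priv_port = mapping
        return replace(pkt, dst=priv_addr, dport=priv_port)


def demo() -> dict:
    """Constructed packets following the labels of Figure 4 (X, N, S)."""
    nat = NatRouter("N")
    out = nat.outbound(Packet("X", 51000, "S", 443, "hello"))          # X->S becomes N->S
    reply = nat.inbound(Packet("S", 443, "N", out.sport, "world"))     # S->N becomes S->X
    stray = nat.inbound(Packet("S", 443, "N", 40001, "unsolicited"))   # no session: dropped
    # A second private host (Y) reusing X's port number gets its own public port,
    # so two ambiguous private addresses stay distinguishable on the public side.
    other = nat.outbound(Packet("Y", 51000, "S", 443, "hi"))
    return {"out": out, "reply": reply, "stray": stray, "other": other}
```

The mapping table is keyed on the full five-tuple of the outgoing session, so the router never has to guess which private host an inbound packet is for: either the packet matches a session a private member started, or it is discarded.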
At the higher level of Figure 4, the enterprise network is also a private IP network, with private addresses U and W, and public address S. The laptop joins the enterprise network by creating a dynamic link to the VPN server. The link is implemented by the IPsec session, so that packets are transmitted in encrypted and authenticated form. The VPN server authenticates the laptop, which has secret credentials issued by the enterprise, and gives it temporary address U within the enterprise network. At this point the laptop can initiate a session with compute server W, using TCP as the session protocol in the higher-level IP network.
Verification of trustworthy services.
To prove security properties, some entities must have responsibilities and be trusted to fulfill them. Normally the entity that is trusted is a machine because the whole machine has a single owner,[e] but trusted to do what, and by whom? A machine can have members of multiple networks, and in each network its member can play a different role.
In networks bridged together in and with the public Internet, as on the lower level of Figure 4, a network's administrative authority owns routers (and other infrastructure machines) and trusts them to behave as specified. Because the administrative authority does not trust the user members (endpoints), the behavior of the routers and other infrastructure machines should be sufficient to provide the specified services in cooperation with well-behaved endpoints, and to protect the network from ill-behaved endpoints. Beyond the technical sources of trust, economic relationships provide incentives for administrative authorities to ensure that networks satisfy their

In Figure 4, the employee's laptop and enterprise gateway have network members that are not trusted by their Internet providers, but are trusted by the enterprise. The VPN server does not allow the laptop's member U to join the enterprise network until it shows that it is trustworthy by sending

[e] These terms must be refined slightly to apply to clouds, in which a machine hosts virtual
This VPN architecture enforces two
• Only packets originating at members of the enterprise network should be allowed to reach W.
• All enterprise data being transmitted outside the walls of the enterprise should have confidentiality and integrity, meaning that no external agent can read or alter the data.
The second property is guaranteed by the IPsec implementation of dynamic links outside enterprise walls. To prove the first property, it is necessary to establish that only packets transmitted on links in the enterprise network (which is not bridged to other networks) are forwarded to W. The easiest way to prove this is to rely on the fact that dynamic links of the enterprise network are associated with specific lower-level sessions. Then it is only necessary to check—no matter what packets the public Internet delivers to its member S—that the member drops all received packets unless they belong to sessions implementing dynamic links.
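The check that carries the proof of the first property, as an added example that is not part of the original article: a model of the VPN server at S that admits the laptop only after it answers a challenge with its enterprise-issued credential, leases it address U on a new dynamic link, and then drops every packet the public Internet delivers unless it belongs to a known link, is intact, and was sent by the member that owns that link. The link is modeled by an HMAC tag over an SPI and the inner packet bytes; real IPsec also encrypts, which this example omits. The credential value, the challenge/response scheme and the key derivation are constructed for the example, and the names U, W, N and S follow Figure 4.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class InnerPacket:
    """Packet of the higher-level enterprise IP network (U -> W)."""
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class OuterPacket:
    """Packet of the lower-level public Internet that carries the link.
    spi names the IPsec session; tag covers spi and the inner bytes."""
    src: str
    dst: str
    spi: int
    inner: bytes
    tag: bytes


def encode_inner(p: InnerPacket) -> bytes:
    return b"|".join([p.src.encode(), p.dst.encode(), p.payload])


def decode_inner(b: bytes) -> InnerPacket:
    src, dst, payload = b.split(b"|", 2)
    return InnerPacket(src.decode(), dst.decode(), payload)


def seal(spi: int, key: bytes, inner: bytes) -> bytes:
    # Integrity tag of the (hypothetical) session; real IPsec also encrypts.
    return hmac.new(key, spi.to_bytes(4, "big") + inner, hashlib.sha256).digest()


class VpnServer:
    """Member S of the public Internet and gateway of the enterprise network."""

    def __init__(self, credentials: Dict[str, bytes], address_pool: List[str]) -> None:
        self.credentials = credentials      # laptop id -> secret issued by the enterprise
        self.pool = list(address_pool)      # temporary addresses such as U
        self.sessions: Dict[int, Tuple[str, bytes]] = {}   # spi -> (member address, key)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def join(self, client_id: str, nonce: bytes, response: bytes) -> Optional[Tuple[int, str, bytes]]:
        """Authenticate the laptop with its enterprise credential; on success
        create a dynamic link (an IPsec session) and lease it an address."""
        secret = self.credentials.get(client_id)
        if secret is None:
            return None
        if not hmac.compare_digest(response, hmac.new(secret, nonce, hashlib.sha256).digest()):
            return None
        spi = secrets.randbelow(2 ** 32)
        key = hashlib.sha256(b"link-key" + secret + nonce).digest()   # toy key derivation
        addr = self.pool.pop(0)
        self.sessions[spi] = (addr, key)
        return spi, addr, key

    def receive(self, pkt: OuterPacket) -> Optional[InnerPacket]:
        """Drop every packet the public Internet delivers to S unless it belongs
        to a dynamic link, is intact, and was sent by the member owning that link."""
        sess = self.sessions.get(pkt.spi)
        if sess is None:
            return None                       # not on any dynamic link
        addr, key = sess
        if not hmac.compare_digest(seal(pkt.spi, key, pkt.inner), pkt.tag):
            return None                       # altered in transit
        inner = decode_inner(pkt.inner)
        if inner.src != addr:
            return None                       # claims an address it was not leased
        return inner                          # forwarded on the enterprise network toward W


def laptop_send(spi: int, key: bytes, inner: InnerPacket, outer_src: str = "N") -> OuterPacket:
    """Laptop side: wrap an enterprise packet in the IPsec session to S."""
    body = encode_inner(inner)
    return OuterPacket(outer_src, "S", spi, body, seal(spi, key, body))


def demo() -> dict:
    """Constructed exchange following Figure 4; the credential value is made up."""
    secret = b"enterprise-issued-secret"
    server = VpnServer({"laptop": secret}, ["U"])
    nonce = server.challenge()
    rejected = server.join("laptop", nonce, b"not the right response")
    spi, addr, key = server.join("laptop", nonce, hmac.new(secret, nonce, hashlib.sha256).digest())
    ok = server.receive(laptop_send(spi, key, InnerPacket("U", "W", b"GET /")))
    no_link = server.receive(OuterPacket("Z", "S", (spi + 1) % 2 ** 32, b"U|W|x", b"\0" * 32))
    good = laptop_send(spi, key, InnerPacket("U", "W", b"GET /"))
    tampered = server.receive(OuterPacket(good.src, good.dst, good.spi, b"U|W|GET /admin", good.tag))
    spoofed = server.receive(laptop_send(spi, key, InnerPacket("V", "W", b"GET /")))
    return {"rejected": rejected, "addr": addr, "ok": ok, "no_link": no_link,
            "tampered": tampered, "spoofed": spoofed}
```

The forwarding decision never looks at the lower-level source address (N, or anything else the public Internet presents); it depends only on whether the packet verifies under a session that was created by a successful authentication, which is exactly the association between dynamic links and lower-level sessions that the proof relies on.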
The VPN example is especially simple because the security mechanisms at both levels are implemented on the
Figure 4. VPN architecture. Public names are in boldface red, while private names are not. Light-gray boxes show attachments of members within the same machine.
[Figure labels: Private IP Network in a Coffee Shop; NAT/Router N; public Internet; S; Private Enterprise IP Network; Dynamic, Encrypted Link (IPsec, two-way); packet headers Source = X, Dest = S; Source = N, Dest = S; Source = U, Dest = W.]