In its simplest form, a virtual private network (VPN) allows two or more sites to establish private IP connectivity through a common network infrastructure. As deployed on the Internet, VPNs provide reachability between geographically disparate sites without requiring the provisioning of expensive private leased lines between isolated networks. VPNs on the Internet are implemented through various mechanisms. Virtual private LAN service (VPLS) and virtual private wire service (VPWS) are two Layer 2 VPN mechanisms that enable customer sites to participate in a VPN through a service provider's (SP's) IP backbone. Request for comments (RFC) 4364 provides an alternate, Layer 3 solution to establishing a VPN between two sites, through the use of the border gateway protocol and multi-protocol label switching (BGP/MPLS). The networks that constitute the United States Department of Defense (DoD) global information grid (GIG) offer another venue where VPN services may be applied. However, although the aforementioned VPN technologies are feasible on the Internet, scalability issues may arise when applying VPNs between components of the GIG, as the network architectures of the GIG may deviate significantly from the SP-customer network topologies found on the Internet. This paper details RFC 4364 VPN operation and explores several use cases for application between various components of the GIG. In addition, this paper presents various RFC 4364 VPN architecture alternatives and enhancements, which will help the scaling and deployment of RFC 4364 VPNs in large-scale IP networks.
In its simplest form, a virtual private network (VPN) allows two or more sites to establish private IP connectivity through a common, IP-based network infrastructure. As deployed on the Internet, VPNs provide IP reachability between geographically disparate sites without requiring the provisioning of expensive private leased lines between isolated networks. VPNs on the Internet are implemented through various mechanisms. Virtual private LAN service (VPLS) and IP-only LAN service (IPLS) are two Layer 2 VPN mechanisms that enable customer sites to participate in a VPN through a service provider's (SP's) IP backbone. Request for comments (RFC) 2547 provides an alternate, Layer 3 solution to establishing a VPN between two sites, through the use of the border gateway protocol and multi-protocol label switching (BGP/MPLS). The networks of the global information grid (GIG) offer another venue where VPN services may be applied. For example, VPNs can be used between a tactical network and its provider network to help maintain connectivity between tactical network nodes during a network split event. However, although the aforementioned VPN technologies are feasible on the Internet, scalability issues may arise when applying VPNs between components of the GIG, as the network architectures of the GIG may deviate significantly from the SP-customer network topologies found on the Internet. This paper investigates 2547bis VPN operation and details use cases for application between various components of the GIG. Furthermore, this paper presents various 2547bis VPN architecture alternatives and enhancements, which help the scaling and deployment of 2547bis VPNs in large-scale IP networks.
Integrating Header Compression with IPsec Brower, E.; Jeffress, L.; Pezeshki, J. ...
MILCOM 2006 - 2006 IEEE Military Communications conference,
2006-Oct.
Conference Proceeding
The global information grid (GIG) will leverage Internet protocol security (IPsec) tunnel mode security associations (SAs) to secure IP traffic. Tunnel mode SAs require an additional IP header per packet, which significantly increases the overhead added to traffic profiles characterized by small packet payloads. This effect is further magnified by the United States Department of Defense (DoD) transition to Internet protocol version 6 (IPv6), as the IPv6 header is twice the size of the Internet protocol version 4 (IPv4) header. Traditional Internet engineering task force (IETF) header compression (HC) algorithms, such as IP header compression (IPHC), compressed real-time transport protocol (CRTP), enhanced compressed real-time transport protocol (ECRTP), and robust header compression (ROHC), have been developed to help minimize packet overhead on a hop-by-hop basis. Because they operate link by link, they cannot reach the headers that IPsec has already encrypted; if these HC algorithms are extended to operate over IPsec, improvements in network performance and in the efficiency of IPsec-protected traffic can be attained. This paper provides an overview of the extensions required to achieve HC over IPsec (HCoIPsec), an emerging protocol currently being defined in the IETF. By integrating the IPsec architecture with HC algorithms, the size of packet headers flowing over IPsec tunnel mode SAs can be reduced, providing efficiency gains in bandwidth-constrained networks.
As government networks migrate towards an Internet protocol version 6 (IPv6) based infrastructure, there is growing concern over the increased operational overhead required by IPv6 packets. The IPv6 header is twice the size of that of its predecessor, Internet protocol version 4 (IPv4), mainly due to the larger address space. Overhead concerns are further magnified in encrypted networks that employ IP security protocol (IPsec) tunnel-mode security associations (SAs). For example, global information grid (GIG) tactical networks, which are characterized by both bandwidth-constrained and high bit error rate (BER) links, may be significantly impacted by the additional IP header that IPsec tunnel mode requires for traffic flow confidentiality. The Internet engineering task force (IETF) has developed various header compression algorithms to reduce the overhead associated with IP packets. Robust header compression (ROHC) and enhanced compression of the real-time transport protocol (ECRTP) mitigate the impact of the IPv6 overhead at the network layer and help reduce overhead at the transport layer. In this paper, we evaluate the benefits of instantiating header compression in encrypted networks characterized by bandwidth-constrained, high-BER links. The results highlight the benefits of integrating ROHC and ECRTP with IPsec devices for compression of the plaintext upper layer protocol (ULP) headers of IP packets.
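The two abstracts above make a quantitative claim (tunnel-mode IPsec adds a full IP header, IPv6 doubles it, and header compression only pays off for small payloads if it reaches the headers inside the ESP envelope) without showing the arithmetic. The following is an added worked example, not code from either paper: a per-packet byte budget for an RTP voice packet carried in ESP tunnel mode, comparing no compression, hop-by-hop compression of the outer headers only, compression of the inner headers before encryption (the HC over IPsec approach), and both. Fixed header sizes are those of IPv4, IPv6, UDP, RTP and ESP; the choice of AES-GCM (8-byte IV, 16-byte ICV), the 3-byte steady-state ROHC header, and the use of a ROHC IP/ESP profile for the outer headers are assumptions of this example and are labelled as such in the code.

```python
"""Per-packet overhead model for ESP tunnel mode with and without header
compression (HC). Added worked example; not code from the papers above.

Fixed sizes come from the IPv4/IPv6/UDP/RTP/ESP header formats.
ASSUMPTIONS (not from the papers): AES-GCM-128 as the ESP transform
(8-byte IV, 16-byte ICV) and a 3-byte steady-state ROHC header.
"""
from dataclasses import dataclass

IP_HDR = {4: 20, 6: 40}  # IPv4 header without options; IPv6 base header
UDP_HDR = 8
RTP_HDR = 12             # RTP fixed header, no CSRC list
ESP_HDR = 8              # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)
ESP_IV = 8               # AES-GCM IV carried in the packet (ASSUMPTION: AES-GCM)
ESP_ICV = 16             # 128-bit ICV (ASSUMPTION: AES-GCM)
ROHC_HDR = 3             # ASSUMPTION: steady-state ROHC header (IP/UDP/RTP or IP/ESP)


def esp_padding(plaintext_len: int) -> int:
    """ESP padding so that pad-length and next-header end on a 4-byte boundary.
    A CBC block cipher would need block alignment as well; GCM does not."""
    return (-(plaintext_len + ESP_TRAILER)) % 4


@dataclass(frozen=True)
class Budget:
    payload: int
    inner_headers: int  # IP/UDP/RTP inside ESP (or their ROHC replacement)
    esp: int            # ESP header, IV, padding, trailer, ICV
    outer_headers: int  # tunnel IP header (or its ROHC replacement)

    @property
    def total(self) -> int:
        return self.payload + self.inner_headers + self.esp + self.outer_headers

    @property
    def efficiency(self) -> float:
        """Fraction of bytes on the wire that are voice payload."""
        return self.payload / self.total


def tunnel_packet(payload: int, ip_version: int, hc_inner: bool = False,
                  hc_outer: bool = False) -> Budget:
    """Bytes on the wire for one RTP packet after ESP tunnel-mode encapsulation.

    hc_inner: HC over IPsec. The ESP endpoint compresses the inner IP/UDP/RTP
              headers before encryption, so the saving survives end to end.
    hc_outer: hop-by-hop HC on a link. ASSUMPTION: a ROHC IP/ESP profile
              replaces the outer IP header and the ESP SPI/sequence fields;
              it cannot see the encrypted inner headers.
    """
    if payload <= 0 or ip_version not in IP_HDR:
        raise ValueError("payload must be positive and ip_version 4 or 6")
    inner = ROHC_HDR if hc_inner else IP_HDR[ip_version] + UDP_HDR + RTP_HDR
    plaintext = inner + payload
    esp = ((0 if hc_outer else ESP_HDR) + ESP_IV + esp_padding(plaintext)
           + ESP_TRAILER + ESP_ICV)
    outer = ROHC_HDR if hc_outer else IP_HDR[ip_version]
    return Budget(payload, inner, esp, outer)


def compare(payload: int, ip_version: int) -> dict:
    """Total packet size per compression scenario."""
    return {
        "none": tunnel_packet(payload, ip_version).total,
        "hop-by-hop (outer only)": tunnel_packet(payload, ip_version, hc_outer=True).total,
        "HC over IPsec (inner only)": tunnel_packet(payload, ip_version, hc_inner=True).total,
        "both": tunnel_packet(payload, ip_version, hc_inner=True, hc_outer=True).total,
    }


if __name__ == "__main__":
    # Constructed sample: 20 bytes of G.729 voice (20 ms) per RTP packet.
    for version in (4, 6):
        print(f"IPv{version}:")
        for name, size in compare(20, version).items():
            print(f"  {name:28s} {size:4d} bytes  efficiency {20 / size:.1%}")
```

With the 20-byte voice frame the uncompressed IPv6 tunnel packet is 156 bytes, of which only 20 are payload; compressing the outer headers on the link gets that to 111, compressing the inner headers at the ESP endpoint to 100, and both together to 55. The same payload over an uncompressed IPv4 tunnel is 116 bytes, which is the doubling of the IP header cost the abstracts refer to.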
Self-assembly templates, consisting of micropatterned hydrophobic and hydrophilic regions, are fabricated using a plasma surface modification technique. With exposure to O₂ plasma, photoresist, silicon, and glass can be modified to hydrophilic surfaces. When followed by SF₆ or CF₄ plasma, the photoresist surface can be modified to hydrophobic while silicon and glass surfaces are not affected. The difference in surface energy between the hydrophilic and hydrophobic regions is large, as indicated by the differential contact angle of 120° between the two regions for wetting with water. Photonic crystals are made from colloidal solutions and protein patterning is demonstrated using self-assembly templates made by selective plasma surface modification. The maximized surface energy difference between substrate and template patterning allows ideal self-assembly of photonic crystals and selective attachment of proteins.
IPv6 extends the capabilities of legacy IPv4 networks. The advantages of IPv6, however, come at the cost of increased operational overhead. As government networks providing services to the global information grid (GIG) migrate toward an IPv6-based infrastructure, the implications of an expanded packet header must be analyzed. This article describes two IPv6-applicable header compression schemes developed by the IETF, and how networks across the GIG infrastructure can adopt them in an effort to reduce the expanded overhead requirements of IPv6.