Title: Beyond the VPN: Practical Client Identity in an Internet with Widespread IP Address Sharing
Authors: Yu Liu, Craig A. Shue
Published in: 2020 IEEE 45th Conference on Local Computer Networks (LCN)
Publication date: 2020-11-16
DOI: 10.1109/LCN48667.2020.9314846 (https://doi.org/10.1109/LCN48667.2020.9314846)
Open access: no
Citations: 1
Abstract
To support remote employees, organizations often use virtual private networks (VPNs) to provide confidential and authenticated tunnels between the organization's networks and the employees' systems. With widespread end-to-end application-layer encryption and authentication, the cryptographic features of VPNs are often redundant. However, many organizations still rely upon VPNs. We examine the motivations and limitations associated with VPNs and find that VPNs are often used to simplify access control and filtering for enterprise services. To avoid the limitations associated with VPNs, we propose an approach that allows straightforward filtering. Our approach provides evidence that a remote user belongs in a network, despite the address sharing present in tools like Carrier-Grade Network Address Translation. We preserve simple access control and eliminate the need for VPN servers, redundant cryptography, and VPN packet header overheads. The approach is incrementally deployable and provides a second factor for authenticating users and systems while minimizing performance overheads.