
Commit 8cc5ebd

committed
isolation and trust
1 parent 5c1a445 commit 8cc5ebd


2 files changed

+36
-32
lines changed


firewall.rst

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -756,12 +756,12 @@ variant of the first countermeasure in that it forces the attacker to
756756
use additional resources.
757757

758758
These examples are just two of many illustrating the need to program
759-
defensively. This is especially true for protocols that are purposely
760-
designed to process data from remote sources, exposing them to
761-
attempts to crash, hack, or as in the case of DoS attacks, simply
762-
consume the system. This topic ventures outside the scope of the book,
763-
but the following reference explores one approach addressing the
764-
challenge.
759+
defensively. This is especially true for protocols since they are
760+
purposely designed to process messages from remote sources, exposing
761+
them to attempts to crash, hack, or as in the case of DoS attacks,
762+
simply consume the system. This topic ventures outside the scope of
763+
the book, but the following reference explores one approach to
764+
addressing the challenge.
765765

766766
.. admonition:: Further Reading
767767

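Review bot: the rewrapped sentence still leaves a dangling parenthetical: `or as in the case of DoS attacks, simply consume the system` opens an aside without the comma that should precede it. Suggest `or, as in the case of DoS attacks, simply consume the system`. Replacing `data` with `messages` is the right call for a protocols chapter, and `purposely designed to process messages from remote sources` now states the exposure more precisely than before.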
systems.rst

Lines changed: 30 additions & 26 deletions
@@ -35,7 +35,7 @@ algorithm; if one of your cryptographic algorithms turns out to be
3535
flawed, it would be great if your entire security architecture didn’t
3636
need an immediate redesign.
3737

38-
7.1 Pretty Good Privacy (PGP)
38+
7.1 Pretty Good Privacy
3939
------------------------------------------
4040

4141
Pretty Good Privacy (PGP) is an approach to providing authentication,
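Review bot: the underline on the line after the title is now far longer than the shortened title `7.1 Pretty Good Privacy` (23 characters). reST only requires the underline to be at least as long as the title, so this still renders, but trimming it to the title's width keeps the source tidy and consistent across the headings touched in this commit. Nothing is lost by dropping `(PGP)` here, since the first body sentence still expands the acronym.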
@@ -113,7 +113,7 @@ the application works can you make the right choices about which attacks
113113
to defend against (like forged email) versus which to ignore (like
114114
delayed or replayed email).
115115

116-
7.2 Secure Shell (SSH)
116+
7.2 Secure Shell
117117
------------------------
118118

119119
The Secure Shell (SSH) protocol provides a remote login service,
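Review bot: removing `(SSH)` from the title is safe for readers because the body's first sentence still reads `The Secure Shell (SSH) protocol`, so the abbreviation is introduced at first use. If any `:ref:` targets, table-of-contents entries or cross-chapter mentions elsewhere in the book reproduce the old title text, they need the same edit in this commit.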
@@ -264,7 +264,7 @@ it is also the case that corporate firewalls often block port 22 (SSH's
264264
well-known port), limiting the situations in which SSH works as a
265265
VPN-like tunnel.
266266

267-
7.3 IP Security (IPsec)
267+
7.3 IP Security
268268
--------------------------------
269269

270270
One of the earliest efforts to integrate security into the Internet
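Review bot: unlike 7.1 and 7.2, the visible body text after this heading (`One of the earliest efforts to integrate security into the Internet`) does not expand the abbreviation, so once `(IPsec)` leaves the title, confirm that `IP Security (IPsec)` is spelled out at the term's first use in the section. The abbreviation is used without introduction further down in this same diff (`tunneling technologies such as IPsec or SSL`), so a reader of the shortened heading must pick it up from the body.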
@@ -388,7 +388,7 @@ such tunnels can be used to implement an entire virtual private
388388
network. But there is more to VPNs than just tunneling mechanisms, as
389389
we discuss below.
390390

391-
7.4 Virtual Private Networks (VPNs)
391+
7.4 Virtual Private Networks
392392
------------------------------------
393393

394394
A virtual private network (VPN) can be built using a wide variety of
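Review bot: consistent with the other heading changes, and the body's first sentence (`A virtual private network (VPN) can be built`) retains the acronym definition, so the title can safely lose `(VPNs)`. The underline on the following line now overshoots the 28-character title by a wide margin and could be trimmed at the same time.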
@@ -401,13 +401,12 @@ users, even though the underlying infrastructure is shared more
401401
widely. In practice, this means that a VPN is almost always built as
402402
some sort of overlay on shared infrastructure.
403403

404-
The type of VPN that we will focus on here uses
405-
tunneling technologies such as IPsec or SSL to provide private
406-
connectivity across the shared infrastructure of the Internet. We have
407-
already seen how encrypted tunnels can be established, but tunnels are
408-
just a building block for VPNs. VPN requirements vary among
409-
different use cases, so we begin our discussion by looking at some of
410-
the most common uses for VPNs.
404+
The type of VPN that we focus on here uses tunneling technologies such
405+
as IPsec or SSL to provide private connectivity across the shared
406+
infrastructure of the Internet. We have already seen how encrypted
407+
tunnels can be established, but tunnels are just a building block for
408+
VPNs. VPN requirements vary among different use cases, so we begin our
409+
discussion by looking at some of the most common uses for VPNs.
411410

412411
*Remote Access VPNs* are commonly used to support remote workers,
413412
telecommuters, or contractors who need access to corporate
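Review bot: while this paragraph is being reworded, `tunneling technologies such as IPsec or SSL` is inconsistent with the terminology used later in the same file, where the OpenVPN and WireGuard discussion says `TLS` (`more like IPsec than TLS`). Suggest `IPsec or TLS`, or `SSL/TLS` if the older name is wanted for readers who know OpenVPN as an "SSL VPN". The change from `we will focus` to `we focus` correctly matches the present-tense voice of the surrounding sentences.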
@@ -455,21 +454,21 @@ TLS. Client certificates may be used, but this raises the issue of how
455454
certificates can be reliably distributed to client devices. One option
456455
is that they are provisioned by a corporate IT department as part of
457456
setting up client devices. OpenVPN also allows for other
458-
authentication methods including username plus password and optionally
457+
authentication methods, including username plus password and optionally
459458
multi-factor authentication.
460459

461460
WireGuard is a more recent implementation of encrypted tunnels that
462461
aims to address some shortcomings that have emerged over years of
463462
using IPsec and OpenVPN tunnels. The paper below from NDSS 2017 lays
464463
out the design philosophy of WireGuard. Compared to OpenVPN, it is
465464
less complex by virtue of reducing the set of cryptographic algorithms
466-
that it supports. It establishes "stateless" tunnels that are more like
467-
IPsec than TLS—that is, there is no transport connection to
465+
that it supports. It establishes "stateless" tunnels that are more
466+
like IPsec than TLS—that is, there is no transport connection to
468467
establish. It also uses the idea of pre-shared public keys for mutual
469468
authentication, similar to the approach used in SSH. Finally, it is
470469
implemented in the operating system kernel, another contrast to
471-
OpenVPN that improves performance. For further details we refer you to
472-
the paper.
470+
OpenVPN, so as to improve performance. For further details we refer
471+
you to the paper.
473472

474473
.. admonition:: Further Reading
475474

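Review bot: `implemented in the operating system kernel, another contrast to OpenVPN, so as to improve performance` shifts the meaning of the sentence: the old wording stated that the kernel implementation improves performance, whereas `so as to` asserts the motive behind the design choice. If intent is not what is meant, `another contrast to OpenVPN, and one that improves performance` preserves the factual reading. The added comma after `authentication methods` is correct, since the list that follows is non-restrictive.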
@@ -485,7 +484,7 @@ administrative controls for managing user accounts and interfaces for
485484
passing the VPN traffic on to the corporate network. Note that a
486485
remote access VPN will almost always have to solve the problem of how
487486
to get traffic through the corporate firewall. We cover firewalls in a
488-
later chapter, but it is generally the case that VPN traffic will be
487+
later chapter, but it is generally the case that VPN traffic is
489488
allowed to traverse the firewall so that the VPN user can access
490489
corporate resources. The problems of this approach are discussed in
491490
the firewalls chapter.
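Review bot: `it is generally the case that VPN traffic is allowed to traverse the firewall` can be tightened to `VPN traffic is generally allowed to traverse the firewall`. More importantly, the paragraph sends the reader to the firewalls chapter twice within three sentences (`We cover firewalls in a later chapter` and `The problems of this approach are discussed in the firewalls chapter`); a single forward reference at the end would suffice.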
@@ -509,12 +508,17 @@ configuring routing protocols to forward traffic across the mesh of
509508
tunnels becomes significant.
510509

511510
The complexity of configuring and managing a VPN comprised of
512-
encrypted tunnels is one reason why MPLS VPNs, which outsource
513-
most of the complexity of VPN management to a service provider, became
514-
such a successful service offering in the early 2000s. MPLS does not
515-
protect privacy using encryption, but it does solve the issues of routing
516-
traffic among large numbers of sites and ensures that the traffic
517-
belonging to one customer from does not leak to the network of another.
511+
encrypted tunnels is one reason why MPLS VPNs, which outsource most of
512+
the complexity of VPN management to a service provider, became such a
513+
successful service offering in the early 2000s. MPLS does not protect
514+
privacy using encryption, but it does solve the issues of routing
515+
traffic among large numbers of sites, and with respect to security,
516+
ensures that the traffic belonging to one customer does not leak to
517+
the network of another. Said another way, MPLS isolates users (private
518+
networks) from each other, but users trust that the service provider
519+
does not snoop on the traffic they carry. This is a trust assumption
520+
that typically does not hold for a VPN that traverses the public
521+
Internet.
518522

519523
Several approaches to reduce the configuration overhead for VPNs using
520524
encrypted tunnels have appeared in recent years. With the rise of
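Review bot: in the new sentence `users trust that the service provider does not snoop on the traffic they carry`, the pronoun `they` grammatically refers back to `users`, but it is the provider that carries the traffic; `the traffic it carries` removes the ambiguity. Two smaller points: `sites, and with respect to security, ensures` wants the first comma moved (`sites and, with respect to security, ensures`), and the closing sentence would land harder if it named the consequence the paragraph is building toward, for example `... does not hold for a VPN that traverses the public Internet, which is why such VPNs rely on encryption rather than provider isolation for confidentiality`. The stray `from` in `one customer from does not leak` is correctly removed.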
@@ -618,7 +622,7 @@ to a VPN concentrator with a public IP address, or between a pair of
618622
edge routers, but it has to be solved if you want to build
619623
client-to-client tunnels. There are quite a few details to getting
620624
this to work, especially given that NAT devices don't all behave the
621-
same way, and there may be firewalls to travese as well. An IETF
625+
same way, and there may be firewalls to traverse as well. An IETF
622626
standard called STUN (Session Traversal Utilities for NAT) plays an
623627
important part, and the centralized control plane helps to resolve
624628
some of the more difficult corner cases. You can read more about the
@@ -639,7 +643,7 @@ networking, a topic we discuss in chapter 9.
639643
Tailscale blog, 2020.
640644

641645

642-
7.5 Web Authentication (WebAuthn) and Passkeys
646+
7.5 Web Authentication and Passkeys
643647
----------------------------------------------------------------
644648

645649
While public key cryptography has been well understood for decades,
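Review bot: after `(WebAuthn)` is removed from the title, the abbreviation is no longer introduced anywhere in the visible context; the first body line (`While public key cryptography has been well understood for decades,`) opens with background rather than a definition, so check that `Web Authentication (WebAuthn)` is spelled out at the term's first use in the section. The underline on the following line is also now roughly twice the width of the title and could be shortened.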
@@ -804,7 +808,7 @@ redundant. Not all users are that careful, of course, but there are
804808
also control packets exchanged between the wireless device and the
805809
wired infrastructure, and that communication must be secured.
806810

807-
7.6.1 Wi-Fi (802.11i)
811+
7.6.1 Wi-Fi
808812
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
809813

810814
It has long been understood how easy it is for an employee of a
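Review bot: `802.11i` is not an acronym that the body re-introduces the way `(PGP)` or `(SSH)` are; it identifies the specific amendment this subsection covers, and the visible body line (`It has long been understood how easy it is for an employee of a`) does not mention it. Make sure the standard number survives somewhere in the first paragraph, otherwise readers lose the pointer to which Wi-Fi security standard is being described.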
