Padding
This field has a variable length and is used as a filler to guarantee that the data starts on a 32-bit boundary.
Data
This field contains the data in the datagram and is passed to a higher level protocol, as specified in the protocol field.
3.4 Internet Protocol Version 6 (IPv6)
Due to the fact that the Internet is growing extremely rapidly, the Internet Engineering Task Force (IETF) began looking at the problem of expanding the IP address space in 1991. The effort to define a new version of IP is now known as IPv6, which provides a 128-bit address space, as opposed to the 32 bits of version 4. This means that IPv4 can potentially provide 4 billion possible addresses while IPv6 can provide 3.4 × 10^38. IPv6 retains many of the design features that have made IPv4 so successful. For example, both of them are connectionless, which means that each datagram contains a destination address and each datagram is routed independently.
Despite retaining the basic concepts from IPv4, IPv6 changes all the details. For example, it uses larger addresses and an entirely new datagram header format. It uses a series of fixed length headers to handle optional information instead of a single header with a variable length options field [PETER00] and [COMER99].
But in this report the currently deployed version, IPv4, is the chosen environment.
4. Virtual Private Network (VPN)
A VPN is a private data network that makes use of the public telecommunication infrastructure, the Internet. It transports IP packets across the Internet backbone by establishing endpoints that negotiate a common encryption and authentication scheme prior to the transport.
Using the Internet to create VPNs enables effective communication for companies to compete and serve customers where timely access to business information is essential. It provides access to information at a reasonable cost compared to leased lines, which is far too expensive today.
In VPNs, “virtual” implies that the network is dynamic, with connections set up according to the organisational needs. Unlike the leased line links used in traditional VPNs, dynamic VPNs do not maintain permanent links between the endpoints that make up the corporate network. Instead, a connection is created between two sites when it is needed. When the connection is no longer needed, it is terminated, making the bandwidth and other network resources available for other uses. A properly designed VPN enables an appropriate medium for business communications by guaranteeing reliability and quality of service, operational manageability and security [Hurwi97], [VPNet00], [Virtu98] and [KOSIU98].
4.1 Common VPN situations
Three commonly used methods of creating VPNs [KOSIU98], [Virtu98], [VPNet00] and [Hurwi97] are as follows:
- Remote user access over Internet. Provides remote access to the destination host over the Internet, while maintaining privacy of information as shown by Figure 4.
Rather than using a leased line, the source host first calls the local Internet Service Provider (ISP). The VPN software uses the local ISP connection and the public Internet to create a virtual private network between the dial-up user and the destination VPN server [Virtu98].
- Connecting networks over Internet. Provides connection for Local Area Networks (LAN) at remote sites as shown by Figure 4.1.
By having the destination host router connected to its local ISP using a dedicated line, it will be able to listen 24 hours a day for incoming VPN traffic. The source host routers can either have a dedicated line to their local ISP or call the local ISP using a dial-up connection. The VPN software uses the connections to the local ISPs to create a virtual private network between the source host router and the destination host router across the Internet. Note that in both cases, the facilities that connect the source host router and destination host router to the Internet are local [KOSIU98], [Virtu98] and [VPNet00].
- Connecting computers over an intranet. Provides connection between two computers on the same Local Area Network (LAN) as shown by Figure 4.2.
In some corporate internetworks, data is so sensitive that the LAN is physically disconnected from the rest of the corporate internetwork. While this protects the department's confidential information, it creates information accessibility problems for those users not physically connected to the separate LAN.
VPNs allow the department's LAN to be physically connected to the corporate internetwork but separated by a VPN server. Note that the VPN server is NOT acting as a router between the corporate internetwork and the department LAN. A router would interconnect the two networks, allowing everyone access to the sensitive LAN [KOSIU98], [Virtu98] and [VPNet00].
4.2 VPN Encapsulation
For VPNs, the encapsulation may include encrypting the original packet and adding a new IP header to the packet. At the receiving end, the security gateway (a router or firewall) removes the new IP header and decrypts the packet if necessary, forwarding the original packet to its destination. The Authentication Header (AH) is used to provide integrity and authentication to IP datagrams. The Encapsulating Security Payload (ESP) is used to provide integrity checking, authentication and encryption to IP datagrams [MURHA98] and [KOSIU98].
This is illustrated in Figure 4.3 [KOSIU 98].
This will be described in more detail further on in the report.
4.3 Security in VPN
A prime requirement for creating an Internet-based VPN is security. This is due to the fact that the Internet is a large cloud of interconnected networks, with most of its traffic being transmitted as open, or unencrypted, data [KOSIU98].
VPNs need to provide four critical functions to ensure security for the data being sent over the tunnel [ATKIN95]. These functions are as follows:
- Authentication. Ensuring that the data is coming from the source from which it claims to come.
- Access control. Restricting unauthorised users from gaining admission to the network.
- Confidentiality. Preventing anyone from reading or copying your data as it travels across the Internet.
- Data integrity. Ensuring that no one tampers with data as it travels across the Internet.
Deploying security services at the lowest layer of the Open Systems Interconnection (OSI) model, the Physical Network layer, makes much of the security service transparent to the user. The focus when describing Internet VPNs, however, will be on layers 2 and 3, the Data-Link and Network layers of the OSI model. Services such as authentication, encryption and data integrity are offered at these layers [ATKIN95], [KOSIU98] and [MURHA98].
4.3.1 Implementation of Security In VPN
Implementation of security in VPNs can take two forms, which affect the individual’s responsibility for securing his own data. They are as follows:
- End-to-end communication, which takes place between two computers.
- Node-to-node communication, which takes place between other network components, such as firewalls or routers.
In node-to-node communication, the security requires that the subnetworks behind the node must be trusted/protected subnetworks. A trusted/protected subnetwork is one that is secure against other attacks that unauthorised users might try. Using security on a node-to-node basis can make the security service more transparent to the end-users and relieve them of some of the heavy-duty computational requirements, such as for encryption.
The security in end-to-end communication is inherently more sound than node-to-node security due to the fact that the sender and the receiver are directly in contact. But it does have the disadvantage of increasing complexity for the end-user, and it can be more challenging to manage [KOSIU98], [MURHA98], [ATKIN95], [Virtu98] and [Cheng97].
5. Tunnelling Technology
5.1 Tunnelling
Using the tunnelling technology, which is a virtual connection between locations that are connected in a VPN, allows a network transport protocol to carry information for other protocols within its own packets. This means that the datagram or payload to be transferred can be the frames or packets of another protocol [BEYDA96], [PETER00] and [Virtu98].
To create a tunnel the source host encapsulates its datagram in an additional header for transit across the Internet. The additional header provides routing information so that the encapsulated datagram can traverse the Internet. The encapsulated packets are then routed between tunnel endpoints over the Internet. The logical path through which the encapsulated packets travel through the Internet is called a tunnel. Once the encapsulated frames reach their destination on the Internet, the frame is decapsulated and forwarded to its final destination [Virtu98], [BEYDA96] and [KOSIU98].
Tunnelling includes the entire process of encapsulation, transmission and decapsulation of packets [Virtu98].
Tunnels can consist of two types of endpoints, either an individual computer or a LAN with a security gateway, such as a router or firewall as shown by Figure 5. The two most used [KOSIU98] endpoint combinations in VPNs are:
- LAN-to-LAN tunnelling, where a security gateway at each endpoint serves as the interface between the tunnel and the private LAN.
- Client-to-LAN tunnelling, which is usually set up for a mobile user with the special client software on his computer who wants to connect to the corporate LAN.
5.2 Two Categories of Tunnels
Tunnels are usually divided into two categories, permanent or temporary. Permanent, or static, tunnels as they are often called, are of little use for VPNs, because they will tie up bandwidth even if it is not being used. Temporary, or dynamic, tunnels are much more interesting and useful for VPNs, because they do not require constant reservation of bandwidth. By setting up dynamic tunnels when needed and tearing them down after they are no longer needed, bandwidth utilisation is reduced and costs are lower [KOSIU98], [Virtu98] and [BEYDA96].
5.3 The tunnelling protocols behind Internet VPNs
For a tunnel to be established, both the tunnel client (source host) and the tunnel server (destination host) must be using the same tunnelling protocol.
Tunnelling technology can be based on either a Layer 2 or Layer 3 tunnelling protocol. These layers correspond to the Open Systems Interconnection (OSI) Reference Model. Layer 2 protocols correspond to the Data Link layer, and use frames as their unit of exchange. Layer 3 protocols correspond to the Network layer, and use packets [KOSIU98], [Virtu98] and [SIMPS95].
There are three major protocol technologies proposed for building VPNs [KOSIU98], [TOWNS99], [SIMPS94] and [VALEN98]:
- Internet Protocol Security (IPSec) is a Layer 3 solution standard, created to add security to TCP/IP networking. It is a collection of security measures that address data privacy, integrity, authentication and key management, in addition to tunnelling.
- Point-to-Point Tunnelling Protocol (PPTP) is a Layer 2 solution created to support packet tunnelling. It is strictly a tunnelling protocol and does not include encryption or key-management mechanisms.
- Layer 2 Tunnelling Protocol (L2TP) was created as the successor to the two tunnelling protocols, PPTP created by Microsoft, and Layer 2 Forwarding (L2F) created by Cisco. It is strictly a tunnelling protocol and does not include encryption or key-management mechanisms.
As mentioned above, PPTP and L2TP are Layer 2 tunnelling protocols. Both encapsulate the payload in a Point-to-Point Protocol (PPP) frame to be sent across an internetwork. IPSec tunnel mode is an example of a Layer 3 tunnelling protocol. It encapsulates IP packets in an additional IP header before sending them across an IP internetwork [TOWNS99], [KOSIU98], [SIMPS94] and [Virtu98].
IPSec is often considered the best VPN solution for IP environments, because it includes strong security measures, notably encryption, authentication and key management, in its standards set. Due to the fact that neither PPTP nor L2TP includes encryption or key-management mechanisms, IPSec is recommended for handling IP packets only, while PPTP and L2TP are more suitable for use in multiprotocol non-IP environments, such as NETBEUI, IPX and AppleTalk [KOSIU98].
5.3 How Tunnelling Works
For Layer 2 tunnelling technologies such as PPTP and L2TP, a tunnel is similar to a session; both of the tunnel endpoints must agree to the tunnel and must negotiate configuration variables, such as address assignment or encryption or compression parameters. In most cases, data transferred across the tunnel is sent using a datagram-based protocol. A tunnel maintenance protocol is used as the mechanism to manage the tunnel [KOSIU98], [SIMPS94] and [Virtu98].
Layer 3 tunnelling technologies generally assume that all of the configuration issues have been handled out of band, often by manual processes. For these protocols, there may be no tunnel maintenance phase. For Layer 2 protocols such as PPTP and L2TP a tunnel must be created, maintained, and then terminated.
Once the tunnel is established, tunnelled data can be sent. The tunnel client or server uses a tunnel data transfer protocol to prepare the data for transfer. For example, when the tunnel client sends a payload to the tunnel server, the tunnel client first appends a tunnel data transfer protocol header to the payload. The client then sends the resulting encapsulated payload across the internetwork, which routes it to the tunnel server. The tunnel server accepts the packets, removes the tunnel data transfer protocol header, and forwards the payload to the target network. Information sent between the tunnel server and the tunnel client behaves similarly [SIMPS94] and [Virtu98].
5.4 Tunnel Types
Tunnels can be created in different ways:
- Voluntary tunnels. A user or client computer can issue a VPN request to configure and create a voluntary tunnel. In this case, the user's computer is a tunnel endpoint and acts as the tunnel client.
- Compulsory tunnels. A VPN-capable dial-up access server configures and creates a compulsory tunnel. With a compulsory tunnel, the user's computer is not a tunnel endpoint. Another device, the remote access server, between the user's computer and the tunnel server is the tunnel endpoint and acts as the tunnel client.
Voluntary tunnels are created at the request of the user for a specific use. Compulsory tunnels are created automatically without any action from the user. Because a compulsory tunnel has predetermined endpoints and the user cannot access other parts of the Internet, these tunnels offer better access control than voluntary tunnels. Another advantage of a compulsory tunnel is that multiple connections can be carried over a single tunnel. But one disadvantage is the non-protected initial link of the connection, which is outside the tunnel and therefore more vulnerable to attack [SIMPS94]. This will be explained in detail further on in the report.
6. Internet Protocol Security (IPSec)
The Internet Protocol version 4 (IPv4) does not inherently provide any protection to the transferred data. It does not even guarantee that the sender is who he says he is.
To address the issue of providing packet-level security in IP-based communication, the Internet Engineering Task Force (IETF) developed the first protocols comprising the Layer 3 protocol, IPSec. IPSec tries to remedy the security problems by providing the following services [KENTS98], [03ATK95], [02ATK95] and [Virtu98]:
- Makes sure it is hard for anyone but the receiver to understand what data has been communicated. For example, nobody will be able to see the password typed when logging into a remote machine over the Internet.
- Guarantees that the data will not be modified on the way. For example, when sending invoicing data online, the user would like to know that the amounts and account numbers are correct and not altered while in transit.
- Signing the data being sent enables the receiver to recognise that it comes from the right sender.
- Different methods are necessary to ensure that a transaction is only carried out once unless the user is authorised to repeat it. For example, it should not be possible for someone to record a transaction and then replay it verbatim, in order to get the effect of multiple transactions being received by the peer.
The services mentioned above are considered distinct, but the IPSec supports them in a uniform manner. As defined by the IETF, IPSec provides confidentiality, integrity, authenticity, and replay protection through two new protocols.
Confidentiality means that the contents are not visible to third parties, even if they have access to the data in transit. Authenticity means that you can be sure that the data came from whom it says it came from. Integrity means that you can be sure that it hasn't been altered. The two protocols providing these traffic security services are called AH, Authentication header, and ESP, Encapsulated security payload [FRATT00], [KENTS98], [03ATK95], [02ATK95] and [Virtu98].
6.1 Authentication Header and Encapsulated Security Payload
Authentication Header (AH) provides authentication, integrity, and replay protection, but not confidentiality. Its main difference from Encapsulated Security Payload (ESP) is that AH also secures parts of the IP header of the packet, for example the source or destination addresses. ESP, on the other hand, can provide authentication, integrity, replay protection, and confidentiality of the data. This means that it secures everything in the packet that follows the header [MURHA98], [KENTS98] and [03ATK95].
To be able to provide confidentiality, data integrity and authentication, IPSec is built around a number of standardised cryptographic technologies. For example, IPSec uses the following [KOSIU98]:
- Diffie-Hellman key exchanges to deliver secret keys between peers on a public net
- Public-key cryptography for signing Diffie-Hellman exchanges to guarantee the identities of the two parties and avoid man-in-the-middle attacks
- DES and other bulk-encryption algorithms for encrypting data
- Keyed hash algorithms (HMAC, MD5 and SHA) for authenticating packets
- Digital certificates for validating public keys
The use of all the technologies mentioned above within IPSec has been carefully laid out in architectural documents like RFC 1825 and newer versions. For more information about them refer to the RFC 1825 and 1826 documents.
The protocols AH and ESP need to set up the desired cryptographic technologies for each connection, specifying exactly how the wanted protection will be added. For example, the two parties have to be using the same cryptographic algorithm, the same key length and the same keys for the exchange of secure data. These parameters are collected in an entity called a Security Association (SA). When two peers have set up matching SAs at both ends, packets protected with one end's SA can be verified and/or decrypted using the other end's SA. The only problem left is to see that both ends have matching SAs, which can be done manually, or automatically with a key management mechanism. Although IPSec specifies default algorithms for authentication and encryption, it also allows other algorithms to be used. To help simplify and organise the many parameters that need to be specified for the SA, IPSec uses a Domain of Interpretation (DOI) to standardise the expected parameters for a given protocol’s SA [KENTS98], [MURHA98], [03ATK95], [KOSIU98] and [FRATT00].
Figure 6 illustrates the IPSec architecture, showing the relationship between the different components of IPSec: the AH protocol, the ESP protocol, the SA, the DOI and key management [KOSIU98].
Each of these components will be further described in the following sections. But for better understanding on how they operate, the two different modes of IPSec must be covered.
6.2 Two Modes of IPSec
There are two modes of IPSec applied depending on whether the endpoint doing the IPSec encapsulation is the original source of the data or a gateway [FRATT00]:
- Transport mode simply applies the IPSec protocols to an IP packet and leaves the original IP header visible. Transport mode can be used only in a host-to-host IPSec VPN.
- Tunnel mode IPSec encapsulates the original IP packet into an IPSec packet with a new IP header. Tunnel mode effectively hides the original IP packet from view. Tunnel mode IPSec must be used in host-to-gateway IPSec, the common remote-access scenario.
Leaving the packet's original IP header visible in transport mode makes it possible for the source and destination IP addresses to be modified if the packet is intercepted [KOSIU98].
6.3 Security Association
As mentioned earlier in Section 6 of the report, IPSec VPNs exchange information through logical connections called SAs. An SA is simply a definition of the protocols, algorithms and key validity time period used by the endpoints. Each IPSec VPN has two SAs, one in each direction. SAs are identified by three identifiers. One of them is a unique number called the Security Parameter Index (SPI), which is assigned by the destination to each SA. The other two identifiers are the destination address and the protocol. The SPI is assigned by the destination, which guarantees its uniqueness: a destination endpoint may have a manually configured SPI defined that the originator would not know about [FRATT00].
Finally, the Internet Key Exchange (IKE) is a separate SA that is used to negotiate the other IPSec protocol parameters. IKE is active during the entire lifetime of the lower-level SA [FRATT00]. For more detailed information about IKE, refer to the RFC 1825 document.
SAs are good for building multiple secure VPNs. It enables the business to give access to their network by linking two or more VPNs together, but not giving them full access to the headquarters network’s resources. This is accomplished by setting up specific SAs between them.
SAs are good for only one-way communication, due to the fact that they are defined for transferring data between a sender and a receiver but not for any exchanges in the opposite direction. If two-way communication is necessary, two SAs must be agreed upon [KOSIU98].
6.4 Authentication Header (AH) in Transport Mode
As mentioned earlier in Section 6.1 of the report, AH provides most of the authentication service for IP data. It contains a cryptographic checksum for the packet’s contents and is inserted into the packet between the IP header and any subsequent packet’s data as shown by Figure 6.1 on the next page [02ATK95] and [KOSIU98]. The cryptographic checksum is the output of the authentication algorithm calculated over the entire IP datagram.
The IP AH contains five fields: the Next Header field found in all IP headers, a Payload Length, the Security Parameter Index (SPI), a sequence number and authentication data [02ATK95] and [KOSIU98]. Two items are of particular note in the AH:
- Security Parameter Index (SPI), which specifies to the device receiving the packet what group of security protocols the sender is using for communications
- The authentication data itself, which is obtained by applying the cryptographic algorithm defined by the SPI to the packet’s payload
For more detailed information about how each field of the AH operates, refer to the RFC 1826 document.
Note that the AH does nothing to keep the data confidential. An attacker will be able to read the content of the packet, but will not be able to replay it. To protect the data against eavesdropping, the second component of IPSec, the ESP, is necessary [02ATK95] and [KOSIU98].
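As an added example (not code from the report or from any IPSec implementation), the following Python sketch builds and verifies an AH transport-mode packet with HMAC-SHA1-96 as the authentication algorithm. The receiver selects the SA by the (SPI, destination address, protocol) triple described in Section 6.3 and applies a simplified anti-replay rule (the sequence number must exceed the highest one accepted, rather than the RFC 2402 sliding window). Addresses, key and payload are constructed, and the IPv4 header checksum is left zero because AH treats it as a mutable field anyway.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51   # IP protocol number for the Authentication Header
TCP_PROTO = 6   # Next Header value of the original (TCP) payload
ICV_LEN = 12    # HMAC-SHA1-96: the SHA-1 HMAC truncated to 96 bits


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options; the checksum stays zero here
    because it is a mutable field that AH excludes from the ICV anyway."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, ip(src), ip(dst))


def ah_icv_input(ip_hdr, ah_fixed, payload):
    """Bytes covered by the ICV: the IP header with its mutable fields (TOS,
    flags/fragment offset, TTL, checksum) zeroed, the AH header with the ICV
    zeroed, and the whole payload. Addresses stay in, so AH detects their change."""
    v = bytearray(ip_hdr)
    v[1] = 0
    v[6:8] = b"\x00\x00"
    v[8] = 0
    v[10:12] = b"\x00\x00"
    return bytes(v) + ah_fixed + b"\x00" * ICV_LEN + payload


def ah_protect(src, dst, spi, seq, key, payload, next_header=TCP_PROTO):
    """Sender: return IP header | AH | original payload (transport mode)."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # Next Header, Payload Len (AH length in 32-bit words minus 2), Reserved, SPI, Sequence Number
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(packet, sadb):
    """Receiver: select the SA by (SPI, destination, protocol), recompute the ICV,
    then reject any sequence number not above the highest accepted so far."""
    ip_hdr, rest = packet[:20], packet[20:]
    dst = ".".join(str(b) for b in ip_hdr[16:20])
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    sa = sadb.get((spi, dst, AH_PROTO))
    if sa is None:
        raise ValueError("no SA for SPI %#x" % spi)
    expected = hmac.new(sa["key"], ah_icv_input(ip_hdr, rest[:12], payload), hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: header or payload was modified")
    if seq <= sa["last_seq"]:
        raise ValueError("sequence number %d already seen: replay" % seq)
    sa["last_seq"] = seq
    return next_header, payload


def outcome(packet, sadb):
    try:
        ah_verify(packet, sadb)
        return "ok"
    except ValueError:
        return "rejected"


def demo():
    """Constructed scenario: one inbound SA on host B for traffic from host A (one SA
    per direction), then a replay, an in-transit TTL change, a forged source address
    and a modified payload."""
    key = b"constructed-hmac-key-0123456789"[:20]
    src, dst, spi = "198.51.100.5", "203.0.113.7", 0x1001
    sadb = {(spi, dst, AH_PROTO): {"key": key, "last_seq": 0}}   # receiver's SA database
    req = b"GET / HTTP/1.0\r\n"
    results = {}
    p1 = ah_protect(src, dst, spi, 1, key, req)
    results["first"] = outcome(p1, sadb)
    results["replay"] = outcome(p1, sadb)            # same packet resent: caught by the sequence check
    p2 = bytearray(ah_protect(src, dst, spi, 2, key, req))
    p2[8] -= 1                                       # a router decremented the TTL: still verifies
    results["ttl_changed"] = outcome(bytes(p2), sadb)
    p3 = bytearray(ah_protect(src, dst, spi, 3, key, req))
    p3[12] ^= 1                                      # source address altered: ICV fails
    results["src_changed"] = outcome(bytes(p3), sadb)
    p4 = bytearray(ah_protect(src, dst, spi, 4, key, req))
    p4[-1] ^= 1                                      # payload altered: ICV fails
    results["payload_changed"] = outcome(bytes(p4), sadb)
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the points made above in one pass: the first packet verifies, an exact copy is rejected by the sequence-number check, a TTL change made by a router is tolerated because TTL is a mutable field outside the ICV, and changing either the source address or the payload breaks the ICV.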
6.5 Encapsulating Security Payload (ESP) in Transport Mode
ESP is responsible for encrypting the packet, including the payload/data. It is inserted into the packet between the IP header and any subsequent packet content, as shown by Figure 6.2. Like AH, the ESP header contains an SPI to indicate to the receiver which security association is appropriate for processing the packet, and it provides protection against replay attacks. Replay attacks are when an attacker copies a packet and sends it out of sequence to confuse the communicating nodes [03ATK95].
The remaining parts of the packet, except for the authentication data, are encrypted prior to transmission across the network [KOSIU98] and [03ATK95].
Any number of encryption protocols are supported by ESP and can be set by the user. But IPSec specifies a basic DES with Cipher Block Chaining (DES-CBC) cipher as its default, to guarantee minimal interoperability among IPSec networks. For more information about DES-CBC, refer to the RFC 2401 document.
ESP is also used for authentication. The ESP authentication field is an optional field in the ESP header containing a cryptographic checksum. This checksum varies in length depending on the authentication algorithm used. It may also be omitted entirely, if authentication services are not selected for the ESP.
The authentication provided by the AH differs from that provided in the ESP. The ESP authentication services do not protect the IP header that precedes the ESP, although they do protect an encapsulated IP header in tunnelling mode. The AH services protect this external IP header, along with the entire contents of the ESP packet.
A major question that needs to be answered here is: if AH was already assigned for authenticating packets, why include an authentication option in ESP? The answer lies in the idea of using ESP for both encryption and authentication, rather than ESP and AH together. This reduces the amount of copying done during packet processing and requires only one transform operation, rather than one each for ESP and AH, making packet processing more efficient. AH is meant for occasions when only packet authentication is needed. ESP, on the other hand, is required when both authentication and privacy are needed [KOSIU98] and [03ATK95].
6.6 AH and ESP in Tunnel Mode
As mentioned earlier in Section 6.2 of the report, there are two different modes of IPSec in which AH and ESP are applied to an IP packet. The two modes are called transport mode, where only the Transport Layer segment of an IP datagram is processed, and tunnel mode, where the entire IP packet is authenticated or encrypted.
The process of AH and ESP in transport mode is described in Sections 6.4 and 6.5 earlier of this report.
In tunnel mode, the inner IP header contains the ultimate source and destination address, while the outer header contains other IP addresses for example, those of the security gateway. In tunnel mode AH protects the entire IP packet, including the inner IP header as shown by Figure 6.3 below. Because AH only protects the packet’s contents against modification, other means are needed to ensure the data’s privacy. The idea in tunnel mode is to extend such protection to the IP header’s contents, particularly the source and destination addresses [KOSIU98] and [03ATK95].
Tunnel mode ESP provides security for each IP packet by also encrypting the entire packet as shown by Figure 6.4. After the packet’s contents including the original header are encrypted, tunnel mode ESP generates a new IP header for routing the secured datagram from sender to receiver. But this does not guard against all types of traffic analysis on the Internet. This is due to the fact that IP addresses of the sending and receiving gateways can still be determined by examining the packet headers [03ATK95].
To be able to provide the best security offered the idea is to use tunnel mode to authenticate or encrypt a packet and its header by applying AH or ESP. Note that they are not used together in tunnel mode due to the fact that ESP provides its own authentication option. On the other hand both AH and ESP must be provided in transport mode to enable the best security offered [03ATK95] and [KENTS98].
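The following Python example is added here and is not the report's code or that of any IPSec stack. It assembles an ESP tunnel-mode packet between two constructed gateway addresses and shows what survives on the wire, which also illustrates the Section 5.3 statement that IPSec tunnel mode wraps IP packets in an additional IP header. Because the Python standard library has no DES, a keystream derived from HMAC-SHA256 in counter mode stands in for the default DES-CBC cipher, and the trailer pads to a 4-byte rather than an 8-byte boundary; the ESP layout (SPI, sequence number, encrypted inner packet and trailer, HMAC-SHA1-96 ICV) and the new outer IP header follow the description above. Keys, addresses and the inner data are constructed.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50      # IP protocol number for ESP
IPIP_PROTO = 4      # Next Header value meaning "an entire IP packet follows" (tunnel mode)
ICV_LEN = 12        # HMAC-SHA1-96 authentication data


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options (checksum left zero for brevity)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, ip(src), ip(dst))


def keystream_xor(key, nonce, data):
    """Stand-in for the report's DES-CBC (not in the Python standard library): XOR the
    data with HMAC-SHA256(key, nonce || counter) blocks. Present only so the ESP
    framing can be run end to end; it is not an IPSec transform."""
    blocks = b"".join(hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, blocks))


def esp_tunnel_protect(gw_src, gw_dst, spi, seq, enc_key, auth_key, inner_packet):
    """Security gateway, outbound: encrypt the entire original IP packet plus the ESP
    trailer, authenticate SPI|seq|ciphertext, and prepend a new IP header between
    the gateways."""
    pad_len = (-(len(inner_packet) + 2)) % 4          # trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))           # 1, 2, ... default padding pattern
    plaintext = inner_packet + padding + bytes([pad_len, IPIP_PROTO])
    esp_hdr = struct.pack("!II", spi, seq)           # SPI and sequence number travel in the clear
    ciphertext = keystream_xor(enc_key, esp_hdr, plaintext)
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    body = esp_hdr + ciphertext + icv
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(body)) + body


def esp_tunnel_unprotect(packet, enc_key, auth_key):
    """Security gateway, inbound: the ICV covers the ESP header and ciphertext only,
    so the outer IP header may change in transit without failing the check."""
    body = packet[20:]
    esp_hdr, ciphertext, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    plaintext = keystream_xor(enc_key, esp_hdr, ciphertext)
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != IPIP_PROTO:
        raise ValueError("not a tunnel-mode packet")
    return plaintext[:len(plaintext) - pad_len - 2]   # the original inner IP packet


def transit_view(packet):
    """What an observer on the Internet can read: outer addresses, protocol and SPI."""
    fmt = lambda b: ".".join(str(x) for x in b)
    return {"src": fmt(packet[12:16]), "dst": fmt(packet[16:20]),
            "protocol": packet[9], "spi": struct.unpack("!I", packet[20:24])[0]}


def demo():
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    secret = b"salary list: confidential"
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 6, 20 + len(secret)) + secret   # private addresses
    pkt = esp_tunnel_protect("198.51.100.1", "203.0.113.1", 0x2002, 1, enc_key, auth_key, inner)
    results = {"transit": transit_view(pkt), "inner_hidden": secret not in pkt,
               "recovered": esp_tunnel_unprotect(pkt, enc_key, auth_key) == inner}
    ttl_changed = bytearray(pkt)
    ttl_changed[8] -= 1                              # a router changed the outer TTL
    results["outer_change_accepted"] = esp_tunnel_unprotect(bytes(ttl_changed), enc_key, auth_key) == inner
    tampered = bytearray(pkt)
    tampered[30] ^= 0x80                             # a ciphertext byte flipped in transit
    try:
        esp_tunnel_unprotect(bytes(tampered), enc_key, auth_key)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

demo() confirms the coverage claims of Sections 6.5 and 6.6: a transit observer sees only the gateway addresses and the SPI, not the inner addresses or data; a change to the outer TTL does not fail the ICV, because ESP authentication starts at the ESP header and leaves the outer IP header unprotected; and a flipped ciphertext byte is detected before anything is decrypted.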
One of the advantages of IPSec is that it operates at the network layer, whereas other approaches insert security at the application layer. The benefit of network layer security is that it can be deployed independently of applications running on the network. This means that organizations are able to secure their networks without deploying and coordinating security on an application-by-application basis.
But not all VPNs need to be so involved. Smaller businesses can also use other solutions, such as PPTP and L2TP, which are similar to each other and do not offer all the options or protections that IPSec does [KOSIU98].
The following chapters describe these protocols used in VPN.
7. Point-to-Point Tunnelling Protocol (PPTP)
The PPTP was first created by a group of companies consisting of Microsoft, 3Com, ECI Telematics and US Robotics. The basic idea behind PPTP is to enable remote users to dial into the local number of their Internet Service Provider (ISP) and take advantage of the Internet’s infrastructure to securely tunnel into their corporate network. In other words, instead of having to dial up the corporate network directly, a remote user could log in to a local ISP, and PPTP will make the connection from that provider to the corporate network's Internet connection. From there, it continues into the corporate network the same as if the user dialled in directly. Using a service provider lets remote users call a local number or use a network they are already connected to, while having to dial up via a phone connection usually means having to pay for long-distance calls and making the information technology department keep a bank of dial-up modems in operation [GURMA99], [HAMEZ96] and [KOSIU98].
One of the main advantages with PPTP is that it is designed to run at Layer 2, or the Link layer, as opposed to IPSec, which runs at Layer 3. By supporting data communication at Layer 2, PPTP can transmit protocols other than IP packets over its tunnel [HAMEZ96].
7.1 PPP and PPTP
The most commonly used protocol for direct dial-up access to the Internet is the Point-to-Point Protocol (PPP) used by Microsoft Windows. PPTP is based on the PPP functionality to provide dial-up access that can be tunnelled through the Internet to a destination site. PPTP encapsulates PPP packets using a modified version of the Generic Routing Encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP, such as IPX and NETBEUI for example.
This enables the “non-IP protocols” to travel through an IP network, without user intervention. That's key, because it saves companies the need to build proprietary and dedicated network connections for their remote users and instead lets them use the Internet as the conduit [GURMA99], [SIMPS94] and [KOSIU98].
PPTP depends on PPP for its authentication mechanism. A secure authentication scheme provides protection against replay attacks and remote client impersonation. Most implementations of PPP provide limited authentication methods [Hurwi97], [HAMEZ96] and [KOSIU98], such as:
- Password Authentication Protocol (PAP)
PAP is a clear-text authentication scheme. The Network Access Server (NAS) requests the user name and password, and PAP returns them in unencrypted text, providing no protection against replay attacks or remote client impersonation once the user's password is compromised.
- Challenge Handshake Authentication Protocol (CHAP)
CHAP is an encrypted authentication mechanism that avoids transmission of the actual password on the connection. It is a more robust method of authentication, using a three-way handshake. It protects against playback attacks by using a variable challenge value that is unique and unpredictable.
PAP and CHAP have definite disadvantages when secure authentication is desired. Both rely on a secret password that must be stored on the remote user’s computer and the local computer. If either computer comes under the control of a network attacker, then the secret password is compromised [01ATK95].
Although CHAP is a stronger method than PAP for authenticating dial-up users, CHAP may not meet the scalability requirements of large organisations. This is due to the fact that organisations with many dial-up users have to maintain very large databases to accommodate the large number of shared secrets that need to go through the hash function. Another fact is that PPTP has weak encryption technology and its authentication features are not good for highly secure transmission over the Net [KOSIU98], [HAMEZ96], [GURMA99] and [KENTS98].
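To make the PAP/CHAP difference above concrete, here is an added Python example, not taken from the report or from any PPP implementation. It computes the CHAP response exactly as RFC 1994 defines it (MD5 over Identifier || secret || Challenge Value) next to a PAP request, and then replays a captured credential against each. The user name, shared secret and message framing are constructed for the example; a real NAS would carry these inside PPP authentication packets.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(username, password):
    """PAP: the password itself goes on the wire, readable by anyone on the path.
    (Constructed framing; real PAP uses a PPP Authenticate-Request packet.)"""
    return b"PAP " + username.encode() + b":" + password.encode()


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The network access server side. `secrets` is the user -> shared secret store
    that, as the report notes, both PAP and CHAP depend on."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}
        self.identifier = 0

    def pap_verify(self, request):
        user, _, password = request[4:].partition(b":")
        return self.secrets.get(user.decode()) == password

    def chap_challenge(self, username):
        self.identifier = (self.identifier + 1) & 0xFF
        challenge = os.urandom(16)                    # unique and unpredictable each time
        self.pending[username] = (self.identifier, challenge)
        return self.identifier, challenge

    def chap_verify(self, username, identifier, response):
        pending = self.pending.pop(username, None)    # one challenge answers one response
        if pending is None or pending[0] != identifier or username not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[username], pending[1])
        return hmac.compare_digest(response, expected)


def demo():
    nas = Authenticator({"alice": b"constructed-shared-secret"})
    results = {}
    # PAP: a captured request replayed later is indistinguishable from the real one.
    captured = pap_authenticate_request("alice", "constructed-shared-secret")
    results["pap_first"] = nas.pap_verify(captured)
    results["pap_replay"] = nas.pap_verify(captured)
    results["password_on_wire"] = b"constructed-shared-secret" in captured
    # CHAP: the response is bound to a fresh challenge, so a captured one is useless.
    ident, challenge = nas.chap_challenge("alice")
    captured_response = chap_response(ident, b"constructed-shared-secret", challenge)
    results["chap_first"] = nas.chap_verify("alice", ident, captured_response)
    ident2, _ = nas.chap_challenge("alice")
    results["chap_replay"] = nas.chap_verify("alice", ident2, captured_response)
    results["chap_secret_on_wire"] = b"constructed-shared-secret" in captured_response
    return results


if __name__ == "__main__":
    print(demo())
```

The results of demo() match the text: the PAP request succeeds both when sent and when replayed, and the password is visible in it; the CHAP response succeeds once, fails when replayed against the next challenge, and never carries the secret itself. What CHAP does not remove is the shared secret stored on both ends, which is the weakness the next paragraph describes.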
7.2 Establish PPTP Tunnel
As mentioned earlier in Section 7.1 of the report, PPTP depends on the PPP protocol to create the dial-up connection between the client and a network access server. After PPP has established the connection, PPTP encapsulates the PPP packet for transmission over a tunnel. Depending on the capabilities of the end user’s computer and the ISP’s support for PPTP, there are a variety of different tunnels. The end user’s computer determines where the transmission point of the tunnel is located: either on the end user’s computer, if it is running a PPTP client, or at the ISP’s Remote Access Server (RAS), if the computer supports only PPP and not PPTP. This results in two types of tunnels, voluntary and compulsory. Voluntary tunnels are created at the request of the user for a specific use. Compulsory tunnels are created automatically without any action from the user. Because a compulsory tunnel has predetermined endpoints and the user cannot access other parts of the Internet, these tunnels offer better access control than voluntary tunnels. Another advantage of a compulsory tunnel is that multiple connections can be carried over a single tunnel. One disadvantage is the unprotected initial link of the connection, which lies outside the tunnel and is therefore more vulnerable to attack [KOSIU98], [HAMEZ96] and [KENTS98].
After the PPTP tunnel is established, user data is transmitted between the client and the PPTP server. By using a modified version of the Generic Routing Encapsulation (GRE) protocol, the data is created and transmitted in IP datagrams containing PPP packets. The GRE header includes the host’s Call ID, which can be used to control access rights, and an acknowledgement capability, which is used to monitor the rate at which data packets are transmitted over the tunnel for a given session [GURMA99] and [HAMEZ96].
The GRE header is used to encapsulate the PPP packet within the IP datagram as shown by Figure 7. The payload packet is essentially the original PPP packet sent by the client, missing only the framing elements that are specific to the media. Because PPTP operates as a Layer 2 protocol, it must include a media header in the packet description to indicate how the tunnel is being transmitted. The method differs depending on the ISP’s infrastructure, for example Ethernet or Frame Relay [KOSIU98] and [HAMEZ96].
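An added example (written for this section, not taken from the report) of the enhanced GRE header that PPTP uses to carry PPP packets, following RFC 2637: the Call ID sits in the Key field next to the payload length, sequence and acknowledgement numbers are optional, and protocol type 0x880B marks a PPP payload. The table of established Call IDs and the PPP payload are constructed sample values.

```python
import struct

# Added example, not code from the report: builds and decodes the enhanced GRE
# header PPTP uses (RFC 2637). Protocol type 0x880B marks a PPP payload, the
# Key field carries payload length and Call ID, sequence and acknowledgement
# numbers are optional. ESTABLISHED_CALLS and SAMPLE_PPP are constructed.

GRE_PROTO_PPP = 0x880B
GRE_VERSION_PPTP = 1   # "enhanced GRE" version number
FLAG_K = 0x20          # byte 0: Key field present (always set by PPTP)
FLAG_S = 0x10          # byte 0: sequence number present (data packets)
FLAG_A = 0x80          # byte 1: acknowledgement number present
VER_MASK = 0x07        # byte 1: version in the low three bits

# Constructed table: Call IDs the PPTP server has accepted, and their owners.
ESTABLISHED_CALLS = {0x0001: "alice", 0x0042: "bob"}

# Constructed PPP payload: HDLC address/control 0xFF03, protocol 0x0021 (IP).
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"constructed-ip-datagram"


def build_gre(call_id, payload, seq=None, ack=None):
    """Encapsulate one PPP packet (an empty payload gives a bare acknowledgement)."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)
    b1 = GRE_VERSION_PPTP | (FLAG_A if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_gre(data):
    """Decode a PPTP GRE packet into its fields; raises ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, plen, call_id = struct.unpack_from("!BBHHH", data, 0)
    if (b1 & VER_MASK) != GRE_VERSION_PPTP or proto != GRE_PROTO_PPP:
        raise ValueError("not an enhanced GRE packet carrying PPP")
    if not b0 & FLAG_K:
        raise ValueError("Key field (payload length / Call ID) missing")
    has_seq = bool(b0 & FLAG_S)
    has_ack = bool(b1 & FLAG_A)
    off = 8 + 4 * has_seq + 4 * has_ack
    if len(data) < off + plen:
        raise ValueError("payload length field disagrees with packet size")
    seq = struct.unpack_from("!I", data, 8)[0] if has_seq else None
    ack = struct.unpack_from("!I", data, 8 + 4 * has_seq)[0] if has_ack else None
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "payload": data[off:off + plen]}


def is_valid_gre(data):
    """True when parse_gre accepts the packet."""
    try:
        parse_gre(data)
        return True
    except ValueError:
        return False


def session_owner(data):
    """Access control on the Call ID: return the owner of an established
    session, or None when the packet should be dropped."""
    pkt = parse_gre(data)
    return ESTABLISHED_CALLS.get(pkt["call_id"])


if __name__ == "__main__":
    packet = build_gre(0x0042, SAMPLE_PPP, seq=7, ack=3)
    print(parse_gre(packet), session_owner(packet))
```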
8. Layer 2 Tunnelling Protocol (L2TP)
The Layer 2 Tunnelling protocol is an extension to PPP that enables remote users to access corporate networks, using public networks such as the Internet. L2TP is an emerging Internet Engineering Task Force (IETF) standard protocol. It is an evolution of the earlier Layer 2 Forwarding Protocol (L2F) proposed by Cisco and the Point to Point Tunnelling Protocol (PPTP) proposed by Microsoft [Virtua98].
As mentioned earlier in Section 7.2 of the report, PPTP uses its own definition of an encapsulation header for transmitting packets at Layer 2. L2TP is very similar to PPTP, with the major difference that it is not dependent on IP and GRE, enabling it to work with other physical media [KOSIU98].
Because L2TP is a Layer2 protocol, it offers users the same flexibility as PPTP for handling protocols other than IP, such as IPX and NETBEUI for example.
Like PPTP, L2TP utilises the functionality of PPP to provide dial-up access that can be tunnelled through the Internet to a destination site. But L2TP defines its own tunnelling protocol, allowing the encapsulated PPP frames to be sent over a variety of networks such as X.25, Frame Relay and Asynchronous Transfer Mode (ATM). Although many of the initial implementations of L2TP focus on using the transport protocol User Datagram Protocol (UDP), which provides a connectionless datagram service, it is possible to set up an L2TP system without using IP as a tunnel protocol at all. A network using ATM or Frame Relay can also be deployed for L2TP tunnels [TOWNS99], [VALEN98] and [Layer00].
The authentication mechanisms used within L2TP are PAP and CHAP, because PPP is used for the dial-up links. L2TP differs where end-to-end authentication and data integrity are concerned: IPSec-based authentication and encryption across the PPP link is invoked. Using IPSec at the end user’s workstation provides stronger security than simply relying on PPP-based authentication and encryption, as PPTP does [KOSIU98] and [VALEN98].
Before moving on with the L2TP details, let’s have a look at the major differences between PPTP and L2TP.
8.1 PPTP compared to L2TP
Both PPTP and L2TP use PPP to provide an initial envelope for the data, and then append additional headers for transport through the internetwork. The two protocols are very similar. However, there are differences between PPTP and L2TP as shown by Table 8 [TOWNS99], [VALEN98], [KOSIU98] and [Layer00].
8.2 Establish L2TP Tunnel
As mentioned earlier in Section 8 of the report, L2TP depends on the PPP protocol to create the dial-up connection between the client and a network access server. PPP will establish the physical connection, perform the first authentication phase of the end user, create PPP datagrams and close the connection when the session is finished [KOSIU98] and [TOWNS99].
After PPP has established the connection, L2TP takes over and determines whether the network server at the corporate site recognises the end user and is willing to serve as an endpoint for a tunnel. If the tunnel can be created, L2TP encapsulates the PPP packets for transmission over the medium that the ISP has assigned to the tunnel, as shown by Figure 8 [KOSIU98].
L2TP utilises two different types of messages, control messages and data messages. Control messages are used in the establishment, management and release of sessions carried through the tunnel. Data messages are used to encapsulate the PPP frames being carried over the tunnel. Because L2TP operates as a Layer 2 protocol it includes a media header in the packet description to indicate how the tunnel is being transmitted. Depending on the ISP’s infrastructure this might be Ethernet, Frame Relay, X.25 or ATM links [TOWNS99], [VALEN98] and [Layer00].
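An added example (written for this section, not taken from the report) that decodes the L2TP version 2 header of RFC 2661 and separates control messages, which manage the tunnel and its sessions, from data messages carrying PPP frames. The tunnel and session IDs and the PPP bytes are constructed sample values.

```python
import struct

# Added example, not code from the report: decodes the L2TP version 2 header
# (RFC 2661) and separates control messages, which manage the tunnel and its
# sessions, from data messages, which carry PPP frames. Tunnel/session IDs and
# SAMPLE_PPP are constructed sample values.

T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
VER_MASK = 0x000F
AVP_LEN_MASK = 0x03FF   # low 10 bits of the first AVP word hold its length
CONTROL_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

# Constructed PPP frame: HDLC address/control 0xFF03, protocol 0xC021 (LCP).
SAMPLE_PPP = b"\xff\x03\xc0\x21" + b"constructed-lcp-frame"


def control_message_type(body):
    """Every control message starts with the Message Type AVP (vendor 0, attribute 0)."""
    if len(body) < 8:
        raise ValueError("control message without a Message Type AVP")
    word, vendor, attr, value = struct.unpack_from("!HHHH", body, 0)
    if vendor != 0 or attr != 0 or (word & AVP_LEN_MASK) != 8:
        raise ValueError("first AVP is not Message Type")
    return CONTROL_NAMES.get(value, "type %d" % value)


def parse_l2tp(data):
    """Decode the header; returns a dict whose 'kind' is 'control' or 'data'."""
    flags, = struct.unpack_from("!H", data, 0)
    if (flags & VER_MASK) != 2:
        raise ValueError("unsupported L2TP version")
    off, length = 2, len(data)
    if flags & L_BIT:
        length, = struct.unpack_from("!H", data, off)
        off += 2
        if length > len(data):
            raise ValueError("Length field exceeds the packet")
    tunnel_id, session_id = struct.unpack_from("!HH", data, off)
    off += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack_from("!HH", data, off)
        off += 4
    if flags & O_BIT:
        pad, = struct.unpack_from("!H", data, off)
        off += 2 + pad
    msg = {"tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr}
    if flags & T_BIT:
        # RFC 2661: a control message must carry L and S and must not use O
        if not (flags & L_BIT and flags & S_BIT) or flags & O_BIT:
            raise ValueError("malformed control message header")
        msg["kind"] = "control"
        msg["message_type"] = control_message_type(data[off:length])
    else:
        msg["kind"] = "data"
        msg["ppp"] = data[off:length]   # the encapsulated PPP frame
    return msg


def is_well_formed(data):
    """True when parse_l2tp accepts the packet."""
    try:
        parse_l2tp(data)
        return True
    except (ValueError, struct.error):
        return False


def build_control(tunnel_id, session_id, ns, nr, msg_type):
    """Control message carrying only the mandatory Message Type AVP."""
    avp = struct.pack("!HHHH", 0x8000 | 8, 0, 0, msg_type)   # M bit set, length 8
    hdr = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(avp),
                      tunnel_id, session_id, ns, nr)
    return hdr + avp


def build_data(tunnel_id, session_id, ppp):
    """Minimal data message: no Length field, no sequence numbers."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp


if __name__ == "__main__":
    print(parse_l2tp(build_control(0, 0, 0, 0, 1)))   # SCCRQ opens a tunnel
    print(parse_l2tp(build_data(5, 7, SAMPLE_PPP)))
```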
L2TP uses the same tunnel classes as PPTP, voluntary and compulsory tunnels. This is illustrated in Figure 8.1 on the next page. Voluntary tunnels are created at the request of the user for a specific use. Compulsory tunnels are created automatically without any action from the user. Because a compulsory tunnel has predetermined endpoints and the user cannot access other parts of the Internet, these tunnels offer better access control than voluntary tunnels. Another advantage of a compulsory tunnel is that multiple connections can be carried over a single tunnel. One disadvantage is the unprotected initial link of the connection, which lies outside the tunnel and is therefore more vulnerable to attack. Attacks may be carried out on PPP packets sent over the unprotected link between the dial-up client and the Network Access Server, prior to encapsulation of the packets within an L2TP tunnel. For this reason L2TP includes provisions for using IPSec to encrypt and protect data end-to-end [KOSIU98] and [TOWNS99].
8.3 L2TP Using IPSec
As mentioned earlier in Section 8 in the report, IPSec has been specified as the security system of choice for use with L2TP. IPSec would be implemented within L2TP for compulsory and voluntary tunnels [TOWNS99], [VALEN98] and [KOSIU98].
In the case of a compulsory tunnel the end user is not aware of what security services are in place between the ISP’s Remote Access Server and the L2TP Network Server. The end user therefore has to rely on whatever IPSec protection is in place. Not all endpoints are IPSec-compatible, however, which forces a renegotiation to use only PPP encryption. This is illustrated in Figure 8.2. In both cases IPSec AH is applied to the traffic travelling through the tunnel, but the encryption choice is left up to the end user: either ESP for IPSec-capable destinations or PPP’s encryption scheme for non-IPSec destinations [TOWNS99].
In the case of a voluntary tunnel, the end user serves as one endpoint of the L2TP tunnel and negotiates a Security Association (SA) with the L2TP Network Server at the corporate site. As with compulsory tunnels, negotiation of the SA in voluntary tunnels depends on whether both endpoints are IPSec-capable. This is illustrated in Figure 8.3. Because the end user’s computer serves as the endpoint of a voluntary tunnel, IPSec AH is applied at this workstation, not at the ISP’s device. If the destination is not IPSec-compatible, ESP encryption will only protect the packets until they reach the L2TP Network Server at the corporate site [TOWNS99], [VALEN98], [KOSIU98] and [Layer00].
9. Software Application Tools Towards The Project
9.1 Macromedia Flash or Director
While a great amount of time has been spent on research within the area, a significant amount of time has also been spent learning Macromedia Flash and Director.
Both Director and Flash could be used for the project. They both have the functions needed to complete the project. But the main distinction is that Director executable files will only work on one platform, the one they were designed on. For example, if the animation is designed on a Microsoft Windows platform, then the executable Director file can only be viewed on that platform. That would cut out all Macintosh and UNIX users.
An executable presentation created in Flash will be suitable for all platforms, Windows, Macintosh or UNIX, and eliminates any need to download a plug-in.
9.2 Programming in Flash and Director
Lingo is Director’s scripting language, which adds interactivity to a movie. It is used to control a movie in response to specific conditions and events. For example, Lingo can play a sound after a specified amount of the sound has streamed from the Internet. A script always executes its Lingo statements starting with the first statement and continuing in order until it reaches the final statement or a statement that instructs Lingo to go somewhere else.
Like any programming language, Lingo uses specific terminology and has rules of grammar and punctuation, which the user must follow.
ActionScript is Flash's scripting language, which also adds interactivity to a movie. When setting up a movie the user events, such as button clicks and key-presses, can trigger scripts that tell the movie what action to perform. For example, a specific script can tell Flash to load different movies into the Flash Player depending on which navigation button the user chooses.
It has many new features and syntax conventions that make it similar to the core JavaScript programming language. The European Computer Manufacturers Association (ECMA) wrote a document called ECMA-262, derived from JavaScript, to serve as the international standard for the JavaScript language. ActionScript is based on the ECMA-262 specification, which can be viewed at the following URL, .
Both ActionScript and Lingo could be used for the animations within the project. But ActionScript was chosen, due to the fact that the animations are not advanced and I am familiar with JavaScript.
9.3 Learning and Applying Macromedia Flash
Macromedia Flash consists of three applications in one: an authoring environment, an animation sequencer and a vector based drawing program.
The authoring program enables the user to create interactive multimedia files, which are called movies in Flash. Movies, as it sounds, incorporate graphics and sound, which to some degree let the user determine the course of action.
The animation sequencer enables the user to create or simulate motion on screen. Flash uses a series of frames and a sequence of scenes to make its movies. Each frame of the movie can have one or more elements that change position, size and/or colour from the previous frame to create an animated effect. The sequences of frames within the movie are organised using scenes. For example, in this project digitised sounds have been imported into Flash and synchronised to specific events. The voice was recorded at 44,000 Hz stereo. The Flash compression was ADPCM at 22,000 Hz.
Flash has a built-in drawing tool as well, the vector-based drawing program. The program draws pictures on screen using points with specific coordinate values (vectors) to define curves. Vectors that connect together in a sequence describe a path. Graphics created as collections of vector information are mathematical equations, which gives vector graphics an advantage over bitmaps. The file size of an uncompressed bitmap image is tied directly to the size at which it appears on the screen: a bitmap image is stored in the computer’s memory as a series of numbers, with one or more numerical values representing a single pixel on screen. In a vector graphic, the pixels are calculated every time the image is rendered to the screen. Images created with vectors typically require much less storage space than bitmap images and can be resized without any loss of resolution [LENTS99].
All animations within this project are drawn as vector art. Consideration should be given to the processor of the computer running the program. It is best viewed using a 16-bit graphics card with a million colours.
The interactive movie files created within Flash can be viewed using an application called the Flash Player. Movies can also be viewed in a web browser or as part of HyperText Markup Language (HTML) pages. Stand-alone projectors that play a movie without the need for a player or a browser can also be created. The latter option is implemented for this project, enabling the application to be viewed on all platforms, for example Windows and Macintosh.
Assigning action commands to specific frames or symbols provides Flash with interactivity. If an action is attached to a movie frame, Flash executes the action when it reaches that frame during playback. If attached to a symbol, the action executes when the user clicks the symbol. Within this project action commands are attached to both symbols and frames. For a detailed description of the commands generated by Flash and the explanations/comments added, refer to Coding in Appendix E.
9.3.1 Rendering Images Within Flash
Most multimedia animation programs depend on bitmap images for every element of an animation. If an image changes in size, shape or rotation, it needs to be pre-rendered before the animation displays. A graphic that rotates 180 degrees in 6 separate steps would require 12 separate bitmap images, each rotated 30 degrees from the previous image.
But Flash renders its images on-the-fly, as it needs them. When a movie plays Flash uses the vectors of the objects in a frame to draw the picture immediately. Flash then transforms the vector data into bitmap images for onscreen display only when needed [PLANT98].
9.4 Microsoft Word
To improve the pedagogical purpose of the application created within Macromedia Flash, the “View animation as web-page” function was added. It enables the user to view the image used for the animation and a summary of its process in a web browser. The web pages were created in Microsoft Word and saved as htm files. The images for each animation were copied from the Flash movie.
10. The result of the research
10.1 Macromedia Flash Illustration
The outcome of the research is presented in a pedagogical way by animations created in Flash. The user has thirteen different animation topics to choose from. The topics are designed as links on the right-hand side of the page. When a link/topic is chosen, the user is able to view the specific animation in the “Animation Screen” as shown by Figure 10 on the next page. Each topic has a specific audio file attached to it describing the animation process in detail. The audio file is also displayed in the “Information Box” in text format as shown by Figure 10. The text moves down at the same speed as the audio file is played. The two green arrows located on the right-hand side of the “Information Box” enable the user to scroll the text if necessary.
A printing function is also available to print out the current animation for further study. The printout includes the animation image and its process description. The “View Animation As Web-Page” function enables the user to view the animation image and its description in a Web browser as a summary for each topic. Four buttons enabling the user to PLAY, PAUSE, REWIND, RESET and QUIT the current animation are also included.
The main topics that are covered within the Flash presentation are as follows:
- The encapsulation process
- Datagram transmitted across Internet
- The IP datagram format
- Virtual Private Network (VPN)
- VPN encapsulation
- Tunnelling protocols used in VPN
- IPSec
- L2TP
The IPSec and L2TP topics are provided with a further six subheadings illustrating the two different modes of tunnels within VPNs. For more details on what each topic includes, refer to Topic Description in Appendix B, where each topic can be viewed in Web browser mode.
The animations for each topic are built on the image and the text illustrated in the Web browser. Every object within the animation that is mentioned in the audio file is provided with one or two behaviours within Flash. This draws the user’s attention to that specific part of the screen. Examples of behaviours attached to the objects are: zooming in/out, changing position, changing colour, fading, playing sounds and changing fonts etc.
10.2 Testing
After creating the presentation, every animation and its behaviours/functions have been tested. The testing method used in this case is the black-box testing method. Black-box testing involves testing of “pure” function, where the expected result depends only on the arguments of the function without any side effects. The Final Testing of the application can be viewed in Appendix C.
The final testing strongly indicates that all the object behaviours and button functions are working correctly. The only problem is the REW button, which required adjustments. It is still not functioning satisfactorily, because the function is limited when used for streaming animations.
10.3 Product Evaluation
The main purpose of the project is to illustrate the encapsulation process and the tunnelling protocols used in VPNs in a pedagogical way for a final year Computer Science student. To obtain an indication of whether the presentation is created in an educational way, final year Computer Science students have been asked to view the presentation.
The result of this task and the comments from the students are then used as an indicator of the success of the pedagogical presentation. The task consists of viewing every animation within the application and then completing a questionnaire. The Product Evaluation in Appendix D details the tests carried out and the comments given by the applicants.
The tests carried out strongly indicate that the application is pedagogical for a final year Computer Science student who wishes to make further studies within the topic of encapsulation and tunnelling protocols used in VPNs.
11. Conclusion and Evaluation
11.1 Conclusion
Today’s business focuses on the creation, analysis and distribution of information. The preoccupation with information as a source of revenue has led to the exchange of information between business partners and its workers.
Private networks designed to link together a number of corporate sites have been using dedicated leased lines over the past 30 years. But today the expensive leased lines are being replaced with less expensive, dynamic links such as Virtual Private Networks (VPN).
VPN makes use of the public telecommunication infrastructure, the Internet and provides businesses the dynamic links over a variety of different transmission media. It transports IP packets across the Internet backbone by establishing endpoints that negotiate a common encryption and authentication scheme prior to the transport. The encryption and authentication process is necessary due to the fact that Internet is an open communication environment that can be subject to unauthorised interception and access.
At the moment Internet Protocol Security (IPSec) is the most complete protocol for VPNs, especially when coupled with Oakley for managing cryptographic keys. Other protocols used within VPNs are the Point-to-Point Tunnelling Protocol (PPTP) and the Layer 2 Tunnelling Protocol (L2TP). IPSec includes a great deal of flexibility in authentication and encryption algorithms. The Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols are responsible for that. They can be applied either to authenticate and/or encrypt the packet’s payload. PPTP is based on the dial-up protocol Point-to-Point Protocol (PPP) and is well suited to handling multi-protocol network traffic, particularly the IP, IPX and NETBEUI protocols. L2TP offers a number of the advantages of PPTP, for example handling multiple sessions over a single tunnel. It is also capable of transmitting IP datagrams over non-IP media, for example X.25 and Frame Relay. By using IPSec’s ESP for encrypting packets, L2TP also provides stronger security and great flexibility in designing VPNs.
One of the advantages of IPSec is that it operates at the network layer, whereas other approaches insert security at the application layer. The benefit of network layer security is that it can be deployed independently of the applications running on the network. This means that organisations are able to secure their networks without deploying and coordinating security on an application-by-application basis. But not all VPNs need to be so involved. Smaller businesses can also use other solutions, such as PPTP and L2TP, which are similar and do not offer all the options or protections that IPSec does. L2TP allows for the use of multiple tunnels between end points while PPTP does not. With L2TP, different tunnels for different qualities of service can be created.
Basically, the right choice of tunnelling protocol for a specific business depends on the business’s structure, such as its remote employees, business partners and customers.
The outcome of the project research, that is the topics mentioned in this section, is illustrated using Macromedia Flash as a software development tool in a pedagogical way for a final year Computer Science student.
11.2 Evaluation of Objectives
The aim of this project was to illustrate the encapsulation and tunnelling technology used in VPNs in a pedagogical way for a final year Computer Science student. To meet this aim a detailed research within the wide area of VPN technology was undertaken. Using the outcome of the research, the core and advanced objectives were all met to one extent or another. The only advanced objective that is not achieved and is left for further development is the online help system.
11.3 Project Management
During the first stage of the project much research was undertaken to ascertain a suitable project area. Once a basic idea of the content of the project was obtained, a project plan was produced that outlined the structure of the report. These tasks were decomposed into smaller manageable sub-tasks and estimations for their completion derived. From this plan, deadlines were set throughout the year and the plan was adjusted according to progress.
During the initial phase of the report, the time allocated to study and background material was underestimated. To compensate for this, additional hours were necessary to complete the project. This allowed me to ensure the timely completion of this report.
11.4 Personal Development
Initial research into the wide area of VPNs and the tunnelling protocol technology has provided me with an appreciation of their complex issues, such as security, threats and solutions. A great amount of understanding and development skill in the multimedia software tool Macromedia Flash has also been accomplished.
During the period of the project, several non-technical skills were developed as well, such as the ability to summarise technical reports. My project management skills have also developed.
11.5 Future Development
Considering the evaluation of the project, the REWIND button needs to be adjusted in a much more advanced way in order to satisfy the users’ needs. Perhaps a “seek bar” would be satisfactory.
The application illustrates the tunnelling protocols IPSec and L2TP used in an IPv4 environment. A future development could consist of illustration of the above-mentioned protocols used in an IPv6 environment as well.
Bibliography
Books
Internet
Appendix A – Definition of Terms
Appendix B – Topic Description
The following pages illustrate the thirteen different topics within the presentation.
The animations for each topic are built on the image and the text illustrated in the Web browser. Every object within the animation that is being mentioned in the audio file is provided with one or two behaviours within Flash. This drags the user’s attention to that specific part of the screen. Examples of behaviours attached to the objects are: zooming in/out, changing position, changing colour, playing sounds and changing fonts etc.
The Encapsulation Process
Datagram Transmitted Across Internet
The IP Datagram Format
Virtual Private Network (VPN)
IPSec Architecture
AH in Transport Mode
ESP in Transport Mode
AH in Tunnel Mode
ESP in Tunnel Mode
Establish L2TP Tunnel
L2TP Compulsory Tunnel
L2TP Voluntary Tunnel
Appendix C – Final Testing
The following tests are carried out by clicking on the different buttons and links and observing the process taking place.
Appendix D – Product Evaluation
The evaluation process consisted of viewing every animation within the application and then completing a questionnaire. The three applicants for the evaluation process were three final year Computer Science students. Figure C.1 illustrates the questionnaire given to the applicants.
The evaluation results and the questionnaires received from the applicants are illustrated in Table C.1 below, which continues on the next page.
Appendix E – Coding
Within this project action commands are attached to both symbols and frames. Below is a detailed description of the commands generated by Flash for Scene1. Explanations and comments are added to illustrate my understanding of the codes generated by Flash itself.
Scene 1
actions for frame 1 (intro frame)
stop ();
fscommand ("fullscreen", "true"); // plays the animation at full screen
actions for frame 10 (disclaimer frame)
stop ();
actions for disagree (buttons, if disagree chosen, then quit application)
on (release) {
fscommand ("quit");
}
actions for agree (buttons, if agree chosen, then proceed)
on (release) {
play ();
}
actions for frame 20 (animation frame)
stop ();
fscommand ("showmenu", "false"); // hides the Flash menu, keeping the viewer's attention on the animation
fscommand ("trapallkeys", "true"); // locks the keyboard (all keys are trapped) for the same reason
actions for encapsu... (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation1");
}
}
actions for datagram trans... (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation2");
}
}
actions for the ip header (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation3");
}
}
actions for virtual privat netw... (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation4");
}
}
actions for vpn encapsulation (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation5");
}
}
actions for QUIT-home (buttons)
on (release) {
tellTarget ("exit") {
play ();
}
}
actions for Symbol 245 (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation6");
}
}
actions for Symbol 302 (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation7");
}
}
actions for Symbol 312 (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation6-");
}
}
actions for Symbol 313 (buttons)
on (release) {
tellTarget ("screen") {
gotoAndPlay ("animation7-");
}
}
Symbol Definition(s)
Exit -(this is the symbol or script used for the exit animation)
actions for frame 1
stop ();
actions for frame 5
stop ();
stopAllSounds ();
actions for Symbol 232 (when “NO” is selected)
on (release) {
gotoAndStop (1);
}
actions for Symbol 233 (when “YES” is selected)
on (release) {
play ();
}
actions for frame 14- (last frame in the “EXIT” animation)
stop ();
fscommand ("quit");
actions for cont...
on (release) {
tellTarget ("../") {
play ();
}
}
PRINT (these are the buttons for the print actions and webpage)
actions for frame 1
stop ();
WEBPAGE
actions for frame 1
stop ();
ani-screen (the animation screen)
actions for reset home (button for reset all info box animations)
on (release) {
tellTarget ("/info box/info 1") {
gotoAndStop ("1");
tellTarget ("/info box/info 2") {
gotoAndStop ("1");
tellTarget ("/info box/info 3") {
gotoAndStop ("1");
tellTarget ("/info box/info 4") {
gotoAndStop ("1");
}
}
}
}
}
on (release) {
tellTarget ("/info box/info 5") {
gotoAndStop ("1");
tellTarget ("/info box/info 6") {
gotoAndStop ("1");
tellTarget ("/info box/info 6-1") {
gotoAndStop ("1");
tellTarget ("/info box/info 6-2") {
gotoAndStop ("1");
tellTarget ("/info box/info 6-3") {
gotoAndStop ("1");
tellTarget ("/info box/info 6-4") {
gotoAndStop ("1");
}
}
}
}
}
}
}
on (release) {
tellTarget ("/info box/info 7") {
gotoAndStop ("1");
}
tellTarget ("/info box/info 7-1") {
gotoAndStop ("1");
}
tellTarget ("/info box/info 7-2") {
gotoAndStop ("1");
}
gotoAndStop ("HOME");
}
actions for frame 1
stop ();
actions for frame 5
stop ();
stopAllSounds ();
actions for print5675
on (release) {
print ("animation 1", "bmax");
}
actions for print5675 (buttons)
on (release) {
}
on (release) {
getURL ("IP Datagram.htm", "_self");
}
actions for frame 6
stop ();
stopAllSounds ();
actions for print5675 (buttons)
on (release) {
print ("screen2-ani", "bframe");
}
actions for print5675 (buttons)
on (release) {
getURL ("Datagram Transmitted.htm");
}
actions for frame 7
stop ();
stopAllSounds ();
actions for print5675 (buttons)
on (release) {
print ("DTgram format", "bframe");
}