1 / 47

Virtual Private Networks

Virtual Private Networks. Network Based IP VPN 03/10/2002. Agenda. Introduction VPN – Introduction, Requirements, Categories and Types Virtual Private Routed Networks – Introduction, Features, Requirements Virtual Private Routed Networks – Architecture

tess
Download Presentation

Virtual Private Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Virtual Private Networks Network Based IP VPN 03/10/2002

  2. Agenda Introduction VPN – Introduction, Requirements, Categories and Types Virtual Private Routed Networks – Introduction, Features, Requirements Virtual Private Routed Networks – Architecture Virtual Router – Concept, Objectives, Characteristics VR Based Solution for IP VPN VPN support on Linux

  3. Introduction - Types of Private Networks A Private network is a collection of hosts belonging to a common administration or organization. Private connectivity between geographically scattered networks is done through • Dedicated WANs - permanently connected to multiple sites • Dial Networks - on demand connections through PSTN to sites High cost and complexity is involved in multi-site WAN services. In order to overcome this constraint, the Internet is used to provide the connectivity between private networks.

  4. Introduction - Motivation and History Some other factors that motivate in migrating to an Internet based connectivity are as follows • A need to extend the private network to offer services or connectivity that is invisible to the external observers. • Economics, in terms of aggregating the costs of individual components or set ups into a single infrastructure and offer services collectively over the public domain. • Source of revenue generation for the ISPs.

  5. What Is a VPN? “A VPN is a communications environment in which access is controlled to permit peer connections only within a defined community of interest, and is constructed through some form of partitioning of a common underlying communications medium, where this underlying communications medium provides services to the network on a non-exclusive basis." “A VPN is a private network constructed within a public network infrastructure, such as the global Internet." A Virtual Private Network is a connectivity object between two or more private entities. It uses the Internet or public domain infrastructure and connects private networks.

  6. VPN Requirements Opaque Transport VPN traffic may be unrelated to the traffic in IP backbone • Traffic can be multi-protocol • Customer may be using IP addresses not related to backbone. These addresses may be private and non-unique Data Security • No misdirection, misrouting, snooping • Security against modification of traffic in transit • Unauthorized analysis of traffic

  7. VPN Requirements QoS Guarantee Need for IP based QoS similar to dedicated or dial lines or ATM/Frame Relay • Opaque transport requirement is fulfilled by using tunnels for transport. Some tunneling mechanisms provide support for data security and QoS. • Some tunneling mechanisms are IP/IP, IPSec, GRE, L2TP, MPLS

  8. VPN Requirements Private connectivity between networks is an inherent characteristic of a VPN implementation. This is achieved through the following requirements • Opaque transport • Data Security • QoS guarantee • Tunneling mechanism

  9. VPN Requirements Tunneling Protocol Requirements • Support for Multiplexing • Signaling • Security • Multi-protocol traffic • Frame Sequencing • Maintenance • Large MTUs • Minimization of tunnel overhead • Flow/Congestion control • QoS/traffic management

  10. VPN Requirements

  11. VPN Categories VPN services are provided at layer 2 and layer 3. IP based layer 3 VPN implementations are broadly classified as follows • Customer Premises Equipment (CPE) based Model • Network based or Provider Provisioned Model

  12. smitha: change CPE Based Model Some characteristics of CPE based VPN model are as follows • Provides VPN capabilities on firewalls, WAN edge routers and specialized VPN termination devices • Handles security, tunneling between customer ends, management of services and devices, administrative responsibility and operational costs • Uses the ISP only for transmission of data over the backbone

  13. Network Based Model Some characteristics of network based VPN model are as follows • ISPs provide services with no change in the subscriber equipment. Services like fire-walling, data security, routing configuration, QoS, tunnel establishment, management and maintenance are handled by the provider • No extra investment is needed, at the customer end, on dedicated expensive CPE gear while subscribing to a VPN service • Customer is provided the option of choosing various services at various costs

  14. Network Based Model • Customer follows a trust model for security, where it trusts or does not trust the provider • Trust model extends across multiple providers if the VPN spans the domain of multiple providers • Forwarding of data between the provider edges takes place through tunnels • The complexity of operation and administrative responsibility rests with the provider

  15. Types of VPNs • Virtual Leased Lines • Virtual Private Dial Networks • Virtual Private LAN Segment • Virtual Private Routed Networks

  16. Virtual Leased Lines IP Backbone ATM VCC ATM VCC ISP Edge Router ISP Edge Router CPE CPE 10.0.0.5 10.0.0.6 Provides a point to point link between customer’s CPE devices ISP edge binds ATM VCC to a tunnel in IP backbone e.g. AAL5 payload is encapsulated in an IPSEC tunnel in backbone IP Tunnel 10.0.0.4/30

  17. Virtual Private Dial Networks 10.0.0.6 CPE L2TP – Layer 2 Tunneling Protocol LAC - L2TP Access Concentrator LNS – L2TP Network Server IP Backbone Dial Up Connection NAS Gateway LNS LAC Corporate Network L2TP Tunnel 10.0.0.0 / 16 PPP frames are tunneled across IP backbone using L2TP L2 connection terminating at LAC avoids long distance dialup connection PPP session terminates at LNS

  18. Virtual Private LAN Segment- Transparent LAN Service Stub Link Stub Link ISP Edge Router IP Tunnel ISP Edge Router CPE CPE 10.0.0.5 IP Backbone 10.0.0.6 IP Tunnel ISP Edge Router IP Tunnel • Emulation of LAN over internet • CPE can be a bridge or a router • Full mesh connectivity between edge routers • Bridge CPE • ISP edge routers do flooding and MAC learning • Router CPE • Explicit link layer routes to CPE routers Stub Link CPE 10.0.0.9

  19. Virtual Private Routed Networks Provider Backbone CPE 1 CPE 1 10.1.1.0 / 30 10.5.5.0 / 30 Stub Link 10.0.0.1 157.0.0.1 Stub Link 10.1.1.1 PE Router IP Tunnel PE Router 10.5.5.1 Encapsulation in IP/IP Stub Link CPE 2 IP Backbone Stub Link CPE 2 10.2.2.0 / 30 10.6.6.0 / 30 Outer IP Header Destination Address 157.0.0.1 P Inner IP Header Destination Address 10.5.5.1 P P IP Tunnel PE Router IP Tunnel Customer data PE – Provider Edge CPE – Customer Premises Equipment P – Provider/Interior Stub Link CPE 1 10.3.3.0 / 30

  20. Virtual Private Routed Network (VPRN) • VPRN is an IP based layer 3 VPN. • Both CPE and network based implementations are possible. • A VPRN is an emulation of a multi-site wide area routed network using IP facilities • VPN specific forwarding tables called the VPN Routing and Forwarding tables or VRFs are present at the provider routers on a per VPN basis. They contain network reachability information. • VPRN operation is de-coupled from the mechanism used by the customer to access the Internet

  21. VPRN Generic Requirements • Use of a globally unique identifier for each VPN • VPN ID is a Globally Unique Identifier, which uniquely identifies an instance of a VPRN. • VPN ID can be used for management purposes in a MIB • Used for tunnel establishment, to bind a VPRN to a particular tunnel etc. • Same ID can be used across different technologies e.g., IP and ATM

  22. VPRN Generic Requirements • VPRN membership determination • Determination of stub link belonging to a VPRN • Through configuration for Static links e.g. ATM VCC • As part of authentication for Dynamic Links e.g. PPP • PEs participating in a particular VPRN must be known to each other • Membership determination is done using • Directory Lookup • Explicit Management Configuration • Piggybacking in Routing Protocols

  23. VPRN Generic Requirements • Stub link reachability information • Determine the set of VPRN addresses and address prefixes or destinations reachable at each stub site or customer site This exchange of information between the CE and PE can be through • Routing Protocol Instance on CE - PE • Configuration • ISP Administered Addresses • MPLS Label Distribution Protocol

  24. VPRN Generic Requirements • Intra - VPN reachability information • Exchange of stub link reachability information between the provider edges • Set of reachable addresses within a VPRN are unique Information dissemination is done through • Directory Lookup • Explicit Configuration • Local intra-VPRN Routing Instantiations • Link Reachability Protocol • Piggybacking in IP backbone Routing Protocols e.g. BPG/MPLS VPN

  25. VPRN Generic Requirements • Tunneling Mechanisms • Tunnels comprising the VPRN cores, are established between PEs, after membership determination • Various mechanisms can be used for tunneling with the requirements of security, authentication, confidentiality, sharing etc • Tunneling mechanisms – IP/IP, IPSec, GRE, MPLS, L2TP etc

  26. Implementation Issues Summarizing some issues involved in building VPRNs • Initial configuration • Determining the set of links in each VPRN • Identifying the member routers belonging to a VPRN • Determining the set of IP addresses or address prefixes reachable via each 'stub' link or customer

  27. Implementation Issues • Disseminate the 'stub' reachability information to the appropriate set of PE routers • Set of IP addresses reachable from the provider that is to be given to the customer • Establish, maintain, and manage the tunnels needed to carry the data • Provide secure data transfer and other features based on customer requirements

  28. VPRN Architecture There are two fundamental architecture models for implementing VPRNs. • Overlay • Piggyback • The models differ in methods used to determine and disseminate membership and reachability • Overlay model constructs multiple routing protocol instances e.g., Multiple OSPF instances on a per VPRN basis, which overlay the IP backbone • Piggyback models make use of the existing routing protocol and extend it to carry information e.g., BGP/MPLS in the backbone

  29. IP VPN - Virtual Router Model "A Virtual Router is an emulation of a physical router at the software and/or hardware level." • The overlay VPRN model uses the concept of Virtual Routers • Each VR runs an instance of the routing protocol for determining and exchanging reachability information with peer VRs

  30. VR Model CPE 1 S T U B L I N K S CPE 1 VPRN 1 PE Router PE Router VPRN 2 CPE 2 CPE 2 VPRN 3 CPE 3 CPE 3 VRF VRF Backdoor Link PE Router VRF – VPN Routing and Forwarding Table VR Instance for CE 1 VR Instance for CE 2 VR Instance for CE 3 CPE 1 CPE 3

  31. VR Objectives • The objective of this mechanism is to provide per-VPN routing, forwarding, QoS, and service management capabilities • To leverage and make use of the existing protocols for implementing VPN functionality • To isolate different VPN instances • To isolate the underlying backbone protocol from the VPN protocols

  32. VR Characteristics • VRs that are members of a particular VPN must share the same VPN ID. • The VR architecture supports overlapping address spaces in separate VPNs • Each VPN can have its own routing protocol in the provider backbone or the customer end if needed

  33. VR Characteristics • Supports VR to VR connectivity • Over Layer 2 connections (ATM or Frame relay) • Over IP based or MPLS tunnels • Any routing protocol instance can be run between the PE and CE to determine stub link reachability. • CE – PE routing protocol is independent of routing protocol in the backbone.

  34. VR Advantages • The Provider (P) routers or non-edge backbone routers need not be VPN aware. In piggyback models, the provider/intermediate routers may be VPN aware to determine if the packets sent belong to the VPN or the backbone routing • Backbone protocol can be independent of the VR protocol used • No changes to existing protocols. In piggyback models, the routing protocol for VPN must extend to accommodate information about VPN membership, reachability etc. • No changes are needed while deployment

  35. VR Based Solution for IP VPN • OSPF is run as a VR protocol for PE - PE routing • For each VPN, towards the provider edge, an OSPF instance is run on the Provider Edge router over tunnels in the backbone • Routing protocol updates are exchanged between the PE routers participating in a given VPN

  36. Membership • Membership information is used to identify and determine which VPN a given VR belongs to • Membership information is disseminated statically or dynamically • A VPN Manager can have pre-configured or dynamically learnt VPN IDs, which are assigned to each of the VR instances • This can be used to map the VPN ID to the resources used by the instance like the routing table associated with the interface

  37. Routing • The "stub link reachability", is learnt by the VR instance on the PE associated with that customer end of the VPN site • VRs belonging to the same VPN exchange this reachability information with the help of the VR routing protocol • Redistribution takes place at the Provider Edge Router between the customer and the provider edges on a per-VR basis • Each VR instance is associated with a routing table called the VRF. Each VPN is mapped to a VRF

  38. Routing • Multiple routing tables are used to isolate routing information between the VRs • Multiple routing tables support on Linux is provided by the Advanced Routing option • On Linux, the input interface(s) from the customer end is/are mapped to a VRF using 'ip rule' command

  39. Routing • VR instance on the customer end and provider end share the routing table. Any addition/deletion of new routes is redistributed to the other corresponding instance of routing protocol • CE-CE or CE-PE routing is independent of the VR routing • Multiple routing tables concept can be extended to support Traffic Engineering

  40. Tunneling • The exchange of control and data plane information is done using tunnels, established between member routers of a VPN • Tunnels on Linux can be established by configuring the tunnel device tunl0. This feature is provided using 'ip tunnel' commands • Multiple VPNs can be mapped to a single tunnel depending on the security constraints • Tunnel aggregation can be done to minimize overhead in tunnel establishment and maintenance

  41. VPN Support On LINUX • Multiple Routing table support • A compile time Advanced Routing option • Up to 255 routing tables • Netlink support for associating network interfaces or tunnels with routing tables • IP/IP and GRE tunneling mechanism.

  42. VPN Support On LINUX • IP utility • To configure IP/IP and GRE tunnels • ip tunnel add mode ipip local 10.0.0.1 remote 10.0.0.2 • To configure routes in different routing tables • ip route add 10.0.0.0/24 via 192.168.221.254 table 50 • To associate interfaces with routing tables • ip rule add iif eth0 table 50

  43. Issues in OSPF VR Model Depending on configuration of customers, various issues related to connectivity and duplication of information arise. Examples of configuration scenarios are • Each customer belonging to a particular VPN • Customer belongs to multiple VPRNs over multiple stub links • Customer belongs to multiple VPRNs over a single stub link • Multiple VPRNs are established over a single stub link

  44. Issues in OSPF VR Model Stub information exchanged is AS External information. The routing information or updates are exchanged as AS External information between the customer ends Membership information is statically configured by a VPN manager. Manager must keep track of change in membership and disseminate this information appropriately Static configuration of tunnels, maintenance and management is also done by the manager, which must keep track of changes and handle the OSPF instances accordingly

  45. Issues in OSPF VR Model Various configuration scenarios of connection between CE-PE and the way routing information is re-distributed between the customer and provider edge of the PE router influences the kind of information exchanged E.g., if the customer ends are treated as belonging to same area or different areas but belonging to the same AS, then the routes exchanged become intra or inter area routes, which gain preference over AS External routes according to OSPF protocol. In this case, the VPN serves to seamlessly transfer the OSPF/routing information between the customer ends.

  46. Summary • VPN is a connectivity object • Objective of VPN is to provide private connectivity between customer ends, over a public infrastructure • VPN features and requirements include opaque transfer, security, QoS etc • Layer 3 VPN implementations are considered • Different types of VPN types exist, of which VPRN is a IP-network based layer 3 VPN implementation • VR is an overlay concept for implementing VPRN • OSPF is used as a VR protocol. Linux based model uses IP tunnels and Advanced Routing options to build rule based routing tables

  47. References [VPN-RFC2764] Gleeson, B., et al, “A Framework for IP Based Virtual Private Networks”, RFC 2764, February 2000. [PPVPN] Ould-Brahim, H., et al., “Network based IP VPN Architecture using Virtual Routers”, work in progress. [PPVPN] Nagarajan Ananth., et al, “Applicability Statement for Virtual Router-based Layer 3 PPVPN approaches”, August 2002 [RFC2685] Fox B., et al, “Virtual Private Network Identifier”, RFC 2685, September 1999 [RFC2547bis] Rosen E., et al, “BGP/MPLS VPNs”, work in progress. [VPN-BGP] Ould-Brahim, H., et al, “Using BGP as an Auto-Discovery Mechanism for Network-based VPNs”, work in progress.

More Related