1 / 22

Virtual Private Networks

Virtual Private Networks. Juha Heinänen jh@song.fi Song Networks. What is an IP VPN?. an emulation of private (wide area) network facility using provider IP facilities provides permanent connectivity between multiple customer sites implementation can be either customer or provider based

helmut
Download Presentation

Virtual Private Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Virtual Private Networks Juha Heinänen jh@song.fi Song Networks

  2. What is an IP VPN? • an emulation of private (wide area) network facility using provider IP facilities • provides permanent connectivity between multiple customer sites • implementation can be either customer or provider based • can span multiple providers

  3. CEs VPN Example SP1 SP2 SP3 PE PE PE PE P P P PE PE PE RAS Two VPNs spanning three SPs

  4. VPN Requirements • support for customer addressing • non-unique, overlapping address spaces • support for data security • authenticity, privacy, integrity • support for QoS assurances • bandwidth, latency

  5. VPN Classification • Who implements the VPN • CE or PE based • at which layer the VPN operates • Layer 2 or Layer 3 • how the VPN is implemented • membership discovery, signaling, tunneling protocol, ...

  6. CE Based VPNs • integrate VPN capabilities in CE devices • CEs are connected via IPSec tunnels over the Internet (available everywhere) • provide site-to-site security • require networking skills and a key management system • the only choice if security of the VPN service is a concern

  7. A CE Based VPN Telecommuter Internet RAS IPSec Tunnel

  8. PE Based VPNs • Outsource the VPN operation to SPs • PEs appear as router peers or bridges to CEs • works with conventional access routers • simplified CE operation • brings new revenue sources to SPs • suitable when the SPs and local loops can be trusted

  9. A Network Based VPN Telecommuter ”Virtual” RAS Internet ”Virtual”Router or Bridge VPN Tunnel

  10. Layer 2 vs. Layer 3 VPNs • Layer 2 VPNs • provide Virtual Private Wire Service (VPWS) or Virtual Private LAN Service (VPLS) • PEs not aware of customer’s Layer 3 protocols, addresses, or routing • Layer 3 VPNs • provide Virtual Routing Service • PEs participate as routing peers in customers’ Layer 3 protocols

  11. Virtual Private Wire Service VPN Tunnel Internet Access Connection AC can be physical PPP or Ethernet link, FR or ATM VC, VLAN, MPLS LSP, etc.

  12. Virtual Private LAN Service Virtual Learning Bridge Internet AC can be physical Ethernet link or VLAN

  13. Layer 3 VPN Internet Virtual Router Dynamic or Static Routing AC can be physical PPP or Ethernet link, FR or ATM VC, VLAN, MPLS LSP, etc.

  14. Generic VPN Problems • how to discover which other CEs or PEs belong to the same VPN • how to setup VPN tunnels and which tunneling protocols to use • how to advertise end-point reachability within a VPN

  15. VPN Membership Discovery • a CE or a PE port is configured to belong to a given VPN • CE or PE learns about other members via • configuration (CEs) • BGP piggy packing (PEs) • DNS (CEs and PEs) • DNS vs. BGP for discovery is currently a hot issue

  16. VPN Tunneling • choices for VPN tunneling protocols • MPLS (over MPLS or GRE), L2TPv3, IPSec • choices for tunnel setup protocols • LDP, BGP piggy packing, L2TPv3, IPSec • tunneling protocol can be chosen independently of discovery protocol

  17. Advertising Reachability • Layer 2 VPNs • VPLS has no need to advertise reachability • VPWS can piggy pack Layer 3 reachability into tunnel setup • Layer 3 VPNs • via IGP over VPN tunnels between VRs • via BGP extended with VPN addresses

  18. BGP Piggy Packing • Assumes that each PE runs (extended) BGP • difficulties with multiprovider VPNs • all transit SPs need to be trusted • VPN information visible at boarder routers • advertisement scope is difficult to control • OK for single SP VPNs where customer sites can be backhauled to BGP speaking PEs

  19. BGP/MPLS Model SP1 SP2 SP3 MPLS LSPs for the VPN

  20. IP tunnels for the VPN DNS/GRE/MPLS Model SP1 SP2 SP3

  21. PE2 <xyz.vpn.sp.net> PE1 <xyz.vpn.sp.net> <xyz.vpn.sp.net> PE3 <xyz.vpn.sp.net> DNS Based VPLS Example xyz.vpn.sp.net IN A PE1 IN A PE2 IN A PE3

  22. Summary • Frame Relay and ATM based VPNs are migrating to IP based VPNs • a secure VPN can only be implementing using IPSec between CEs • Layer 2 VPNs (especially VPLS) is becoming an alternative to Layer 3 VPNs • jury is still out regarding the discovery and tunneling protocols

More Related