CPE-based VPNs
Hans De Neve, Alcatel Network Strategy Group

Customer Premises Equipment based Virtual Private Networks

Contents
• Global VPN requirements
• Deployment View
  • What does a typical CPE VPN look like?
• Network View
  • What sort of connectivity does it provide?
• Technology View
  • What are the underlying technologies?
• Differentiation and Success Factors
  • Where are the factors today, what will they be in future?
Global VPN requirements
• Connectivity
  • IP connectivity between geographically dislocated sites using private addressing
  • transparent to underlying shared infrastructure
  • => tunnelling mechanism
• Security
  • data privacy (e.g. encryption)
  • authentication and integrity
• Scalability
• Management
• ...
Proposed Technology: IPsec
• IP security offers
  • tunnelling (forwarding in the shared Internet is normal IP forwarding)
  • authentication and integrity
  • cryptographic encryption
• IPsec can be used with IKE
  • IKE = Security Association negotiation and Key Exchange Protocol
CPE VPN Deployment View (diagram)
• Sites: Headquarters (Corp. server, Finance server, Policy manager, VPN gateway), Branch Office (VPN gateway), Domestic Sales, International Sales, ASP Data center (Policy manager, VPN gateway), Business Partner (VPN Site-Site), Customer (LAN-based VPN client)
• Clients: Dial-up VPN clients, LAN-based VPN client, Web Surfers
• Links: Internet, Uplink PVC; access speeds shown as 128K, 256K and 512K
CPE VPN Network View: IPsec Connectivity (diagram)
• Tunnel-mode packet format: new IP header | IPsec header | IP header | IP data (IP header and IP data possibly encrypted)
• Path: CPE - L2 Access Network - L3 Access + Distribution + L3 Edge - Service Provider Network (IP routing / MPLS Traffic Engineering) - L3 Access + Distribution + L3 Edge - L2 Access Network - CPE
CPE VPN Network Topologies (diagrams)
• HUB and SPOKE topology: Site 1, Site 2, Site 3 and Site 4 connected across the Internet by IPsec tunnels in a hub-and-spoke arrangement
• Full Mesh topology: Site 1, Site 2, Site 3 and Site 4 connected across the Internet by IPsec tunnels between every pair of sites
CPE VPN - Dial-up VPN Client (diagram)
• Path: Dial-up Client - L2 Access Network - L3 Access + Distribution + L3 Edge - Service Provider Network - L3 Access + Distribution + L3 Edge - L2 Access Network - CPE
• Option 1: IP over PPP, carried in L2TP
• Option 2: IP over PPP, protected with IPSEC
CPE VPN Gateway Technologies
• IKE Daemons
  • Phase I, Phase II negotiations to generate/update IPSEC keys and set up Security Associations (IPsec tunnels)
  • Use of certificates vs. shared secret for authentication
  • Proposal exchange and agreement, exchange of proxy ids
• IPSEC Drivers
  • Handling of IP packets based on IP header and proxy ids
  • Encryption using IKE-negotiated keys and encryption algorithm
  • Encapsulation of IP packets using IPSEC headers
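The following added example (not Alcatel's code or any real IPsec stack) models the gateway split described on this slide and the tunnel-mode packet layout from the Network View slide. The IKE daemon is reduced to a function that hands the IPsec driver an already "negotiated" Security Association (SPI, keys, proxy ids); the driver classifies outbound packets against a policy database and the proxy ids, encapsulates them as new IP header | ESP header | encrypted inner packet | ICV, and on the inbound side checks the ICV and an anti-replay window before decrypting. The cipher is a stand-in keystream built from HMAC-SHA256, not the AES/3DES an IKE proposal would agree on, the "IP header" is shortened to the two addresses, and every address, key and SPI is a constructed sample value.

```python
"""Toy CPE VPN gateway: IKE output + IPsec driver (added example, constructed values)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

ICV_LEN = 12  # truncated ICV, as ESP does with HMAC-based integrity algorithms


@dataclass
class SecurityAssociation:
    spi: int
    local_gw: str            # outer (new IP header) endpoints
    peer_gw: str
    proxy_local: str         # proxy ids: traffic selectors agreed in IKE phase II
    proxy_remote: str
    enc_key: bytes
    auth_key: bytes
    seq: int = 0             # outbound sequence number
    highest_seq: int = 0     # inbound anti-replay state
    seen: set = field(default_factory=set)


def ike_phase2_result(local_gw, peer_gw, proxy_local, proxy_remote):
    """Stand-in for an IKE daemon's phase II output: constructed SPI and keys."""
    return SecurityAssociation(spi=0x1000, local_gw=local_gw, peer_gw=peer_gw,
                               proxy_local=proxy_local, proxy_remote=proxy_remote,
                               enc_key=b"constructed-enc-key-0001",
                               auth_key=b"constructed-auth-key-0001")


def example_sa_pair():
    """One SA per gateway for a HQ <-> branch tunnel (constructed addresses)."""
    hq = ike_phase2_result("198.51.100.1", "203.0.113.7", "10.1.0.0/16", "10.2.0.0/16")
    br = ike_phase2_result("203.0.113.7", "198.51.100.1", "10.2.0.0/16", "10.1.0.0/16")
    return hq, br


def example_spd(hq_sa):
    """Security Policy Database of the HQ gateway: branch traffic protected, web in clear."""
    return [("10.1.0.0/16", "10.2.0.0/16", "PROTECT", hq_sa),
            ("10.1.0.0/16", "0.0.0.0/0", "BYPASS", None)]


def build_inner(src, dst, payload):
    """Minimal stand-in for 'IP header + IP data': 4-byte src, 4-byte dst, data."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


def parse_inner(pkt):
    return str(ipaddress.ip_address(pkt[:4])), str(ipaddress.ip_address(pkt[4:8])), pkt[8:]


def selects(sa, src, dst, inbound=False):
    """Proxy-id check: the inner packet must fall inside the negotiated selectors."""
    local, remote = (dst, src) if inbound else (src, dst)
    return (ipaddress.ip_address(local) in ipaddress.ip_network(sa.proxy_local)
            and ipaddress.ip_address(remote) in ipaddress.ip_network(sa.proxy_remote))


def _keystream(key, spi, seq, length):
    # PRF in counter mode, keyed by (SPI, seq): a stand-in for the negotiated cipher.
    blocks = [hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def encapsulate(sa, inner):
    """Tunnel mode: new IP header | ESP header (SPI, seq) | encrypted inner | ICV."""
    sa.seq += 1
    outer = build_inner(sa.local_gw, sa.peer_gw, b"")
    esp_hdr = struct.pack(">II", sa.spi, sa.seq)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(sa.enc_key, sa.spi, sa.seq, len(inner))))
    icv = hmac.new(sa.auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return outer + esp_hdr + ct + icv


def decapsulate(sa, pkt, window=64):
    """Inbound driver path: outer addresses, ICV, anti-replay, decrypt, then selectors."""
    outer, esp_hdr, ct, icv = pkt[:8], pkt[8:16], pkt[16:-ICV_LEN], pkt[-ICV_LEN:]
    if parse_inner(outer)[:2] != (sa.peer_gw, sa.local_gw):
        return None
    spi, seq = struct.unpack(">II", esp_hdr)
    expected = hmac.new(sa.auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if spi != sa.spi or not hmac.compare_digest(icv, expected):
        return None                      # wrong SA or tampered: drop before decrypting
    if seq in sa.seen or seq + window <= sa.highest_seq:
        return None                      # replayed or outside the anti-replay window
    sa.seen.add(seq)
    sa.highest_seq = max(sa.highest_seq, seq)
    inner = bytes(a ^ b for a, b in zip(ct, _keystream(sa.enc_key, spi, seq, len(ct))))
    src, dst, _ = parse_inner(inner)
    return inner if selects(sa, src, dst, inbound=True) else None


def outbound(spd, src, dst, payload):
    """SPD lookup on the IP header: PROTECT via an SA, BYPASS in clear, else DISCARD."""
    inner = build_inner(src, dst, payload)
    for src_net, dst_net, action, sa in spd:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
            if action == "PROTECT" and selects(sa, src, dst):
                return encapsulate(sa, inner)
            return inner if action == "BYPASS" else None
    return None  # no matching policy: DISCARD
```

The ICV is verified before any decryption and the sequence number is recorded only after the ICV passes, so a forged or replayed packet cannot disturb the anti-replay state; the inbound selector check at the end is what stops a peer from injecting packets for address ranges its proxy ids did not cover.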
CPE VPN Gateway Differentiation & Success Factors - Today
• Number of concurrent IPSEC tunnels supported
  • Maps to memory and CPU required to maintain state for tunnels
  • Critical for dial-up scenarios and large numbers of branch offices
  • Critical for multi-tenant MAN service networks
• Throughput over the IPSEC tunnels
  • Maps to encryption/decryption speeds of the CPU/ASIC
  • Critical for the HUB site or in case of gigabit campus networks
  • Critical for gigabit IP access service networks
• Restoration of tunnels in case of VPN gateway failure
CPE VPN Gateway Differentiation & Success Factors - Future
• Enterprise market as a pure IP overlay VPN solution
  • Number of IPSEC tunnels, throughput over IPSEC tunnels, recovery
  • Dynamic membership of sites to a VPN for Site-Site VPNs
  • Integration with PKI infrastructure, AAA for VPN Clients
• Carrier/Service Provider market as a vehicle for IPVPN services
  • Integration of configuration with service provisioning solutions
  • Integration with IPVPN service functionality such as Firewall, QoS
  • Integration with data collection for services (assurance + billing)
CPE IPVPN: Vehicle for IPVPN Services (diagram)
• Sites over the Internet, each behind a Policy router: New York Headquarters (Web server, Corp. server), Geneva office, Tokyo office
• IS enterprise management with a Policy server
  • HR: WW users, adds/changes
  • IS Dept: US security policy mgmt.
  • IS Dept: Europe security policy mgmt.
  • IS Dept: Asia security policy mgmt.
• Service provider management: Billing data, SLA info., Installation team, Network team, Security team