Vpn1
-
Upload
mayank-vora -
Category
Technology
-
view
1.320 -
download
0
Transcript of Vpn1
04/12/23
Virtual Private NetworksVirtual Private Networks
Chen-Nee Chuah
Network Reading Group, Spring 99
04/12/23
VPNsVPNs
• Definition: A VPN is an emulation of a private wide area network (WAN) facility using IP facilities (including the public Internet, or private IP backbones).
• VPNs can be implemented in many ways:– Customer Premises Equipment (CPE) based solutions
– Network based solutions
04/12/23
MotivationsMotivations
• Need private communication networks for multiple sites => “private WANs”
• Two types of existing private networks:– dedicated WANs (permanently connected)
– dial network (on-demand connections through leased lines from PSTN network or dedicated ATM circuits).
• Running VPNs across Internet offers a cost-effective solution.
04/12/23
Can Internet Support VPNs?Can Internet Support VPNs?
• Customer requirements for VPNs– Support for opaque packet transport
– Support for data security
– Support for Quality of Service Guarantees
• Need some form of IP tunneling
04/12/23
CPE Vs. Network Based VPNsCPE Vs. Network Based VPNs
• Most current VPN implementations are based on CPE devices:– Firewalls
– WAN edge routers
– Specialized VPN termination devices
• Network based solution: VPN is implemented on network by Internet service provider (ISP)– Some mechanisms leverage tools that are applicable
only to ISPs rather than individual customers running special CPE devices.
04/12/23
Different VPN typesDifferent VPN types
• Virtual Leased Lines (VLLs)• Virtual Private Routed Networks (VPRNs)• Virtual Private LAN Segment (VPLSs)• Virtual Private Dial Networks (VPDNs)
04/12/23
Type I: Virtual Leased Lines (VLLs)Type I: Virtual Leased Lines (VLLs)
• VLL = IP tunnel forming a point-to-point link to emulate a physical leased line or dedicated connection.
• Require IP tunneling mechanism– forwarding disjoint from the address fields of the
encapsulated packets, allow opaque transport of frames as packet payload.
– e.g. IP/IP, GRE tunnels, L2TP (PPP packets), MPLS, and IPSec
04/12/23
VLLs: Tunneling Protocol Requirements VLLs: Tunneling Protocol Requirements
• Support for VLL Multiplexing– e.g. tunnel-id & call-id for L2TP, MPLS labels
• Support for a Signaling protocol– to negotiate tunnel attributes such as security level, IP
address of remote end points (e.g. MPLS’s LDP).
• Support for Data Security– allow customers to specify levels of security
• Support for Multi-protocol Transport• Support for Frame Sequencing
– required to guarantee in-order delivery of packets
04/12/23
VLLs:Protocol Requirements (continued)VLLs:Protocol Requirements (continued)
• Support for Tunnel Maintenance– establish, maintain and delete tunnel instances
• Support for Large MTUs– must allow frame fragmentation, either at IP level, or
within the tunnel (tunnel sequence number)
• Minimization of Tunnel Overhead– important for small, jitter and latency sensitive traffic
• Flow and congestion control issues– currently only L2TP does this, still open to research
• Traffic management issues– deliver guarantees e.g. loss rates, latency & bandwidth
04/12/23
VLLs: RecommendationsVLLs: Recommendations
• A modification of IKE/IPSec may be an optimal choice as a standard VLL tunneling mechanism– it has well defined signaling & multiplexing
capabilities
– it supports security
– close competitor: MPLS
• Using a single signaling protocol and associated data encapsulation is better than using multiple protocols in parallel.
04/12/23
Type II:Virtual Private Routed NetworksType II:Virtual Private Routed Networks
• A VPRN emulates a multi-site wide area routed network over IP, consisting of– a mesh of IP tunnels btw ISP routers & routing capabilities
– “stub” links connecting CPE routers to ISP routers
CPE
ISPISP
ISP
CPE
ISP edge router
IP tunnel
Stublink
Backuplink
Backdoor link
CPE
04/12/23
VPRNs (continued)VPRNs (continued)
• Benefit: Configuration of the CPE router is simplified. ISP edge router appears to be a “neighbor” router.
• The burden of tunnel establishment, maintenance and routing is on ISPs. Forwarding is done at the network layer (Layer 3).
• Each customer side CPE router is connected to an ISP edge router through one or more stub links (leased lines, ATM or Frame Relay)
• Each VPRN supports only a single network layer protocol.
04/12/23
VPRNs (continued)VPRNs (continued)• Issues need to be addressed
– Initial configuration/topology: need to determine set of routers that have members in VPRNs
– CPE routers need to determine set of IP address prefixes to be forwarded to an ISP edge router.
– ISP edge routers • need to determine the set of IP address prefixes that are
reachable via each stub link
• need to learn and disseminate stub reachability information among themselves.
• need VPN specific forwarding mechanisms to forward ingress traffic from stub links to next hop router, and to forward egress traffic from core network to stub links.
• Note: similar issues applied to VPLSs.
04/12/23
VPRN Generic RequirementsVPRN Generic Requirements• Unique VPN identifier to refer to a particular VPN
– unique across different ASs
• VPRN membership – configuration
– dissemination (directory lookup, explicit management configuration, piggybacking in routing protocols).
• Stub link reachability information– edge router must learn set of addresses/address prefixes
reachable via each stub link.
– Each CPE router needs to learn the destinations reachable by each stub link.
04/12/23
VPRN Generic Requirements (continued)VPRN Generic Requirements (continued)
• Intra-VPRN reachability information– need to be disseminated to other edge routers via one of
the following ways• directory lookup
• explicit configuration
• local intra-VPRN routing instantiations
• link reachability protocol
• piggybacking in IP backbone routing protocols.
• Tunneling mechanism (like VLLs)– Edge router must construct necessary tunnels to other
routers in the VPRN, encapsulate/decapsulate and send/receive packets over the tunnel
04/12/23
VPRNs: Multicast supportVPRNs: Multicast support
Multicast & broadcast traffic can be supported by• Edge replication:
– edge router replicates multicast traffic for transmission across each link in the VPRN
• Native multicast support– VPRN edge routers map intra-VPN multicast traffic
onto a native IP multicast distribution mechanism across the backbone.
04/12/23
VPRNs: RecommendationsVPRNs: Recommendations
• There are proposals to adapt routing protocols to carry VPN information to support router piggybacking mechanisms. (e.g. MPLS)
• Downside: some ISPs prefer not to couple VPN membership and reachability with backbone routing protocols.
04/12/23
Type III:Virtual Private LAN SegmentType III:Virtual Private LAN Segment
• A VPLS emulates a LAN segment over IP. – equivalent to VPRN, except now IP tunnels extend all
the way to CPE routers, and ISP edge routers provide Link Layer bridging (layer 2 connectivity alone).
ISPISP
ISP
CPE
ISP edge router
IP tunnel
Backdoor link
CPE
CPE
04/12/23
VPLS: Requirements & RecommendationsVPLS: Requirements & Recommendations
• Very similar to VPRNs • Unlike VPRNs, CPE nodes can either be bridges
or routers– nature of CPE (bridge Vs router) impacts nature of
encapsulation, addressing, forwarding and reachability protocols within the VPLS.
• Advantage: protocol transparency. • Commonality btw VPRNs and VPLSs can be
exploited to reduce complexity.
04/12/23
Type IV: Virtual Private Dial NetworksType IV: Virtual Private Dial Networks
• A VPDN allows for remote users to connect on demand into remote sites through an hoc tunnels.– E.g. PPP connections to network access server
• Strong binding btw a particular user and a central side requires authentication & security
• L2TP (Layer 2 Tunneling Protocol) allows user PPP sessions from L2TP access concentrator (LAC) to a remote L2TP network server (LNS)
04/12/23
VPDNs (continued)VPDNs (continued)
• Support compulsory tunneling– a dial or network access server (LAC), extends a PPP
session across a backbone using L2TP to a remote LNS.
• Other issues:– Call Routing
– Security mechanism
– Traffic management
– Call multiplexing
– Address management
– Support for large MTUs
04/12/23
VPDNs (continued)VPDNs (continued)
• Voluntary Tunnels– an individual host connects to a remote site using a
tunnel originating on the host, with no involvement from intermediate network nodes.
• Networked Host Support– existing PPP based dial model assumes connection
oriented dial access network
– want to accommodate existing AAAA infrastructure within service providers
• extend PPP to hosts through L2TP
• extend PPP directly to hosts
• use of IPSec
04/12/23
VPDNs: RecommendationVPDNs: Recommendation
• L2TP specifications are being finalized to support VPDNs using compulsory tunneling.
• Further study need to be done to determine the best solution for voluntary tunneling– PPP based solution or
– IPSec based mechanism.
04/12/23
SummarySummary
• Further standardization efforts needed in defining– a generic VPN tunneling protocol
– a globally unique VPN identifier
– a VPN membership information configuration and dissemination mechanism
• Further study is needed to address– security issues
– scalability of membership configuration and dissemination mechanism
04/12/23
QoS Guarantees in VPNsQoS Guarantees in VPNs
• Goal: obtain differentiated & dependable QoS for flows belonging to a VPN
• 2 performance service abstractions: Pipe & Hose– A pipe provides performance guarantees for traffic btw
A specific origin and destination pair
– A hose provides performance guarantees btw an origin and a set of destinations, and btw a node and a set of origins, i.e. it’s characterized by the “aggregate” traffic coming from or going into the VPN.
04/12/23
QoS SupportQoS Support
• Service Level Agreement (SLA) btw a customer & a service provider– traffic characteristics and QoS requirements
• Two ways to support different QoS classes within VPN:– resources are managed on a VPN specific basis, i.e.
SLAs would be for the overall VPN rather than for each specific QoS class
• Schedule only at the edges
• Mark packets and schedule within the core
– resources are managed on an individual QoS basis
04/12/23
SummarySummary
• Different choices for the implementation of hoses in VPNs– integrated service framework (controlled load,
guaranteed load) with signaling protocol like RSVP
– differentiated service framework (DS byte of IP header)
– MPLS environment (LSP tree)
• Security– IPSec is recommended. The only limitation is
scalability.