Virtual Private Network - the Netgroup at Politecnico di Torino
Virtual Private Network - the Netgroup at Politecnico di Torino
Virtual Private Network - the Netgroup at Politecnico di Torino
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
VPN<br />
<strong>Virtual</strong> <strong>Priv<strong>at</strong>e</strong> <strong>Network</strong><br />
Mario Bal<strong>di</strong> & Luigi Ciminiera<br />
<strong>Politecnico</strong> <strong>di</strong> <strong>Torino</strong><br />
VPN - 1 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Nota <strong>di</strong> Copyright<br />
This set of transparencies, hereinafter referred to as slides, is protected by<br />
copyright laws and provisions of Intern<strong>at</strong>ional Tre<strong>at</strong>ies. The title and copyright<br />
regar<strong>di</strong>ng <strong>the</strong> slides (inclu<strong>di</strong>ng, but not limited to, each and every image,<br />
photography, anim<strong>at</strong>ion, video, au<strong>di</strong>o, music and text) are property of <strong>the</strong><br />
authors specified on page 1.<br />
The slides may be reproduced and used freely by research institutes, schools<br />
and Universities for non-profit institutional purposes. In such cases, no<br />
authoriz<strong>at</strong>ion is requested.<br />
Any total or partial use or reproduction (inclu<strong>di</strong>ng, but not limited to,<br />
reproduction on magnetic me<strong>di</strong>a, computer networks, and printed reproduction)<br />
is forbidden, unless explicitly authorized by <strong>the</strong> authors by means of written<br />
license.<br />
Inform<strong>at</strong>ion included in <strong>the</strong>se slides is deemed as accur<strong>at</strong>e <strong>at</strong> <strong>the</strong> d<strong>at</strong>e of<br />
public<strong>at</strong>ion. Such inform<strong>at</strong>ion is supplied for merely educ<strong>at</strong>ional purposes and<br />
may not be used in designing systems, products, networks, etc. In any case,<br />
<strong>the</strong>se slides are subject to changes without any previous notice. The authors do<br />
not assume any responsibility for <strong>the</strong> contents of <strong>the</strong>se slides (inclu<strong>di</strong>ng, but not<br />
limited to, accuracy, completeness, enforceability, upd<strong>at</strong>ed-ness of inform<strong>at</strong>ion<br />
hereinafter provided).<br />
In any case, accordance with inform<strong>at</strong>ion hereinafter included must not be<br />
declared.<br />
In any case, this copyright notice must never be removed and must be reported<br />
even in partial uses.<br />
VPN - 2 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
A Definition<br />
<strong>Virtual</strong> <strong>Priv<strong>at</strong>e</strong> <strong>Network</strong><br />
Customer connectivity deployed on a shared infrastructure<br />
such th<strong>at</strong> policies can be enforced as in a priv<strong>at</strong>e network<br />
• Shared infrastructure:<br />
• <strong>Priv<strong>at</strong>e</strong>/public network<br />
• e.g., <strong>the</strong> one of an Internet Service Provider<br />
• IP<br />
• Frame Relay<br />
• ATM<br />
• The Internet<br />
• Policies<br />
Secure<br />
communic<strong>at</strong>ion<br />
• Security, Quality of Service (QoS), reliability,<br />
addressing, etc.<br />
VPN - 3 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
An example<br />
Tra<strong>di</strong>tional solution<br />
VPN solution<br />
VPN - 4 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Why VPN?<br />
VPNs enable cutting costs with respect to<br />
expensive connectivity solutions<br />
<strong>Priv<strong>at</strong>e</strong> <strong>Network</strong>s are based on<br />
• <strong>Priv<strong>at</strong>e</strong> leased lines<br />
• Long <strong>di</strong>stance <strong>di</strong>al-up solutions<br />
VPN - 5 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
An example<br />
VPN - 6 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Why VPN?<br />
VPN enable selective and flexible access to<br />
corpor<strong>at</strong>e network<br />
• Limited services available to external users<br />
• High security<br />
• Few services allowed through firewall<br />
• All intranet functionalities available to<br />
corpor<strong>at</strong>e users accessing from <strong>the</strong> Internet<br />
• VPN connection allowed through firewall<br />
• Services available as on <strong>the</strong> corpor<strong>at</strong>e network<br />
VPN - 7 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Example<br />
VPN - 8 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Example<br />
VPN - 9 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN Flavors<br />
• Access VPN or remote VPN or virtual <strong>di</strong>al in<br />
• Connect terminal to remote network<br />
• <strong>Virtual</strong>izes (<strong>di</strong>al-up) access connection<br />
• e.g., ISDN, PSTN, cable, DSL<br />
• PPTP, L2TP<br />
• Site-to-site VPN<br />
• Connect remote networks<br />
• <strong>Virtual</strong>izes leased line<br />
• IPsec, GRE, MPLS<br />
VPN - 10 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN Deployment Scenarios<br />
• Intranet VPN<br />
• Interconnection of corpor<strong>at</strong>e headquarters,<br />
remote offices, branch offices<br />
• Extranet VPN<br />
• Interconnection of customers, suppliers,<br />
partners, or communities of interest to a<br />
corpor<strong>at</strong>e intranet<br />
• Remote user access<br />
• Telecommuter<br />
• Traveling employee<br />
• Customer/partner/provider<br />
VPN - 11 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Intranet VPN and Extranet VPN<br />
• Site-to-site VPN<br />
• Shared infrastructure<br />
• Nework of a service provider<br />
• Two or more service provider networks<br />
• The Internet<br />
• Access to shared infrastructure<br />
• ADSL<br />
• Leased line<br />
• Fiber<br />
• E<strong>the</strong>rnet<br />
• Technologies<br />
• IPsec<br />
• GRE<br />
• MPLS<br />
VPN - 12 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Intranet characteristics<br />
• Secure communic<strong>at</strong>ion<br />
• Secure communic<strong>at</strong>ion channels between <strong>the</strong><br />
<strong>di</strong>fferent sites<br />
• Strong d<strong>at</strong>a encryption<br />
• To protect inform<strong>at</strong>ion transmitted over <strong>the</strong><br />
shared infrastructure<br />
• Reliability<br />
• Inclu<strong>di</strong>ng prioritiz<strong>at</strong>ion of mission critical traffic<br />
• Scalability<br />
• To accommod<strong>at</strong>e new sites, new users and<br />
new applic<strong>at</strong>ions<br />
VPN - 13 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN implementing an intranet<br />
Public server<br />
• email<br />
•File server<br />
•WWW<br />
sales<br />
Remote site<br />
finance<br />
IT<br />
Internet<br />
VPN - 14 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Extranet VPN<br />
• Restricted access to network resources from<br />
interconnected networks<br />
• Firewall <strong>at</strong> <strong>the</strong> VPN<br />
• Address clash<br />
• <strong>Network</strong> address transl<strong>at</strong>ion<br />
• Open, standard-based solution<br />
• Enables interoperability among <strong>di</strong>fferent<br />
organiz<strong>at</strong>ions<br />
• Traffic control<br />
• To elimin<strong>at</strong>e bottlenecks <strong>at</strong> network access<br />
points<br />
VPN - 15 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN implementing an extranet<br />
Customers<br />
Public server<br />
• email<br />
•File server<br />
•WWW<br />
sales<br />
finance<br />
suppliers<br />
Internet<br />
IT<br />
VPN - 16 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Remote User Access<br />
• Shared infrastructure<br />
• Nework of a service provider<br />
• The Internet<br />
• Access to <strong>the</strong> shared infrastructure<br />
• ISDN, PSTN<br />
• Cable modem, DSL<br />
• Wireless LAN (host spot)<br />
• Technologies<br />
• PPTP<br />
• L2TP<br />
• IPsec<br />
• Implemented by user’s access device<br />
VPN - 17 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Remote access VPN characteristics<br />
• Strong au<strong>the</strong>ntic<strong>at</strong>ion<br />
• to verify mobile users’ identity as much<br />
accer<strong>at</strong>e as possible<br />
• Centralized management<br />
• because all <strong>the</strong> remote users belong to <strong>the</strong><br />
same organiz<strong>at</strong>ion<br />
• Scalability<br />
• for managing a very large number of users<br />
VPN - 18 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Example of intranet VPN<br />
VPN - 19 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Example of extranet VPN<br />
VPN - 20 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Internet Access<br />
• Centralized (compulsory connection)<br />
• Remote branches use IP network only to reach<br />
headquartes<br />
• Internet access only from headquarters<br />
• VPN carries also traffic to and from <strong>the</strong> Internet<br />
• Centralized access control<br />
• Firewall<br />
• Distributed (voluntary connection)<br />
• Any branch accesses Internet through <strong>the</strong> IP<br />
network<br />
• VPN is deployed only for corpor<strong>at</strong>e traffic<br />
VPN - 21 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Centralized Internet Access<br />
INTERNET<br />
Headquarters<br />
RouterA<br />
ISP Backbone<br />
Router<br />
B<br />
Router<br />
C<br />
Remote branch<br />
VPN - 22 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Distributed Internet Access<br />
INTERNET<br />
Headquarters<br />
RouterA<br />
ISP Backbone<br />
Router<br />
B<br />
Remote branch<br />
VPN - 23 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN Models<br />
• Overlay Model<br />
• IPSec-based (managed) service<br />
• Many separ<strong>at</strong>e highly meshed tunnels<br />
• Each VPN g<strong>at</strong>eway must know every<br />
o<strong>the</strong>r VPN g<strong>at</strong>eway<br />
• Routing is performed by <strong>the</strong> VPN<br />
g<strong>at</strong>eways<br />
• The network oper<strong>at</strong>or does not know <strong>the</strong><br />
actual destin<strong>at</strong>ion of VPN packets<br />
• The oper<strong>at</strong>or just provides <strong>the</strong><br />
possibility to move <strong>the</strong> packet to <strong>the</strong><br />
next VPN g<strong>at</strong>eway<br />
VPN - 24 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN Models<br />
• Peer Model<br />
• MPLS network<br />
• Each VPN g<strong>at</strong>eway knows only its peer public<br />
router<br />
• Exchange of routing inform<strong>at</strong>ion<br />
• Service provider network <strong>di</strong>ssemin<strong>at</strong>es routing<br />
inform<strong>at</strong>ion<br />
• Public network routes traffic between g<strong>at</strong>eways<br />
of <strong>the</strong> same VPN<br />
Model Overlay Peer<br />
Access<br />
L2TP, PPTP<br />
Site-to-site IPSec, GRE MPLS<br />
VPN - 25 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Provi<strong>di</strong>ng a VPN<br />
Site 3<br />
CE Customer Edge<br />
PE Provider Edge<br />
CE<br />
Site 1<br />
CE<br />
PE<br />
PE<br />
PE<br />
CE<br />
Site 5<br />
Backdoor<br />
link<br />
PE<br />
PE<br />
CE<br />
CE<br />
Site 2<br />
Site 4<br />
VPN - 26 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Provider provisioned and customer<br />
provisioned VPN<br />
• Provider provisioned<br />
• VPN st<strong>at</strong>e maintained by <strong>the</strong> provider<br />
• Different VPNs are separ<strong>at</strong>ed by <strong>the</strong> provider<br />
• CE may behave as if it were connected to a<br />
priv<strong>at</strong>e network<br />
• PE tunnel endpoints<br />
• Customer provisioned<br />
• <strong>Network</strong> provider is not aware th<strong>at</strong> <strong>the</strong> traffic<br />
gener<strong>at</strong>ed by CE is VPN<br />
• All VPN procedures implemented in CEs<br />
VPN - 27 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Multiple VPNs<br />
Site 3<br />
CE<br />
Site 1<br />
CE<br />
PE<br />
PE<br />
PE<br />
CE<br />
Site 5<br />
PE<br />
PE<br />
CE<br />
CE<br />
Site 2<br />
Site 4<br />
VPN - 28 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Layer 2 VPNs<br />
• <strong>Virtual</strong> <strong>Priv<strong>at</strong>e</strong> LAN Service<br />
• Emul<strong>at</strong>es full functionalities of LAN<br />
• Several LAN segments are connected and behave<br />
as single LAN over a packet-switched network<br />
• Provider emul<strong>at</strong>es learning bridges, and forwar<strong>di</strong>ng<br />
decisions on MAC addr. & VLAN tag<br />
• <strong>Virtual</strong> <strong>Priv<strong>at</strong>e</strong> Wire Service<br />
• Emul<strong>at</strong>es a leased line over packet switched net<br />
• IP-Only LAN-like Service<br />
• CEs are routers or hosts and not switches<br />
• Only IP (ICMP and ARP) packets allowed<br />
VPN - 29 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Layer 3 and 4 VPNs<br />
• Layer 3<br />
• Forwar<strong>di</strong>ng decisions based on layer 3<br />
addresses<br />
• CEs are ei<strong>the</strong>r routers or hosts<br />
• Layer 4<br />
• VPN built using TCP connections<br />
• Security achieved with SSL or similar<br />
techniques<br />
VPN - 30 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
A Tassonomy of VPN Technologies<br />
VPN<br />
Overlay Model<br />
Peer Model<br />
Layer 2<br />
VPN<br />
Layer 3<br />
VPN<br />
Layer 4<br />
VPN<br />
De<strong>di</strong>c<strong>at</strong>ed<br />
Router<br />
MPLS<br />
Shared<br />
Router<br />
Frame<br />
Relay ATM MPLS IPsec PPTP<br />
GRE L2TP<br />
SSL<br />
BGP<br />
VR<br />
CE Based<br />
Provider Provisioned<br />
VPN - 31 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
(<strong>Virtual</strong>) VPN Topologies<br />
• Hub and spoke<br />
• Each branch communic<strong>at</strong>es <strong>di</strong>rectly with<br />
headquarters<br />
• Fits to d<strong>at</strong>a flow of many corpor<strong>at</strong>ions<br />
• Mainframe or d<strong>at</strong>a-center centered<br />
• Routing is sub-optimal<br />
• Small number of tunnels<br />
• Hard to manually configure<br />
• Hub could become bottleneck<br />
• Mesh<br />
• Larger number of tunnels<br />
• Easier to manually configure<br />
• Optimized routing<br />
VPN - 32 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN Components<br />
VPN - 33 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Tunneling<br />
A packet (or frame) is carried through an IP<br />
network within an IP packet<br />
IP network<br />
(e.g., Internet)<br />
Tunnel end-point X<br />
Tunnel<br />
Tunnel end-point Y<br />
IP Header<br />
from X to Y<br />
Header<br />
Payload<br />
• An IP packet within an IP packet (IP-in-IP)<br />
• GRE, IPsec<br />
• A layer 2 frame, within an IP packet<br />
• PPTP, L2TP<br />
VPN - 34 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Tunneling<br />
• A and B are enterprise addresses<br />
• Not necessarily public<br />
• Tunneling enables oper<strong>at</strong>ion<br />
• Tunneling by itself does not ensure security<br />
A<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
VPN g<strong>at</strong>eway X<br />
Internet<br />
Tunnel<br />
VPN g<strong>at</strong>eway Y<br />
B<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
IP Header<br />
from X to Y<br />
Header<br />
from A to B<br />
Payload<br />
VPN - 35 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Tunnel to End-Systems<br />
10.1.1.2<br />
130.192.3.2<br />
corp. net<br />
VPN GW assigns<br />
10.2.1.3<br />
Public<br />
internet<br />
tunnel<br />
30.1.1.1<br />
Tunnel endpoints: 130.192.3.2 – 30.1.1.1<br />
Connection endpoints: 10.2.1.3 – 10.1.1.2<br />
10.2.1.3<br />
VPN - 36 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
GRE<br />
• Generic Routing Encapsul<strong>at</strong>ion<br />
• Encapsul<strong>at</strong>ion (tunneling) of any<br />
protocol (inclu<strong>di</strong>ng IP) into IP<br />
• Header version 0<br />
MAC header IP header GRE header D<strong>at</strong>a :::<br />
IP Protocol 47<br />
0 8 16 24 31<br />
C R K S s Recur Flags Version Protocol<br />
Checksum (optional)<br />
Key (optional)<br />
Sequence Number (optional)<br />
Routing (optional)<br />
Protocol Family<br />
PTYPE<br />
--------------- -----<br />
Reserved 0000<br />
SNA 0004<br />
OSI network layer<br />
00FE<br />
PUP 0200<br />
XNS 0600<br />
IP 0800<br />
Chaos 0804<br />
RFC 826 ARP 0806<br />
Frame Relay ARP 0808<br />
VINES<br />
0BAD<br />
VINES Echo<br />
0BAE<br />
VINES Loopback<br />
0BAF<br />
DECnet (Phase IV) 6003<br />
Transparent E<strong>the</strong>rnet Bridging 6558<br />
Raw Frame Relay 6559<br />
Apollo Domain 8019<br />
E<strong>the</strong>rtalk (Appletalk)<br />
809B<br />
Novell IPX 8137<br />
RFC 1144 TCP/IP compression 876B<br />
IP Autonomous Systems<br />
876C<br />
Secure D<strong>at</strong>a<br />
876D<br />
Reserved<br />
FFFF<br />
Offset (optional)<br />
VPN - 37 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Header fields<br />
• C, R, K, S<br />
• Flags in<strong>di</strong>c<strong>at</strong>ing <strong>the</strong> presence/absence of optional<br />
fields<br />
• s<br />
• strict source routing flag (if <strong>the</strong> destin<strong>at</strong>ion is not<br />
reached when <strong>the</strong> source route list end, <strong>the</strong> packet<br />
is dropped)<br />
• Recur<br />
• Max. number of ad<strong>di</strong>tional encapsul<strong>at</strong>ion permitted<br />
(must be 0)<br />
• Protocol<br />
• ID of <strong>the</strong> payload protocol<br />
• Routing<br />
• Sequence of IP addr. or ASs for source routing.<br />
VPN - 38 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
IPv4 Encapsul<strong>at</strong>ion and Routing<br />
Inform<strong>at</strong>ion<br />
• IP Address List: source routing<br />
inform<strong>at</strong>ion<br />
• List of routers or ASs to traverse<br />
• SRE Offset: byte of IP address of current<br />
next hop<br />
• Upd<strong>at</strong>ed <strong>at</strong> each source route hop<br />
• SRE Length: total address list length (in<br />
bytes)<br />
0 8 16 24 31<br />
C 0( reserved) 0 (ver) Protocol Type<br />
Checksum (Optional)<br />
Address Family SRE Offset SRE Length<br />
IP Address List :::<br />
Reserved (Optional)<br />
VPN - 39 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Enhanced GRE (version 1)<br />
• Deployed by PPTP<br />
• Acknowledgment Number<br />
• Delivery of packets by remote end-point can be<br />
notified<br />
ack. flag<br />
0 8 16 24 31<br />
C R K S s Recur A Flags 1 (ver) Protocol Type<br />
Key (HW) Payload Length<br />
Key (LW) Call ID<br />
Sequence Number (Optional)<br />
Acknowledgment Number (Optional)<br />
VPN - 40 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
New fields<br />
• Key (high 16 bit)<br />
• Payload length: no. of bytes exclu<strong>di</strong>ng GRE<br />
header<br />
• Key (low 16 bit)<br />
• Call ID: session ID for this packet<br />
• Sequence number<br />
• Present if <strong>the</strong> S flag is set<br />
• Acknowledge number<br />
• Highest sequence number of a GRE packet<br />
received for this session (cumul<strong>at</strong>ive ack)<br />
VPN - 41 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
O<strong>the</strong>r mechanisms in GRE<br />
• Flow control<br />
• Sli<strong>di</strong>ng window mechanism<br />
• Out-of-order packets<br />
• Discarded, because PPP admits lost packets,<br />
but cannot handle out-of-order packets<br />
• Timeout values<br />
• Re-computed each time an ack packet is<br />
received<br />
• Congestion control<br />
• Timeouts do not cause re-transmission<br />
• Used only to move sli<strong>di</strong>ng window<br />
• Their value should be rapidly increased<br />
VPN - 42 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Access VPN: Two Deployment Modes<br />
VPN - 43 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Provider Provisioned Deployment Mode<br />
1. Remote user initi<strong>at</strong>es PPP connection with<br />
NAS th<strong>at</strong> accepts <strong>the</strong> call<br />
2. NAS identifies remote user<br />
3. NAS initi<strong>at</strong>es L2TP or PPTP tunnel to desired<br />
corpor<strong>at</strong>e g<strong>at</strong>eway (access server)<br />
4. Corporare g<strong>at</strong>eway au<strong>the</strong>ntic<strong>at</strong>es remote<br />
user accor<strong>di</strong>ng to corpor<strong>at</strong>e security policy<br />
5. Corpor<strong>at</strong>e g<strong>at</strong>eway confirms acceptance of<br />
tunnel<br />
6. NAS logs acceptance and/or traffic (optional)<br />
7. Corpor<strong>at</strong>e g<strong>at</strong>eway performs PPP<br />
negoti<strong>at</strong>ions with remote users (e.g.,<br />
IPaddress assignment)<br />
8. End-to-end d<strong>at</strong>a tunneled between user and<br />
corpor<strong>at</strong>e g<strong>at</strong>eway<br />
VPN - 44 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Highlights of <strong>Virtual</strong> Dial-Up<br />
• Au<strong>the</strong>ntic<strong>at</strong>ion/Security<br />
• Performed by VPN G<strong>at</strong>eway<br />
• Policies and inform<strong>at</strong>ion of <strong>the</strong> corpor<strong>at</strong>e<br />
network<br />
• Authoriz<strong>at</strong>ion<br />
• Performed by <strong>the</strong> VPN G<strong>at</strong>eway<br />
• Policies and inform<strong>at</strong>ion of <strong>the</strong> corpor<strong>at</strong>e<br />
network<br />
• Address alloc<strong>at</strong>ion<br />
• Corpor<strong>at</strong>e addresses are dynamically alloc<strong>at</strong>ed<br />
• Same access as when <strong>di</strong>rectly connected<br />
VPN - 45 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Access VPN: Two Protocols<br />
• L2TP (Layer 2 Tunneling Protocol)<br />
• Not widely implemented in terminals<br />
• Idependent of layer 2 protocol<br />
• Security through IPsec<br />
• Strong<br />
• But complic<strong>at</strong>ed<br />
• PPTP (Point-to-Point Tunneling Protocol)<br />
• Originally proposed by Microsoft, Apple, …<br />
• Integr<strong>at</strong>ed in <strong>the</strong> <strong>di</strong>al-up networking<br />
• Multiprotocol<br />
• Weak encryption and au<strong>the</strong>ntic<strong>at</strong>ion<br />
• Proprietary key management<br />
VPN - 46 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Layer 2 Tunneling Protocol<br />
Original Reference Scenario<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
PPP<br />
LAC<br />
L2TP Tunnel<br />
Control Connection<br />
LNS<br />
INTERNET<br />
L2TP Session<br />
Provider provisioned deployment mode<br />
VPN - 47 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Layer 2 Tunneling Protocol<br />
• Tunneling between public network access<br />
point and corpor<strong>at</strong>e network<br />
• Also wholesale <strong>di</strong>al-up services<br />
• Between access provider and Internet Service<br />
Provider<br />
• L2TP Access Concentr<strong>at</strong>or (LAC)<br />
• <strong>Network</strong> access device supporting L2TP<br />
• NAS (<strong>Network</strong> Access Server)<br />
• L2TP <strong>Network</strong> Server (LNS)<br />
• Corpor<strong>at</strong>e (VPN) G<strong>at</strong>eway<br />
• CPE based deployment mode by inclu<strong>di</strong>ng<br />
LAC functionalities within user terminal<br />
VPN - 48 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
L2TP Header<br />
• Control Message<br />
• D<strong>at</strong>a Message<br />
PPP Frame<br />
L2TP D<strong>at</strong>a Message<br />
L2TP D<strong>at</strong>a Channel<br />
unreliable<br />
L2TP Control Message<br />
L2TP Control Channel<br />
reliable<br />
Packet Transport (UDP porta 1701, FR, ATM, etc.)<br />
T<br />
Description<br />
0 D<strong>at</strong>a message.<br />
MAC header IP header UDP header L2TP header D<strong>at</strong>a :::<br />
1 Control message.<br />
0 8 16 24 31<br />
T L 0 S 0 O P 0 Version Length<br />
Tunnel ID<br />
Ns<br />
Session ID<br />
Nr<br />
Offset Size Offset Pad :::<br />
D<strong>at</strong>a :::<br />
VPN - 49 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Header fields<br />
• L, S, O<br />
• Flags in<strong>di</strong>c<strong>at</strong>ing whe<strong>the</strong>r <strong>the</strong> fields length, Ns & Nr<br />
and offset are present<br />
• For control messages L=S=1 and O=0<br />
• P<br />
• Priority flag, if set, <strong>the</strong> priority is high<br />
• Ver<br />
• Version, must be 2<br />
• Tunnel ID<br />
• Recipient’s ID of <strong>the</strong> control connection (local<br />
meaning)<br />
• Session ID<br />
• Recipient’s ID of <strong>the</strong> session within <strong>the</strong> same tunnel<br />
(local meaning)<br />
VPN - 50 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
O<strong>the</strong>r header fields<br />
• Ns<br />
• Nr<br />
• Sequence number of <strong>the</strong> d<strong>at</strong>a or control<br />
message<br />
• Sequence number of <strong>the</strong> next control message<br />
to be received (i.e. last Ns received in order +1<br />
modulus 2 16<br />
• Offset<br />
• Number of bytes, past <strong>the</strong> header, where <strong>the</strong><br />
payload d<strong>at</strong>a starts<br />
VPN - 51 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
L2TP Oper<strong>at</strong>ions<br />
1. Establishing a control connection for a<br />
tunnel between LAC and LNS<br />
2. Establishing a session triggered by an<br />
incoming or outgoing call request<br />
• The control connection must be established<br />
before a connection request is sent<br />
• A session must be established before<br />
tunnelling PPP frames<br />
VPN - 52 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Tunnels and sessions<br />
• Multiple sessions may exist within <strong>the</strong> same<br />
tunnel<br />
• Multiple tunnels may be established between<br />
<strong>the</strong> same LAC and LNS<br />
session<br />
session<br />
CC<br />
tunnel<br />
session<br />
session<br />
CC<br />
LAC<br />
LNS<br />
PPP frames<br />
VPN - 53 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Establishing a tunnel<br />
• It is possible to au<strong>the</strong>ntic<strong>at</strong>e <strong>the</strong> o<strong>the</strong>r peer<br />
• A shared secret must exist between LAC and<br />
LNS<br />
• L2TP uses a CHAP-like mechanism<br />
• A challenge is proposed to <strong>the</strong> o<strong>the</strong>r peer<br />
• The correct answer to <strong>the</strong> challenge requires<br />
<strong>the</strong> shared secret<br />
• The tunnel endpoints exchange <strong>the</strong> local ID<br />
<strong>at</strong>tributed to <strong>the</strong> tunnel<br />
VPN - 54 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Establishing sessions<br />
• A session may be established only when a<br />
control connection is already in place<br />
• Each session is a <strong>di</strong>fferent flow of PPP frames<br />
• LAC may request incoming calls<br />
• LNS may request outgoing calls<br />
• The two session parties exchange <strong>the</strong> local<br />
session IDs<br />
VPN - 55 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Sequence numbers<br />
• D<strong>at</strong>a connections use sequence number only<br />
to detect d<strong>at</strong>a loss<br />
• No re-transmission is used for d<strong>at</strong>a streams<br />
• No ack is used in d<strong>at</strong>a streams (PPP can<br />
handle this)<br />
• Control packets use ack and re-transmission<br />
• Selective repe<strong>at</strong><br />
• Tx and Rx windows set to 32k<br />
VPN - 56 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Security issues<br />
• Tunnel endpoint security<br />
• Au<strong>the</strong>ntic<strong>at</strong>ion is assured only during tunnel<br />
establishing phase<br />
• A user who can snoop traffic, can easily inject<br />
packets in a session<br />
• Tunnel and session IDs should be selected in<br />
an unpre<strong>di</strong>ctable way (no sequentially)<br />
• Packet level security<br />
• Encryption,au<strong>the</strong>ntic<strong>at</strong>ion and integrity must<br />
be provided by <strong>the</strong> transport mechanisms<br />
• End-to-end security<br />
• Provided by <strong>the</strong> transport mechanism (e.g.<br />
IPsec)<br />
VPN - 57 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Point-to-Point Tunneling Protocol<br />
Original Reference Scenario<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
PPTP Tunnel<br />
Control Connection<br />
PNS<br />
INTERNET<br />
PPTP Session<br />
CPE based deployment mode<br />
VPN - 58 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Point-to-Point Tunneling Protocol<br />
(PPTP)<br />
• Adopted by IETF (RFC 2637)<br />
• Implements tunnels for PPP frames over<br />
packet switched networks<br />
• Microsoft Encryption: MPPE<br />
• Microsoft Au<strong>the</strong>ntic<strong>at</strong>ion: MS CHAP<br />
• PPTP <strong>Network</strong> Server (PNS)<br />
• Corpor<strong>at</strong>e (VPN) g<strong>at</strong>eway<br />
• PPTP Access Concentr<strong>at</strong>or (PAC)<br />
• For provider provisioned deployment mode<br />
VPN - 59 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
PPTP Connections<br />
• PPTP D<strong>at</strong>a Tunneling<br />
• D<strong>at</strong>a transport<br />
• PPP tunneling<br />
• GRE (of PPP over IP)<br />
• Control Connection<br />
• Tunnel d<strong>at</strong>a session setup, management, and<br />
tear-down<br />
• TCP encapsul<strong>at</strong>ion<br />
• PNS port 1723<br />
VPN - 60 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
PPTP Header<br />
Length<br />
Magic cookie<br />
D<strong>at</strong>a :::<br />
Message type<br />
Value<br />
Control Message<br />
1 Start-Control-Connection-Request.<br />
2 Start-Control-Connection-Reply.<br />
3 Stop-Control-Connection-Request.<br />
4 Stop-Control-Connection-Reply.<br />
5 Echo-Request.<br />
6 Echo-Reply.<br />
7 Outgoing-Call-Request.<br />
8 Outgoing-Call-Reply.<br />
9 Incoming-Call-Request.<br />
10 Incoming-Call-Reply.<br />
11 Incoming-Call-Connected.<br />
12 Call-Clear-Request.<br />
13 Call-Disconnect-Notify.<br />
14 WAN-Error-Notify.<br />
VPN - 61 15 Set-Link-Info.<br />
© M. Bal<strong>di</strong> & L. Ciminiera: see page 2
IP sec and site-to-site VPN<br />
VPN - 62 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Au<strong>the</strong>ntic<strong>at</strong>ion Header Protocol<br />
(AH)<br />
• provides source<br />
au<strong>the</strong>ntic<strong>at</strong>ion, d<strong>at</strong>a integrity,<br />
no confidentiality<br />
• AH header inserted between<br />
IP header, d<strong>at</strong>a field.<br />
• protocol field: 51<br />
• interme<strong>di</strong><strong>at</strong>e routers process<br />
d<strong>at</strong>agrams as usual<br />
AH header includes:<br />
• connection identifier<br />
• au<strong>the</strong>ntic<strong>at</strong>ion d<strong>at</strong>a: sourcesigned<br />
message <strong>di</strong>gest<br />
calcul<strong>at</strong>ed over original IP<br />
d<strong>at</strong>agram.<br />
• next header field: specifies<br />
type of d<strong>at</strong>a (e.g., TCP, UDP,<br />
ICMP)<br />
IP header<br />
AH header<br />
d<strong>at</strong>a (e.g., TCP, UDP segment)<br />
VPN - 63 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
ESP protocol<br />
• provides secrecy, host<br />
au<strong>the</strong>ntic<strong>at</strong>ion, d<strong>at</strong>a integrity.<br />
• d<strong>at</strong>a, ESP trailer encrypted.<br />
• next header field is in ESP<br />
trailer.<br />
• ESP au<strong>the</strong>ntic<strong>at</strong>ion field<br />
is similar to AH<br />
au<strong>the</strong>ntic<strong>at</strong>ion field.<br />
• Protocol = 50.<br />
au<strong>the</strong>ntic<strong>at</strong>ed<br />
encrypted<br />
IP header<br />
ESP<br />
header<br />
TCP/UDP segment<br />
ESP<br />
trailer<br />
ESP<br />
au<strong>the</strong>nt.<br />
VPN - 64 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
IPsec VPNs<br />
IPsec tunnel between VPN g<strong>at</strong>eways<br />
• Encryption<br />
• Au<strong>the</strong>ntic<strong>at</strong>ion<br />
• Encapsul<strong>at</strong>ion<br />
A<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
VPN (IPsec) g<strong>at</strong>eway X<br />
Internet<br />
Tunnel<br />
VPN (IPsec) g<strong>at</strong>eway Y<br />
B<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
VPN - 65 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
IPSec modes of oper<strong>at</strong>ion<br />
• Transport mode<br />
• IP header not protected<br />
Transport layer<br />
transport d<strong>at</strong>a<br />
•IPSec header<br />
IPSec payload<br />
IPSec trail<br />
IP header<br />
IP payload<br />
IP layer<br />
VPN - 66 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
IPSec modes of oper<strong>at</strong>ion<br />
• Tunnel mode<br />
• IP header and payload protected<br />
IP header<br />
IP paylaod<br />
•IPSec header<br />
IPSec payload<br />
IPSec trail<br />
IP header<br />
IP payload<br />
IP layer<br />
tunnel<br />
VPN - 67 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Security Associ<strong>at</strong>ion (SA)<br />
• Before starting with IPSec oper<strong>at</strong>ions it is<br />
necessary to start a SA<br />
• SA are one-way logical channels<br />
To<br />
Prot.<br />
Au<strong>the</strong>ntic.<br />
Encryp.<br />
From<br />
Prot<br />
Au<strong>the</strong>ntic.<br />
Encryp.<br />
B<br />
ESP<br />
SHA-1, x s<br />
DES, y<br />
A<br />
ESP<br />
SHA-1, x p<br />
DES, y<br />
From<br />
Prot.<br />
Au<strong>the</strong>ntic.<br />
Encryp.<br />
To<br />
Prot.<br />
Au<strong>the</strong>ntic.<br />
Encryp.<br />
B<br />
ESP<br />
SHA-1, z p<br />
DES, w<br />
A<br />
ESP<br />
SHA-1, z s<br />
DES, w<br />
A<br />
B<br />
IPSec packet<br />
IPSec packet<br />
VPN - 68 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Internet Key Exchange (IKE)<br />
protocol<br />
• Used to establish and maintain SA in IPSec<br />
• The oper<strong>at</strong>ions are as follows:<br />
• An IKE SA is establisehd between <strong>the</strong> two<br />
parties<br />
• One or more “child” SA are established<br />
• Child SA are for d<strong>at</strong>a exchange<br />
• All <strong>the</strong> child SAs use keys derived from a<br />
shared secret of <strong>the</strong> IKE SA<br />
VPN - 69 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Cre<strong>at</strong>e <strong>the</strong> ISAKMP SA<br />
(Internet Security Associ<strong>at</strong>ion Key Management Protocol)<br />
and shared secret<br />
VPN - 70 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN G<strong>at</strong>eway Positioning<br />
VPN - 71 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN G<strong>at</strong>eway and Firewall<br />
• Inside<br />
• No inspection of VPN traffic<br />
• VPN g<strong>at</strong>eway protected by firewall<br />
• Parallel<br />
• Potential uncontrolled access<br />
• Outside<br />
• VPN g<strong>at</strong>eway protected by access router<br />
• Consistent policy<br />
• Integr<strong>at</strong>ed<br />
• Maximum flexibility<br />
Encrypted<br />
traffic<br />
VPN G<strong>at</strong>eway<br />
Decrypted traffic<br />
Internet<br />
Public<br />
Intranet<br />
<strong>Priv<strong>at</strong>e</strong><br />
Intranet<br />
Firewall<br />
VPN - 72 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
IPsec, VPN G<strong>at</strong>eways and NATs<br />
• Au<strong>the</strong>ntic<strong>at</strong>ion Header (AH)<br />
• IP addresses are part of AH checksum<br />
calcul<strong>at</strong>ion packets <strong>di</strong>scarded<br />
• Transport mode<br />
• IP address of IPSec tunnel peer is not wh<strong>at</strong><br />
expected packets <strong>di</strong>scarded<br />
• No PAT (Protocol Address Transl<strong>at</strong>ion)/NAPT<br />
• Ports not visible in Transport mode<br />
• Tunnel mode<br />
• IP address within secure packet can be<br />
changed before entering <strong>the</strong> g<strong>at</strong>eway<br />
• E.g., same addresses in two <strong>di</strong>fferent VPN sites<br />
• Most often NAT is not needed on external<br />
packet<br />
VPN - 73 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
VPN G<strong>at</strong>eway and IDS (Intrusion<br />
Detection System)<br />
• IDS is usually outside <strong>the</strong> firewall<br />
• No control on VPN traffic<br />
• Multiple IDS probes<br />
• Outside firewall<br />
• Inside VPN g<strong>at</strong>eway<br />
VPN G<strong>at</strong>eway<br />
Internet<br />
Access<br />
router<br />
Public<br />
Intranet<br />
Firewall<br />
<strong>Priv<strong>at</strong>e</strong><br />
Intranet<br />
IDS probe<br />
IDS probe<br />
VPN - 74 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Peer VPN and MPLS-based Solutions<br />
VPN - 75 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
IP-based peer VPNs<br />
• De<strong>di</strong>c<strong>at</strong>ed router<br />
• Service provider oper<strong>at</strong>es a network of routers<br />
de<strong>di</strong>c<strong>at</strong>ed to <strong>the</strong> customer<br />
• Viable only for major clients<br />
• Shared/virtual router<br />
• Service provider cre<strong>at</strong>es de<strong>di</strong>c<strong>at</strong>ed router<br />
instances within his physical routers<br />
• High-end routers enable hundreds of virtual<br />
routers<br />
• Instance-specific routing table and routing<br />
protocol<br />
• ASIC and oper<strong>at</strong>ing system support<br />
• Packet exchange through IPsec or GRE tunnels<br />
VPN - 76 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
MPLS-based Layer 2 VPNs: PWE3<br />
• Pseudo Wire Emul<strong>at</strong>ion End-to-End<br />
• Several services on <strong>the</strong> same network:<br />
• IP, but also leased lines, frame relay, ATM,<br />
E<strong>the</strong>rnet<br />
• Customer edge (CE) device fe<strong>at</strong>ures n<strong>at</strong>ive<br />
service interface<br />
• Traffic is carried through an LSP between CEs<br />
• Two labels<br />
• External – for routing within <strong>the</strong> network<br />
• Identifies access point to <strong>the</strong> network<br />
• Internal - multiplexing of several users/services<br />
<strong>at</strong> <strong>the</strong> same access point<br />
VPN - 77 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
MPLS-based Layer 2 VPNs: PWE3<br />
• There may be aggreg<strong>at</strong>ion devices inside <strong>the</strong><br />
network<br />
• E.g., an ATM switch inside <strong>the</strong> service provider<br />
network switching traffic between users<br />
• LSP ended on <strong>the</strong> device<br />
• Mainly manual LSP setup<br />
• Proposals exist for deployment of LDP and<br />
BGP<br />
VPN - 78 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
MPLS-based Layer 3 VPNs<br />
• Provider provisioned solutions<br />
• VPN policies implemented by Service Provider<br />
• No experience needed on <strong>the</strong> Customer side<br />
• Scalability<br />
• Large scale deployments<br />
• Two altern<strong>at</strong>ive solutions<br />
• RFC2547bis (BGP)<br />
• Initially supported by Cisco Systems<br />
• Currently most widely deployed approach<br />
• <strong>Virtual</strong> router<br />
• Initially supported by Nortel and Lucent<br />
VPN - 79 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
MPLS/BGP VPN Components<br />
• VRF (VPN Routing and Forwar<strong>di</strong>ng) table<br />
• Associ<strong>at</strong>ed to one or more ports<br />
• Forwar<strong>di</strong>ng inform<strong>at</strong>ion to be used for traffic<br />
received through <strong>the</strong> port<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Provider<br />
(P) Router<br />
Provider <strong>Network</strong><br />
Provider Edge (PE) Router<br />
VRF<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Customer<br />
Edge (CE)<br />
Router<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
VPN - 80 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
MPLS VPN Components<br />
• CE router cre<strong>at</strong>es adjacency with PE router<br />
• It advertises its destin<strong>at</strong>ions<br />
• It receives advertisements of o<strong>the</strong>r VPN<br />
destin<strong>at</strong>ions<br />
• St<strong>at</strong>ic routing, or<br />
• IGP (Interior G<strong>at</strong>eway Protocol)<br />
• (e.g., OSPF, RIP)<br />
• E-BGP (Exterior-Border G<strong>at</strong>eway Protocol)<br />
• PE router does not keep routes for all VPNs<br />
VPN - 81 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Provider<br />
Edge (PE)<br />
Router<br />
MPLS VPN Components<br />
• PE routers<br />
• Exchange routing inform<strong>at</strong>ion<br />
• E.g., I-BGP (Interior-Border G<strong>at</strong>eway Protocol)<br />
• Are ingress and egress LSR (Label Switch<br />
Router) for <strong>the</strong> backbone<br />
• P routers have routes to PE routers only<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Provider<br />
(P) Router<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Customer<br />
Edge (CE)<br />
Router<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Provider <strong>Network</strong><br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
VPN - 82 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Control Plane<br />
• Establishment of LSPs across <strong>the</strong> backbone<br />
• LDP (Label Distribution Protocol) and/or<br />
• RSVP (Resource reSerV<strong>at</strong>ion Protocol)<br />
• LSP mesh among PE routers with same VPN<br />
• (I-BGP carrying label inform<strong>at</strong>ion)<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
LSP<br />
(Label Switched P<strong>at</strong>h)<br />
VRF<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Customer<br />
Edge (CE)<br />
Router<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Provider <strong>Network</strong><br />
Provider Edge (PE) Router<br />
VPN - 83 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong>
Packet Routing<br />
Packet from 10.2.3.4 to 10.1.3.8<br />
• Default g<strong>at</strong>eway PE2 router<br />
10.1.3.8<br />
VRF<br />
CE1<br />
10.2/16<br />
PE1<br />
10.1/16<br />
Provider <strong>Network</strong><br />
LSP (L2)<br />
CE2<br />
PE2 10.2.3.4<br />
VPN - 84 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Packet Routing<br />
• PE2 looks-up VRF<br />
• Next hop: PE1<br />
• Outgoing interface: LSP to PE1<br />
• MPLS label advertised by PE1 for 10.1.3/24: L1<br />
• Initial label for LSP from PE2 to PE1: L2<br />
VRF<br />
10.1.3.8<br />
CE1<br />
PE1<br />
10.2/16<br />
10.1/16<br />
Provider <strong>Network</strong><br />
LSP (L2)<br />
CE2<br />
PE2 10.2.3.4<br />
VPN - 85 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Packet Routing<br />
• PE2 pushes L1 and L2 on label stack<br />
• P routers forward packet to PE1 using L2<br />
• Last hop before PE1 pops L2<br />
• PE1 receives packet with L1<br />
• PE1 pops L1: plain IP packet<br />
• PE1 uses L1 to route packet to proper output<br />
interface<br />
CE1<br />
PE1<br />
IP Payload<br />
L2/L1<br />
LSP (L2)<br />
IP Payload<br />
PE2<br />
VPN - 86 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
Benefits<br />
• No constraints on addressing plan<br />
• Address uniqueness only within VPN<br />
• CE routers do not exchange inform<strong>at</strong>ion<br />
• Customer does not manage backbone<br />
• Providers do not have one virtual backbone<br />
per customer<br />
• VPN can span multiple providers<br />
• Security equivalent to Frame relay or ATM<br />
• Traffic isol<strong>at</strong>ion<br />
• No cryptography (confidentiality)<br />
• QoS supported through experimental bits in<br />
MPLS header<br />
VPN - 87 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
MPLS/BGP VPNs<br />
• Routing exchange <strong>at</strong> edges based on MP-<br />
BGP (Multi-protocol BGP)<br />
• Support for addresses of <strong>di</strong>fferent families<br />
• Route filtering<br />
• PE routers determine which routes to install in<br />
VRF<br />
• Support for overlapping address spaces<br />
• VPN-IPv4 Address family<br />
• Route Distinguisher + IPv4 address<br />
Route Distinguisher<br />
IP Address<br />
VPN - 88 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
MPLS/<strong>Virtual</strong> Router VPNs<br />
• PEs execute a (virtual) router instance for<br />
each VPN<br />
• Each VR instance has separ<strong>at</strong>e d<strong>at</strong>a<br />
structures<br />
• VRs of same VPN communic<strong>at</strong>e through LSPs<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Provider<br />
(P) Router<br />
<strong>Virtual</strong> router<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong><br />
Provider <strong>Network</strong><br />
Provider Edge (PE) Router<br />
VPN - 89 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2<br />
Customer<br />
Edge (CE)<br />
Router<br />
Corpor<strong>at</strong>e<br />
<strong>Network</strong>
Multi-Protocol Support<br />
• Access VPN<br />
• Transparent<br />
• L2TP and PPTP<br />
• Overlay (IPsec based)<br />
• Generic Routing Encapsul<strong>at</strong>ion (GRE)<br />
• Transport any layer 3 protocol within IP<br />
• Peer (MPLS based)<br />
• Built in MPLS (Multi-Protocol Label Switching)<br />
VPN - 90 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
References<br />
• E. Rosen and Y. Rekhter, “BGP/MPLS VPNs,”<br />
RFC 2547, March 1999.<br />
• E. Rosen et al., “BGP/MPLS VPNs,” ,<br />
July 2000.<br />
• C. Semeria, “RFC 2547bis: BGP/MPLS VPN<br />
Fundamentals,” Juniper <strong>Network</strong>s, White<br />
paper 200012-001, March 2001.<br />
• IETF MPLS Working Group,<br />
http://www.ietf.org/html.charters/mplscharter.html<br />
VPN - 91 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2
References<br />
• Hanks, S., E<strong>di</strong>tor, "Generic Routing<br />
Encapsul<strong>at</strong>ion over IPv4", RFC 1702, October<br />
1994.<br />
• Brian Browne, “Best Practices For VPN<br />
Implement<strong>at</strong>ion,”Business Communic<strong>at</strong>ion<br />
Review, March 2001.<br />
• http://www.ietf.org/html.charters/l2vpncharter.html<br />
• http://www.ietf.org/html.charters/l3vpncharter.html<br />
come funziona<br />
VPN - 92 © M. Bal<strong>di</strong> & L. Ciminiera: see page 2