Sheet no. (32) VPN Basics

  • VPN Basics

  • Definition
    - A Virtual Private Network (VPN) uses public networks to carry private data communications
      - Virtual: no separate physical network (even if it appears that way)
      - Private: routing and addressing are separated from the public network
      - Network: connects the distant locations of an organization
    - What a VPN provides
      - the possibility of sharing private information between distant locations over public infrastructure
      - an alternative to customers building their own private networks

  • Components
    - Backbone: the public network of the service provider used for data transmission
    - VPN: the set of all sites belonging to one customer; can span multiple service providers
    - VPN site: a location that is part of one or more VPNs

  • VPN Design
    - Requirements
      - Isolation: address space, routing information
      - Security issues: privacy
      - QoS capabilities: QoS classes
      - Internet access: connectivity outwards
      - Extranet access: restricted access into the VPN
      - Scalability: easy extension
    - Demands of the customer
      - Flexible traffic conditions: fixed bandwidth, variable bandwidth
      - Flexible VPN topology: adding or removing VPN sites
      - Flexible QoS: changing QoS constraints of the provider
      - Simple maintenance
      - Scalability
      - Efficiency

  • Spectrum of VPN Technologies (figure: technologies arranged by who manages them, carrier managed versus enterprise managed, and by layer, layer 2, layer 3 and layer 4-7)

  • VPN models
    - Overlay VPN
      - the service provider furnishes virtual point-to-point links between customer sites
      - connection-oriented approach
      - relies on a predefined network design/configuration
    - Peer-to-peer VPN
      - the service provider participates in customer routing
      - no connections; relies on routing protocols
      - lack of isolation between VPNs
      - address space coordination necessary between VPNs
    - MPLS VPN
      - combines the advantages of overlay and peer-to-peer VPNs

  • Overlay VPN Model
    - Implemented at the link layer
      - infrastructure typically based on ATM or Frame Relay
      - virtual circuits established between VPN sites
      - connection-oriented approach to service provisioning
    - Service provider (SP): has no knowledge of customer routes
    - Customer
      - customer edge (CE) routers appear to be directly connected
      - routing protocols are unaware of the SP network
    - Constraints
      - full mesh between the VPN sites
      - dimensioning of the direct links between the VPN sites (multiplexing gain between different VPNs is not available in all realizations)

  • Overlay VPN Technologies
    - Multi-Protocol over ATM (MPOA): egress nodes of the ATM network appear to be directly connected (one hop away from each other)
    - Tunneling (using GRE, L2TP, ...): the VPN's traffic is carried inside tunnels
    - Pros: flexibility
    - Cons: scalability, configuration complexity

  • Overlay VPN Model: Example (figure)
    - Tunnel VPN: the VPN logic is concentrated at the customer edge (CE) router

  • Implementations
    - Layer 1
      - SP assigns bit pipes (leased or dial-up lines)
      - customer implements the higher layers (PPP, HDLC, IP)
    - Layer 2
      - SP establishes layer 2 connections (X.25, Frame Relay, ATM virtual circuits)
      - customer implements layer 3 (IP) and the higher-layer protocols
    - Layer 3
      - SP builds a network of point-to-point IP-over-IP tunnels (Generic Routing Encapsulation, GRE; IP Security, IPsec)
      - customer implements layer 3 (IP) routing over the tunnels and the higher-layer protocols

  • Comparative representation (figure: layer 1, layer 2 and layer 3 implementations side by side)

  • Peer VPN Model
    - Implemented at the network layer ("network-based VPN")
      - infrastructure typically based on IP
      - VPN information distributed using routing protocols
      - customer and provider use the same routing protocol
      - optimal routing between VPN sites
    - Technologies
      - controlled route leaking
      - Multi-Protocol Label Switching (MPLS)
    - Pros: scalability
    - Cons: lack of isolation; tied to one layer 3 protocol (BGP/MPLS works only for IP, not for IPX or AppleTalk)

  • Implementations
    - Shared PE router model: packet filters at the PE router ensure that the VPNs are kept separate
    - Dedicated PE router model: a VPN-specific PE router provides the segregation; aggregation at the P router
    (figure: VPN-A site 1 and VPN-B site 1, each with a CE router; in the shared model both CEs attach to one PE, in the dedicated model each CE attaches to its own PE and the PEs are aggregated at a P router; the Internet is reached through the PE)

  • Peer VPN Model: Example (figure)
    - The VPN logic is concentrated at the provider edge (PE) router

  • Overlay VPN versus Peer-to-Peer VPN


  • Remote Access VPN
    - Secure connections for remote users, e.g. mobile users or telecommuters
    - Provide connectivity to corporate LANs
      - over shared service provider networks, using tunnels
      - over dial-up networks
    - Two types of remote access VPN over public networks
      - Client-initiated: the remote user runs a client that establishes a secure tunnel across the ISP's shared network to the enterprise
      - NAS-initiated: the remote user dials in to an ISP network access server (NAS); the NAS establishes a secure tunnel to the enterprise private network, which may carry multiple remote user sessions

  • LAN-to-LAN VPN
    - Connects the network (LAN) of one location (site) to the network of another location
    - Formerly implemented with leased lines; now implemented over a public service provider network
    - Also known as site-to-site VPN
    - Two common types
      - Intranet VPNs connect corporate headquarters, remote offices and branch offices over a public infrastructure
      - Extranet VPNs link customers, suppliers, partners or communities of interest to a corporate intranet over a public infrastructure

  • IP Tunnels over ATM
    - Approach: mapping of IP tunnels onto ATM virtual channel connections (VCCs)
    - Properties
      - reuse of ATM technology; the full range of ATM capabilities is available
      - QoS classes for tunnels can be chosen independently (CBR, rtVBR, nrtVBR, ...)
      - only the PE routers need IP capability (a pure ATM core is possible)
      - traffic engineering available (1+1, shared protection)
      - a protocol for automatic tunnel configuration is necessary

  • IPsec VPN
    - Type: overlay VPN
    - Design assumptions
      - high availability and failover with fast convergence
      - support for dynamic routing protocols
      - transport of multiple traffic types: IP multicast, multi-protocol
      - router based

  • IPsec VPN: Usage of GRE with IPsec
    - Dynamic routing
    - Support for multicast protocols
    - Support for non-IP protocols
    - Simpler implementation
    - Overhead: GRE (24 bytes) + IPsec (52 bytes) = 76 bytes in total
      - IPsec tunnel: outer IP header 20 bytes; ESP header, trailer and ICV 32 bytes (variable, depends on the cipher and integrity algorithm)
      - GRE: IP header 20 bytes; GRE header 4 bytes
      - original packet: IP header 20 bytes; payload
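As an added worked example (not part of the original slides), the Python below reproduces the 76-byte figure above and shows where the "variable" ESP share comes from: ESP pads the encrypted part up to the cipher's alignment, then appends a 2-byte trailer and an ICV, so the overhead moves with packet length and with the algorithm suite. The per-profile IV, alignment and ICV sizes are assumptions taken from the ESP algorithm RFCs (RFC 4303, RFC 2451, RFC 3602, RFC 2404, RFC 4106), not figures stated on the slides, and the function names are mine. It also computes the largest original packet that still fits a 1500-byte link without fragmentation, which is the number needed for MTU/MSS clamping on the tunnel interface.

```python
"""Per-packet overhead of GRE over IPsec (ESP tunnel mode).

Added example, not code from the original slides. Profile byte counts are
assumptions taken from the ESP algorithm RFCs (RFC 4303, 2451, 3602, 2404,
4106); function names and the sample packet sizes are made up for this demo.
"""
from dataclasses import dataclass

IP_HDR = 20        # IPv4 header without options
GRE_HDR = 4        # base GRE header: no checksum, key or sequence fields
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProfile:
    name: str
    block: int   # alignment the padding must reach (cipher block size; 4 for AEAD)
    iv: int      # IV / nonce bytes carried on the wire
    icv: int     # integrity check value appended after the trailer


PROFILES = {
    # Values per RFC (assumption: no extended sequence numbers, no UDP encapsulation)
    "3des-cbc/hmac-sha1-96": EspProfile("3des-cbc/hmac-sha1-96", block=8, iv=8, icv=12),
    "aes-cbc/hmac-sha1-96": EspProfile("aes-cbc/hmac-sha1-96", block=16, iv=16, icv=12),
    "aes-gcm-128": EspProfile("aes-gcm-128", block=4, iv=8, icv=16),
}


def esp_padding(inner_len, block):
    """RFC 4303: (payload + padding + trailer) must be a multiple of the alignment."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_tunnel_overhead(inner_len, profile):
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes."""
    return (IP_HDR + ESP_HDR + profile.iv
            + esp_padding(inner_len, profile.block) + ESP_TRAILER + profile.icv)


def gre_over_ipsec_overhead(orig_len, profile):
    """GRE wraps the original packet first; ESP then protects the GRE packet."""
    gre_packet_len = IP_HDR + GRE_HDR + orig_len
    return IP_HDR + GRE_HDR + esp_tunnel_overhead(gre_packet_len, profile)


def max_original_packet(link_mtu, profile):
    """Largest original IP packet that survives encapsulation without fragmentation."""
    for n in range(link_mtu, 0, -1):
        if n + gre_over_ipsec_overhead(n, profile) <= link_mtu:
            return n
    return 0


if __name__ == "__main__":
    for prof in PROFILES.values():
        fits = max_original_packet(1500, prof)
        # TCP MSS = tunnel MTU minus a 20-byte IP header and a 20-byte TCP header
        print(f"{prof.name:24s} overhead on a 100-byte packet: "
              f"{gre_over_ipsec_overhead(100, prof):3d} bytes; "
              f"tunnel MTU {fits}, TCP MSS clamp {fits - 2 * IP_HDR}")
```

The slide's 52-byte IPsec share is what the 3DES-CBC/HMAC-SHA1-96 profile yields for a 100-byte original packet (2 bytes of padding); the same packet costs 80 bytes overall with AES-GCM and 84 with AES-CBC, and with 3DES-CBC a 1500-byte link carries at most a 1422-byte original packet before fragmentation sets in.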

  • Virtual Router Concept


  • The Virtual Router Concept
    - Specified in RFC 2764, A Framework for IP Based Virtual Private Networks
    - Enables service providers to offer value-added VPN services in a scalable manner
    - Advantages
      - scales to a large number of VPN customers
      - uses existing protocols and tools
    - Provides
      - separation of the VPNs served by the same provider
      - separation of the VPNs from the provider network
      - security using standard mechanisms

  • Without Virtual Routers (figure)

  • Components
    - Virtual Router (VR): emulates a physical router in hardware and software; belongs to one VPN, so the routing tables of different VPNs are isolated
    - Provider Edge Virtual Router (PE-VR): connects multiple VRs to the provider's network

  • Virtual Router (VR)
    - Main functions
      - constructing the routing information base using any routing technology
      - forwarding packets within the VPN domain
    - Characteristics
      - emulation of a physical router in hardware and software; provides the same functionality as a physical router
      - communication between VRs over virtual interfaces
      - VRs belonging to the same VPN share the same VPN-ID
      - a VR belongs to exactly one VPN
      - independent IP routing and forwarding tables for different VPNs; the VPNs are isolated from each other

  • Tunnel Connection between VRs of the same VPN
    - VR-to-VR tunnel: a point-to-point link from each VR's point of view
    - The tunnel system is normally set up automatically (scalability)
    - Types
      - per-VPN tunnel (originates at the VR)
      - aggregated two-level tunnel (originates at the SP-VR)
    - Tunneling realized with IP-in-IP, Generic Routing Encapsulation (GRE), IP Security (IPsec) or MPLS

  • Properties of Virtual Router VPNs
    - VPNs built with VRs follow the overlay model
    - Scalable: the provider (P) routers are VPN-unaware
    - Flexible
      - routing within each VPN is the same as regular network routing
      - no dependencies between backbone and VPN protocols
      - no constraints on the VPN routing protocols (useful for IPX, AppleTalk)
      - regular routing within the VPNs, independent of the service provider (SP)
    - No new protocols or extensions necessary
    - Easy implementation
      - no protocol modifications needed
      - no tool (debugging, management, etc.) modifications needed
      - deployment does not impact normal operation of the provider network

  • VPN Establishment with VRs
    - As with every VPN implementation mechanism, membership information needs to be disseminated
    - In the VR model, membership information can be distributed by
      - manual configuration
      - a directory-based mechanism
      - routing protocols (e.g. BGP auto-discovery)

  • Realization of the Virtual Router Concept using IP tunneling (figure; legend: VR = Virtual Router, PE-VR = Provider Edge VR)


  • MPLS VPN
    - Combines the best of both overlay and peer-to-peer VPNs
    - Peer-to-peer characteristics
      - simplified customer routing
      - optimal path between VPN sites
      - similar to the dedicated PE router implementation, but with multiple Virtual Routing and Forwarding (VRF) tables in one physical PE router: multiplexing gain
    - Overlay characteristics
      - routing information of the customer VPNs is isolated
      - the same address space can be reused in different VPNs
      - paths between VPN sites: direct adjacency of the CE routers
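The isolation property that the virtual router slides and the MPLS VPN slide both rest on, one routing table per VPN chosen by the ingress interface so that two customers can both use 10.0.0.0/24, together with the controlled route leaking listed under the peer model for extranet access, as an added Python simulation. This is not code from the slides or from RFC 2764; `PeRouter`, `Vrf` and `build_demo` are my own names, and the interface names, prefixes and next-hop labels are made-up sample data.

```python
"""Routing-table isolation in a virtual-router / VRF based PE.

Added example, not code from the slides. It models one forwarding table per
VPN, ingress interfaces bound to a VRF, overlapping customer address space,
and a controlled route leak for extranet access. Interface names, prefixes
and next hops are constructed sample data.
"""
import ipaddress


class Vrf:
    """One virtual router: its own routing table, unaware of the other VRFs."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (ip_network, next_hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match; None when this VRF has no route (packet dropped)."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]


class PeRouter:
    """Provider edge hosting several VRFs: dedicated-PE semantics on one chassis."""

    def __init__(self):
        self.vrfs = {}
        self.iface_vrf = {}  # ingress interface -> VRF name

    def add_vrf(self, name):
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def bind(self, iface, vrf_name):
        self.iface_vrf[iface] = vrf_name

    def forward(self, ingress_iface, dst):
        """The VRF is selected by the ingress interface, never by the destination."""
        vrf_name = self.iface_vrf.get(ingress_iface)
        if vrf_name is None:
            raise ValueError(f"{ingress_iface} is not bound to any VRF")
        return self.vrfs[vrf_name].lookup(dst)

    def leak(self, src_vrf, prefix, dst_vrf):
        """Controlled route leaking: copy exactly one prefix into another VRF.

        This is the extranet case; everything that is not leaked stays invisible.
        """
        target = ipaddress.ip_network(prefix)
        for net, next_hop in self.vrfs[src_vrf].routes:
            if net == target:
                self.vrfs[dst_vrf].add_route(prefix, next_hop)
                return
        raise KeyError(f"{prefix} is not a route in VRF {src_vrf}")


def build_demo():
    """Two customers that both use 10.0.0.0/24 at their site 1 (constructed data)."""
    pe = PeRouter()
    a = pe.add_vrf("VPN-A")
    a.add_route("10.0.0.0/24", "tunnel-to-PE2 (VPN-A site 1)")
    a.add_route("10.0.0.128/25", "tunnel-to-PE4 (VPN-A site 2)")
    a.add_route("192.168.1.0/24", "tunnel-to-PE2 (VPN-A shared server)")
    b = pe.add_vrf("VPN-B")
    b.add_route("10.0.0.0/24", "tunnel-to-PE3 (VPN-B site 1)")
    pe.bind("ge-0/0/1", "VPN-A")  # CE of VPN-A is attached here
    pe.bind("ge-0/0/2", "VPN-B")  # CE of VPN-B is attached here
    return pe


if __name__ == "__main__":
    pe = build_demo()
    print(pe.forward("ge-0/0/1", "10.0.0.5"))      # resolved in VPN-A's table
    print(pe.forward("ge-0/0/2", "10.0.0.5"))      # same address, VPN-B's table
    print(pe.forward("ge-0/0/2", "192.168.1.1"))   # None: VPN-A's route is not leaked
    pe.leak("VPN-A", "192.168.1.0/24", "VPN-B")    # extranet: expose one prefix only
    print(pe.forward("ge-0/0/2", "192.168.1.1"))   # now reachable from VPN-B
```

The point to carry over to real equipment is the selection rule in `forward`: the table is picked by where the packet came in, so address overlap between customers is harmless and a CE can never reach another VPN by choosing a destination. On Linux the same construction is a `vrf` device per customer (`ip link add VPN-A type vrf table 10`) with the customer-facing interface enslaved to it, and the leak corresponds to importing a single prefix into the other table.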