Network-based IP VPNsusing Virtual Routers

Tim Hubbard

Backbone(s)

VPN A

VPN C

VPN B

VPN D

VPN A

VPN B

VPN C

VPN D

PE

PE

PE

CE

CE

CE

CE

CE

CE

CE

CE

CE P P

P P

Network based VPN Network Reference Model

CE - Customer Edge Router

PE - Provider Edge Router

P - Provider Router

CE

Network Based VPN Services

Provider Edge Router (PE)

VPN A

VPN B

VPN C

Provider Edge Router (PE)

VPN Service 1

VPN Service 2

VPN Service 3

VPN Service 1

VPN Service 2

VPN Service 3

VPN A

VPN B

VPN C

Backbone(s)

Architecture Design Goals• Flexibility

– solution architected around choices

• Scalability– backbone, VPN, PE, etc.

• Resiliency– NB-VPN services resilient to failures, smooth migration,

• Manageability– multiple levels of control while reducing NB-VPN service, and

network management complexity• Reusability

– existing management aspects, network mechanisms and tools• Security

– VPN service, VPN information (routing and data)

Architecture Requirements

• Per VPN routing and forwarding.

• No routing/forwarding based on private addresses in the backbone.

• Any routing protocol can be used in the VPN domain and in the backbone.

• Overlapping of VPN addresses.

• Not limited to a single tunneling mechanism.

• Accommodates different backbone deployment scenarios.

• Not limited to a single backbone technology

What is a Virtual Router?

• A virtual router (VR) is an emulation of physical router.

• A VR has the same mechanisms and functionality as physical routers.

• Each virtual router maintains separate routing and forwarding tables.

• Each virtual router can run any routing protocols (OSPF, RIP, BGP-4, etc).

VPN Tunneling

• Network-based VPNs are implemented through some form of tunneling mechanism.

• Different tunneling mechanisms can be used (MPLS, IPSec, GRE, L2TP, etc).

• The architecture allows per VPN tunnels, or using VPN shared tunnels across the backbone.

Scenario 1:- VR to VR Direct Connectivity

VR-C

VR-A

VR-B

VPN A

VPN B

VPN C

PE

VR-C

VR-A

VR-BBackbone

(ATM, FR, MPLS, etc)

PE

VPN A

VPN B

VPN C

Virtual Router Backbone Aggregation

• Virtual router (called Backbone Virtual Router) for routing in the backbone used at the PE level only.

• IP or MPLS based tunnels between VRs for transport of VPN information across the backbone.

Scenario 2:- VPNs with Backbone VRs

PE

Backbone Routing SpaceVPN Routing Space

The backbone virtual router

is not functionally different

than other virtual routers.

BackboneVR

Backbone

VR-C

VR-A

VR-B

VPN A

VPN B

VPN C

Scenario 3: - Combination of VR Deployment Scenarios

VR-B

VR-C BackboneVR

VPN B

VPN C

Backbone(s)

VR-AVPN A

PE

Scenario 4:- Multiple Backbones

VR-C

VR-A

VR-B BackboneVR-1

VPN A

VPN B

VPN C

Backbone-1

VR-D

VR-EBackbone

VR-2

Backbone-2

VPN E

VPN D

PE

Scenario 5:- VPNs with Backdoor Links

VR-C

VR-A

VR-B BackboneVR-1

VPN A

VPN B

VPN C

Backbone-1

VR-C

VR-A

VR-BBackboneVR-1

VPN A

VPN B

VPN CVPN C

Scenario 6:- Outsourcing/Management of the PE

VR-C

VR-A

VR-B BackboneVR-1

VPN A

VPN B

VPN C

Backbone-1

VR-D

VR-EBackbone

VR-2

Backbone-2

VPN E

VPN D

PEService Provider-1

Service Provider-2

Scenario 7:- Multi-protocol VPNs

VR-C

VR-A

VR-B BackboneVR-1

VPN A

IPv6

VPN B

IPv4

VPN CIPv6

Backbone-1IPv4/IPv6

PE

Scenario 8:- Backbone Migration Example

VR-C

VR-A

VR-B

BackboneVR-1

VPN A

VPN B

VPN C

BackboneIPv4

BackboneVR-2

(MPLS)

BackboneMPLS

PE

VPN services are migrated one at a time

Provider Edge Router 1

VirtualRouter

B

VirtualRouter

A

VirtualRouter

C

Provider Edge Router 2

VirtualRouter

A

VirtualRouter

C

VirtualRouter

B

Routing Instance

Routing Instance

Routing Update

Routing Update

Routing Update

Backbone

Backbone

Per VPN Reachability Info

Virtual

Virtual

Virtual

Virtual Router Reachability Scheme

Each routing instance is independent of each other.

Routing Instance

Routing Instance

Routing Update

Routing Update

Routing Update

Routing Instance

Routing Instance

Routing Update

Routing Update

Routing Update

VPN A

VPN B

VPN C

VPN A

VPN B

VPN C

Membership and Topology Determination

Different mechanisms can be used (not mutually exclusives):

• Directory server approach.• Explicit configuration• Using a VPN auto-discovery

mechanism

What can be discovered?

VPNAuto-Discovery

Tunnel Mechanism(optionally Tunnel endpoints)

MembershipInformation

TopologyInformation

VPN Reachability Information (draft RFC2547)

The virtual router architecture doesn’t require piggybacking VPN reachability information onto the backbone routing instance.

Discovering VPN Information

Provider Edge Router (PE1)

VPN A

VPN B

VPN C

Backbone

BGP BGPBGPBGPBGP UPDATE

BGP UPDATE

VPN Information(membership, etc.)

Provider Edge Router (PE2)

BVR BVR

VR-C

VR-A

VR-B

VR-C

VR-A

VR-B

VPN A

VPN B

VPN C

Discovering Membership Information

Provider Edge Router (PE1)

VPN A

VPN B

VPN C

BackboneVPN A

VPN B

VPN C

BGP BGPBGPBGPBGP UPDATE

BGP UPDATE

(VPN-IDs,PE-BVR)

Provider Edge Router (PE2)

BVR BVR

VPN-ID=1:1

VPN-ID=1:2

VPN-ID=1:3

VPN-ID=1:1

VPN-ID=1:2

VPN-ID=1:3VR-C

VR-A

VR-B

VR-C

VR-A

VR-B

Discovering Tunnel Endpoints

Provider Edge Router (PE1)

Backbone

BGP BGPBGPBGPBGP UPDATE

BGP UPDATE

(VPN-IDs, 123.3.4.5, PE-BVR)

Provider Edge Router (PE2)

BVR BVR

VPN-ID=1:1

VPN-ID=1:2

VPN-ID=1:3

VPN-ID=1:1

VPN-ID=1:2

VPN-ID=1:3

VR-C

VR-A

VR-B

VR-C

VR-A

VR-B

IPsec TunnelVPN A

VPN B

VPN C

VPN A

VPN B

VPN C

Discovering VPN Topology Information

Provider Edge Router (PE1)

Backbone

BGP BGPBGPBGPBGP UPDATE

BGP UPDATE

(1:1, hub, PE BVR)

Provider Edge Router (PE2)

BVR BVR

VPN-ID=1:1

VPN-ID=1:2

VPN-ID=1:3

VPN-ID=1:1

VPN-ID=1:2

VPN-ID=1:3

VR-C

VR-A

VR-B

VR-C

VR-A

VR-B

VPN A

VPN B

VPN C

VPN A

VPN B

VPN C

BGP based Auto-Discovery Mechanism (for layer-3 VPNs)

“Using BGP as an Auto-Discovery Mechanism for Network-based VPNs”

Hamid Ould-Brahim, Bryan Gleeson, Peter Ashwood-Smith, Eric Rosen, Yakov Rekhter

draft-ouldbrahim-bgpvpn-auto-00.txt

Conclusion

• Virtual Routers allow Service Providers to build differentiated network-based VPN services.

• The architecture is highly flexible and accommodates different tunneling mechanisms, and different backbone technologies.

Contacts

Hamid Ould-BrahimNortel Networks

P. O. Box 3511 Station COttawa, ON, K1Y 4H7

CanadaPhone: +1 (613) 765 3418

hbrahim@nortelnetworks.com Bryan GleesonNortel Networks

2305 Mission College BlvdSanta Clara CA 95054

USAPhone: +1 (408) 565 2625bgleeson@shastanets.com

Thank You