Virtual Private Networks
Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
Jain@cse.wustl.edu
Audio/Video recordings of this lecture are available at http://www.cse.wustl.edu/~jain/cse571-07/
Washington University in St. Louis, CSE571S, 17-1, 2007 Raj Jain

17-2 Overview
- What, When, Issues
- Types of VPNs: PE/CE based, L2 vs L3
- PPP
- VPN Tunneling Protocols: GRE, PPTP, L2TPv3, MPLS

17-3 What is a VPN?
- Private Network: uses leased lines
- Virtual Private Network: uses the public Internet (through an Internet Service Provider)

17-4 When to VPN?
- Suited to modest bandwidth, many locations, QoS not critical, long distances
- More locations, longer distances, less bandwidth per site, QoS less critical: VPN more justifiable
- Fewer locations, shorter distances, more bandwidth per site, QoS more critical: VPN less justifiable

17-5 VPN Design Issues
1. Security
2. Address translation
3. Performance: throughput, load balancing (round-robin DNS), fragmentation
4. Bandwidth management: RSVP
5. Availability: good performance at all times
6. Scalability: number of locations, number of users
7. Interoperability: among vendors, ISPs, customers (for extranets); standards; compatibility with firewalls

17-6 Design Issues (Cont.)
8. Compression: reduces bandwidth requirements
9. Manageability: SNMP; browser based; Java based; centralized or distributed
10. Accounting, auditing and alarming
11. Protocol support: IP, non-IP (IPX)
12. Platform and O.S. support: Windows, UNIX, MacOS, HP, Sun, Intel
13. Installation: changes to the desktop, or to the backbone only
14. Legal: exportability, foreign government restrictions, Key Management Infrastructure (KMI) initiative (need key recovery)

17-7 Types of VPNs
- Ends:
  - WAN VPN: branch offices
  - Access VPN: roaming users
  - Extranet VPNs: suppliers and customers
- (Figure: a branch office, a telecommuter and a partner each reach the head office through the ISP)

17-8 Types of VPNs (Cont.)
- Payload layer: L2 VPN (Ethernet), L3 VPN (IP)
- Tunneling protocol: MPLS, L2TPv3, PPTP
- Who is in charge: Provider Edge device (PE based) or Customer Edge device (CE based)
- (Figure: classification tree. PE based, site-to-site PPVPN: L3 with MPLS or a virtual router, L2 with VPWS or VPLS. CE based: L3 with IPsec, L2 with L2TPv3, access VPNs with GRE or PPTP)

17-9 CE Based VPNs
- Customers' edge routers implement IPsec tunnels
- (Figure: Customer Nets 1 to 4, each behind a CE router, joined by tunnels across the provider network)

17-10 PE Based VPNs
- Service provider offers privacy, QoS and routing
- Customer uses standard routers
- (Figure: each customer net's CE router attaches to a PE router inside the provider network)

17-11 Layer 2 VPNs
- Customer's Layer 2 packets are encapsulated and delivered at the other end
- Looks like the two ends are on the same LAN or the same wire
- Provides Ethernet connectivity
- Works for all Layer 3 protocols
- Virtual Private Wire Service (VPWS), Virtual Private LAN Service (VPLS)
- RFC 4664, Framework for L2 VPNs, Sep 2006
- (Figure: two customer sites bridged across the provider net)

17-12 Layer 3 VPN
- Provides Layer 3 connectivity
- Looks like the two customer routers are directly connected
- Usually designed for IP packets
- (Figure: two customer routers joined across the provider net)

17-13 PPP Introduction
- Point-to-Point Protocol
- Originally for the user-network connection; now also used for router-router connections
- Three components: data encapsulation, Link Control Protocol (LCP), Network Control Protocols (NCP)
- (Figure: PPP phase diagram) Dead -Up-> Establish -Opened-> Authenticate -Success/None-> Network -Closing-> Terminate -Down-> Dead; Establish -Fail-> Dead; Authenticate -Fail-> Terminate

17-14 PPP Procedures
Typical connection setup:
1. The home PC's modem calls the Internet provider's router and sets up the physical link
2. The PC sends a series of LCP packets: select PPP data link parameters; authenticate
3. The PC sends a series of NCP packets: select network parameters, e.g. get a dynamic IP address
4. Transfer IP packets

17-15 VPN Tunneling Protocols
- GRE: Generic Routing Encapsulation, RFC 1701-2
- PPTP: Point-to-Point Tunneling Protocol
- L2TP: Layer 2 Tunneling Protocol
- IPsec: Secure IP
- MPLS

17-16 GRE
- Packet format: Delivery Header | GRE Header | Payload
- Generic Routing Encapsulation, RFC 1701, 1702
- Generic "X over Y" for any X or Y
- Optional fields: checksum; loose/strict source routing; key (the key is used to authenticate the source)
- Over IPv4, GRE packets use protocol type 47
- Allows router visibility into the application-level header
- Restricted to a single provider network end-to-end

17-17 PPTP
- (Figure: Client, ISP Network Access Server, PPTP tunnel across the network, PPTP server)
- PPTP: Point-to-Point Tunneling Protocol
- Developed jointly by Microsoft, Ascend, USR, 3Com and ECI Telematics
- PPTP server for NT4 and clients for NT, 95, 98

17-18 PPTP Packets
- (Figure: encapsulation at each hop)
  - Client to Network Access Server (public IP addressing): PPP | IP | GRE | PPP | IP/IPX/NetBEUI | Data, with the inner PPP payload encrypted
  - Network Access Server across the Internet to the PPTP server: IP | GRE | PPP | IP/IPX/NetBEUI | Data
  - Inside the private network (internal IP addressing): IP/IPX/NetBEUI | Data

17-19 L2TP
- L2TP: Layer 2 Tunneling Protocol
- L2F: Layer 2 Forwarding, from Cisco
- L2TP = L2F + PPTP: combines the best features of L2F and PPTP
- Easy upgrade from L2F or PPTP
- Allows PPP frames to be sent over non-IP (Frame Relay, ATM) networks as well; PPTP works on IP only
- Allows multiple tunnels with different QoS between the same end points
- Better header compression
- Supports flow control

17-20 L2TPv3
- Allows service providers to offer L2 VPN over an IP network
- L2TPv2 was for tunneling PPP over packet switched data networks (PSDN); v3 generalizes it to other protocols over PSDN
- PPP-specific header removed
- Can handle HDLC, Ethernet, 802.1Q VLANs, Frame Relay, packet over SONET
- (Figure: L2 frames carried across the provider net)

17-21 L2TPv3 (Cont.)
- Universal Transport Interface (UTI) is a pre-standard effort for transporting L2 frames
- L2TPv3 extends UTI and includes it as one of many supported encapsulations
- L2TPv3 has a control plane that uses a reliable control connection for establishment, teardown and maintenance of individual sessions
- RFC 4667, L2 VPN extensions for L2TP, Sept 2006
- Ref: L2TPv3 FAQ, www.cisco.com/warp/public/cc/so/neso/vpn
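As an added example (not part of the slides), the RFC 1701 GRE header from slide 17-16 built and parsed in Python: the optional checksum and key fields, the IPv4 protocol-47 check, and the accept/drop decision a receiving tunnel endpoint would make. The key value and payload are constructed; a receiver that requires a key drops packets carrying a different one, and a bad checksum also causes a drop.

```python
import struct

GRE_IP_PROTO = 47                                   # IPv4 protocol number carrying GRE (RFC 1702)
GRE_C, GRE_R, GRE_K, GRE_S = 0x8000, 0x4000, 0x2000, 0x1000   # RFC 1701 flag bits C, R, K, S

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over a packet whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_gre(payload: bytes, proto: int, key=None, with_checksum=False) -> bytes:
    """Encapsulate payload behind an RFC 1701 GRE header (version 0, no source routing)."""
    flags = (GRE_C if with_checksum else 0) | (GRE_K if key is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if with_checksum:
        hdr += struct.pack("!HH", 0, 0)             # checksum placeholder + offset field
    if key is not None:
        hdr += struct.pack("!I", key)
    if with_checksum:
        csum = inet_checksum(hdr + payload)         # checksum covers GRE header and payload
        hdr = hdr[:4] + struct.pack("!HH", csum, 0) + hdr[8:]
    return hdr + payload

def parse_gre(pkt: bytes, expected_key=None, ip_proto=GRE_IP_PROTO) -> dict:
    """Decode a GRE packet and decide whether a tunnel endpoint should accept it."""
    if ip_proto != GRE_IP_PROTO or len(pkt) < 4:
        return {"accepted": False, "reason": "not a GRE packet"}
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_R:                               # routing field not handled in this example
        return {"accepted": False, "reason": "source routing not supported"}
    off = 4
    info = {"proto": proto, "version": flags & 0x7, "key": None, "checksum_ok": None}
    if flags & GRE_C:                               # checksum + offset present
        info["checksum_ok"] = inet_checksum(pkt) == 0
        off += 4
    if flags & GRE_K:
        info["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_S:                               # sequence number, skipped here
        off += 4
    info["payload"] = pkt[off:]
    # The key is a plaintext tunnel identifier: it filters stray or misdirected packets,
    # but it is not cryptographic authentication and gives no confidentiality.
    key_ok = expected_key is None or info["key"] == expected_key
    info["accepted"] = key_ok and info["checksum_ok"] is not False
    return info
```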