Slide 17-1: Virtual Private Networks
Raj Jain
Washington University in Saint Louis
Saint Louis, MO
[email protected]
Audio/Video recordings of this lecture are available at:
http://www.cse.wustl.edu/~jain/cse571-07/
©2007 Raj Jain, CSE571S, Washington University in St. Louis

Slide 17-2: Overview
- What, When, Issues
- Types of VPNs: PE/CE based, L2 vs. L3
- PPP
- VPN Tunneling Protocols: GRE, PPTP, L2TPv3, MPLS

Slide 17-3: What is a VPN?
- Private Network: Uses leased lines
- Virtual Private Network: Uses public Internet
[Figure labels: Internet, Service Provider]

Slide 17-4: When to VPN?
- More Locations, Longer Distances, Less Bandwidth/site, QoS less critical ⇒ VPN more justifiable
- Fewer Locations, Shorter Distances, More Bandwidth/site, QoS more critical ⇒ VPN less justifiable
[Figure labels: Many Locations, Long Distance, Modest Bandwidth, QoS not Critical]

Slide 17-5: VPN Design Issues
1. Security
2. Address Translation
3. Performance: Throughput, Load balancing (round-robin DNS), fragmentation
4. Bandwidth Management: RSVP
5. Availability: Good performance at all times
6. Scalability: Number of locations/Users
7. Interoperability: Among vendors, ISPs, customers (for extranets) ⇒ Standards compatibility, with firewall

Slide 17-6: Design Issues (Cont)
8. Compression: Reduces bandwidth requirements
9. Manageability: SNMP, Browser based, Java based, centralized/distributed
10. Accounting, Auditing, and Alarming
11. Protocol Support: IP, non-IP (IPX)
12. Platform and O/S support: Windows, UNIX, MacOS, HP/Sun/Intel
13. Installation: Changes to desktop or backbone only
14. Legal: Exportability, Foreign Govt Restrictions, Key Management Infrastructure (KMI) initiative ⇒ Need key recovery
Slide 17-7: Types of VPNs
- Ends:
  - WAN VPN: Branch offices
  - Access VPN: Roaming Users
  - Extranet VPNs: Suppliers and Customers
[Figure labels: ISP, Head Office, Branch Office, Partner, Telecommuter]

Slide 17-8: Types of VPNs (Cont)
- Payload Layer: L2 VPN (Ethernet), L3 VPN (IP)
- Tunneling Protocol: MPLS, L2TPv3, PPTP
- Who is in charge?: Provider Edge Device (PE Based) or Customer Edge Device (CE Based)
[Figure: VPN taxonomy tree; node labels: VPN, Site-to-Site, Access, PPVPN, CE Based, L3, L2, MPLS, Virtual Router, L2TPv3, IPsec, GRE, PPTP, VPWS, VPLS, L3, L2]

Slide 17-9: CE Based VPNs
- Customer Edge routers implement IPsec tunnels
[Figure labels: CE, Customer Net 1, Customer Net 2, Customer Net 3, Customer Net 4]

Slide 17-10: PE Based VPNs
- Service provider offers privacy, QoS, and Routing
- Customer uses standard routers
[Figure labels: CE, PE, Customer Net 1, Customer Net 2, Customer Net 4]

Slide 17-11: Layer 2 VPNs
- Customers' Layer 2 packets are encapsulated and delivered at the other end
- Looks like the two ends are on the same LAN or same wire ⇒ Provides Ethernet connectivity
- Works for all Layer 3 protocols
- Virtual Private Wire Service (VPWS)
- Virtual Private LAN Service (VPLS)
- RFC 4664, "Framework for L2 VPNs," Sep 2006.
[Figure labels: Provider Net, Provider Net]

Slide 17-12: Layer 3 VPN
- Provides Layer 3 connectivity
- Looks like the two customer routers are connected
- Usually designed for IP packets
[Figure labels: Provider Net]
Slide 17-13: PPP: Introduction
- Point-to-point Protocol
- Originally for user-network connection
- Now being used for router-router connection
- Three Components: Data encapsulation, Link Control Protocol (LCP), Network Control Protocols (NCP)
[Figure: PPP phase diagram]
  Dead --Up--> Establish --Opened--> Authenticate --Success/None--> Network --Closing--> Terminate --Down--> Dead
  Establish --Fail--> Dead;  Authenticate --Fail--> Terminate

Slide 17-14: PPP Procedures
- Typical connection setup:
  - Home PC modem calls Internet Provider's router: sets up physical link
  - PC sends series of LCP packets: select PPP (data link) parameters, authenticate
  - PC sends series of NCP packets: select network parameters, e.g., get dynamic IP address
  - Transfer IP packets

Slide 17-15: VPN Tunneling Protocols
- GRE: Generic Routing Encapsulation (RFC 1701/2)
- PPTP: Point-to-point Tunneling Protocol
- L2TP: Layer 2 Tunneling Protocol
- IPsec: Secure IP
- MPLS

Slide 17-16: GRE
- Generic Routing Encapsulation (RFC 1701/1702)
- Generic ⇒ X over Y for any X or Y
- Optional Checksum, Loose/strict Source Routing, Key
- Key is used to authenticate the source
- Over IPv4, GRE packets use a protocol type of 47
- Allows router visibility into application-level header
- Restricted to a single provider network ⇒ end-to-end
[Figure: Delivery Header | GRE Header | Payload]

Slide 17-17: PPTP
- PPTP = Point-to-point Tunneling Protocol
- Developed jointly by Microsoft, Ascend, USR, 3Com and ECI Telematics
- PPTP server for NT4 and clients for NT/95/98
[Figure labels: Client, ISP, Network Access Server, PPTP Server, PPTP Tunnel]

Slide 17-18: PPTP Packets
[Figure: Client -- Network Access Server -- Internet -- PPTP Server -- Private Network, with the packet format on each segment]
  PPP | IP | GRE | PPP | IP/IPX/NetBEUI | Data   (dial-up link from Client to Network Access Server)
  IP | GRE | PPP | IP/IPX/NetBEUI | Data         (across the Internet)
  IP/IPX/NetBEUI | Data                          (inside the Private Network)
  Labels: Encrypted (the tunneled PPP payload), Public IP Addressing (outer IP header), Internal IP Addressing (inner IP header)
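The phase diagram on slide 17-13 and the setup sequence on slide 17-14, as an added example that is not part of the lecture: a small Python state machine using the slide's phase names and edge labels (Up, Opened, Success/None, Fail, Closing, Down). It rejects events the diagram does not allow, and it gates which PPP packet classes a peer may accept in each phase. That per-phase rule comes from RFC 1661 and is not stated on the slide; the event strings and the `PppLink`/`run` helpers are this example's own naming.

```python
"""PPP link phases from the slide 17-13 state diagram, as an executable state machine.

Added example, not from the lecture. Phase names and edge labels are the slide's;
the per-phase packet acceptance rules come from RFC 1661 (not on the slide).
"""
from enum import Enum


class Phase(Enum):
    DEAD = "Dead"
    ESTABLISH = "Establish"        # LCP negotiates data-link parameters
    AUTHENTICATE = "Authenticate"  # optional peer authentication
    NETWORK = "Network"            # NCPs configure network-layer protocols
    TERMINATE = "Terminate"        # link being closed


# (current phase, event) -> next phase. Events are the edge labels on the slide.
TRANSITIONS = {
    (Phase.DEAD, "Up"): Phase.ESTABLISH,             # physical layer ready
    (Phase.ESTABLISH, "Opened"): Phase.AUTHENTICATE,   # LCP reached Opened
    (Phase.ESTABLISH, "Fail"): Phase.DEAD,           # LCP negotiation failed
    (Phase.AUTHENTICATE, "Success"): Phase.NETWORK,  # peer authenticated
    (Phase.AUTHENTICATE, "None"): Phase.NETWORK,     # no authentication required
    (Phase.AUTHENTICATE, "Fail"): Phase.TERMINATE,   # auth failed: close the link cleanly
    (Phase.NETWORK, "Closing"): Phase.TERMINATE,     # administrative close / LCP Terminate
    (Phase.TERMINATE, "Down"): Phase.DEAD,           # physical layer down
}

# Packet classes a peer may process in each phase (RFC 1661); anything else
# received in that phase is silently discarded. "NETWORK" = network-layer data.
ACCEPTED = {
    Phase.DEAD: set(),
    Phase.ESTABLISH: {"LCP"},
    Phase.AUTHENTICATE: {"LCP", "AUTH", "LQM"},
    Phase.NETWORK: {"LCP", "AUTH", "LQM", "NCP", "NETWORK"},
    Phase.TERMINATE: {"LCP"},
}


class PppLink:
    """Tracks one link's phase and rejects events the diagram does not allow."""

    def __init__(self) -> None:
        self.phase = Phase.DEAD
        self.history = [Phase.DEAD]

    def feed(self, event: str) -> Phase:
        try:
            nxt = TRANSITIONS[(self.phase, event)]
        except KeyError:
            raise ValueError(f"event {event!r} is not valid in phase {self.phase.value}") from None
        self.phase = nxt
        self.history.append(nxt)
        return nxt

    def accepts(self, packet_class: str) -> bool:
        """True if a packet of this class may be processed in the current phase."""
        return packet_class in ACCEPTED[self.phase]


def run(events):
    """Drive a fresh link through a sequence of events; return the phases visited."""
    link = PppLink()
    for ev in events:
        link.feed(ev)
    return [p.value for p in link.history]


if __name__ == "__main__":
    # Slide 17-14's typical setup: link up, LCP, authenticate, NCP/traffic, then close.
    print(run(["Up", "Opened", "Success", "Closing", "Down"]))
    link = PppLink()
    link.feed("Up")
    print("IP packet accepted during Establish?", link.accepts("NETWORK"))
```

The point worth taking from the machine is the asymmetry of the two Fail edges: a failed LCP negotiation drops straight to Dead, while a failed authentication goes through Terminate so the link is closed explicitly, and in neither case has the Network phase been reached, so no network-layer packet is ever accepted before the peer has passed authentication.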
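Slide 17-16's GRE header fields (Checksum, Key, IPv4 protocol number 47) and slide 17-18's IP | GRE | PPP | IP/IPX/NetBEUI | Data stack, as an added example that is not from the lecture: a Python decoder that parses an RFC 1701 GRE header carried in IPv4 protocol 47, verifies the GRE checksum, then peels the PPP frame and the inner IP header to show the public outer addressing against the internal inner addressing. The packet is constructed inline (documentation addresses 203.0.113.7 / 198.51.100.20 outside, RFC 1918 10.0.0.0/8 inside); the function names are this example's own; source-routed GRE (R bit) is rejected rather than parsed; and PPTP's enhanced GRE header (RFC 2637, version 1) has a different layout that this parser does not model. One caveat the slide's "Key is used to authenticate the source" wording may hide: the Key is a cleartext identifier, so it only distinguishes tunnels, and the checksum only detects corruption, since anyone who can inject traffic can recompute it; source authentication needs IPsec or a similar cryptographic layer.

```python
"""Decode the IP | GRE | PPP | IP | Data stack of slide 17-18 with an RFC 1701 GRE parser.
Added example, not from the lecture; the packet is constructed below. PPTP's own
"enhanced GRE" (RFC 2637, version 1) has a different header and is not parsed here."""
import struct

GRE_IP_PROTOCOL = 47     # IPv4 protocol number carrying GRE (slide 17-16)
GRE_PROTO_PPP = 0x880B   # GRE protocol type for a PPP payload (used by PPTP)
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI"}   # PPP protocol field


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, used by both IPv4 and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_gre(data: bytes) -> dict:
    """Parse an RFC 1701 GRE header (no source routing) and verify its checksum."""
    flags, proto = struct.unpack("!HH", data[:4])
    h = {"protocol_type": proto, "version": flags & 0x7, "checksum": None,
         "key": None, "sequence": None}
    if flags & 0x4000:
        raise ValueError("GRE source routing (R bit) not supported")
    pos = 4
    if flags & 0x8000:                          # C: Checksum (16) + Offset (16)
        h["checksum"] = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 4
    if flags & 0x2000:                          # K: Key is a cleartext tunnel identifier,
        h["key"] = struct.unpack("!I", data[pos:pos + 4])[0]   # not proof of the sender
        pos += 4
    if flags & 0x1000:                          # S: Sequence Number
        h["sequence"] = struct.unpack("!I", data[pos:pos + 4])[0]
        pos += 4
    h["header_len"] = pos
    # The checksum covers the GRE header and payload with the checksum field zeroed.
    if h["checksum"] is not None and (
            ones_complement_checksum(data[:4] + b"\x00\x00" + data[6:]) != h["checksum"]):
        raise ValueError("GRE checksum mismatch")
    return h


def parse_ipv4(data: bytes) -> dict:
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total_len = (data[0] & 0xF) * 4, struct.unpack("!H", data[2:4])[0]
    return {"proto": data[9], "src": ".".join(map(str, data[12:16])),
            "dst": ".".join(map(str, data[16:20])), "payload": data[ihl:total_len]}


def decapsulate(packet: bytes) -> dict:
    """Peel outer IP -> GRE -> PPP -> inner IP and report the layers seen."""
    try:
        outer = parse_ipv4(packet)
        if outer["proto"] != GRE_IP_PROTOCOL:
            raise ValueError(f"outer IP protocol {outer['proto']} is not GRE (47)")
        gre = parse_gre(outer["payload"])
        body = outer["payload"][gre["header_len"]:]
        out = {"layers": ["IP", "GRE"], "outer_src": outer["src"],
               "outer_dst": outer["dst"], "gre_key": gre["key"]}
        if gre["protocol_type"] == GRE_PROTO_PPP:
            out["layers"].append("PPP")
            if body[:2] == b"\xff\x03":  # HDLC address/control; absent if ACFC negotiated
                body = body[2:]
            ppp_proto = struct.unpack("!H", body[:2])[0]  # assumes no protocol-field compression
            body = body[2:]
            out["layers"].append(PPP_PROTOCOLS.get(ppp_proto, f"0x{ppp_proto:04x}"))
            if ppp_proto == 0x0021:   # inner IPv4 uses the customer's internal addressing
                inner = parse_ipv4(body)
                out.update(inner_src=inner["src"], inner_dst=inner["dst"])
                body = inner["payload"]
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    out["layers"].append("Data")
    out["data"] = body
    return out


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:] + payload


def build_gre(protocol_type: int, payload: bytes, key: int) -> bytes:
    hdr = struct.pack("!HHHHI", 0xA000, protocol_type, 0, 0, key)  # C=1, K=1, version 0
    csum = ones_complement_checksum(hdr + payload)
    return hdr[:4] + struct.pack("!H", csum) + hdr[6:] + payload


def sample_pptp_style_packet() -> bytes:
    """Constructed sample: public outer addresses, private (internal) inner addresses."""
    inner_ip = build_ipv4("10.0.0.5", "10.0.1.9", 253, b"constructed application payload")
    ppp = b"\xff\x03" + struct.pack("!H", 0x0021) + inner_ip   # PPP frame carrying IPv4
    return build_ipv4("203.0.113.7", "198.51.100.20", GRE_IP_PROTOCOL,
                      build_gre(GRE_PROTO_PPP, ppp, key=0xABCD))
```

Calling `decapsulate(sample_pptp_style_packet())` yields the layer list `["IP", "GRE", "PPP", "IP", "Data"]`, i.e. the Internet-segment format from slide 17-18, with `outer_src`/`outer_dst` in the public range and `inner_src`/`inner_dst` in 10.0.0.0/8. Flipping a payload byte without recomputing the checksum makes `parse_gre` raise, which is exactly the extent of the protection the GRE checksum gives: integrity against corruption, not against a sender who rewrites the header.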
Slide 17-19: L2TP
- Layer 2 Tunneling Protocol
- L2F = Layer 2 Forwarding (from Cisco)
- L2TP = L2F + PPTP
- Combines the best features of L2F and PPTP
- Easy upgrade from L2F or PPTP
- Allows PPP frames to be sent over non-IP (Frame Relay, ATM) networks also (PPTP works on IP only)
- Allows multiple (different QoS) tunnels between the same end-points
- Better header compression
- Supports flow control

Slide 17-20: L2TPv3
- Allows service providers to offer L2 VPN over IP network
- L2TPv2 was for tunneling PPP over packet switched data networks (PSDN)
- V3 generalizes it for other protocols over PSDN ⇒ PPP specific header removed
- Can handle