Virtual Private Networks - PowerPoint PPT Presentation

1
Virtual Private Networks
  • Network Based IP VPN
  • 03/10/2002

2
Agenda
  • Introduction
  • VPN Introduction, Requirements, Categories and
    Types
  • Virtual Private Routed Networks Introduction,
    Features, Requirements
  • Virtual Private Routed Networks Architecture
  • Virtual Router Concept, Objectives,
    Characteristics
  • VR Based Solution for IP VPN
  • VPN support on Linux

3
Introduction - Types of Private Networks
  • A private network is a collection of hosts
    belonging to a common administration or
    organization. Private connectivity between
    geographically scattered networks is provided through:
  • Dedicated WANs - permanently connected to
    multiple sites
  • Dial Networks - on demand connections through the
    PSTN to sites
  • High cost and complexity are involved in
    multi-site WAN services. To overcome this
    constraint, the Internet is used to provide
    the connectivity between private networks.

4
Introduction - Motivation and History
  • Some other factors that motivate migrating to
    Internet based connectivity are as follows:
  • A need to extend the private network to offer
    services or connectivity that is invisible to
    external observers.
  • Economics, in terms of aggregating the costs of
    individual components or set-ups into a single
    infrastructure and offering services collectively
    over the public domain.
  • A source of revenue generation for the ISPs.

5
What Is a VPN?
  • "A VPN is a communications environment in which
    access is controlled to permit peer connections
    only within a defined community of interest, and
    is constructed through some form of partitioning
    of a common underlying communications medium,
    where this underlying communications medium
    provides services to the network on a
    non-exclusive basis."
  • "A VPN is a private network constructed within
    a public network infrastructure, such as the
    global Internet."
  • A Virtual Private Network is a connectivity
    object between two or more private entities. It
    uses the Internet or public domain infrastructure
    and connects private networks.

6
VPN Requirements
  • Opaque Transport
  • VPN traffic may be unrelated to the traffic in IP
    backbone
  • Traffic can be multi-protocol
  • Customer may be using IP addresses not related to
    backbone. These addresses may be private and
    non-unique
  • Data Security
  • No misdirection, misrouting, snooping
  • Security against modification of traffic in
    transit
  • Protection against unauthorized analysis of traffic

7
VPN Requirements
  • QoS Guarantee
  • Need for IP based QoS similar to dedicated or
    dial lines or ATM/Frame Relay
  • Opaque transport requirement is fulfilled by
    using tunnels for transport. Some tunneling
    mechanisms provide support for data security and
    QoS.
  • Some tunneling mechanisms are IP/IP, IPSec, GRE,
    L2TP, MPLS

8
VPN Requirements
  • Private connectivity between networks is an
    inherent characteristic of a VPN implementation.
    This is achieved through the following
    requirements
  • Opaque transport
  • Data Security
  • QoS guarantee
  • Tunneling mechanism

9
VPN Requirements
  • Tunneling Protocol Requirements
  • Support for Multiplexing
  • Signaling
  • Security
  • Multi-protocol traffic
  • Frame Sequencing
  • Maintenance
  • Large MTUs
  • Minimization of tunnel overhead
  • Flow/Congestion control
  • QoS/traffic management

10
VPN Requirements
  • Comparison of the tunneling mechanisms IP/IP,
    IPSec, GRE, L2TP and MPLS against the tunneling
    protocol requirements; each 'y' marks one
    mechanism that supports the requirement
  • Multiplexing: y y y y (four of the five)
  • Signaling: y y y y (four of the five)
  • Security: y y (two of the five)
  • Multi-protocol traffic: y y y (three of the five)
  • Frame Sequencing: y y y (three of the five)
  • Maintenance: none marked
  • Large MTUs: none marked
  • Minimization of Tunnel overhead: none marked
  • Flow/Congestion Control: y (one of the five)
  • QoS/Traffic Management: y (one of the five)
11
VPN Categories
  • VPN services are provided at layer 2 and layer
    3. IP based layer 3 VPN implementations are
    broadly classified as follows
  • Customer Premises Equipment (CPE) based Model
  • Network based or Provider Provisioned Model

12
CPE Based Model
  • Some characteristics of CPE based VPN model are
    as follows
  • Provides VPN capabilities on firewalls, WAN edge
    routers and specialized VPN termination devices
  • Handles security, tunneling between customer
    ends, management of services and devices,
    administrative responsibility and operational
    costs
  • Uses the ISP only for transmission of data over
    the backbone

13
Network Based Model
  • Some characteristics of the network based VPN model
    are as follows:
  • ISPs provide services with no change in the
    subscriber equipment. Services like firewalling,
    data security, routing configuration, QoS, tunnel
    establishment, management and maintenance are
    handled by the provider
  • No extra investment in dedicated, expensive CPE
    gear is needed at the customer end when
    subscribing to a VPN service
  • The customer is offered a choice of
    various services at various costs

14
Network Based Model
  • Customer follows a trust model for security,
    where it trusts or does not trust the provider
  • Trust model extends across multiple providers if
    the VPN spans the domain of multiple providers
  • Forwarding of data between the provider edges
    takes place through tunnels
  • The complexity of operation and administrative
    responsibility rests with the provider

15
Types of VPNs
  • Virtual Leased Lines
  • Virtual Private Dial Networks
  • Virtual Private LAN Segment
  • Virtual Private Routed Networks

16
Virtual Leased Lines
[Figure: two customer CPE devices (10.0.0.5 and 10.0.0.6 on the 10.0.0.4/30 link) attach over ATM VCCs to ISP edge routers, which carry the VCCs through an IP tunnel across the IP backbone.]
  • Provides a point to point link between the
    customer's CPE devices
  • The ISP edge binds the ATM VCC to a tunnel in the
    IP backbone, e.g. the AAL5 payload is
    encapsulated in an IPSEC tunnel in the backbone
17
Virtual Private Dial Networks
[Figure: a dial-up CPE (10.0.0.6) connects through the PSTN to a NAS acting as LAC; an L2TP tunnel crosses the IP backbone to the LNS gateway of the corporate network 10.0.0.0/16.]
  • L2TP: Layer 2 Tunneling Protocol; LAC: L2TP
    Access Concentrator; LNS: L2TP Network Server
  • PPP frames are tunneled across the IP backbone
    using L2TP
  • The L2 connection terminating at the LAC avoids a
    long distance dialup connection
  • The PPP session terminates at the LNS
18
Virtual Private LAN Segment - Transparent LAN Service
[Figure: three CPE devices (10.0.0.5, 10.0.0.6 and 10.0.0.9) attach over stub links to ISP edge routers, which are connected to each other by IP tunnels across the IP backbone.]
  • Emulation of a LAN over the Internet
  • CPE can be a bridge or a router
  • Full mesh connectivity between edge routers
  • Bridge CPE
  • ISP edge routers do flooding and MAC learning
  • Router CPE
  • Explicit link layer routes to CPE routers
19
Virtual Private Routed Networks
[Figure: a VPRN over a provider backbone. Customer sites CPE 1, CPE 2 and CPE 3 attach over stub links (10.1.1.0/30, 10.2.2.0/30, 10.3.3.0/30, 10.5.5.0/30, 10.6.6.0/30) to PE routers (10.0.0.1 and 157.0.0.1), which are joined by IP tunnels through P routers in the IP backbone. Customer data from 10.1.1.1 to 10.5.5.1 is encapsulated in IP/IP: outer IP header destination address 157.0.0.1, inner IP header destination address 10.5.5.1.]
  • PE: Provider Edge; CPE: Customer Premises
    Equipment; P: Provider/Interior router
20
Virtual Private Routed Network (VPRN)
  • VPRN is an IP based layer 3 VPN.
  • Both CPE and network based implementations are
    possible.
  • A VPRN is an emulation of a multi-site wide area
    routed network using IP facilities
  • VPN specific forwarding tables called the VPN
    Routing and Forwarding tables or VRFs are present
    at the provider routers on a per VPN basis. They
    contain network reachability information.
  • VPRN operation is decoupled from the mechanism
    used by the customer to access the Internet

21
VPRN Generic Requirements
  • Use of a globally unique identifier for each VPN
  • VPN ID is a Globally Unique Identifier, which
    uniquely identifies an instance of a VPRN.
  • VPN ID can be used for management purposes in a
    MIB
  • Used for tunnel establishment, to bind a VPRN to
    a particular tunnel etc.
  • Same ID can be used across different technologies
    e.g., IP and ATM

22
VPRN Generic Requirements
  • VPRN membership determination
  • Determination of stub link belonging to a VPRN
  • Through configuration for Static links e.g. ATM
    VCC
  • As part of authentication for Dynamic Links e.g.
    PPP
  • PEs participating in a particular VPRN must be
    known to each other
  • Membership determination is done using
  • Directory Lookup
  • Explicit Management Configuration
  • Piggybacking in Routing Protocols

23
VPRN Generic Requirements
  • Stub link reachability information
  • Determine the set of VPRN addresses and address
    prefixes or destinations reachable at each stub
    site or customer site
  • This exchange of information between the CE and
    PE can be through
  • Routing Protocol Instance on CE - PE
  • Configuration
  • ISP Administered Addresses
  • MPLS Label Distribution Protocol

24
VPRN Generic Requirements
  • Intra - VPN reachability information
  • Exchange of stub link reachability information
    between the provider edges
  • Set of reachable addresses within a VPRN are
    unique
  • Information dissemination is done through
  • Directory Lookup
  • Explicit Configuration
  • Local intra-VPRN Routing Instantiations
  • Link Reachability Protocol
  • Piggybacking in IP backbone Routing Protocols
    e.g. BGP/MPLS VPN

25
VPRN Generic Requirements
  • Tunneling Mechanisms
  • Tunnels comprising the VPRN cores are
    established between PEs after membership
    determination
  • Various mechanisms can be used for tunneling with
    the requirements of security, authentication,
    confidentiality, sharing etc
  • Tunneling mechanisms IP/IP, IPSec, GRE, MPLS,
    L2TP etc

26
Implementation Issues
  • Summarizing some issues involved in building
    VPRNs
  • Initial configuration
  • Determining the set of links in each VPRN
  • Identifying the member routers belonging to a
    VPRN
  • Determining the set of IP addresses or address
    prefixes reachable via each 'stub' link or
    customer

27
Implementation Issues
  • Disseminate the 'stub' reachability information
    to the appropriate set of PE routers
  • Set of IP addresses reachable from the provider
    that is to be given to the customer
  • Establish, maintain, and manage the tunnels
    needed to carry the data
  • Provide secure data transfer and other features
    based on customer requirements

28
VPRN Architecture
  • There are two fundamental architecture models
    for implementing VPRNs.
  • Overlay
  • Piggyback
  • The models differ in methods used to determine
    and disseminate membership and reachability
  • Overlay model constructs multiple routing
    protocol instances e.g., Multiple OSPF instances
    on a per VPRN basis, which overlay the IP
    backbone
  • Piggyback models make use of the existing routing
    protocol and extend it to carry information e.g.,
    BGP/MPLS in the backbone

29
IP VPN - Virtual Router Model
  • "A Virtual Router is an emulation of a physical
    router at the software and/or hardware level."
  • The overlay VPRN model uses the concept of
    Virtual Routers
  • Each VR runs an instance of the routing protocol
    for determining and exchanging reachability
    information with peer VRs

30
VR Model
[Figure: a PE router holding three VR instances (for CE 1, CE 2 and CE 3), each with its own VRF (VPN Routing and Forwarding Table), serving VPRN 1, VPRN 2 and VPRN 3 over stub links to CPE 1, CPE 2 and CPE 3; peer PE routers hold matching VR instances and VRFs, and a backdoor link joins two customer sites directly.]
31
VR Objectives
  • The objective of this mechanism is to provide
    per-VPN routing, forwarding, QoS, and service
    management capabilities
  • To leverage and make use of the existing
    protocols for implementing VPN functionality
  • To isolate different VPN instances
  • To isolate the underlying backbone protocol from
    the VPN protocols

32
VR Characteristics
  • VRs that are members of a particular VPN must
    share the same VPN ID.
  • The VR architecture supports overlapping address
    spaces in separate VPNs
  • Each VPN can have its own routing protocol in the
    provider backbone or the customer end if needed

33
VR Characteristics
  • Supports VR to VR connectivity
  • Over Layer 2 connections (ATM or Frame relay)
  • Over IP based or MPLS tunnels
  • Any routing protocol instance can be run between
    the PE and CE to determine stub link
    reachability.
  • The CE-PE routing protocol is independent of the
    routing protocol in the backbone.

34
VR Advantages
  • The Provider (P) routers or non-edge backbone
    routers need not be VPN aware. In piggyback
    models, the provider/intermediate routers may be
    VPN aware to determine if the packets sent belong
    to the VPN or the backbone routing
  • Backbone protocol can be independent of the VR
    protocol used
  • No changes to existing protocols. In piggyback
    models, the routing protocol for VPN must extend
    to accommodate information about VPN membership,
    reachability etc.
  • No changes are needed during deployment

35
VR Based Solution for IP VPN
  • OSPF is run as a VR protocol for PE - PE routing
  • For each VPN, towards the provider edge, an OSPF
    instance is run on the Provider Edge router over
    tunnels in the backbone
  • Routing protocol updates are exchanged between
    the PE routers participating in a given VPN

36
Membership
  • Membership information is used to identify and
    determine which VPN a given VR belongs to
  • Membership information is disseminated statically
    or dynamically
  • A VPN Manager can have pre-configured or
    dynamically learnt VPN IDs, which are assigned to
    each of the VR instances
  • This can be used to map the VPN ID to the
    resources used by the instance like the routing
    table associated with the interface

37
Routing
  • The "stub link reachability" is learnt by the VR
    instance on the PE associated with that customer
    end of the VPN site
  • VRs belonging to the same VPN exchange this
    reachability information with the help of the VR
    routing protocol
  • Redistribution takes place at the Provider Edge
    Router between the customer and the provider
    edges on a per-VR basis
  • Each VR instance is associated with a routing
    table called the VRF. Each VPN is mapped to a VRF

38
Routing
  • Multiple routing tables are used to isolate
    routing information between the VRs
  • Support for multiple routing tables on Linux is
    provided by the Advanced Routing option
  • On Linux, the input interface(s) from the
    customer end is/are mapped to a VRF using the 'ip
    rule' command

39
Routing
  • VR instance on the customer end and provider end
    share the routing table. Any addition/deletion of
    new routes is redistributed to the other
    corresponding instance of routing protocol
  • CE-CE or CE-PE routing is independent of the VR
    routing
  • Multiple routing tables concept can be extended
    to support Traffic Engineering

40
Tunneling
  • The exchange of control and data plane
    information is done using tunnels, established
    between member routers of a VPN
  • Tunnels on Linux can be established by
    configuring the tunnel device tunl0. This feature
    is provided using 'ip tunnel' commands
  • Multiple VPNs can be mapped to a single tunnel
    depending on the security constraints
  • Tunnel aggregation can be done to minimize
    overhead in tunnel establishment and maintenance

41
VPN Support On LINUX
  • Multiple Routing table support
  • A compile time Advanced Routing option
  • Up to 255 routing tables
  • Netlink support for associating network
    interfaces or tunnels with routing tables
  • IP/IP and GRE tunneling mechanism.

42
VPN Support On LINUX
  • IP utility
  • To configure IP/IP and GRE tunnels
  • ip tunnel add mode ipip local 10.0.0.1 remote
    10.0.0.2
  • To configure routes in different routing tables
  • ip route add 10.0.0.0/24 via 192.168.221.254
    table 50
  • To associate interfaces with routing tables
  • ip rule add iif eth0 table 50
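The per-VPN forwarding that slides 37 to 42 describe (input interface selects a VRF via 'ip rule', the lookup is confined to that VPN's table, and the customer packet is carried to the remote PE inside an IP/IP outer header) can be modelled in a few lines. This is an added illustration, not code from the presentation or from any Linux tool; the PE address, interface names, table numbers and the two-VPN scenario are constructed, and the overlapping 10.5.5.0/30 prefix is deliberate to show that the VRFs keep the two customers apart.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Packet:
    src: str
    dst: str
    outer_dst: Optional[str] = None   # set once the PE has added the IP/IP outer header


@dataclass
class VRF:
    vpn_id: int
    table: int                        # Linux routing table number (Advanced Routing: 1..255)
    routes: Dict[ipaddress.IPv4Network, str] = field(default_factory=dict)  # prefix -> remote PE


class PERouter:
    """Toy provider edge: one VRF per VPN, the input interface selects the VRF."""

    def __init__(self, address: str):
        self.address = address
        self.vrfs: Dict[int, VRF] = {}        # table number -> VRF
        self.iif_rules: Dict[str, int] = {}   # models 'ip rule add iif IFACE table N'

    def add_vrf(self, vrf: VRF) -> None:
        if not 1 <= vrf.table <= 255:
            raise ValueError("Linux Advanced Routing supports tables 1..255")
        self.vrfs[vrf.table] = vrf

    def bind_interface(self, iif: str, table: int) -> None:
        self.iif_rules[iif] = table

    def add_route(self, table: int, prefix: str, remote_pe: str) -> None:
        self.vrfs[table].routes[ipaddress.ip_network(prefix)] = remote_pe

    def forward(self, iif: str, pkt: Packet) -> Optional[Packet]:
        vrf = self.vrfs[self.iif_rules[iif]]
        dst = ipaddress.ip_address(pkt.dst)
        # longest-prefix match against this VPN's table only; other VPNs' routes are invisible
        matches = [n for n in vrf.routes if dst in n]
        if not matches:
            return None                    # no route in this VRF: the packet is dropped
        best = max(matches, key=lambda n: n.prefixlen)
        # IP/IP encapsulation: outer header addressed to the remote PE, inner header untouched
        return Packet(pkt.src, pkt.dst, outer_dst=vrf.routes[best])


def build_demo() -> PERouter:
    """Constructed scenario: two VPNs that both use 10.1.1.0/30 and 10.5.5.0/30."""
    pe = PERouter("10.0.0.1")
    pe.add_vrf(VRF(vpn_id=1, table=50))
    pe.add_vrf(VRF(vpn_id=2, table=51))
    pe.bind_interface("eth0", 50)                  # customer 1's stub link
    pe.bind_interface("eth1", 51)                  # customer 2's stub link
    pe.add_route(50, "10.5.5.0/30", "157.0.0.1")   # VPN 1's remote site sits behind PE 157.0.0.1
    pe.add_route(51, "10.5.5.0/30", "157.0.0.2")   # VPN 2's identical prefix sits behind another PE
    return pe
```

Calling build_demo() and forwarding a packet for 10.5.5.1 from eth0 yields an outer destination of 157.0.0.1, while the same inner addresses arriving on eth1 are sent to 157.0.0.2, and a destination absent from the VRF is dropped rather than leaking into another VPN's table.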

43
Issues in OSPF VR Model
  • Depending on configuration of customers, various
    issues related to connectivity and duplication of
    information arise. Examples of configuration
    scenarios are
  • Each customer belonging to a particular VPN
  • Customer belongs to multiple VPRNs over multiple
    stub links
  • Customer belongs to multiple VPRNs over a single
    stub link
  • Multiple VPRNs are established over a single stub
    link

44
Issues in OSPF VR Model
  • Stub information exchanged is AS External
    information. The routing information or updates
    are exchanged as AS External information between
    the customer ends
  • Membership information is statically configured
    by a VPN manager. Manager must keep track of
    change in membership and disseminate this
    information appropriately
  • Static configuration of tunnels, maintenance and
    management is also done by the manager, which
    must keep track of changes and handle the OSPF
    instances accordingly

45
Issues in OSPF VR Model
  • The various configuration scenarios of the CE-PE
    connection, and the way routing information is
    redistributed between the customer and provider
    edges of the PE router, influence the kind of
    information exchanged
  • E.g., if the customer ends are treated as
    belonging to same area or different areas but
    belonging to the same AS, then the routes
    exchanged become intra or inter area routes,
    which gain preference over AS External routes
    according to OSPF protocol. In this case, the VPN
    serves to seamlessly transfer the OSPF/routing
    information between the customer ends.

46
Summary
  • VPN is a connectivity object
  • Objective of VPN is to provide private
    connectivity between customer ends, over a public
    infrastructure
  • VPN features and requirements include opaque
    transfer, security, QoS etc
  • Layer 3 VPN implementations are considered
  • Different VPN types exist, of which VPRN
    is an IP-network based layer 3 VPN implementation
  • VR is an overlay concept for implementing VPRN
  • OSPF is used as a VR protocol. Linux based model
    uses IP tunnels and Advanced Routing options to
    build rule based routing tables

47
References
  • [VPN-RFC2764] Gleeson, B., et al., "A Framework
    for IP Based Virtual Private Networks", RFC 2764,
    February 2000.
  • [PPVPN] Ould-Brahim, H., et al., "Network based
    IP VPN Architecture using Virtual Routers", work
    in progress.
  • [PPVPN] Nagarajan, A., et al., "Applicability
    Statement for Virtual Router-based Layer 3 PPVPN
    approaches", August 2002.
  • [RFC2685] Fox, B., et al., "Virtual Private Network
    Identifier", RFC 2685, September 1999.
  • [RFC2547bis] Rosen, E., et al., "BGP/MPLS VPNs",
    work in progress.
  • [VPN-BGP] Ould-Brahim, H., et al., "Using BGP as
    an Auto-Discovery Mechanism for Network-based
    VPNs", work in progress.