
History of VPN, Technology Overview

Marc Debaerdemaeker BELNET, Network Engineer

History of VPN (1/3)


Virtual Private Network (VPN) = ?
A private network constructed over a shared infrastructure:
- Virtual: not a separate physical network
- Private: separate addressing and routing
- Network: collection of devices that communicate
Restricted connectivity is the goal.

History of VPN (2/3)


Customer facilities across the country or around the world:
- Maintain fast, secure and reliable communications
WAN: Leased Lines (64 kbps -> 155 Mbps)
Frame Relay Network from Provider:
- Use of PVC Layer 2 circuits interconnecting customer sites
- Fully meshed network: scalability issue
- Routing needs to be done by customer

History of VPN (3/3)


Increasing popularity of Internet:
- Became part of everyday life
- Means of extending customer networks:
  - Intranet (for company employees)
  - VPNs (remote employees + distant offices)
Increasing importance of IP/MPLS (not ATM/Frame Relay)

VPN Benefits
- Lower operational expenses (vs. WAN): single network (Internet) connection => multiple services
- Extend geographic connectivity
- Provide global networking opportunities
- Improve security
- Simplify network topology

VPN Technology Overview


Classification of VPNs:
1) Customer Premises VPN Solutions (CPE-VPN): tunneling methods
2) Provider-Provisioned VPN Solutions (PP-VPN): Layer 2 <-> Layer 3

Classification of VPNs
1) CPE-VPN
- Creation and management of tunnels: customer's equipment
- ISP treats packets from customer as normal IP packets
- Tunneling requires 3 different protocols:
  - Carrier protocol: used by the network (IP)
  - Encapsulating protocol: wrapped around original data (GRE, L2TP, PPTP, IPSec, SSL)
  - Passenger protocol: original data (IPX, IP, NetBEUI, ...)
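Added example, not from the slides: a small Python encoder/decoder that builds a tunnel packet out of the three protocol layers listed above (carrier IPv4, encapsulating GRE as in RFC 2784, passenger IPv4) and peels them apart again, rejecting frames that are not plain GRE-in-IPv4. The addresses and payload are constructed sample values; plain GRE offers none of the IPSec security services listed below, so the passenger packet travels in the clear.

```python
import socket
import struct

IPPROTO_GRE = 47         # carrier IPv4 "protocol" value for GRE
GRE_PTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 passenger

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of payload, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def gre_encapsulate(carrier_src: str, carrier_dst: str, passenger: bytes) -> bytes:
    """Carrier IPv4 + basic 4-byte GRE header (flags/version 0, protocol type) + passenger."""
    gre = struct.pack("!HH", 0, GRE_PTYPE_IPV4)
    return build_ipv4(carrier_src, carrier_dst, IPPROTO_GRE, gre + passenger)

def gre_decapsulate(frame: bytes) -> dict:
    """Peel off the carrier and encapsulating layers, checking each one on the way."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[0] >> 4 != 4 or ihl < 20 or len(frame) < ihl + 4:
        raise ValueError("not an IPv4 carrier packet")
    if ipv4_checksum(frame[:ihl]) != 0 or frame[9] != IPPROTO_GRE:
        raise ValueError("bad carrier checksum or carrier payload is not GRE")
    flags, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    if flags & 0x0007:                          # low 3 bits = GRE version, must be 0
        raise ValueError("unsupported GRE version")
    gre_len = 4 + (4 if flags & 0x8000 else 0)  # C bit adds a checksum/reserved word
    passenger = frame[ihl + gre_len:]
    info = {"carrier": (socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20])),
            "gre_protocol": ptype, "passenger": passenger}
    if ptype == GRE_PTYPE_IPV4 and len(passenger) >= 20:  # original data is itself IPv4
        info["passenger_addrs"] = (socket.inet_ntoa(passenger[12:16]),
                                   socket.inet_ntoa(passenger[16:20]))
    return info

# Constructed sample: a private (10/8) passenger packet carried between two CPE
# addresses from the RFC 5737 documentation ranges; the UDP payload is placeholder bytes.
PASSENGER = build_ipv4("10.1.1.10", "10.2.2.20", 17, b"hello")
TUNNELLED = gre_encapsulate("192.0.2.1", "198.51.100.1", PASSENGER)
```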

Example of CPE-VPN: IPSec


- Routing performed at CPE
- Secure tunnels terminate on customer's premises
- Only CPE must support IPSec
- Security services: access control, data origin authentication, replay protection, data integrity, data encryption, key management

Classification of VPNs
2) PP-VPN
- Creation and management of tunnels: provider's equipment
- Typical use of MPLS on provider's network
- Layer 3 versus Layer 2:
  - Layer 3:
    - Provider's routers participate in customer's L3 routing
    - CE routers advertise their networks to provider
    - Provider's routers manage VPN-specific routing tables
    - Provider's routers distribute routes to remote sites
  - Layer 2:
    - Customer maps L3 routing to circuit mesh
    - Provider delivers L2 circuits to customer
    - Customer networks are transparent to provider

MPLS
Multi Protocol Label Switching
Goal:
- Bring speed of L2 switching to L3
- Traffic engineering
- VPN

Definitions:
- Label: short, fixed-length, locally significant identifier located after the Layer 2 header and before any other network layer header
- Label Switched Path (LSP): a specific traffic path through an MPLS network, provisioned using label distribution protocols (e.g. RSVP, LDP)
- LSR: Label Switch Router (or P router): routers in the middle

MPLS

PP-VPNs: Layer 3
Application: RFC2547bis
Advantages:
- Customer: offload routing complexity to provider; focus on core competencies
- Provider: value-added services

Disadvantages:
- Customer: less flexibility; no control over L3 routing
- Provider: increasing load on provider's infrastructure if number of L3 VPN customers increases

PP-VPNs: Layer 2
Circuit Cross-Connect (CCC):
- Foundation for MPLS-based L2 VPNs
- Supports variety of L2 protocols
- Manually map local identifiers to LSPs
- Configure 1 LSP per direction/PVC

Draft-Kompella:
- L2 VPN created using bidirectional MPLS LSPs
- LSPs automatically mapped to L2 circuits
- BGP between PE routers to exchange information about VPN member sites

Draft-Martini:
- LDP as signaling protocol

PP-VPNs: Layer 3 vs Layer 2


L3 advantages:
- Customer: offload routing complexity; focus on core competencies
- Provider: value-added services

L2 advantages:
- Customer: outsource L2 circuits; maintains routing control; use any L3 protocol
- Provider: easy to add, remove or change L2 circuits

L3 drawbacks:
- Customer: less flexibility; no control over L3 routing
- Provider: complex management if number of L3VPN customers increases

L2 drawbacks:
- Customer: routing expertise necessary; uniform circuit type
