VPN - 1: Virtual Private Networks
Mario Baldi
Synchrodyne Networks, Inc.
baldi@synchrodyne.com
VPN - 1 M. Baldi: see page 2

VPN - 2: Copyright Notice
- This set of transparencies (hereafter "slides") is protected by copyright law and by the provisions of international treaties. The title and the copyrights relating to the slides (including, but not limited to, every image, photograph, animation, video, audio, music and text) are the property of the authors indicated on page 1.
- The slides may be freely reproduced and used by research institutes, schools and universities belonging to the Italian Ministry of Public Education and the Ministry of University and Scientific and Technological Research, for institutional purposes and not for profit. In that case no authorization is required.
- Any other use or reproduction (including, but not limited to, reproduction on magnetic media, on computer networks and in print), in whole or in part, is forbidden unless explicitly authorized in writing, in advance, by the authors.
- The information contained in these slides is believed to be accurate as of the date of publication. It is provided for purely educational purposes and not for use in the design of plants, products, networks, etc. In any case it is subject to change without notice. The authors assume no responsibility for the content of these slides (including, but not limited to, the correctness, completeness, applicability and currency of the information).
- In no case may conformity with the information contained in these slides be claimed.
- In any case this copyright notice must never be removed and must be reproduced also in partial uses.

VPN - 3: A Definition
Virtual Private Network: customer connectivity deployed on a shared infrastructure such that policies can be enforced as in a private network.
- Shared infrastructure
  - Private/public network, e.g., that of an Internet Service Provider
  - IP
  - Frame Relay
  - ATM
  - The Internet
- Policies
  - Secure communication
  - Security, Quality of Service (QoS), reliability, etc.

VPN - 4: Why VPN?
- Private networks are based on
  - Private leased lines
  - Long-distance dial-up solutions
- VPNs make it possible to cut back on these expensive solutions
VPN - 5: Classification
- Access VPN
  - Remote access over a shared infrastructure
  - e.g., ISDN, PSTN, cable, DSL
- Intranet VPN
  - Links corporate headquarters, remote offices, branch offices
- Extranet VPN
  - Links customers, suppliers, partners, or communities of interest to a corporate intranet

VPN - 6: VPN Service Provision
- Overlay Model
  - IPSec-based managed service
  - Many separate, highly meshed tunnels
  - Each VPN gateway must know every other VPN gateway
- Peer Model
  - MPLS network
  - Each VPN gateway knows only its peer service provider router
  - Exchange of routing information: the service provider network disseminates routing information and routes traffic between gateways of the same VPN

  VPN type   | Overlay model | Peer model
  -----------|---------------|-----------
  Access     | L2TP, PPTP    | --
  Intranet   | IPSec         | MPLS
  Extranet   | IPSec         | MPLS

VPN - 7: Tunneling
- A and B are enterprise addresses
  - They do not have to be public (globally unique) addresses
  - Tunneling makes operation across the shared infrastructure possible
- Tunneling by itself does not ensure security
- Figure: host A - VPN gateway X - tunnel across the Internet - VPN gateway Y - host B
- Encapsulated packet: [IP header from X to Y] [IP header from A to B] [Payload]

VPN - 8: Access VPN
- L2TP (Layer 2 Tunneling Protocol)
  - Used mainly by ISPs for access VPNs
  - Does not require special software on the client
- PPTP (Point-to-Point Tunneling Protocol)
  - Microsoft: integrated in dial-up networking
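Worked example for the tunneling slide (VPN - 7), added here and not part of the original slides: gateway X wraps an enterprise packet A -> B in an outer IP header X -> Y using IP-in-IP (protocol 4, RFC 2003), a router in the middle sees only the outer header, and gateway Y strips it. The addresses, the payload and the function names are constructed for the example; the point it makes is the slide's last bullet, that the inner packet travels in cleartext, so tunneling alone gives no confidentiality.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # protocol number of the outer header for IP-in-IP (RFC 2003)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, then the payload."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    csum = struct.pack("!H", ipv4_checksum(fields))
    return fields[:10] + csum + fields[12:] + payload


def is_valid_ipv4(pkt: bytes) -> bool:
    """Version 4 and a header checksum that verifies (sum over the header must be zero)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    return ipv4_checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    if not is_valid_ipv4(pkt):
        raise ValueError("not a valid IPv4 header")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20]
    )
    ihl = (vihl & 0x0F) * 4
    return (
        str(ipaddress.IPv4Address(src)),
        str(ipaddress.IPv4Address(dst)),
        proto,
        pkt[ihl:total_len],
    )


def encapsulate(inner: bytes, gw_x: str, gw_y: str) -> bytes:
    """VPN gateway X wraps the enterprise packet in an outer header addressed to gateway Y."""
    return ipv4_packet(gw_x, gw_y, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """VPN gateway Y strips the outer header and forwards the inner packet unchanged."""
    _src, _dst, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet does not carry IP-in-IP")
    return inner


def tunnel_trace(host_a: str, host_b: str, gw_x: str, gw_y: str, payload: bytes) -> dict:
    """Send A -> B through the X -> Y tunnel and report what an observer on the Internet sees."""
    inner = ipv4_packet(host_a, host_b, 6, payload)  # 6 = TCP; payload stands in for the segment
    outer = encapsulate(inner, gw_x, gw_y)
    on_the_wire = parse_ipv4(outer)                  # what a router between X and Y forwards on
    delivered = decapsulate(outer)
    return {
        "outer_src_dst": on_the_wire[:2],
        "inner_src_dst": parse_ipv4(delivered)[:2],
        "inner_is_private": all(ipaddress.IPv4Address(h).is_private for h in (host_a, host_b)),
        "payload_visible_in_transit": payload in outer,  # tunneling alone gives no confidentiality
        "inner_unchanged": delivered == inner,
    }
```

A typical call is `tunnel_trace("10.1.0.5", "10.2.0.7", "203.0.113.1", "198.51.100.2", b"...")`: the outer addresses are the gateways' public ones, the inner addresses stay private (RFC 1918) and the payload bytes are present verbatim in the packet that crosses the Internet. Adding confidentiality and integrity is what IPsec ESP on top of the tunnel is for.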
VPN - 9: Highlights of Virtual Dial-Up
- Authentication/Security
  - Performed by the VPN gateway
  - Based on the policies and information of the corporate network
- Authorization
  - Performed by the VPN gateway
  - Based on the policies and information of the corporate network
- Address allocation
  - Addresses are dynamically allocated
  - Same access as when directly connected

VPN - 10: VPN Gateway and Firewall
- Inside (gateway behind the firewall)
  - No inspection of VPN traffic: the firewall sees only encrypted traffic
  - VPN gateway protected by the firewall
- Parallel (gateway beside the firewall)
  - Potential uncontrolled access: decrypted traffic bypasses the firewall
- Outside (gateway in front of the firewall)
  - VPN gateway protected only by the access router
  - Consistent policy: decrypted traffic passes through the firewall
- Integrated (gateway in the firewall)
  - Maximum flexibility
- Figure: Internet - encrypted traffic - public side - firewall - VPN gateway - decrypted traffic - private side

VPN - 11: VPN Gateway and NAT
- Authentication Header (AH)
  - The IP addresses are covered by the AH integrity check: NAT-rewritten packets fail verification and are discarded
- Transport mode
  - The IP address of the IPSec peer is not the expected one: packets discarded
- Tunnel mode
  - The IP addresses within the protected packet are not changed
  - The IP addresses manipulated by NAT belong to the IPSec gateway
  - Probably NAT is not needed
  - No PAT (Port Address Translation): ESP carries no transport port numbers to translate

VPN - 12: VPN Gateway and IDS
- IDS is usually outside the firewall
  - No control on VPN traffic: it sees only encrypted packets
- Multiple IDS probes
  - Outside the firewall
  - Inside the VPN gateway, on the decrypted side
- Figure: Internet - access router - public side (IDS probe) - firewall - IPSec gateway - private side (IDS probe)
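Added example for the NAT slide (VPN - 11), not part of the original slides: a small model of why AH breaks behind NAT while ESP in tunnel mode survives it, and why PAT cannot be applied to either. The integrity check value is HMAC-SHA1-96 (RFC 2404); the AH model covers only the addresses among the immutable header fields, encryption is left out (the body stands in for ESP ciphertext), and the key, addresses and packet layout are constructed for the example. The transport-mode case on the slide is not modelled.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int            # changes at every hop, so never covered by an integrity check
    body: bytes         # AH: the protected payload; ESP: ESP header plus ciphertext
    sport: int = 0      # transport source port, meaningful for TCP/UDP only
    icv: bytes = b""


def _mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def _addresses(pkt: Packet) -> bytes:
    return ipaddress.IPv4Address(pkt.src).packed + ipaddress.IPv4Address(pkt.dst).packed


def ah_protect(key: bytes, pkt: Packet) -> Packet:
    """AH authenticates the immutable IP header fields, addresses included, plus the payload.
    Mutable fields (TTL, header checksum) count as zero; this model keeps only the addresses."""
    return replace(pkt, proto=IPPROTO_AH, icv=_mac(key, _addresses(pkt) + pkt.body))


def ah_verify(key: bytes, pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _mac(key, _addresses(pkt) + pkt.body))


def esp_protect(key: bytes, pkt: Packet) -> Packet:
    """ESP authenticates only the ESP header and the (encrypted) payload; the outer IP
    addresses are outside the ICV. In tunnel mode the body is the whole inner packet."""
    return replace(pkt, proto=IPPROTO_ESP, icv=_mac(key, pkt.body))


def esp_verify(key: bytes, pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _mac(key, pkt.body))


def nat_rewrite(pkt: Packet, public_src: str) -> Packet:
    """Source NAT on the way out: rewrite the source address, decrement the TTL, touch nothing else."""
    return replace(pkt, src=public_src, ttl=pkt.ttl - 1)


def pat_rewrite(pkt: Packet, public_src: str, public_port: int) -> Packet:
    """Port Address Translation must rewrite a transport port; ESP and AH carry none.
    (A real PAT would also fix the TCP/UDP checksum; omitted in this model.)"""
    if pkt.proto not in (IPPROTO_TCP, IPPROTO_UDP):
        raise ValueError(f"PAT impossible: protocol {pkt.proto} has no port numbers")
    return replace(pkt, src=public_src, sport=public_port, ttl=pkt.ttl - 1)


def nat_traversal_outcome(key: bytes, protected: Packet, public_src: str) -> bool:
    """Push the protected packet through a NAT and verify it at the receiving gateway."""
    after_nat = nat_rewrite(protected, public_src)
    verify = ah_verify if protected.proto == IPPROTO_AH else esp_verify
    return verify(key, after_nat)
```

With the gateway's packet built as `Packet("192.168.0.10", "198.51.100.2", 0, 64, inner_bytes)` and a NAT mapping 192.168.0.10 to 203.0.113.1, `nat_traversal_outcome` is False for the AH-protected copy (the rewritten source address no longer matches the ICV) and True for the ESP-protected copy (the ICV never covered the outer addresses), which is exactly why the slide recommends placing the gateway where its own address is public rather than behind NAT.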
VPN - 13: MPLS Based VPNs
- Scalability
  - Large scale deployments
- VPN policies implemented by the Service Provider
  - No experience needed on the customer side
- RFC2547bis
  - MPLS
  - BGP

VPN - 14: MPLS VPN Components
- VRF (VPN Routing and Forwarding) table
  - Associated with one or more ports
  - Forwarding information to be used for traffic received through those ports
- Figure: Provider (P) routers in the backbone, Provider Edge (PE) routers at its edge, Customer Edge (CE) routers at the customer sites

VPN - 15: MPLS VPN Components
- CE router creates an adjacency with the PE router
  - It advertises its destinations
  - It receives advertisements of the other destinations in its VPN
  - Static routing, an IGP (Interior Gateway Protocol, e.g., OSPF, RIP), or E-BGP (Exterior Border Gateway Protocol)
- PE router does not keep routes for all VPNs, only for those attached to it

VPN - 16: MPLS VPN Components
- PE routers
  - Exchange routing information via I-BGP (Interior Border Gateway Protocol)
  - Are the ingress and egress LSRs (Label Switch Routers) for the backbone
- P routers have routes to PE routers only (no VPN routes)
VPN - 17: Control Plane
- Establishment of LSPs (Label Switched Paths) across the backbone
  - I-BGP carrying the VPN label together with each route
  - LDP (Label Distribution Protocol) and/or RSVP (Resource Reservation Protocol) for the backbone LSPs
  - LSP mesh among PE routers serving the same VPN

VPN - 18: Control Plane
- Routing exchange at the edges
- Route filtering
  - PE routers determine which routes to install in each VRF
- Support for overlapping address spaces
  - VPN-IPv4 address family: Route Distinguisher (8 bytes) + IPv4 address (4 bytes)

VPN - 19: Packet Routing
- Packet from 10.2.3.4 (site 10.2/16 behind CE2 and PE2) to 10.1.3.8 (site 10.1/16 behind CE1 and PE1)
- Default gateway: PE2 router
- Figure: 10.1.3.8 - CE1 - PE1 - backbone LSP (L2) - PE2 - CE2 - 10.2.3.4

VPN - 20: Packet Routing
- PE2 looks up the VRF of the incoming port
  - MPLS label advertised by PE1 for 10.1/16: L1
  - BGP next hop: PE1
  - Outgoing interface for the LSP to PE1
  - Initial label for the LSP from PE2 to PE1: L2
VPN - 21: Packet Routing
- PE2 pushes L1 and L2 onto the label stack (L2 on top)
- P routers forward the packet to PE1 using L2
- Last hop before PE1 pops L2 (penultimate hop popping)
- PE1 receives the packet with L1
- PE1 pops L1: plain IP packet
- PE1 uses L1 to route the packet to the proper output interface (toward CE1)
- Figure: PE2 sends [L2/L1][IP][Payload]; the penultimate P router delivers [L1][IP][Payload]; PE1 forwards [IP][Payload] to CE1

VPN - 22: Benefits
- No constraints on the addressing plan
  - Address uniqueness required only within a VPN
- CE routers do not exchange information with each other
- Customer does not manage the backbone
- Providers do not have one virtual backbone per customer
- VPN can span multiple providers
- Security equivalent to Frame Relay or ATM
  - Traffic isolation
  - No cryptography (hence no confidentiality)
- QoS supported through the experimental bits in the MPLS header

VPN - 23: Multi-Protocol Support
- Access VPN
  - Transparent: L2TP and PPTP
- IPsec based
  - Generic Routing Encapsulation (GRE)
  - Transports any layer 3 protocol within IP
- MPLS based
  - Built into MPLS (Multi-Protocol Label Switching)

VPN - 24, 25: References
- E. Rosen and Y. Rekhter, "BGP/MPLS VPNs", RFC 2547, March 1999.
- E. Rosen et al., "BGP/MPLS VPNs", Internet-Draft draft-rosen-rfc2547bis-02.txt, July 2000.
- C. Semeria, "RFC 2547bis: BGP/MPLS VPN Fundamentals", Juniper Networks white paper 200012-001, March 2001.
- IETF MPLS Working Group, http://www.ietf.org/html.charters/mplscharter.html
- S. Hanks (Ed.), "Generic Routing Encapsulation over IPv4", RFC 1702, October 1994.
- B. Browne, "Best Practices For VPN Implementation", Business Communication Review, March 2001.
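Added example, not part of the original slides, that carries the VPN-IPv4 address family of slide VPN - 18 and the packet routing procedure of slides VPN - 19 to 21 through in code: two customer VPNs both use 10.1/16 behind PE1, so their routes are distinguished by the Route Distinguisher; PE2 looks up the VRF of the incoming port, pushes the VPN label L1 under the LSP label L2, P1 swaps L2, P2 does penultimate hop popping, and PE1 maps L1 to the output interface toward CE1. The topology, AS number, label values and interface names are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

# --- VPN-IPv4 address family (RFC 2547): 8-byte Route Distinguisher + IPv4 address ---

def route_distinguisher(asn: int, assigned: int) -> bytes:
    """Type 0 RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number, e.g. 65000:1."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_ipv4(rd: bytes, prefix: str) -> bytes:
    """RD + network address: two customers' 10.1/16 become distinct BGP routes."""
    return rd + ipaddress.IPv4Network(prefix).network_address.packed


# --- Ingress PE: one VRF per customer port, routes learned from the egress PE via I-BGP ---

@dataclass
class VrfRoute:
    vpn_label: int       # label the egress PE advertised with the route (L1 on the slides)
    bgp_next_hop: str    # egress PE (PE1)


@dataclass
class Vrf:
    rd: bytes
    routes: dict = field(default_factory=dict)   # "10.1.0.0/16" -> VrfRoute

    def lookup(self, dst: str) -> Optional[VrfRoute]:
        """Longest-prefix match inside this VRF only; other VPNs' routes are invisible."""
        best = None
        for prefix, route in self.routes.items():
            net = ipaddress.IPv4Network(prefix)
            if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, route)
        return best[1] if best else None


@dataclass
class IngressPE:
    port_to_vrf: dict    # customer-facing port -> Vrf
    lsp_to_pe: dict      # egress PE -> (first P router on the LSP, initial LSP label L2)


@dataclass
class PRouter:
    lfib: dict           # incoming label -> (outgoing label, next router); None = pop


@dataclass
class EgressPE:
    label_to_iface: dict # VPN label -> customer-facing output interface


def forward(pe2: IngressPE, p_routers: dict, pe1: EgressPE, in_port: str, dst: str) -> list:
    """Trace (router, next hop or output interface, label stack after processing) hop by hop."""
    route = pe2.port_to_vrf[in_port].lookup(dst)
    if route is None:
        raise LookupError(f"{dst}: no route in the VRF of port {in_port}, packet dropped")
    first_p, l2 = pe2.lsp_to_pe[route.bgp_next_hop]
    stack = [l2, route.vpn_label]            # top of stack first: LSP label over VPN label
    trace = [("PE2", first_p, list(stack))]
    node = first_p
    while node in p_routers:                 # P routers look only at the top (LSP) label
        out_label, next_node = p_routers[node].lfib[stack[0]]
        stack.pop(0)
        if out_label is not None:
            stack.insert(0, out_label)       # swap; None means penultimate hop popping
        trace.append((node, next_node, list(stack)))
        node = next_node
    if len(stack) != 1:
        raise LookupError("egress PE expected exactly the VPN label")
    iface = pe1.label_to_iface[stack.pop(0)]  # L1 selects the output interface toward CE1
    trace.append(("PE1", iface, list(stack)))
    return trace


def build_topology():
    """Constructed topology: VPNs 'red' and 'blue' both use 10.1/16 behind PE1."""
    rd_red, rd_blue = route_distinguisher(65000, 1), route_distinguisher(65000, 2)
    vrf_red = Vrf(rd_red, {"10.1.0.0/16": VrfRoute(vpn_label=100, bgp_next_hop="PE1")})
    vrf_blue = Vrf(rd_blue, {"10.1.0.0/16": VrfRoute(vpn_label=200, bgp_next_hop="PE1")})
    pe2 = IngressPE(port_to_vrf={"ge-0/0/1": vrf_red, "ge-0/0/2": vrf_blue},
                    lsp_to_pe={"PE1": ("P1", 300)})
    p_routers = {"P1": PRouter({300: (301, "P2")}),     # swap
                 "P2": PRouter({301: (None, "PE1")})}   # penultimate hop popping
    pe1 = EgressPE({100: "to-CE1-red", 200: "to-CE1-blue"})
    return pe2, p_routers, pe1
```

`forward(pe2, p_routers, pe1, "ge-0/0/1", "10.1.3.8")` yields the stack [300, 100] at PE2, [301, 100] after P1, [100] after P2 and an empty stack at PE1 with output interface to-CE1-red; the same destination entering on the blue port ends on to-CE1-blue because the lookup happens in a different VRF and yields a different VPN label. A destination absent from the port's VRF raises instead of being routed, which is the traffic isolation the Benefits slide refers to: no cryptography, but no path from one VPN's port into another VPN's routes either.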