Deploying VPN
Eric Vyncke, Cisco Systems Field Distinguished Engineer, evyncke@cisco.com
© 2003, Cisco Systems, Inc. All rights reserved. UCL VPN workshop (presentation transcript)

Forewords
- Focus mainly on VPN for one organization

Agenda
- Cisco Definition of VPN
- Using Layer 3 Tunnels & Routing
- Security of the Above
- Existing Techniques for Dynamic VPN
- Deployment Examples

Virtual Private Network (VPN) Defined
"A Virtual Private Network Carries Private Traffic Over a Public Network" (Cisco 'official' definition)

What Is a "Public" Network?
- In this context, any network shared among different administrative domains
- A shared network such as the Internet
- A privately owned network which services many external/internal customers

What is 'Private' Traffic?
- Can be anything desired by an organization
- Confidentiality => IPSec
- IP routing independence (address and IGP) => MPLS & RFC 2547
- QoS end to end
- Efficient multicast

The Three Categories of VPN
[Diagram: Main Office connected across a public network, through POPs, to a Remote Office, a Home Office, a Mobile Worker and a Business Partner]
- Remote Access VPN: secure, scalable, encrypted tunnels across a public network, client software
- Extranet VPN: extends WANs to business partners
- Intranet VPN: low cost, tunneled connections with rich VPN services, like IPSec encryption and QoS to ensure reliable throughput

Technologies
- A large choice:
  - BGP/MPLS VPN
  - IPSec (my main focus)
  - Layer 3: IPinIP, GRE, IPv6 over IPv4
  - Layer 2: L2TP, IEEE 802.1q VLAN

Another Cisco Taxonomy
- L2VPN
- L3VPN
  - Network Based VPN: MPLS VPN, Network Based IPSec
  - CPE Based VPN: IPSec/GRE

Agenda: Using Layer 3 Tunnels & Routing

Examples
- The most common layer 3 tunnels are:
  - IP in IP: RFC 2003
  - GRE: RFC 2784 (default on Cisco routers)
- The most common layer 2 tunnels are:
  - PPTP, L2F: deprecated
  - L2TP: RFC 2661
  - L2TPv3: aka UTI

IPSec Tunnel Mode Encapsulation
Original IP datagram:
  [Original IP header, Protocol=p, 20 bytes] [IP payload]
IPSec ESP encapsulation, without ESP auth (after encapsulation):
  [ESP header, Protocol=4 (IPinIP), 16 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload] [ESP trailer, 2-10 bytes]
  (original IP header and IP payload form the encrypted payload)
IPSec packet with new IP header (on the wire):
  [External IP header, Protocol=50 (ESP), 20 bytes] [ESP header, 16 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload] [ESP trailer, 2-10 bytes]

IPinIP + IPSec Transport Mode
Original IP datagram:
  [Original IP header, Protocol=p, 20 bytes] [IP payload]
IPinIP encapsulation:
  [External IP header, Protocol=4 (IPinIP), 20 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload]
After IPSec transport mode:
  [External IP header, Protocol=50 (ESP), 20 bytes] [ESP header, Protocol=4, 16 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload] [ESP trailer, 2-10 bytes]
  (original IP header and IP payload form the encrypted payload)

Differences with IPSec Tunnel Mode
- Same syntax (bits on the wire): IPSec Tunnel Mode = IPinIP + IPSec Transport Mode
- Is it the same semantic? No, because the SPD is now replaced by routing:
  - Ease of deployment
  - Resiliency
  - Less security

Difference: SPD & SAD
- IPinIP + IPSec Transport Mode: usually one pair of SA
  - Trivial selectors => easy provisioning
  - One pair of SA => very scalable
- IPSec Tunnel Mode: can potentially be multiple pairs of SA

Difference: Cisco Router IOS view
- IPinIP + IPSec: is a L3 tunnel interface (routing protocol, multicast, ...)
- IPSec Tunnel mode: is not
- This means strong resilience and fast re-routing

Difference: SA Selection
- IPinIP + IPSec Transport Mode: L3 tunnel is selected by the FIB; the FIB is dynamic (insecure)
- IPSec Tunnel Mode: IPSec SA selected by the SAD; the SAD is static (secure)

Traffic can be Routed Through 2 Hubs
[Diagram: Central Site with Hub 1 (active) and Hub 2 (active), each spoke tunneled to both hubs]
+ Easier.
+ Hubs are always under 50% load.
- Asymmetric routing

Traffic can be Load Balanced
[Diagram: Central Site with Hub 1 (active) and Hub 2 (active); the preferred tunnels are shown in green]
- Need to tune the IGP to always select the GREEN tunnels.
+ Symmetric routing
+ Both hubs running at 50%

Agenda: Security of the Above

Plain IPSec Outgoing Packets: SAD Selects SA
[Diagram: Network A connected to Network B over SA #1 and to Network C over SA #2; the router at A holds an SPD (selector -> action: encrypt / drop) and an SAD (selector -> SA #1 / SA #2)]
- Outgoing packet A -> B: the SPD selector says encrypt, the SAD selector picks the SA

Plain IPSec Incoming Packets: SAD Checks SA
[Diagram: same topology; the SAD maps selectors to SA #1 and SA #2]
- "Let's spoof C": C -> A arrives inside SA #1
- Packets from SA #1 should match the SA #1 selector => Drop!

Plain IPSec Incoming Packets: SPD Checks
[Diagram: same topology; the SPD maps selectors to encrypt / drop]
- "Let's spoof C": C -> A arrives in the clear
- Packets from C should be encrypted => Drop!

Plain IPSec Preventing Traffic Injection
[Diagram: same topology plus an external host D; the SPD maps selectors to encrypt / drop]
- "No spoofing, I'm D": D -> A arrives in the clear
- Packets must be dropped!

Security Issues of L3 Tunnel + IPSec
- No anti-spoofing enforcement
  - Among VPN routers (no SAD check)
  - From external networks (no SPD check)
- FIB (hence tunnel selection) is dynamic => hacker can force traffic
  - In the wrong protected L3 tunnel
  - Out of the protected L3 tunnel
- Need to add anti-spoofing unicast RPF check

Traffic Injection is Possible
[Diagram: Network A, Network B and Network C linked by L3 tunnels, plus an external host D]
- "No spoofing, I'm D": D -> A is accepted, there is no SPD check

Traffic Hijacking
[Diagram: Network A reaches Network B through Tunnel 0 and Network C through Tunnel 1; an attacker speaks the IGP to A's router]
  FIB before              FIB after the false IGP update
  Network  Interface      Network  Interface
  B        tunnel 0       B        tunnel 0
  C        tunnel 1       C        serial 0/0
- Attacker sends false IGP information: "Best route to C is through me"
- A -> C now leaves via serial 0/0: "I receive packets to C in the clear!"
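Added example (Python, not from the slides): a small model of the forwarding decisions on the two designs just compared, plain IPSec with its static SAD/SPD selectors versus an L3 tunnel with IPSec transport mode where the FIB chooses the tunnel, with strict unicast RPF as the mitigation the slides call for. The prefixes, the outsider address and the SPD/SAD/FIB contents are constructed; the interface names follow the slides.

```python
import ipaddress

# Constructed topology: three protected networks, site A's router is modelled.
NETS = {"A": ipaddress.ip_network("10.1.0.0/16"),
        "B": ipaddress.ip_network("10.2.0.0/16"),
        "C": ipaddress.ip_network("10.3.0.0/16")}

def net_of(ip):
    """Name of the protected network containing ip, or None for an outsider."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, prefix in NETS.items() if addr in prefix), None)

# --- Plain IPSec tunnel mode: static SAD and SPD keyed by selectors ---
SAD = {"SA#1": ("B", "A"), "SA#2": ("C", "A")}        # inbound SA -> (src net, dst net)
SPD = {("B", "A"): "encrypt", ("C", "A"): "encrypt"}  # cleartext flows not listed are dropped

def plain_ipsec_inbound(src, dst, sa=None):
    """Decision for a packet decrypted from sa, or received in the clear when sa is None."""
    flow = (net_of(src), net_of(dst))
    if sa is not None:                        # SAD check: selectors must match the SA used
        return "forward" if SAD[sa] == flow else "drop (SAD mismatch)"
    action = SPD.get(flow, "drop")            # SPD check: only 'bypass' flows may arrive in clear
    return "forward" if action == "bypass" else f"drop (SPD: {action})"

# --- IPinIP/GRE + IPSec transport mode: tunnel chosen by the (dynamic) FIB ---
FIB = {"B": "tunnel0", "C": "tunnel1"}      # destination net -> outgoing interface

def tunnel_inbound(src, dst, iface, urpf=False):
    """No SAD/SPD selector check on the inner packet; unicast RPF is the added defence."""
    if urpf and FIB.get(net_of(src)) != iface:   # strict uRPF: source must route back via iface
        return "drop (uRPF)"
    return "forward"

def tunnel_outbound(dst, fib=FIB):
    """Where a packet leaves: a tunnel interface is protected, anything else is cleartext."""
    iface = fib.get(net_of(dst), "serial0/0")
    return "protected" if iface.startswith("tunnel") else "CLEARTEXT via " + iface

if __name__ == "__main__":
    # Spoofed C->A inside SA#1 / tunnel0, then the route to C hijacked by a false IGP update.
    print(plain_ipsec_inbound("10.3.0.5", "10.1.0.9", sa="SA#1"))        # drop (SAD mismatch)
    print(plain_ipsec_inbound("10.3.0.5", "10.1.0.9"))                   # drop (SPD: encrypt)
    print(tunnel_inbound("10.3.0.5", "10.1.0.9", "tunnel0"))             # forward (injection!)
    print(tunnel_inbound("10.3.0.5", "10.1.0.9", "tunnel0", urpf=True))  # drop (uRPF)
    print(tunnel_outbound("10.3.0.5", dict(FIB, C="serial0/0")))         # CLEARTEXT via serial0/0
```

uRPF closes the injection cases but not the hijack: a route that moves to a non-tunnel interface still sends traffic in the clear, which is why the IGP itself must be protected.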

Agenda: Existing Techniques for Dynamic VPN

Next Hop Resolution Protocol, RFC 2332
- IETF protocol
- Used on NBMA (Non Broadcast Multi-Access) networks (Frame Relay, X.25, ...) to discover peers
- Can also be used on multi-point GRE, mGRE
  - Specific kind of GRE tunnel
  - Fan-out like: one hub and multiple spokes
  - Hub can speak direct to all spokes
  - Spokes can only talk to hub
- Cannot be used over IPinIP since NHRP does not run over IP

NHRP over mGRE
[Diagram: NHRP Server (hub) with NHRP Client X (2.2.2.2) and NHRP Client Y (3.3.3.3) on one mGRE tunnel]
1. Y -> Server, NHRP registration request: "Y is 3.3.3.3"
2. Server -> Y, NHRP registration reply: OK (server NHRP cache: client Y is via 3.3.3.3)
3. X -> Server, NHRP resolution request for Y
4. Server -> X, NHRP resolution reply: "Y is through 3.3.3.3" (X's NHRP cache: client Y is via 3.3.3.3)
5. X -> Y directly over mGRE (IP: X-Y)
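Added example (Python, not from the slides): the registration and resolution exchange above as a runnable model, with the hub's NHRP cache, the spoke's learned cache and the fallback of sending through the hub while a spoke is still unresolved. The hub's NBMA address and the tunnel-side addresses are constructed; 2.2.2.2 and 3.3.3.3 are the spoke NBMA addresses from the slide.

```python
# Constructed model of NHRP over mGRE: the hub runs the NHRP server, spokes register
# their NBMA (outer, public) address and resolve each other through the hub.
class NhrpServer:
    def __init__(self, nbma_ip):
        self.nbma_ip = nbma_ip
        self.cache = {}                          # client tunnel address -> NBMA address

    def handle(self, msg):
        """Process one NHRP request and return the reply the hub sends back."""
        if msg["type"] == "registration request":   # "Y is 3.3.3.3"
            self.cache[msg["tunnel"]] = msg["nbma"]
            return {"type": "registration reply", "status": "OK"}
        if msg["type"] == "resolution request":      # "where is Y?"
            nbma = self.cache.get(msg["tunnel"])     # None if Y never registered
            return {"type": "resolution reply", "tunnel": msg["tunnel"], "nbma": nbma}
        raise ValueError("unknown NHRP message type")

class NhrpClient:
    def __init__(self, tunnel_ip, nbma_ip, server):
        self.tunnel_ip, self.nbma_ip, self.server = tunnel_ip, nbma_ip, server
        self.cache = {}                          # learned tunnel -> NBMA mappings

    def register(self):
        """Registration request to the hub; returns the status from the reply."""
        reply = self.server.handle({"type": "registration request",
                                    "tunnel": self.tunnel_ip, "nbma": self.nbma_ip})
        return reply["status"]

    def next_hop(self, dst_tunnel_ip):
        """NBMA address the mGRE packet for dst goes to: direct once resolved, else the hub."""
        if dst_tunnel_ip not in self.cache:
            reply = self.server.handle({"type": "resolution request", "tunnel": dst_tunnel_ip})
            if reply["nbma"] is None:
                return self.server.nbma_ip       # unknown spoke: keep sending via the hub
            self.cache[dst_tunnel_ip] = reply["nbma"]
        return self.cache[dst_tunnel_ip]

if __name__ == "__main__":
    hub = NhrpServer("1.1.1.1")                   # constructed hub NBMA address
    x = NhrpClient("10.0.0.2", "2.2.2.2", hub)    # constructed tunnel addresses
    y = NhrpClient("10.0.0.3", "3.3.3.3", hub)
    print(x.next_hop("10.0.0.3"))                 # 1.1.1.1: Y not registered yet, via hub
    y.register()
    print(x.next_hop("10.0.0.3"))                 # 3.3.3.3: X now reaches Y directly
```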

Tunnel Endpoint Discovery
[Diagram: Alice (A) behind IPSec routers X1 and X2, Bob (B) behind IPSec router Y]
- X1: "A to B must be protected, no SA => send probe" (IP: A to B; IKE: A to B, proxy = X1)
- Y: "Traffic to B must be protected, no SA & probe received => block & answer probe" (IKE: Y to X1)
- Proposed to IETF IPSP WG

NHRP, TED and Routing
- NHRP + mGRE requires routing inside the GRE tunnel to learn about connected networks
- TED requires routing in the core to learn about connected networks

Agenda: Deployment Examples

Case #1: 1500 Nodes Hierarchical Network With IPX
- Customer: large retail bank
- Requirements:
  - Mix of IP and IPX traffic
  - Large scale: 1500 nodes
  - Hierarchical structure: branch, regional office
  - Bandwidth: 128 kbps, 512 kbps & 10 Mbps
  - Outsourced IP services

Case #1: Issues
- Large scale => need to use a layered structure
- Mix of IPX & IP => use of GRE encapsulation
- High Availability (Resilience) => use routing protocol (EIGRP for IP & IPX)
- Outsourced IP services => 1 router managed by IP Service Provider, 1 router managed by customer (IPSec)

Case #1: IPSec Overlay Network
- HQ (approx. 2): 200 tunnels per router, can be split over several routers
- RO (approx. 600): 15 tunnels to branches, 4 tunnels to BO
- BO (approx. 800): 1 tunnel per branch

Case #2: MPLS BGP VPN & IPSec
- Customer: SP for a bank
- Requirements:
  - Outsourced network: connectivity & security
  - Double management?
  - Interworking with MPLS (RFC 2547)
  - 300 nodes

Case #2: Network
[Diagram: MPLS network with 2 Mbps access links carrying a Green VPN and a Red VPN]
- Use of Tunnel Endpoint Discovery

Case #3: Mapping IPSec Remote Access to another VPN
- SP customer wants to connect remote users over a remote access IPSec VPN to:
  - Specific L3 VPN: GRE, BGP/MPLS
  - Specific L2 VPN: Frame Relay, 802.1Q VLAN
- Solution: IPSec termination in different VRF based on IKE identity

Case #3: IPSec to BGP/MPLS VPN
[Diagram: Branch Office, Telecommuter/SOHO and Remote Access users reach an IPSec-AGG across the Internet (Internet Gateway); the IPSec-AGG terminates the IPSec VPN and hands traffic to a PE of the MPLS/VPN network for Customer A or Customer B]
- Mapping offnet users into BGP/MPLS VPNs.
