Virtual Private Networks Network Based IP VPN 03/10/2002.

Agenda
- Introduction
- VPN: introduction, requirements, categories and types
- Virtual Private Routed Networks: introduction, features, requirements
- Virtual Private Routed Networks: architecture
- Virtual Router: concept, objectives, characteristics
- VR based solution for IP VPN
- VPN support on Linux

Introduction - Types of Private Networks
- A private network is a collection of hosts belonging to a common administration or organization.
- Private connectivity between geographically scattered networks is provided through:
  - Dedicated WANs: permanently connected to multiple sites
  - Dial networks: on-demand connections to sites through the PSTN
- Multi-site WAN services involve high cost and complexity. To overcome this constraint, the Internet is used to provide the connectivity between private networks.

Introduction - Motivation and History
Other factors that motivate migrating to Internet based connectivity:
- A need to extend the private network to offer services or connectivity that is invisible to external observers.
- Economics: aggregating the costs of individual components or set-ups into a single infrastructure and offering services collectively over the public domain.
- A source of revenue for the ISPs.

What Is a VPN?
- "A VPN is a communications environment in which access is controlled to permit peer connections only within a defined community of interest, and is constructed through some form of partitioning of a common underlying communications medium, where this underlying communications medium provides services to the network on a non-exclusive basis."
- "A VPN is a private network constructed within a public network infrastructure, such as the global Internet."
- A Virtual Private Network is a connectivity object between two or more private entities. It uses the Internet or public domain infrastructure to connect private networks.

VPN Requirements
- Opaque transport
  - VPN traffic may be unrelated to the traffic in the IP backbone
  - Traffic can be multi-protocol
  - The customer may be using IP addresses not related to the backbone; these addresses may be private and non-unique
- Data security
  - No misdirection, misrouting or snooping
  - Protection against modification of traffic in transit
  - Protection against unauthorized analysis of traffic

VPN Requirements
- QoS guarantee
  - Need for IP based QoS similar to dedicated or dial lines or ATM/Frame Relay
- The opaque transport requirement is fulfilled by using tunnels for transport. Some tunneling mechanisms also provide support for data security and QoS.
- Tunneling mechanisms include IP/IP, IPSec, GRE, L2TP and MPLS

VPN Requirements
Private connectivity between networks is an inherent characteristic of a VPN implementation. It is achieved through the following requirements:
- Opaque transport
- Data security
- QoS guarantee
- Tunneling mechanism

VPN Requirements - Tunneling Protocol Requirements
- Support for multiplexing
- Signaling
- Security
- Multi-protocol traffic
- Frame sequencing
- Maintenance
- Large MTUs
- Minimization of tunnel overhead
- Flow/congestion control
- QoS/traffic management

VPN Requirements
(Table: tunneling mechanisms against the tunneling protocol requirements; a "y" marks a mechanism that meets the requirement. Columns: IP/IP, IPSec, GRE, L2TP, MPLS. The assignment of each mark to its column was lost in extraction; only the row labels and the number of marks per row survive.)
- Multiplexing: y y y y
- Signaling: y y y y
- Security: y y
- Multi-protocol traffic: y y y
- Frame sequencing: y y y
- Maintenance: no marks
- Large MTUs: no marks
- Minimization of tunnel overhead: no marks
- Flow/congestion control: y
- QoS/traffic management: y

VPN Categories
- VPN services are provided at layer 2 and layer 3.
- IP based layer 3 VPN implementations are broadly classified as:
  - Customer Premises Equipment (CPE) based model
  - Network based or provider provisioned model

CPE Based Model
Some characteristics of the CPE based VPN model:
- Provides VPN capabilities on firewalls, WAN edge routers and specialized VPN termination devices
- The customer handles security, tunneling between customer ends, management of services and devices, administrative responsibility and operational costs
- Uses the ISP only for transmission of data over the backbone

Network Based Model
Some characteristics of the network based VPN model:
- ISPs provide services with no change in the subscriber equipment. Services like firewalling, data security, routing configuration, QoS, tunnel establishment, management and maintenance are handled by the provider
- No extra investment is needed at the customer end on dedicated, expensive CPE gear when subscribing to a VPN service
- The customer is given the option of choosing various services at various costs

Network Based Model
- The customer follows a trust model for security, in which it either trusts or does not trust the provider
- The trust model extends across multiple providers if the VPN spans the domains of multiple providers
- Forwarding of data between the provider edges takes place through tunnels
- The complexity of operation and the administrative responsibility rest with the provider

Types of VPNs
- Virtual Leased Lines
- Virtual Private Dial Networks
- Virtual Private LAN Segment
- Virtual Private Routed Networks

Virtual Leased Lines
(Diagram: CPE - ATM VCC - ISP edge router - IP tunnel across the IP backbone - ISP edge router - ATM VCC - CPE)
- Provides a point to point link between the customer's CPE devices
- The ISP edge binds the ATM VCC to a tunnel in the IP backbone, e.g. the AAL5 payload is encapsulated in an IPSEC tunnel in the backbone

Virtual Private Dial Networks
(Diagram: CPE - dial-up connection - NAS (LAC) - L2TP tunnel across the IP backbone - gateway (LNS) - corporate network)
- L2TP: Layer 2 Tunneling Protocol; LAC: L2TP Access Concentrator; LNS: L2TP Network Server
- PPP frames are tunneled across the IP backbone using L2TP
- The L2 connection terminating at the LAC avoids a long distance dial-up connection
- The PPP session terminates at the LNS

Virtual Private LAN Segment - Transparent LAN Service
(Diagram: three CPEs, each attached over a stub link to an ISP edge router; the edge routers are fully meshed with IP tunnels across the IP backbone)
- Emulation of a LAN over the Internet
- The CPE can be a bridge or a router
- Full mesh connectivity between the edge routers
- Bridge CPE: the ISP edge routers do flooding and MAC learning
- Router CPE: explicit link layer routes to the CPE routers

Virtual Private Routed Networks
(Diagram: CPE 1 and CPE 2 sites attached over /30 stub links to PE routers; the PE routers are connected by IP tunnels across an IP backbone of P routers. PE: Provider Edge; CPE: Customer Premises Equipment; P: provider/interior backbone router)
- Encapsulation in IP/IP: outer IP header (destination address), inner IP header (destination address), customer data

Virtual Private Routed Network (VPRN)
- A VPRN is an IP based layer 3 VPN. Both CPE and network based implementations are possible.
- A VPRN is an emulation of a multi-site wide area routed network using IP facilities
- VPN specific forwarding tables, called VPN Routing and Forwarding tables or VRFs, are present at the provider routers on a per-VPN basis. They contain network reachability information.
- VPRN operation is decoupled from the mechanism used by the customer to access the Internet

VPRN Generic Requirements
- Use of a globally unique identifier for each VPN
  - The VPN ID is a globally unique identifier that identifies an instance of a VPRN
  - The VPN ID can be used for management purposes in a MIB
  - It is used for tunnel establishment, to bind a VPRN to a particular tunnel, etc.
  - The same ID can be used across different technologies, e.g. IP and ATM

VPRN Generic Requirements
- VPRN membership determination
  - Determining which stub links belong to a VPRN
  - Through configuration for static links, e.g. ATM VCC
  - As part of authentication for dynamic links, e.g. PPP
  - PEs participating in a particular VPRN must be known to each other
  - Membership determination is done using directory lookup, explicit management configuration, or piggybacking in routing protocols

VPRN Generic Requirements
- Stub link reachability information
  - Determine the set of VPRN addresses and address prefixes (destinations) reachable at each stub site or customer site
  - This exchange of information between the CE and PE can be through a routing protocol instance on CE - PE, configuration, ISP administered addresses, or the MPLS Label Distribution Protocol

VPRN Generic Requirements
- Intra-VPN reachability information
  - Exchange of stub link reachability information between the provider edges
  - The set of reachable addresses within a VPRN is unique
  - Information dissemination is done through directory lookup, explicit configuration, local intra-VPRN routing instantiations, a link reachability protocol, or piggybacking in IP backbone routing protocols, e.g. BGP/MPLS VPN

VPRN Generic Requirements
- Tunneling mechanisms
  - Tunnels comprising the VPRN core are established between PEs after membership determination
  - Various mechanisms can be used for tunneling, with requirements of security, authentication, confidentiality, sharing, etc.
  - Tunneling mechanisms: IP/IP, IPSec, GRE, MPLS, L2TP, etc.

Implementation Issues
Summarizing some issues involved in building VPRNs:
- Initial configuration
- Determining the set of links in each VPRN
- Identifying the member routers belonging to a VPRN
- Determining the set of IP addresses or address prefixes reachable via each 'stub' link or customer

Implementation Issues
- Disseminating the 'stub' reachability information to the appropriate set of PE routers
- The set of IP addresses reachable from the provider that is to be given to the customer
- Establishing, maintaining and managing the tunnels needed to carry the data
- Providing secure data transfer and other features based on customer requirements

VPRN Architecture
There are two fundamental architecture models for implementing VPRNs: overlay and piggyback.
- The models differ in the methods used to determine and disseminate membership and reachability
- The overlay model constructs multiple routing protocol instances, e.g. multiple OSPF instances on a per-VPRN basis, which overlay the IP backbone
- Piggyback models make use of the existing routing protocol and extend it to carry VPN information, e.g. BGP/MPLS in the backbone

IP VPN - Virtual Router Model
- "A Virtual Router is an emulation of a physical router at the software and/or hardware level."
- The overlay VPRN model uses the concept of Virtual Routers
- Each VR runs an instance of the routing protocol for determining and exchanging reachability information with peer VRs

VR Model
(Diagram: CPE 1, CPE 2 and CPE 3 attached over stub links to PE routers; each PE holds a VR instance per CE (VR instance for CE 1, CE 2, CE 3), each with its own VRF, forming VPRN 1, VPRN 2 and VPRN 3; a backdoor link between customer sites is also shown. VRF: VPN Routing and Forwarding Table)

VR Objectives
- To provide per-VPN routing, forwarding, QoS and service management capabilities
- To leverage existing protocols for implementing VPN functionality
- To isolate different VPN instances
- To isolate the underlying backbone protocol from the VPN protocols

VR Characteristics
- VRs that are members of a particular VPN must share the same VPN ID
- The VR architecture supports overlapping address spaces in separate VPNs
- Each VPN can have its own routing protocol in the provider backbone or at the customer end if needed

VR Characteristics
- Supports VR to VR connectivity
  - Over layer 2 connections (ATM or Frame Relay)
  - Over IP based or MPLS tunnels
- Any routing protocol instance can be run between the PE and CE to determine stub link reachability. The CE - PE routing protocol is independent of the routing protocol in the backbone.

VR Advantages
- The Provider (P) routers, i.e. the non-edge backbone routers, need not be VPN aware. In piggyback models the provider/intermediate routers may need to be VPN aware to determine whether packets belong to a VPN or to backbone routing
- The backbone protocol can be independent of the VR protocol used
- No changes to existing protocols. In piggyback models the routing protocol for the VPN must be extended to carry information about VPN membership, reachability, etc.
- No changes are needed at deployment

VR Based Solution for IP VPN
- OSPF is run as the VR protocol for PE - PE routing
- For each VPN, an OSPF instance is run on the Provider Edge router, towards the provider edge, over tunnels in the backbone
- Routing protocol updates are exchanged between the PE routers participating in a given VPN

Membership
- Membership information is used to identify and determine which VPN a given VR belongs to
- Membership information is disseminated statically or dynamically
- A VPN Manager can have pre-configured or dynamically learnt VPN IDs, which are assigned to each of the VR instances
- This can be used to map the VPN ID to the resources used by the instance, such as the routing table associated with the interface

Routing
- The "stub link reachability" is learnt by the VR instance on the PE associated with that customer end of the VPN site
- VRs belonging to the same VPN exchange this reachability information with the help of the VR routing protocol
- Redistribution takes place at the Provider Edge router between the customer and provider edges on a per-VR basis
- Each VR instance is associated with a routing table called the VRF. Each VPN is mapped to a VRF

Routing
- Multiple routing tables are used to isolate routing information between the VRs
- Multiple routing table support on Linux is provided by the Advanced Routing option
- On Linux, the input interface(s) from the customer end are mapped to a VRF using the 'ip rule' command

Routing
- The VR instances on the customer end and the provider end share the routing table. Any addition or deletion of routes is redistributed to the other corresponding routing protocol instance
- CE-CE or CE-PE routing is independent of the VR routing
- The multiple routing tables concept can be extended to support traffic engineering

Tunneling
- The exchange of control and data plane information is done using tunnels established between the member routers of a VPN
- Tunnels on Linux can be established by configuring the tunnel device tunl0. This feature is provided using 'ip tunnel' commands
- Multiple VPNs can be mapped to a single tunnel, depending on the security constraints
- Tunnel aggregation can be done to minimize the overhead of tunnel establishment and maintenance

VPN Support On LINUX
- Multiple routing table support
  - A compile time Advanced Routing option
  - Up to 255 routing tables
- Netlink support for associating network interfaces or tunnels with routing tables
- IP/IP and GRE tunneling mechanisms

VPN Support On LINUX
- IP utility
  - To configure IP/IP and GRE tunnels: ip tunnel add mode ipip local remote
  - To configure routes in different routing tables: ip route add /24 via table 50
  - To associate interfaces with routing tables: ip rule add iif eth0 table 50
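The Linux recipe from the Routing, Tunneling and VPN Support slides (IP/IP tunnel between PEs, a per-VPN routing table, 'ip rule' binding the customer's stub interface to that table), carried through as an added example that is not part of the original presentation. Interface names, table numbers and addresses are constructed sample values, the tunnels are given their own names rather than using the default tunl0 device, and the script prints the commands instead of executing them unless DRY_RUN=0:

```shell
#!/bin/sh
# Added example: configure one Virtual Router (VR) instance on a Linux PE
# router following the slides' recipe: an IP/IP tunnel to the remote PE, a
# per-VPN routing table, and 'ip rule' entries that map the customer's stub
# interface (and the tunnel) into that table.
# Interface names, table numbers and addresses are constructed sample values
# (RFC 5737 documentation ranges for the PE addresses), not from the slides.
# With DRY_RUN=1 (the default) each command is printed instead of executed,
# so the script can be inspected without CAP_NET_ADMIN.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vr_tunnel NAME LOCAL_PE REMOTE_PE: IP/IP tunnel between two provider edges.
# ipip gives opaque transport only; it adds no authentication or encryption,
# so the data security requirement from the slides needs IPsec on top of it.
vr_tunnel() {
    run ip tunnel add "$1" mode ipip local "$2" remote "$3"
    run ip link set "$1" up
}

# vr_route TABLE PREFIX TUNNEL: reachability to the remote stub site, kept in
# the VR's own table rather than in the main table.
vr_route() {
    run ip route add "$2" dev "$3" table "$1"
}

# vr_bind IFACE TABLE: packets entering on IFACE are looked up only in the
# VR's table, which is what isolates VRs with overlapping address spaces.
vr_bind() {
    run ip rule add iif "$1" table "$2"
}

# vr_instance VPN_ID TABLE STUB_IF LOCAL_PE REMOTE_PE REMOTE_PREFIX
# Emits the five commands for one VR instance (Linux tables are 1..255).
vr_instance() {
    tun="vpn$1"
    vr_tunnel "$tun" "$4" "$5"
    vr_route "$2" "$6" "$tun"
    vr_bind "$3" "$2"    # customer stub link -> VR table
    vr_bind "$tun" "$2"  # return traffic from the tunnel -> same VR table
}

# Two VPNs on the same PE whose customers both use 10.1.0.0/24 at the remote
# site: separate tables 50 and 51 keep the overlapping routes apart.
vr_instance 1 50 eth0 192.0.2.1 198.51.100.1 10.1.0.0/24
vr_instance 2 51 eth1 192.0.2.1 203.0.113.1 10.1.0.0/24
```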

Issues in OSPF VR Model
- Depending on the configuration of customers, various issues related to connectivity and duplication of information arise. Examples of configuration scenarios:
  - Each customer belongs to a particular VPN
  - A customer belongs to multiple VPRNs over multiple stub links
  - A customer belongs to multiple VPRNs over a single stub link
  - Multiple VPRNs are established over a single stub link

Issues in OSPF VR Model
- The stub information exchanged is AS External information: routing information or updates are exchanged as AS External routes between the customer ends
- Membership information is statically configured by a VPN manager. The manager must keep track of changes in membership and disseminate this information appropriately
- Static configuration of tunnels, and their maintenance and management, is also done by the manager, which must keep track of changes and handle the OSPF instances accordingly

Issues in OSPF VR Model
- The various configuration scenarios of the CE-PE connection, and the way routing information is redistributed between the customer and provider edges of the PE router, influence the kind of information exchanged
- E.g. if the customer ends are treated as belonging to the same area, or to different areas within the same AS, then the routes exchanged become intra-area or inter-area routes, which take preference over AS External routes according to the OSPF protocol. In this case the VPN serves to transfer the OSPF routing information seamlessly between the customer ends.

Summary
- A VPN is a connectivity object
- The objective of a VPN is to provide private connectivity between customer ends over a public infrastructure
- VPN features and requirements include opaque transport, security, QoS, etc.
- Layer 3 VPN implementations are considered
- Different VPN types exist, of which the VPRN is an IP-network based layer 3 VPN implementation
- The VR is an overlay concept for implementing a VPRN
- OSPF is used as the VR protocol. The Linux based model uses IP tunnels and the Advanced Routing options to build rule based routing tables
