Network based IP VPN Architecture using Virtual Routers Jessica Yu CoSine Communications, Inc. Feb. 19 th, 2001
Objectives n Enable Service Provider to provide value added VPN services in a scalable manner n Scale to large number of VPN customers w.r.t. t Router resources t Operation and management n Utilize existing protocols and tools n Provide: t separation of VPNs serviced by the same provider t separation of VPNs and the provider network t security using standard mechanisms
Virtual Router Concept Provider’s NetworkCustomer Site(s) Customer Site(s) VPN Without VR CE PP PP PE VPN With VR PP PP CE VR
Virtual Router Definition n A virtual router (VR) is an emulation of a physical router at the software and hardware levels n VRs have independent IP routing and forwarding tables and they are isolated from each other n Two main functions t Constructing routing using any routing technology t Forwarding packets to the next hops within the VPN domain n From the VPN user point of view, a virtual router provides the same functionality as a physical router
VPN Built with VRs SP Network VR-1 VR-2 SPVR VR-1 VR-2 SPVR VPN-1 Sites VPN-2 Sites VPN-2 Sites VPN-1 Sites Connecting multiple VRs to the Provider Network through the use of a single VR “the provider virtual router” - SPVR VPN-1 Sites
VPN Basic Building Blocks n Membership t VRs belong to the same VPN share the same VPN-ID n Tunnel t VR to VR tunnel, a point-to-point link from each VR’s view t Tunnel mechanisms can be IPsec, GRE, IPinIP or MPLS, etc. t Tunnel type l Per VPN tunnel (originate at VR) or l aggregated two level tunnel (originate at SPVR) n Routing t Independent from SP backbone routing t Each VPN can have its own choice of routing protocols
VPN Establishment with VRs n Like all VPN implementation mechanisms, membership information needs to be disseminated n In VR model, membership information can be distributed with the following mechanism t Manual configuration t Directory based mechanism t Utilize routing protocol l BGP Auto-discovery
Inter-domain VPN Support n With VR model, the mechanisms for multiple domain VPN remains the same as single domain VPN n Main requirements t Providers support a common tunnel mechanism t The ability to assign unambiguous VPN identification across the domains
Inter-domain VPN Support SP Network VR-1 VR-2 SPVR VPN-1 Sites VPN-2 Sites VR-1 VR-2 SPVR VPN-2 Sites VPN-1 Sites SP Network VPN-1 Sites VPN-1 Sites
Extranet Support n Two or more corporate have network access to a limited amount of each other’s corporate data n It’s a matter of control of who can access what data, i.e. a policy decision n VR model supports extranet by allowing two or more VRs connect to each other with policy control for data flow
VR VPN Properties n VPNs built with VRs are overlay model n The Provider routers (P) are VPN unaware – scalable n Routing for each VPN is the same as regular network routing n The choice of the backbone protocols is not constrained by the VPNs and vise versa n No protocol modifications needed n No tool (debugging, management,etc.) modifications needed n Deployment will not impact normal operation of the provider network
Scalability n Only PEs handle VPN type information, other provider routers are VPN unaware n Establishment and reconfigure can use Directory based tool and BGP-auto discovery – no manual configuration is necessarily
Deployment Status n A number of SPs have already deployed VPN implemented with VR model in their network and providing Network Based VPN service
Reference n ftp://ftp.ietf.org/internet-drafts/draft-oluldbrahim-vpn-vr- 02.txt