Copyright © 2000, Juniper Networks, Inc. Virtual Private Networks: Progress and Challenges Panel Session

Slide 1

Virtual Private Networks: Progress and Challenges

Panel Session

Slide 2

Panel Objectives

• Introduce Virtual Private Network concepts and technologies

• Describe some potential service provider VPN offerings

• List challenges faced by service providers in offering VPN services

• List and describe some of the proposals for addressing VPN challenges

Slide 3

Panel Participants

• Paul Ferguson – Cisco Systems

• David O’Leary – Juniper Networks

• Keerti Melkote – Nortel Networks

• NANOG audience (Question and Answer)

Slide 4

Virtual Private Networks: Progress and Challenges

David O’Leary

Director, Consulting Engineering

Slide 5

What is a VPN?

• Virtual
  • Emulation of private network facilities over a shared network infrastructure

• Private
  • Minimally: no mixing with traffic outside the VPN, and support for private address space(s)
  • Possibly encryption and a protected traffic class

• Network – two or more users or sites

Slide 6

How Virtual is Virtual?

• The only true non-virtual private networks are customer-owned physical plant, like copper and fiber, transport and switching equipment

• Leasing TDM circuits from a carrier means that the customer gets a “virtual” slice of the carrier’s transmission network

• Leasing some kind of layer 2 circuits (ATM, Frame Relay) from a carrier means that the customer gets a “virtual” slice of the carrier’s layer 2 network

• Statistical multiplexing here means that it’s cheaper for both the provider and (in theory) the customer

Slide 7

Focus on “IP VPNs”

• VPNs over an IP backbone that supports multiple services (e.g., public Internet, VoIP)
  • Exploit economies of scale through use of common backbone facilities
  • Reduce inefficiencies of separate networks
  • Shared local loops for internal corporate network and Internet access

• Service providers add value by allowing customers (enterprise networks) to “outsource” their routing (complexity) to the carrier

Slide 8

Four models of VPNs

• Remote User access

• CPE Based

• MPLS-based Layer 2

• Provider-Based Layer 3

Slide 9

Remote User Access

• Variety of protocols developed in the mid-90’s to tunnel remote user traffic to a fixed site on the IP network
  • ATMP, PPTP, ATMP

• Functions consolidated in IETF L2TP protocol
  • Documented in RFC 2661, with various drafts for extensions

• Dynamic, authenticated tunnels

• Deployments are becoming quite common

Slide 10

CPE Based VPNs

• Tunnels configured between CPE devices
  • Options are GRE, IPSEC, IP-in-IP, PPTP, L2TP

• Topology of the VPN is configured into the CPE devices

• The provider does not have to do anything to their network (they may not even know it is happening)
  • VPN traffic may be marked and prioritized

• The service provider may bundle and manage the CPE devices used to create the VPN service
  • Provides “value add” beyond best effort Internet connectivity

• This model is already being aggressively deployed by providers around the world

Slide 11

CPE Based VPN Tradeoffs

• Provider network configuration
  • Potentially no more than required for Internet access
  • CoS or managed service adds provider complexity

• Customer (CPE) configuration
  • Every tunnel is a separate virtual interface that must be configured, including for routing

• Scalability
  • Provider network – excellent
  • Customer – depends on number of tunnels and routing topology/complexity

Slide 12

Layer-2 VPNs

• A subscriber leases VCs between the sites that need to be connected
  • Topologies are hub and spoke, full or partial mesh
  • The subscriber and provider think of these VCs as “dumb” pipes not at all involved in Layer 3 issues such as routing, packet filtering, etc.
  • Subscriber outsources the Layer 3 management to the provider in a “Managed Router” service

• Mature support for commitments about service (e.g., bandwidth, availability, etc.)
  • At least in the business/SLA sense

• Virtual Circuit model eases capacity planning

Slide 13

Layer-2 VPN Tradeoffs

• Provider configuration
  • A lot in theory, but it’s mostly automated in practice

• Subscriber configuration
  • Every VC is a separate virtual interface that must be configured, including for routing
  • Large, complex topologies yield complex configurations

• Scalability
  • Provider -- number of VCs and stability of core
  • Subscriber -- number of interfaces and routing

• Other
  • Leverages existing investment

Slide 14

MPLS-Based Layer-2 VPNs

• Looks identical to “traditional layer 2 VPNs” from the subscriber perspective

• Provider carries the layer 2 circuits over an IP/MPLS backbone

• Provides the ability for multiple services (public IP, private IP, VoIP, etc.) over a single access circuit

Slide 15

MPLS-Based Layer-2 VPNs

[Diagram: Subscriber A reaches Provider 1 over ATM access. Internet Traffic: ATM VC1 terminated, IP packets delivered to Provider 2. VPN Traffic: ATM VC2 mapped to MPLS LSP “tunnel”.]

Termination of ATM PVCs (layer 3 lookup) and support for Layer-2 pass-through on the same port.

Slide 16

MPLS-Based Layer-2 VPN Tradeoffs

• Provider configuration
  • Manual configuration of ingress and egress boxes (could be partially automated)

• Subscriber configuration
  • Every VC is a separate virtual interface that must be configured, including for routing
  • Retains existing CPE and subscriber model

• Scalability
  • Provider -- number of LSPs, stability of core
  • Subscriber -- number of VCs and routing

Slide 17

Provider-Based Layer-3 VPNs

• Concepts outlined in RFC 2547 and RFC 2764

• Subscriber treats access link as combined Internet/VPN link
  • Except for multiply-connected sites, needs minimal configuration (i.e., a default route)

• Provider’s edge router supports instances of routing protocols and multiple forwarding tables
  • If a destination isn’t in a VPN-specific forwarding table then use the Internet table

• VPN site membership and VPN-specific routing information carried in BGP
  • Supports overlapping private address space
  • Topology is conceptually always a full mesh between PEs
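The slide describes three mechanisms without showing how they fit together: per-VPN forwarding tables on the provider edge router, VPN routes carried in BGP so that two customers can both use the same private address space, and a fallback to the Internet table when the VPN table has no route. The following Python model is an added example, not code from the panel or from Juniper; it models a PE router with one VRF (VPN-specific forwarding table) per VPN, a BGP table keyed on (route distinguisher, prefix) so that overlapping prefixes coexist, route-target-controlled import into each VRF, longest-prefix-match lookup, and the Internet-table fallback. All VPN names, route distinguishers, route targets, prefixes and PE identifiers are constructed for the demonstration.

```python
"""Toy model of a provider-based layer-3 VPN (RFC 2547 style) edge router.

Added example, not from the panel slides.  Everything below (VPN names,
RDs, route targets, prefixes, PE names) is constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class VpnRoute:
    """A VPN-IPv4 route as it would be carried in BGP (constructed model)."""
    rd: str                  # route distinguisher: (rd, prefix) stays unique even if prefixes overlap
    prefix: IPv4Network
    next_hop: str            # egress PE that originated the route
    targets: frozenset       # route-target communities that control VRF import


def longest_match(table, dst):
    """Longest-prefix match of dst against a {IPv4Network: next_hop} table."""
    candidates = [p for p in table if dst in p]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda p: p.prefixlen)
    return best, table[best]


@dataclass
class Vrf:
    """One VPN-specific forwarding table on a PE router."""
    name: str
    import_targets: frozenset
    table: dict = field(default_factory=dict)   # IPv4Network -> next hop

    def import_routes(self, bgp_routes):
        """Install only the BGP routes whose route targets match this VRF's import policy."""
        for r in bgp_routes:
            if r.targets & self.import_targets:
                self.table[r.prefix] = r.next_hop


class ProviderEdge:
    def __init__(self, internet_table):
        self.internet = {ip_network(p): nh for p, nh in internet_table.items()}
        self.vrfs = {}
        self.bgp = {}

    def add_vrf(self, name, import_targets):
        self.vrfs[name] = Vrf(name, frozenset(import_targets))

    def learn_from_bgp(self, bgp_routes):
        # The BGP table is keyed on (RD, prefix): 10.1.0.0/16 from two different
        # VPNs are two distinct entries, which is what lets address space overlap.
        self.bgp = {(r.rd, r.prefix): r for r in bgp_routes}
        for vrf in self.vrfs.values():
            vrf.import_routes(self.bgp.values())

    def forward(self, vrf_name, dst):
        """Decide how a packet arriving on the access link of VPN `vrf_name` is forwarded.

        Returns (table_used, matched_prefix, next_hop).  table_used is "vpn",
        "internet" or "drop", so a caller can audit which table answered: a
        destination missing from the VRF is forwarded by the Internet table,
        as the slide describes, so a missing VRF route changes which network
        the packet reaches rather than simply dropping it.
        """
        dst = ip_address(dst)
        prefix, nh = longest_match(self.vrfs[vrf_name].table, dst)
        if prefix is not None:
            return "vpn", str(prefix), nh
        prefix, nh = longest_match(self.internet, dst)
        if prefix is not None:
            return "internet", str(prefix), nh
        return "drop", None, None


def build_demo_pe():
    """Constructed scenario: two VPNs that both use 10.1.0.0/16 on one PE."""
    pe = ProviderEdge(internet_table={"0.0.0.0/0": "transit-upstream",
                                      "198.51.100.0/24": "peer-1"})
    pe.add_vrf("acme", ["target:65000:100"])
    pe.add_vrf("globex", ["target:65000:200"])
    bgp_routes = [
        VpnRoute("65000:100", ip_network("10.1.0.0/16"), "PE-2", frozenset({"target:65000:100"})),
        VpnRoute("65000:100", ip_network("10.1.2.0/24"), "PE-4", frozenset({"target:65000:100"})),
        VpnRoute("65000:200", ip_network("10.1.0.0/16"), "PE-3", frozenset({"target:65000:200"})),
    ]
    pe.learn_from_bgp(bgp_routes)
    return pe


if __name__ == "__main__":
    pe = build_demo_pe()
    for vrf, dst in [("acme", "10.1.2.3"), ("globex", "10.1.2.3"),
                     ("acme", "198.51.100.7"), ("globex", "10.9.9.9")]:
        print(vrf, dst, "->", pe.forward(vrf, dst))
```

Running the block shows the same destination 10.1.2.3 reaching PE-4 from the acme VRF and PE-3 from the globex VRF, which is the overlapping-address-space property; the last lookup shows the Internet-table fallback catching a private destination that the VRF does not know, which is worth watching for in an audit of VRF contents.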

Slide 18

Provider-based Layer-3 VPN Tradeoffs

• Provider configuration
  • Minimal static configuration in basic scenarios
  • More configuration needed for complex topologies

• Subscriber configuration
  • Basic scenario is straightforward
  • More complex config needed for security, multihoming, participation in multiple VPNs, etc.

• Scalability
  • Provider
    • I-BGP possibly sees 100,000s of routes, (in)stability of multiple dynamic routing domains, multiple forwarding tables
  • Subscriber – allows shared local loop and CPE device for multiple services (intranet, Internet, voice, etc.)

Slide 19

Where Does That Leave Us?

• Customer-centric tunneling is easier for the provider
  • CoS, traffic engineering, SLAs, etc. are value-adds

• For a provider implementing VPNs, scalability and value-add are fundamentally at odds

• MPLS-based layer-2 VPNs offer the benefits of an integrated/multi-service network
  • But the enterprise network has to handle the routing

• Layer-3 VPNs allow the enterprise network to be almost unconcerned with routing
  • Doesn’t support as many VPNs, sites per VPN, routes per VPN or customers per access box as MPLS-based layer 2 VPNs
  • Risk to the stability of the multi-service core

• So what is the answer?

Slide 20

Where Does That Leave Us? (cont.)

• The answer is: it depends
  • Some subscribers may require the ability to outsource routing
    • Layer 3 VPNs or
    • MPLS-based layer 2 VPNs where “managed services” are provided and a device at the customer’s premises converts from pure IP to some number of layer 2 virtual circuits
  • Some subscribers may be capable of doing their own routing
    • MPLS-based layer 2 VPNs offer scalability for broad deployment as well as stability with less coupling

• Range of hybrid solutions is probably likely
  • Remote access user VPNs
  • CPE-based VPNs
  • MPLS-based layer 2 VPNs
  • Layer 3 VPNs

Slide 21

Summary

• There is no one-size-fits-all solution for VPNs

• Tradeoffs between value add and scalability/stability

• Tradeoffs between customer requirements
  • Desire to outsource routing, security, etc.
  • Size and complexity of network