All rights reserved © 2000, Alcatel — 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group


Page 1: CPE-based VPNs

CPE-based VPNs

Hans De Neve

Alcatel

Network Strategy Group

Page 2: CPE-based VPNs

Contents

Global VPN requirements

Deployment View: what does a typical CPE VPN look like?

Network View: what sort of connectivity does it provide?

Technology View: what are the underlying technologies?

Differentiation and Success Factors: where are the factors today, what will they be in future?

Customer Premises Equipment based Virtual Private Networks

Page 3: CPE-based VPNs

Global VPN requirements

Connectivity
  IP connectivity between geographically dislocated sites using private addressing
  transparent to underlying shared infrastructure
  => tunnelling mechanism

Security
  data privacy (e.g. encryption)
  authentication and integrity

Scalability

Management

...


Page 4: CPE-based VPNs

Proposed Technology: IPsec

IP security offers
  tunnelling (forwarding in the shared internet is normal IP forwarding)
  authentication and integrity
  cryptographic encryption

IPsec can be used with IKE
  IKE = Security Association negotiation and Key Exchange Protocol


Page 5: CPE-based VPNs

CPE VPN Deployment View

[Figure: deployment diagram. Labelled elements: Headquarters (VPN gateway, Policy manager, Corp. server, Finance server); Branch Office (VPN gateway, Policy manager); Business Partner (VPN Site-Site); Dial-up VPN clients; LAN-based VPN clients; Customer and Web Surfers; ASP Data center; International Sales and Domestic Sales; Internet uplinks and PVCs with link speeds labelled 128K, 256K and 512K.]


Page 6: CPE-based VPNs

CPE VPN Network View

[Figure: end-to-end path CPE - L2 Access Network - L3 Access + Distribution + L3 Edge - Service Provider Network (IP routing / MPLS Traffic Engineering) - L3 Edge + Distribution + L3 Access - L2 Access Network - CPE. IPSEC connectivity runs from CPE to CPE across this path.]


Encapsulation at the CPE (tunnel mode):

  original packet:      IP header | IP data
  encapsulated packet:  new IP header | IPsec header | IP header | IP data   (inner packet possibly encrypted)
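As an added example (not from the Alcatel slides) of the tunnelling and integrity functions listed on page 4 and the encapsulation shown above: a CPE gateway wraps the original IP packet in a new IP header and an ESP header, appends a trailer and an integrity check value, and the receiving gateway verifies the ICV and an anti-replay window before unwrapping the inner packet. The code uses ESP with NULL encryption (RFC 2410) so that it runs with only the Python standard library; a real tunnel would apply the cipher and keys negotiated by IKE to the inner packet instead of passing it through in clear. The addresses, the key, the SPI and the function names are constructed for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed values for the example (not from the slides): a 256-bit integrity key,
# ESP protocol number 50, and "next header" 4 = an inner IPv4 packet (tunnel mode).
AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ICV_LEN = 16        # HMAC-SHA-256-128: the ICV is the first 128 bits of the HMAC
PROTO_ESP = 50
NEXT_HDR_IPV4 = 4


def ipv4_header(src, dst, proto, payload_len, ident=0):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64,
                      proto, 0, src_b, dst_b)
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    csum = (csum >> 16) + (csum & 0xFFFF)
    csum = (~(csum + (csum >> 16))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def esp_encapsulate(inner_packet, spi, seq, outer_src, outer_dst, key=AUTH_KEY):
    """Tunnel-mode ESP with NULL encryption:
    new IP header | ESP header (SPI, seq) | inner IP packet | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(inner_packet) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default padding bytes 1, 2, 3, ...
    esp = struct.pack("!II", spi, seq) + inner_packet + padding + bytes([pad_len, NEXT_HDR_IPV4])
    icv = hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]   # covers header + payload + trailer
    esp += icv
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp)) + esp


@dataclass
class InboundSA:
    """Receive-side state for one SA: the key plus a 64-packet anti-replay window."""
    spi: int
    key: bytes = AUTH_KEY
    window: int = 64
    highest_seq: int = 0
    seen: int = 0      # bitmap; bit k set = sequence number (highest_seq - k) already accepted

    def replay_check(self, seq):
        if seq == 0:
            return False                   # sequence numbers start at 1 on a fresh SA
        if seq > self.highest_seq:
            return True                    # to the right of the window: new
        diff = self.highest_seq - seq
        return diff < self.window and not (self.seen >> diff) & 1

    def replay_update(self, seq):
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
        else:
            self.seen |= 1 << (self.highest_seq - seq)


def esp_decapsulate(sa, outer_packet):
    """Reverse of esp_encapsulate. Returns the inner IP packet, or None if the packet is rejected."""
    esp = outer_packet[20:]
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or not sa.replay_check(seq):      # cheap checks first, before the HMAC
        return None
    expected = hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):         # constant-time compare of the ICV
        return None
    sa.replay_update(seq)                              # window moves only after the ICV verified
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != NEXT_HDR_IPV4 or pad_len > len(body) - 10:
        return None
    return body[8:len(body) - 2 - pad_len]


def sample_inner_packet():
    """Constructed inner packet: HQ host 10.1.0.5 -> branch host 10.2.0.7, UDP, 4 bytes of data."""
    return ipv4_header("10.1.0.5", "10.2.0.7", 17, 4) + b"data"


if __name__ == "__main__":
    inner = sample_inner_packet()
    wire = esp_encapsulate(inner, 0x1000, 1, "203.0.113.10", "198.51.100.20")
    sa = InboundSA(spi=0x1000)
    print("first copy accepted:", esp_decapsulate(sa, wire) == inner)
    print("replayed copy accepted:", esp_decapsulate(sa, wire) is not None)
```

The order inside esp_decapsulate matters: the SPI and replay checks are cheap and discard obvious junk, the ICV is verified before any field of the trailer is trusted, and the replay window is only advanced for packets whose ICV verified, so a forged packet with a high sequence number cannot push genuine packets out of the window.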

Page 7: CPE-based VPNs

CPE VPN Network Topologies

[Figure: HUB and SPOKE topology. Site 1, Site 2, Site 3 and Site 4 connected over the Internet, with an IPsec tunnel between each spoke site and the hub site.]

Page 8: CPE-based VPNs

CPE VPN Network Topologies

[Figure: Full Mesh topology. Site 1, Site 2, Site 3 and Site 4 connected over the Internet, with an IPsec tunnel between every pair of sites.]

Page 9: CPE-based VPNs

CPE VPN - Dial up VPN Client

[Figure: Dial Up Client - L2 Access Network - L3 Access + Distribution + L3 Edge - Service Provider Network - L3 Edge + Distribution + L3 Access - L2 Access Network - CPE. Two options are shown for carrying the client's traffic: Option 1 uses IPSEC, Option 2 uses L2TP. Protocol stack labels in the figure: IPSEC, IP over PPP, L2TP, IP.]


Page 10: CPE-based VPNs

CPE VPN Gateway Technologies

IKE Daemons
  Phase I, Phase II negotiations to generate/update IPSEC keys and set up Security Associations (IPsec tunnels)
  Use of certificates v/s shared secret for authentication
  Proposal exchange and agreement, exchange of proxy ids

IPSEC Drivers
  Handling of IP packets based on IP header and proxy ids
  Encryption using IKE negotiated keys and encryption algorithm
  Encapsulation of IP packets using IPSEC headers
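As an added example (not Alcatel's implementation) of the "handling of IP packets based on IP header and proxy ids" item above: the IPsec driver consults an ordered security policy database whose entries carry the traffic selectors (proxy ids) agreed in IKE phase II, decides PROTECT, BYPASS or DISCARD for each outbound packet from its header fields, and on the inbound side re-checks that a decapsulated packet really falls within the proxy ids of the SA it arrived on. The class and function names, the networks, the SPIs and the SPD contents are constructed for this example; the first-match lookup and the default of discarding unmatched traffic follow the SPD model of RFC 4301.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProxyId:
    """Traffic selector as negotiated in IKE phase II: which addresses, protocol and
    remote port an SA is allowed to carry. Stored from the local gateway's point of view."""
    local_net: str
    remote_net: str
    proto: Optional[int] = None        # None = any protocol
    remote_port: Optional[int] = None  # None = any port

    def covers(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote_net)
                and (self.proto is None or self.proto == proto)
                and (self.remote_port is None or self.remote_port == dport))


@dataclass(frozen=True)
class SpdEntry:
    selector: ProxyId
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    spi: Optional[int] = None   # outbound SA to use when action is PROTECT


# Constructed SPD for a headquarters gateway (10.1.0.0/16 is the HQ LAN). Order matters:
# the specific DISCARD entry precedes the broad PROTECT entry that would otherwise match.
SAMPLE_SPD = [
    SpdEntry(ProxyId("10.1.0.0/16", "10.2.0.0/16", proto=6, remote_port=23), "DISCARD"),
    SpdEntry(ProxyId("10.1.0.0/16", "10.2.0.0/16"), "PROTECT", spi=0x1000),   # HQ -> branch office
    SpdEntry(ProxyId("10.1.0.0/16", "10.3.0.0/16"), "PROTECT", spi=0x1001),   # HQ -> business partner
    SpdEntry(ProxyId("10.1.0.0/16", "0.0.0.0/0", proto=6, remote_port=80), "BYPASS"),  # plain web surfing
]


def outbound_lookup(spd, src: str, dst: str, proto: int,
                    dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Ordered first-match SPD lookup on the IP header fields of an outbound packet.
    A packet that matches no entry is discarded rather than sent in clear."""
    for entry in spd:
        if entry.selector.covers(src, dst, proto, dport):
            return entry.action, entry.spi
    return "DISCARD", None


def inbound_check(sa_selector: ProxyId, src: str, dst: str, proto: int,
                  sport: Optional[int] = None) -> bool:
    """After decapsulation, the inner packet must lie within the proxy ids of the SA it
    arrived on; src and dst are swapped because the selector is stored from the local view."""
    return sa_selector.covers(dst, src, proto, sport)


if __name__ == "__main__":
    print(outbound_lookup(SAMPLE_SPD, "10.1.0.5", "10.2.0.7", 17, 53))       # PROTECT via SPI 0x1000
    print(outbound_lookup(SAMPLE_SPD, "10.1.0.5", "198.51.100.80", 6, 443))  # no entry: DISCARD
    print(inbound_check(SAMPLE_SPD[1].selector, "10.9.0.1", "10.1.0.5", 17))  # outside the SA: False
```

The inbound check is the part most often skipped in home-grown implementations: without it, a peer that holds a valid SA for one branch network could send traffic sourced from any address through that tunnel and have the gateway forward it into the headquarters LAN.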


Page 11: CPE-based VPNs

CPE VPN Gateway Differentiation & Success Factors - Today

Number of concurrent IPSEC tunnels supported
  Maps to the memory and CPU required to maintain state for the tunnels
  Critical for dial up scenarios and large numbers of branch offices
  Critical for multi tenant MAN service networks

Throughput over the IPSEC tunnels
  Maps to the encryption/decryption speed of the CPU/ASIC
  Critical for the HUB site or in the case of gigabit campus networks
  Critical for gigabit IP access service networks

Restoration of tunnels in case of VPN gateway failure


Page 12: CPE-based VPNs

CPE VPN Gateway Differentiation & Success Factors - Future

Enterprise market as a pure IP overlay VPN solution
  Number of IPSEC tunnels, throughput over IPSEC tunnels, recovery
  Dynamic membership of sites to a VPN for Site-Site VPNs
  Integration with PKI infrastructure, AAA for VPN Clients

Carrier/Service Provider market as a vehicle for IPVPN services
  Integration of configuration with service provisioning solutions
  Integration with IPVPN service functionality such as Firewall, QoS
  Integration with data collection for services (assurance + billing)


Page 13: CPE-based VPNs

CPE IPVPN: Vehicle for IPVPN Services

[Figure: Service provider management (Policy server; Installation team, Security team, Network team; Billing data, SLA info.) and IS enterprise management (HR: WW user adds/changes; IS Dept: US security policy mgmt.; IS Dept: Europe security policy mgmt.; IS Dept: Asia security policy mgmt.) for a customer with a New York Headquarters (Webserver, Policy router, Corp. server), a Geneva office (Policy router) and a Tokyo office (Policy router), all connected over the Internet.]
