Multi-domain VPNs

  • View
    222

  • Download
    3

Embed Size (px)

Text of Multi-domain VPNs

  • Multi-domain VPNs

    A practical approach to enable end-to-end services over multiple domains

    DENOG7, Darmstadt Thomas Schmid, schmid@dfn.de

  • The research network landscape

    NRENs are in general interconnected via theGANT network.No end-users are connected to GANT.

    Seite 2DENOG 7 schmid@dfn.de

    GANT

  • The NREN challenge

    All NRENs are createdunequal Multi-vendor Pure IP IP+MPLS PBB MPLS-TP MEF Transport technologies

    Seite 3DENOG 7 schmid@dfn.de

    How to offer private e2e services?

  • A brief history of private inter-domainconnections 90s:

    ATM SVCs, SDH: Not operated by the NRENs 00s: NG-SDH, Ethernet, MPLS back-to-back, MPLS-TE tunnel stitching 10s: Lambdas, OTN, Ethernet, MPLS ubiquitous

    Example: BoD (Bandwidth on Demand)

    Seite 4DENOG 7 schmid@dfn.de

    Complex: Topology databases, PCEs etc.

    Stitching technologies L

    http://services.geant.net/bod/Pages/Home.aspx

  • Example: LHCONE LHCONE: Large Hadron Collider Open Network

    Environment Private Network to distribute data from the large

    hadron collider at CERN among data centers ( LHCOPN mostly for traffic CERN-Tier1 datacenters)

    One VRF per domain Domains interconnected via normal IP, no labels

    involved: back-to-back VPNs ( no support forL2VPNs)

    In some parts separate physical/logicalinfrastructure reserved for LHCONE traffic

    Seite 5DENOG 7 schmid@dfn.de

  • ESnetUSA

    MAN LAN(New York)

    BNL-T1

    Internet2USA

    Harvard

    CANARIECanadaUVic

    SimFraUTRIUMF-T1

    SCINET(UTor)

    McGill

    PNWG(Seattle)

    ASGCTaiwan

    ASGC-T1

    KREONET2Korea

    KNU

    DFNGermany

    DESY

    RWTHDE-KIT-T1

    GARRItaly

    CNAF-T1RedIRIS

    Spain

    RENATERFranceIN2P3

    (10 sites)WIX

    (Washington)CC-IN2P3-T1

    CEA(IRFU)

    SLAC

    GLakesNE SoW

    Geneva

    FNAL-T1

    UFloridaPurUUWisc

    NetherLight(Amsterdam)

    CENICUSA

    ASGC2

    Wup.U

    Pacificwave(Los

    Angeles)

    Vanderbilt

    MIT

    AGLT2UMAGLT2

    MSU IndianaGigaPoPUNL

    GSI

    GLORIAD(global) KIAE/

    Kurchatov T1

    ICEPPU Tokyo

    NCU NTU

    SINETJapan

    PNUKCMS

    KISTI T1

    NKNIndi aCERN

    TIFR

    CSTNet/CERNet2China

    IHEP-ATLAS

    IHEP-CMS

    GANT

    UCSD

    JANETUK

    KEK T1

    PNNL-T1

    TEIN(proposed) INFN(7 sites)

    PIC-T1

    LHCONE VRF domainUChi

    Chicago Communication links: 1, 10, 20/30/40, and 100Gb/sRegional R&E communication nexusor link/VLAN provider

    LHCONE VRF aggregator networkSites that manage their own LHCONE routing

    See http://lhcone.net for details.

    UNL

    28 May 2015

    WEJohnston, ESnet,

    wej@

    es.net

    PNU

    Belle II Tier 1/2

    CUDIMexicoUNAM

    yellow outline indicates LHC+Belle IIsite}KEK

    IC

    LHC Tier 1/2/3 ALTAS and CMS

    LHC ALICE or LHCb

    KIT

    INFNNapoli

    INFNPisa

    ARNESSolveniaSiGNET

    LHCONE: A global infrastructure for the High Energy Physics (LHC and Belle II) data management

    CESNETCzech

    praguelcg2

    NORDUnetNordic

    NDGF-T1NDGF-T1bNDGF-T1c

    RoEduNetRomaniaNIHAM

    NIPNE x3ISS ITIM

    UAIC

    CERN

    IndiaKorea

    CERN

    PacWave(Sunnyvale)

    CICOmniPoP(Chicago)

    Starlight(Chicago)

    MREN(Chicago)

    GANT Europe

    Caltech UChi(MWT

    2)UIUC(MWT

    2)

    IU(MWT

    2)

    NL-T1

    SURFsaraNikhef

    Netherlands

    CERN(CERNLight)

    GenevaCERN-T1

    KISTIKorea

    TIFRIndia

    AMPATH(Miami)

    RNP/ANSPBrazil

    CBPF SAMPA(USP)

    HEPGrid(UERJ)

    SPRACE

    PSNCPolandPSNC

    Seite 6DENOG 7 schmid@dfn.de

  • Carrier-support-carrier for hierarchical VPNs

    RFC4364 Option 10.c (2006!) Means to provide seamless end-to-end MPLS services over multiple

    domains No stitching Hierarchical architecture: GANT is Carrier-of-Carrier No CAPEX Supported on almost all router hardware MDVPN: multidomain VPN But: no user community

    No large scale implementation according to vendors

    Seite 7DENOG 7 schmid@dfn.de

  • MDVPN: tLDP-signalling L2 circuit

    RR RR

    ABR

    PE

    ABRPE

    PE

    PE

    GEANT

    NREN)A

    NREN)BSSP

    SSP

    VPNproxy

    PE

    PE

    PE

    PE

    VPN1

    VPN1SDP

    SDP

    VR

    eBGPlabeled-unicast

    iBGPlabeled-unicast

    eBGPlabeled-unicast

    Multi-domain PE to PE MPLS path

    Targeted LDP -signaled L2 circuitlabel exchange

  • MDVPN: BGP-signalling L2VPN, L3VPN

    RR RR

    ABR

    PE

    ABRPE

    PE

    PE

    GEANT

    NREN)A

    NREN)BSSP

    SSP

    VPNproxy

    PE

    PE

    PE

    PE

    VPN1

    VPN1SDP

    SDP

    VR

    eBGPlabeled-unicast

    iBGPlabeled-unicast

    eBGPlabeled-unicast

    Multi-domain PE to PE MPLS path

    Multi-hop eBGPVPNv4, VPNv6, VPLS

    Multi-hop eBGPVPNv4, VPNv6, VPLS

    iBGPVPNv4, VPNv6, VPLS

    BGP-signaled L2VPN and L3VPN label and prefix exchange

  • GEANT

    CPE-NREN-A-VPN-ASTRO

    Peering BGP VPNv4

    CPE-NREN-B-VPN-ASTRO

    PE-NREN-A

    ASBR-1-GEANT

    ASBR-NREN-A

    ASBR-2-GEANT

    ASBR-NREN-B

    PE-NREN-B

    RR-NREN-B

    RR- NREN-A

    NREN-A

    NREN B

    Peering Multi-hop E-BGP VPNv4 (No next-hop self)

    Physical connections

    Peering labeled-unicast

    VRF ASTRO RT:22:30

    VRF BIO - RT:22:32

    VRF md-vpn1 - RT:33:10

    VRF md-vpn2 - RT:13092:17L2Circuit toward AMRES

    L2Circuit PE-RENATER - PE-REMOTE-NREN

    VPN-Route-ReflectorPeering Multi-hop E-BGP VPNv4 (No next-hop self)

    VRF CoC

    Standard deployment

    DENOG 7 schmid@dfn.de Seite 10

  • In short GANT: Carrier-of-Carrier

    only sees the /32s of the PEs with labels Transparent to configured VPNs between NRENs MDVPN runs in separate VRF (for monitoring/accounting purposes)

    ASBR-ASBR BGP LU session: distribute Loopbackaddresses (/32s) of PEs with labels No LDP required here

    VPN route-reflector: distribute BGP routes used e.g. in L3VPNs Signalling: not in the forwarding path - Could be anywhere For practical reasons run by GANT

    Traffic uses shared infrastructure Logical separation in VRF over VLAN on ASBR Dedicated infrastructures or bandwidth reservation optional

    Easy to extend into regional metronetsSeite 11DENOG 7 schmid@dfn.de

  • With the courtesy of Jani Myyry (Funet)

    MDVPN data plane label operations

    CoClabel

    Transportlabel

    VPNlabel Data

    MDVPN packets labels:

    pop CoC label

    pop transportlabel

    pop VPN labelpush VPN labelpush transport labelpush LDP label

    pop LDP labelswap transport label

    swap transport label

    swap transport labelswap transport labelpush CoC label

    swap CoC label

    incoming packet outgoingpacket

    LDPlabel

    Transportlabel

    VPNlabel Data

    12

  • Implement new service: one phone call and then

    Operation

    routerA#conf trouterA(conf)>interface TengigE1/1routerA(conf-if)>xconnect 123 encap mpls

    Done JGreat tool to easily deploy VPN services

    Technology transparent for customersSupport for all kind of VPN technologies

    L2 VPN L3 VPN incl. 6VPE VPLS

    Even with autodiscovery EVPN (currently testing looks good) Multicast: in theory yes

    Implementation of new services over multiple domains is as easy as in the own domainMonitoring:

    Signalling plane: routing protocolsForwarding plane: ping-VPN (PEs)

    13

  • VPN-Proxy implementation Solution for NRENs that dont support MPLS in their network Implemented with the help of logical routers available in Juniper

    GEANT NREN not MPLS-aware

    Back-to-back connection, VRF BIO, VRF ASTRO,

    logical router

    ASBR-GEANT

    VPN-ProxyPlay the role of ASBR + PE + route exchange VRR

    VPN-Route-Reflector

    BGP-LU

    peering

    14

  • Gory details MTU discovery not working

    Juniper doesnt signal MTU to Cisco Control label distribution between own network and GANT

    Internal: labels for Loopbacks in IGP BGP towards GANT E.g. IOS-XR: wtf - ebgp-multihop mpls required on CRS-1, not on ASR

    (took the TAC one month) IOS-XR needs static hostroute on ASBR interface for conected ASBR

    address LSPs must always be built on /32s

    Dont change next-hop VPLS site-IDs: different formats, no autonegotiation Security

    BGP Signalling standard security mechanisms Limit targeted LDP Sessions: difficult on Cisco use packet filters on ASBR

    (not very elegant compared to Juniper: implicit deny) Missing filter options for inner labels between domains

    Seite 15DENOG 7 schmid@dfn.de

  • Attack scenario

    MDVPNs are all in the same trust domain

    But: internal VPNs arevulnerable too!

    Unless theyre on a separate infrastructure

    Attacker has to: Control a router in an NREN Guess the inner VPN label Guess the IP addresses in the

    attacked VPN Then he can inject packets into

    the internal VPN Will he ever know it worked? Do the usual hacking stuff Perhaps will even get a response

    Takes a large amount ofpackets!

    Seite 16DENOG 7 schmid@dfn.de

  • Dealing with attacks Vendors dont support filters for inner labels

    Also hard to keep track of internal inner label usage Therefore try to detect the attack and take appropriate measures

    E.g. automatic shut down BGP LU peering with NREN Analyze netflow data (e.g. on GANT ASBR):

    Seite 17DENOG 7 schmid@dfn.de

    2015/03/25 10:21:39 ALARM 193.51.178.10:29770 (#