of 7/7
Computer Networks Lecture 20: MPLS, and VPN Destination Source 1 Source 2 Router can forward traffic for the same destination on different interfaces/paths Multi-Protocol Label Switching (MPLS) Initial goal: speed up intra-domain IP forwarding by using circuit identifiers (fixed-length labels) instead of IP addresses borrow ideas from VC approach (but IP datagram still keeps IP address!) Label Switching: Circuit Abstraction Label-switched paths (LSPs): pre-compute a path for each “flow” a “flow” can range from a single connection to a pair of APs or aggregated APs, etc. paths are “named” by the label at the path’s entry point each MPLS router uses a different label to identify a flow “downstream” MPLS router tells upstream neighbor its label for each flow Label Swapping At each hop, MPLS routers forward packets to outgoing interface based only on label value (doesn’t even look at IP address) use label to determine outgoing interface replace incoming label with neighbor’s label for the flow MPLS forwarding table distinct from IP forwarding tables A 1 2 3 A 2 D Tag Out New D

Multi-Protocol Label Switching (MPLS)web.eecs.umich.edu/~sugih/courses/eecs489/lectures/20-MPLS+VPN.pdf · MPLS, and VPN Destination Source 1 Source 2 Router can forward traffic for

  • View
    3

  • Download
    0

Embed Size (px)

Text of Multi-Protocol Label Switching...

  • Computer Networks

    Lecture20:

    MPLS,andVPN Destination

    Source1

    Source2

    Routercanforwardtrafficforthesame

    destinationondifferentinterfaces/paths

    Multi-ProtocolLabelSwitching(MPLS)Initialgoal:speedupintra-domainIPforwardingby

    usingcircuitidentifiers(fixed-lengthlabels)instead

    ofIPaddresses

    •  borrowideasfromVCapproach(butIPdatagramstillkeepsIPaddress!)

    LabelSwitching:CircuitAbstraction

    Label-switchedpaths(LSPs):

    • pre-computeapathforeach“flow”•  a“flow”canrangefromasingleconnectiontoapairofAPsoraggregatedAPs,etc.

    • pathsare“named”bythelabelatthepath’sentrypoint• eachMPLSrouterusesadifferentlabeltoidentifyaflow• “downstream”MPLSroutertellsupstreamneighboritslabelforeachflow

    LabelSwapping

    Ateachhop,MPLSroutersforwardpacketsto

    outgoinginterfacebasedonlyonlabelvalue

    (doesn’tevenlookatIPaddress)

    •  uselabeltodetermineoutgoinginterface

    •  replaceincominglabelwithneighbor’slabelfortheflow

    • MPLSforwardingtabledistinctfromIPforwardingtables

    A1 2

    3

    A 2 D

    TagOutNew

    D

  • LabelDistribution

    Signalingprotocolneededtosetupforwarding

    •  responsiblefordisseminatingsignalinginformation•  LabelDistributionProtocol(LDP)•  RSVPforTrafficEngineering(RSVP-TE)

    •  allowsforforwardingalongpathsnototherwiseobtainedfromIProuting(e.g.,source-specificrouting)

    • mustco-existwithIP-onlyrouters

    Destination

    Source1

    Source2

    MPLSEncapsulationPutanMPLSheaderinfrontofIPpacket

    •  MPLSheaderincludesalabel

    PPPorEthernetheader IPheader remainderoflink-layerframeMPLSheader

    label ToS S TTL

    20bits 3 1 5

    IPpacket

    MPLSheader

    ToS&TTLcopiedfromIP

    S:1ifbottomoflabelstack

    Network(layer3):IPlayer2.5?:MPLS

    DataLink(layer2):Ethernet,FrameRelay,

    ATM,PPP,etc.

    Physical(layer1)

    BGP-FreeBackboneCore

    A

    B

    R2

    R1

    R3

    R4

    C

    D

    12.11.1.0/24

    eBGP

    iBGP

    labelbasedonthe

    destinationprefix

    RoutersR2andR3don’tneedtospeakBGP

    VPNsWithPrivateAddressesWhyVPN?

    Customerhasseveralgeographicallydistributedsites• wantsprivatecommunicationsoverthepublicnetwork• wantsauniqueIPnetworkconnectingthesites

    •  singleIPaddressingplan•  virtualleasedlineconnectingthesites•  guaranteedqualityofservice

    Providershaveoverprovisionedbackbones• wanttosellpseudo-wires(leasedlines)thatallowforincreasedbackboneutilization

    • wanttechnologythathas•  lowconfigurationandmaintenancecosts•  isscalabletothenumberofcustomers,i.e.,corestatesdependontopology,notnumberofcustomers

  • Recall:Customer-basedVPN

    Encryptpacketsatnetworkentryanddecryptatexit

    Eavesdroppercannotsnoopthedata

    ordeterminetherealsourceanddestination

    NetworkVPNs

    Customerbased:•  customerbuysownequipment,configuresIPSectunnelsacrossthe

    globalInternet,manages

    addressingandrouting

    •  ISPplaysnorole•  customerhasmorecontroloversecurityandISPchoices,but

    requiresskills

    Site Site

    Site Site

    CE CE

    CE CE

    Internet

    Providerbased:•  providermanagesallthecomplexityoftheVPN,

    usuallywithMPLS

    •  customersimplyconnectstotheproviderequipment

    Site Site

    Site Site

    ISP PE PE

    PE PE

    CE

    CE CE

    CE

    TypesofMPLSRouters

    Customeredge(CE)routers:

    • donotspeakMPLS,donotrecognizelabelsatall

    •  speakeBGPwithMPLSroutersonprovidernetworktoadvertiseAPs

    •  orstaticallyconfiguredwithallocatedAPs

    advertises

    12.11.1.0/24 usingeBGP

    reachabilityof

    12.11.1.0/24 advertisedusingeBGP

    CE CEA B C D

    MPLSRouters

    Providerrouters:

    • provideredge(PE):routersAandE•  push(atingress)orpop(ategress)labelontostack

    •  forwardIPpacketsto/fromcustomerrouters

    •  core(P):routersB,C,andD•  swap(pop+push)labelontopofstack

    •  doesn’tinteractwithcustomerrouters

    advertises

    12.11.1.0/24 usingeBGP

    reachabilityof

    12.11.1.0/24 advertisedusingeBGP

    CE CEA B C D

    inner

    label

  • Provider-basedVPNLayer3BGP/MPLSVPNs(RFC2547)• providesisola,on:mul,plelogicalnetworksoverasingle,sharedphysicalinfrastructure

    • usesBGPtoexchangeroutes

    •  eBGPtoannounceAPs

    toPErouters

    • MPLStoforwardtraffic

    •  tunneling:Pcoreroutersdon’thave

    todorouting,just

    labelswitching

    PEedge

    router

    PEedge

    router

    Pcore

    router

    CEcustomer

    router

    CEcustomer

    router

    High-LevelOverviewofOperation

    IPpacketsarriveatprovider

    edge(PE)router

    DestinationIPlookedupin

    “virtual”forwardingtable•  therearemultiplesuchtables,onepercustomer

    Datagramsenttocustomer’snetworkusing

    tunneling(i.e.,anMPLSlabel-switchedpath)

    ToUseLevel3BGP/MPLSVPNTwostepsneeded:

    1. setuptheVPN

    2. forwardpacketsontheVPN

    IdentifyingaBGP/MPLSVPN

    ThreethingsareneededtoidentifyaBGP/MPLSVPN

    1.  innerlabel:awayfortheprovideredge(PE)routersateachendofaVPNtoassociateaVPNwithitsowner’scustomer

    edge(CE)router

    2. VPN-APs:awayforthecustomer’saddressprefixes(APs)tobeadvertisedbyBGP

    •  theissueis:sincecustomerscanuseprivateaddressranges(10/8,172.16/12,and192.168/16),howtodifferentiatethesameprivateaddressrangethathasbeenchosenandusedbydifferentcustomers?

    3. outerlabel:theMPLSlabelsusedbyprovider’score(P)routerstoidentifyaVC

  • Setup:InnerLabelProvider-edge(PE)routers:

    • setupaVirtualRoutingandForwarding(VRF)tableforeachcustomerAP

    • theVRFIDservesastheinnerlabelfortheVPN

    VRFID:C1

    VRFID:C2

    10.0.1.0/24 VPNID(RD):Tan

    10.0.1.0/24 VPNID(RD):Salmon

    10.0.1.0/24

    10.0.1.0/24

    Customer1

    Customer2

    Setup:VPN-APsProvider-edge(PE)routers:

    • useMulti-ProtocolBGP’sRouteDistinguisher(RD)astheVPNIDtodifferentiatethesameAPsofdifferentcustomers

    • useMP-BGPtoannounceVPN-APsreachability,alongwiththeirinnerlabels

    • runsiBGPtootheredgerouterstodistributeVPN-APreachabilities

    VRFID:C1

    VRFID:C2

    10.0.1.0/24 VPNID(RD):Tan

    10.0.1.0/24 VPNID(RD):Salmon

    10.0.1.0/24

    10.0.1.0/24

    Customer1

    Customer2

    Setup:OuterLabelBothprovider-edge(PE)andcore(P)routers:

    • runMPLS• useLDP(LabelDistributionProtocol)tosetupouterlabelsforforwarding

    •  thePErouteradvertisingacustomerAP(i.e.,the“destination”oregressrouter)initiatesLDPtodistributelabels

    22

    inner

    label

    TouseLevel3BGP/MPLSVPNTwostepsareneededtousealevel3BGP/MPLSVPN:

    1. SetuptheVPN

    2. ForwardpacketsontheVPN

  • ForwardinginBGP/MPLSVPNs

    Step1:packetarrivesfromCErouteratPErouter’sincominginterface•  lookupcustomer’sVRFtodetermineegressPEandinnerlabel(LabelI)

    Step2:egressPElookup,addcorrespondingouterlabel(LabelO,alsoatcustomer’sVRF)

    IPDatagramLabel

    I

    IPDatagramLabel

    ILabel

    O

    Forwarding

    IngressPErouterencapsulatesIPpacketinMPLSwithouterandinnerlabels

    Two-labelstackisusedforpacketforwarding• toplabelindicatesnext-hopProuter(outerlabel)• secondlabelindicatesoutgoingCEinterface/VRF(innerlabel)

    IPDatagramLabel

    ILabel

    OLayer2Header

    Correspondstolabelof

    next-hop(P)

    CorrespondstoVRF/

    interfaceatexit

    ForwardingonBGP/MPLSVPNsSourceCEroutersendsIPpackettoingressPErouter

    thatadvertisesdestinationAP

    IngressPErouterlooksupegressPErouter’svirtual

    interfaceaddressandtheinnerlabelfordestinationAP,

    thenencapsulatesIPpacketinMPLSwithouterand

    innerlabels

    CoreProutersalongthepathswapouterlabels

    PenultimatecoreProuterpopouterlabelonly

    EgressPErouterusesinnerlabeltolookupVRFand

    forwardpackettocustomerCErouter

    PacketForwarding

  • AdvantagesofMPLSVPNCustomer’saddingorchangingAPsdoesnotrequire

    manualconfigurationatprovider

    CoreProutersdonotneedtoknowcustomer’sCE

    routersorAPs⇒forwardingtablesonlyneedtoscaletonumberofedgePErouters,notnumberof

    customers,APs,orVPNs

    Theonlymanualconfigurationsrequiredareatthe

    edgePErouters:• VRFIDandcustomer’sCErouter’sIPaddress• MP-BGPRouteDistinguisherasVPNID

    StatusofMPLSDeployedinpractice

    • BGP-freebackbone/core

    • VirtualPrivateNetworks

    •  Trafficengineering

    Challenges

    •  protocolcomplexity

    •  configurationcomplexity

    •  difficultyofcollectingmeasurementdata