Virtual Private Networks Advanced Technologies•Phase 1 – hub-and-spoke capability only •Phase 2 – dynamic spoke-to-spoke tunnels •Phase 3 – limits routing information advertised

© 2005 Petr Grygarek, Advanced Computer Networks Technologies 1

Virtual Private Networks Virtual Private Networks Advanced Technologies Advanced Technologies

Petr GrygPetr Grygáárekrek

Agenda:Supporting Technologies (GRE, NHRP)Dynamic Multipoint VPNs (DMVPN)Group Encrypted Transport VPNs (GET VPN)Multicast VPNs (mVPN)

2© 2005 Petr Grygarek, Advanced Computer Networks Technologies

Generic Routing Generic Routing Encapsulation (GRE)Encapsulation (GRE)


GRE Principle (1)GRE Principle (1)•RFC 1701 - encapsulation of an RFC 1701 - encapsulation of an

arbitrary L3 protocol over another arbitrary L3 protocol over another arbitrary L3 layerarbitrary L3 layer•defines additional header (4-20B)defines additional header (4-20B)

•RFC 1702 - encapsulates IP in IPRFC 1702 - encapsulates IP in IP•accompanies RFC 1701accompanies RFC 1701

•IP protocol type 47IP protocol type 47

•Allows the creation of tunnels over the Allows the creation of tunnels over the shared infrastructureshared infrastructure•Originally P2POriginally P2P

•Support for P2MP interfacesSupport for P2MP interfaces


GRE Principle (2)GRE Principle (2)•Completely statelessCompletely stateless

•Low overheadLow overhead

•Tunnel interface is by default always up Tunnel interface is by default always up •even if the remote point is unavailableeven if the remote point is unavailable

•Support for GRE keepalivesSupport for GRE keepalives


Usage of GREUsage of GRE

•Tunnels over IP infrastructureTunnels over IP infrastructure•Unencrypted in the original Unencrypted in the original

implementationimplementation

•Passing routing information between Passing routing information between VPN sitesVPN sites


GRE Point-to-point GRE Point-to-point InterfaceInterface

•Tunnel Source AddressTunnel Source Address

•Local endpoint physical interfaceLocal endpoint physical interface•implies local tunnel endpoint physical IP implies local tunnel endpoint physical IP

addressaddress

•Remote endpoint physical interfaceRemote endpoint physical interface

•Optional tunnel protection Optional tunnel protection parametersparameters


GRE Multipoint InterfaceGRE Multipoint Interface•Tunnel interface addressTunnel interface address

•Local endpoint physical interfaceLocal endpoint physical interface

•Optional tunnel protection parametersOptional tunnel protection parameters

•No destination endpoint addressesNo destination endpoint addresses•Neither tunnel nor physicalNeither tunnel nor physical

•Destination physical addresses are Destination physical addresses are determined by ARP-like NHRPdetermined by ARP-like NHRP•Maps the destination tunnel address to the Maps the destination tunnel address to the

corresponding physical IP addresscorresponding physical IP address

•List of peers to which multicasts have List of peers to which multicasts have to be forwardedto be forwarded


Next-Hop Resolution Next-Hop Resolution Protocol (NHRP)Protocol (NHRP)

RFC 2332RFC 2332


NHRP PrincipleNHRP Principle•Allows systems connected to NBMA Allows systems connected to NBMA

network to dynamically learn “physical” network to dynamically learn “physical” (“NBMA”) addresses of other systems (“NBMA”) addresses of other systems to let them them communicate directlyto let them them communicate directly•NBMA may be either connection-oriented NBMA may be either connection-oriented

network (FR, ATM) or IP infrastructurenetwork (FR, ATM) or IP infrastructure•Direct communication may require to establish a Direct communication may require to establish a

SVC SVC

•NBMA addresses may be either IP NBMA addresses may be either IP addresses or L2 addresses (DLCI, VPI/VCI)addresses or L2 addresses (DLCI, VPI/VCI)

•May be understood as ARP equivalent for May be understood as ARP equivalent for NBMANBMA


NHRP UsageNHRP Usage•Reduction of multihop routing over Reduction of multihop routing over

NBMA network that is not fully NBMA network that is not fully meshedmeshed

•Starts with a partial mesh topologyStarts with a partial mesh topology•Most often hub-and-spokeMost often hub-and-spoke

•Helps to establish a “dynamic full Helps to establish a “dynamic full mesh”mesh”


Dynamic Full Mesh Dynamic Full Mesh Advantages (1)Advantages (1)

•Avoids multi-hop routing and overutilizing Avoids multi-hop routing and overutilizing of the hub routerof the hub router•Avoids double encryption/decryptionAvoids double encryption/decryption

•Decreases delayDecreases delay

•Utilizes the underlying network infrastructure Utilizes the underlying network infrastructure more efficientlymore efficiently

•The same are valid for static full meshThe same are valid for static full mesh

•Support for dynamic NBMA addressessSupport for dynamic NBMA addressess•Systems behind NAT or with dynamic Systems behind NAT or with dynamic

addresses (DHCP)addresses (DHCP)


Dynamic Full Mesh Dynamic Full Mesh Advantages (2)Advantages (2)

•Only spoke-to-spoke links that are needed Only spoke-to-spoke links that are needed for the traffic are (dynamically) for the traffic are (dynamically) establishedestablished•No need to configure full mesh (manually)No need to configure full mesh (manually)

•No limitation of number of tunnel interfaces No limitation of number of tunnel interfaces and number of routes supported on low-end and number of routes supported on low-end routersrouters•Allows to mix high-end and low-end routersAllows to mix high-end and low-end routers

•static full-mesh configuration would require all routers to static full-mesh configuration would require all routers to have resources for full-mesh implementationhave resources for full-mesh implementation

•If a spoke-to-spoke tunnel cannot be established, If a spoke-to-spoke tunnel cannot be established, the traffic may still be routed through the hubthe traffic may still be routed through the hub


NHRP ComponentsNHRP Components

•Next-Hop Clients (NHC)Next-Hop Clients (NHC)•Dynamically register with NHSDynamically register with NHS

•May be added without changing NHS May be added without changing NHS configurationconfiguration

•Next-Hop Servers (NHS)Next-Hop Servers (NHS)•Allows NHC to discover logical-to-Allows NHC to discover logical-to-

physical address mapping for other NHCphysical address mapping for other NHC

NHRP CacheNHRP Cache•Dynamic and static entriesDynamic and static entries


NHRP Messages (1)NHRP Messages (1)•Resolution RequestResolution Request

•May be routed through multiple systems May be routed through multiple systems along the (suboptimal) already known path to along the (suboptimal) already known path to the destination systemthe destination system

•Resolution ResponseResolution Response•Send by the destination system directly to the Send by the destination system directly to the

requesting systemrequesting system

•Registration Request/ResponseRegistration Request/Response•Registration of dynamic physical addresses Registration of dynamic physical addresses

with NHSwith NHS


NHRP Messages (2)NHRP Messages (2)

•Purge Request/ResponsePurge Request/Response•Makes the system to invalidate the cached Makes the system to invalidate the cached

information obtained by NHRPinformation obtained by NHRP


NHRP IssuesNHRP Issues

•Hub has to be configured to sent Hub has to be configured to sent multicasts to registered spokesmulticasts to registered spokes•Multicasts are necessary for many Multicasts are necessary for many

routing protocolsrouting protocols


Dynamic Multipoint VPNs Dynamic Multipoint VPNs (DM VPN)(DM VPN)


DMVPN Principle (1)DMVPN Principle (1)•Makes configuration of multipoint VPNs Makes configuration of multipoint VPNs

easier by avoiding a need to configure easier by avoiding a need to configure VPN tunnels manuallyVPN tunnels manually•Only hub-and-spoke topology has to be Only hub-and-spoke topology has to be

preconfigured infrastructurepreconfigured infrastructure

•Creates (encrypted) spoke-to-spoke Creates (encrypted) spoke-to-spoke tunnels on data-driven basistunnels on data-driven basis•Utilizes NHRP, GRE and IPSecUtilizes NHRP, GRE and IPSec

•The communication between spokes is The communication between spokes is routed by hub until the direct tunnel is routed by hub until the direct tunnel is created or if it could not be createdcreated or if it could not be created


DMVPN Principle (2)DMVPN Principle (2)•Spokes (NHC) dynamically registers Spokes (NHC) dynamically registers

with hub (NHS) using NHRPwith hub (NHS) using NHRP•Allows spoke to look up an address of Allows spoke to look up an address of

another spokeanother spoke

•spokes may have dynamic addressesspokes may have dynamic addresses

•Each spoke may create spoke-to-spoke Each spoke may create spoke-to-spoke tunnels up to its available resourcestunnels up to its available resources•Does not limit any other spoke to use all Does not limit any other spoke to use all

its available resourceits available resource

•Dynamic tunnels are deleted after idle Dynamic tunnels are deleted after idle timeout expirestimeout expires


DMVPN AdvantagesDMVPN Advantages

•Spokes can be added without any hub Spokes can be added without any hub configuration changeconfiguration change

•Uniform spoke configurationUniform spoke configuration

•Utilizes standard protocols and Utilizes standard protocols and solutionssolutions•Combination of GRE,NHRP and IPSecCombination of GRE,NHRP and IPSec


Developmental phases of Developmental phases of DMVPNDMVPN

•Phase 1 – hub-and-spoke capability Phase 1 – hub-and-spoke capability onlyonly

•Phase 2 – dynamic spoke-to-spoke Phase 2 – dynamic spoke-to-spoke tunnelstunnels

•Phase 3 – limits routing information Phase 3 – limits routing information advertised to spokesadvertised to spokes•Better scalabilityBetter scalability

•Does not require all spoke routers to Does not require all spoke routers to maintain all the routes of the VPNmaintain all the routes of the VPN


DMVPN Phase 2 (1)DMVPN Phase 2 (1)•Dynamic routing protocol on hub-to-spoke Dynamic routing protocol on hub-to-spoke

tunnel advertises all routes behind hub tunnel advertises all routes behind hub and other spokesand other spokes•including the spokes' tunnel addresses as including the spokes' tunnel addresses as

next hops to networks behind particular next hops to networks behind particular spokesspokes•routing protocol has to preserve next hoprouting protocol has to preserve next hop

•Split horizon rule has to be turned off on hubSplit horizon rule has to be turned off on hub

•Each spoke has routes to all networks in Each spoke has routes to all networks in its routing tableits routing table•with tunnel interface as the outgoing with tunnel interface as the outgoing

interfaceinterface


DMVPN Phase 2 (2)DMVPN Phase 2 (2)

•NHRP runs on the spoke's tunnel NHRP runs on the spoke's tunnel interface interface •NHRP cache is used to find the logical-NHRP cache is used to find the logical-

to-NBMA mapping for the next hop to-NBMA mapping for the next hop address (that is not present in the address (that is not present in the routing table)routing table)

•If an entry is not found in the cache, If an entry is not found in the cache, NHRP request has to be send to NHSNHRP request has to be send to NHS

•A disadvantage is a significant load A disadvantage is a significant load on the routing protocol in VPNon the routing protocol in VPN



•Reduces the amount of routes Reduces the amount of routes advertised to spokesadvertised to spokes•Hub summarizes the routing information Hub summarizes the routing information

advertised to spokesadvertised to spokes

•Hub sets itself as a next hopHub sets itself as a next hop

•Spoke sends the first data packet to Spoke sends the first data packet to hub over the tunnel interfacehub over the tunnel interface•The logical-to-NBMA mapping is The logical-to-NBMA mapping is

preconfigured for hubpreconfigured for hub



•If a hub receives a packet from a If a hub receives a packet from a spoke on the tunnel interface that has spoke on the tunnel interface that has to be routed to other spoke by the to be routed to other spoke by the same router interface, it initiates the same router interface, it initiates the spoke-to-spoke tunnel creationspoke-to-spoke tunnel creation•Sends redirect to the source spokeSends redirect to the source spoke

•NHRP redirect messageNHRP redirect message•Contains the correct next hop address and Contains the correct next hop address and

the original destination addressthe original destination address


DMVPN Phase 3 (3)DMVPN Phase 3 (3)•Spoke send NHRP Request to Spoke send NHRP Request to

determine a NBMA address for the determine a NBMA address for the logical next hop address from the logical next hop address from the redirect messageredirect message

•NHRP Request is routed to the NHRP Request is routed to the destination spokedestination spoke•Destination spoke responds to the original Destination spoke responds to the original

requesting spoke with its NBMA address requesting spoke with its NBMA address and the whole subnet of its routing table and the whole subnet of its routing table that matches the required destination that matches the required destination address from the NHRP Requestaddress from the NHRP Request



•Source spoke inserts the record for Source spoke inserts the record for the particular destination network the particular destination network into its routing tableinto its routing table•pointing to the tunnel interfacepointing to the tunnel interface

•The following packets follow the The following packets follow the direct spoke-to-spoke pathdirect spoke-to-spoke path


Problems of Hub FailureProblems of Hub Failure•Spoke will delete all routes pointing to Spoke will delete all routes pointing to

the tunnel interfacethe tunnel interface

•Even existing spoke-to-spoke tunnels Even existing spoke-to-spoke tunnels become unusable as there is no entry in become unusable as there is no entry in the routing table to route traffic into the routing table to route traffic into themthem•Tunnels will remain available, but unused Tunnels will remain available, but unused

•At least until NHRP cache entries time outAt least until NHRP cache entries time out

•Routes advertised from redundant hub Routes advertised from redundant hub may solve the problemmay solve the problem•Normally they are ignored because of worse ADNormally they are ignored because of worse AD


DMVPN ConfigurationDMVPN Configuration

•Multipoint GRE interface on hubMultipoint GRE interface on hub•Because it connects to multiple spokesBecause it connects to multiple spokes

•Multipoint GRE interface on spokesMultipoint GRE interface on spokes•Because multiple spoke-to-spoke tunnels Because multiple spoke-to-spoke tunnels

may be initiated in parallelmay be initiated in parallel

•IPSec profile is applied on GRE IPSec profile is applied on GRE tunnel to protect the traffictunnel to protect the traffic•Standard IPSec tunnels are usedStandard IPSec tunnels are used


Group-Encrypted Transport Group-Encrypted Transport VPNs (GET VPN)VPNs (GET VPN)


GET VPN (1)GET VPN (1)

•Tunnel-less any-to-any serviceTunnel-less any-to-any service•Better scalabilityBetter scalability

•No overlay routingNo overlay routing

•IPSec basedIPSec based

•Supports multicasts and QoSSupports multicasts and QoS




•Secure central key distribution to Secure central key distribution to routers in a domainrouters in a domain•Key serverKey server

•Unicast & multicast key distribution to Unicast & multicast key distribution to authorized routers (download/push)authorized routers (download/push)

•Policy managementPolicy management



Multicast VPNs (mVPN)Multicast VPNs (mVPN)


Implementation Implementation RequirementsRequirements

•Potentially different PIM modes in Potentially different PIM modes in the core and each mVPNthe core and each mVPN•Support for all PIM modesSupport for all PIM modes

•Overlap of customers' multicast Overlap of customers' multicast addressingaddressing


Overlay InfrastructureOverlay Infrastructure

•Full mesh of tunnels between VPN Full mesh of tunnels between VPN sitessites

•Hides VPN multicast from the coreHides VPN multicast from the core•Customers' multicasts groups may Customers' multicasts groups may

overlapoverlap

•No multicast state in the coreNo multicast state in the core

•Non-scalableNon-scalable

•Suboptimal multicast routingSuboptimal multicast routing


2-level Multicast Solution2-level Multicast Solution•Multicast Distribution Tree (MDT)Multicast Distribution Tree (MDT)

•Aggregates all multicast traffic between Aggregates all multicast traffic between sites of the same VPNsites of the same VPN•GRE-encapsulatedGRE-encapsulated

•Including system-oriented traffic between PE Including system-oriented traffic between PE routers (PIM sessions between PEs)routers (PIM sessions between PEs)

•May be seen as multiaccess segmentMay be seen as multiaccess segment•Every PE router is connected with virtual Every PE router is connected with virtual

tunnel interfacetunnel interface

•Suboptimal – delivers ALL multicast Suboptimal – delivers ALL multicast traffic to all PEs of the VPNtraffic to all PEs of the VPN


An optimization: Data MDT (1)An optimization: Data MDT (1)•Configured optionallyConfigured optionally

•Carries traffic of a single (or multiple) Carries traffic of a single (or multiple) customer's groupcustomer's group•Source PE switches to Data MDT from the Source PE switches to Data MDT from the

Default MDT after a preconfigured traffic Default MDT after a preconfigured traffic threshold for given group(s)threshold for given group(s)

•The tree spans only PEs with networks The tree spans only PEs with networks interested in particular multicast groups interested in particular multicast groups behind thembehind them

•Default MDT is used to inform other PEs Default MDT is used to inform other PEs about active sources sending to Data MDT about active sources sending to Data MDT

•PE may optionally join the Data MDTPE may optionally join the Data MDT


Data MDT: Pros and ConsData MDT: Pros and Cons

•Limits traffic over core networkLimits traffic over core network

•More states in core network (multiple More states in core network (multiple trees)trees)

Documents

Virtual Private Networks Advanced Technologies•Phase 1 – hub-and-spoke capability only •Phase 2 – dynamic spoke-to-spoke tunnels •Phase 3 – limits routing information advertised