04/12/23

Virtual Private NetworksVirtual Private Networks

Chen-Nee Chuah

Network Reading Group, Spring 99

04/12/23

VPNsVPNs

• Definition: A VPN is an emulation of a private wide area network (WAN) facility using IP facilities (including the public Internet, or private IP backbones).

• VPNs can be implemented in many ways:– Customer Premises Equipment (CPE) based solutions

– Network based solutions

04/12/23

MotivationsMotivations

• Need private communication networks for multiple sites => “private WANs”

• Two types of existing private networks:– dedicated WANs (permanently connected)

– dial network (on-demand connections through leased lines from PSTN network or dedicated ATM circuits).

• Running VPNs across Internet offers a cost-effective solution.

04/12/23

Can Internet Support VPNs?Can Internet Support VPNs?

• Customer requirements for VPNs– Support for opaque packet transport

– Support for data security

– Support for Quality of Service Guarantees

• Need some form of IP tunneling

04/12/23

CPE Vs. Network Based VPNsCPE Vs. Network Based VPNs

• Most current VPN implementations are based on CPE devices:– Firewalls

– WAN edge routers

– Specialized VPN termination devices

• Network based solution: VPN is implemented on network by Internet service provider (ISP)– Some mechanisms leverage tools that are applicable

only to ISPs rather than individual customers running special CPE devices.

04/12/23

Different VPN typesDifferent VPN types

• Virtual Leased Lines (VLLs)• Virtual Private Routed Networks (VPRNs)• Virtual Private LAN Segment (VPLSs)• Virtual Private Dial Networks (VPDNs)

04/12/23

Type I: Virtual Leased Lines (VLLs)Type I: Virtual Leased Lines (VLLs)

• VLL = IP tunnel forming a point-to-point link to emulate a physical leased line or dedicated connection.

• Require IP tunneling mechanism– forwarding disjoint from the address fields of the

encapsulated packets, allow opaque transport of frames as packet payload.

– e.g. IP/IP, GRE tunnels, L2TP (PPP packets), MPLS, and IPSec

04/12/23

VLLs: Tunneling Protocol Requirements VLLs: Tunneling Protocol Requirements

• Support for VLL Multiplexing– e.g. tunnel-id & call-id for L2TP, MPLS labels

• Support for a Signaling protocol– to negotiate tunnel attributes such as security level, IP

address of remote end points (e.g. MPLS’s LDP).

• Support for Data Security– allow customers to specify levels of security

• Support for Multi-protocol Transport• Support for Frame Sequencing

– required to guarantee in-order delivery of packets

04/12/23

VLLs:Protocol Requirements (continued)VLLs:Protocol Requirements (continued)

• Support for Tunnel Maintenance– establish, maintain and delete tunnel instances

• Support for Large MTUs– must allow frame fragmentation, either at IP level, or

within the tunnel (tunnel sequence number)

• Minimization of Tunnel Overhead– important for small, jitter and latency sensitive traffic

• Flow and congestion control issues– currently only L2TP does this, still open to research

• Traffic management issues– deliver guarantees e.g. loss rates, latency & bandwidth

04/12/23

VLLs: RecommendationsVLLs: Recommendations

• A modification of IKE/IPSec may be an optimal choice as a standard VLL tunneling mechanism– it has well defined signaling & multiplexing

capabilities

– it supports security

– close competitor: MPLS

• Using a single signaling protocol and associated data encapsulation is better than using multiple protocols in parallel.

04/12/23

Type II:Virtual Private Routed NetworksType II:Virtual Private Routed Networks

• A VPRN emulates a multi-site wide area routed network over IP, consisting of– a mesh of IP tunnels btw ISP routers & routing capabilities

– “stub” links connecting CPE routers to ISP routers

CPE

ISPISP

ISP

CPE

ISP edge router

IP tunnel

Stublink

Backuplink

Backdoor link

CPE

04/12/23

VPRNs (continued)VPRNs (continued)

• Benefit: Configuration of the CPE router is simplified. ISP edge router appears to be a “neighbor” router.

• The burden of tunnel establishment, maintenance and routing is on ISPs. Forwarding is done at the network layer (Layer 3).

• Each customer side CPE router is connected to an ISP edge router through one or more stub links (leased lines, ATM or Frame Relay)

• Each VPRN supports only a single network layer protocol.

04/12/23

VPRNs (continued)VPRNs (continued)• Issues need to be addressed

– Initial configuration/topology: need to determine set of routers that have members in VPRNs

– CPE routers need to determine set of IP address prefixes to be forwarded to an ISP edge router.

– ISP edge routers • need to determine the set of IP address prefixes that are

reachable via each stub link

• need to learn and disseminate stub reachability information among themselves.

• need VPN specific forwarding mechanisms to forward ingress traffic from stub links to next hop router, and to forward egress traffic from core network to stub links.

• Note: similar issues applied to VPLSs.

04/12/23

VPRN Generic RequirementsVPRN Generic Requirements• Unique VPN identifier to refer to a particular VPN

– unique across different ASs

• VPRN membership – configuration

– dissemination (directory lookup, explicit management configuration, piggybacking in routing protocols).

• Stub link reachability information– edge router must learn set of addresses/address prefixes

reachable via each stub link.

– Each CPE router needs to learn the destinations reachable by each stub link.

04/12/23

VPRN Generic Requirements (continued)VPRN Generic Requirements (continued)

• Intra-VPRN reachability information– need to be disseminated to other edge routers via one of

the following ways• directory lookup

• explicit configuration

• local intra-VPRN routing instantiations

• link reachability protocol

• piggybacking in IP backbone routing protocols.

• Tunneling mechanism (like VLLs)– Edge router must construct necessary tunnels to other

routers in the VPRN, encapsulate/decapsulate and send/receive packets over the tunnel

04/12/23

VPRNs: Multicast supportVPRNs: Multicast support

Multicast & broadcast traffic can be supported by• Edge replication:

– edge router replicates multicast traffic for transmission across each link in the VPRN

• Native multicast support– VPRN edge routers map intra-VPN multicast traffic

onto a native IP multicast distribution mechanism across the backbone.

04/12/23

VPRNs: RecommendationsVPRNs: Recommendations

• There are proposals to adapt routing protocols to carry VPN information to support router piggybacking mechanisms. (e.g. MPLS)

• Downside: some ISPs prefer not to couple VPN membership and reachability with backbone routing protocols.

04/12/23

Type III:Virtual Private LAN SegmentType III:Virtual Private LAN Segment

• A VPLS emulates a LAN segment over IP. – equivalent to VPRN, except now IP tunnels extend all

the way to CPE routers, and ISP edge routers provide Link Layer bridging (layer 2 connectivity alone).

ISPISP

ISP

CPE

ISP edge router

IP tunnel

Backdoor link

CPE

CPE

04/12/23

VPLS: Requirements & RecommendationsVPLS: Requirements & Recommendations

• Very similar to VPRNs • Unlike VPRNs, CPE nodes can either be bridges

or routers– nature of CPE (bridge Vs router) impacts nature of

encapsulation, addressing, forwarding and reachability protocols within the VPLS.

• Advantage: protocol transparency. • Commonality btw VPRNs and VPLSs can be

exploited to reduce complexity.

04/12/23

Type IV: Virtual Private Dial NetworksType IV: Virtual Private Dial Networks

• A VPDN allows for remote users to connect on demand into remote sites through an hoc tunnels.– E.g. PPP connections to network access server

• Strong binding btw a particular user and a central side requires authentication & security

• L2TP (Layer 2 Tunneling Protocol) allows user PPP sessions from L2TP access concentrator (LAC) to a remote L2TP network server (LNS)

04/12/23

VPDNs (continued)VPDNs (continued)

• Support compulsory tunneling– a dial or network access server (LAC), extends a PPP

session across a backbone using L2TP to a remote LNS.

• Other issues:– Call Routing

– Security mechanism

– Traffic management

– Call multiplexing

– Address management

– Support for large MTUs

04/12/23

VPDNs (continued)VPDNs (continued)

• Voluntary Tunnels– an individual host connects to a remote site using a

tunnel originating on the host, with no involvement from intermediate network nodes.

• Networked Host Support– existing PPP based dial model assumes connection

oriented dial access network

– want to accommodate existing AAAA infrastructure within service providers

• extend PPP to hosts through L2TP

• extend PPP directly to hosts

• use of IPSec

04/12/23

VPDNs: RecommendationVPDNs: Recommendation

• L2TP specifications are being finalized to support VPDNs using compulsory tunneling.

• Further study need to be done to determine the best solution for voluntary tunneling– PPP based solution or

– IPSec based mechanism.

04/12/23

SummarySummary

• Further standardization efforts needed in defining– a generic VPN tunneling protocol

– a globally unique VPN identifier

– a VPN membership information configuration and dissemination mechanism

• Further study is needed to address– security issues

– scalability of membership configuration and dissemination mechanism

04/12/23

QoS Guarantees in VPNsQoS Guarantees in VPNs

• Goal: obtain differentiated & dependable QoS for flows belonging to a VPN

• 2 performance service abstractions: Pipe & Hose– A pipe provides performance guarantees for traffic btw

A specific origin and destination pair

– A hose provides performance guarantees btw an origin and a set of destinations, and btw a node and a set of origins, i.e. it’s characterized by the “aggregate” traffic coming from or going into the VPN.

04/12/23

QoS SupportQoS Support

• Service Level Agreement (SLA) btw a customer & a service provider– traffic characteristics and QoS requirements

• Two ways to support different QoS classes within VPN:– resources are managed on a VPN specific basis, i.e.

SLAs would be for the overall VPN rather than for each specific QoS class

• Schedule only at the edges

• Mark packets and schedule within the core

– resources are managed on an individual QoS basis

04/12/23

SummarySummary

• Different choices for the implementation of hoses in VPNs– integrated service framework (controlled load,

guaranteed load) with signaling protocol like RSVP

– differentiated service framework (DS byte of IP header)

– MPLS environment (LSP tree)

• Security– IPSec is recommended. The only limitation is

scalability.