provider based virtual private networks
play

Provider based Virtual Private Networks An introduction and an MPLS - PDF document

Feb 14, 2023 •207 likes •362 views

HELSINKI UNIVERSITY OF TECHNOLOGY Provider based Virtual Private Networks An introduction and an MPLS case Lecture slides for S-38.192 3.3.2005 Mika Ilvesmki Networking laboratory HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmki, Lic.Sc.

  1. HELSINKI UNIVERSITY OF TECHNOLOGY Provider based Virtual Private Networks An introduction and an MPLS case Lecture slides for S-38.192 3.3.2005 Mika Ilvesmäki Networking laboratory HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) ”The idea is to create a private network via tunneling and/or encryption over the public Internet. Sure, it’s a lot cheaper than using your own frame-relay connections, but it works about as well as sticking cotton in your ears in Times Square and pretending nobody else is around.” - Wired Magzine on VPNs in February 1998 - Lecturer’s note: If, in the final exam, asked about VPNs, do not use the above definition. Please! 1

  2. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Contents • VPN terminology • VPNs on IP layer – addressing, routing, security • Engineering VPNs with – Controlled route leaking – Tunnels – MPLS HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) What is a VPN? • Virtual – network resources used are part of a common shared resource • Private – privacy of addressing and routing – topological isolation – security (authentication, encryption, integrity) of the data – (seemingly) dedicated use of network resources – temporal isolation • Network – devices that communicate through some arbitrary method 2

  3. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Why VPNs? • Omnipresent coverage • Cost reduction – no separate private networks • Security • E-Commerce Dial-up Access – especially B2B Private lines Public Internet Public Internet Corporate Corporate Intranet Intranet Extranet Access HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Virtual Private Networks • A VPN is a private network constructed within a public network infrastructure, such as the global internet – Equipment and facilities used to build the VPN are also in other’s use->virtual – Routing and addressing is separate from all other networks and data is secured -> private • VPNs require that the flow of routing data is constrained to constrain the flow of user data – Connect geographically dispersed sites -> network 3

  4. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) VPN • Private network where privacy is introduced with some method of virtualization • Between – two organizations, end-systems within single organization or multiple organizations or applications • Across the global Internet HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Intersite connectivity types • Ranging from – full-mesh (n(n-1)/2 connections) – to hub and spoke type of connectivity • reliability problems! Spoke Hub Spoke 4

  5. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) VPN technologies • Data Integrity, Confidentiality, Authenticity – IPsec, Authentication methods, Access control, PKI • Controlled route leaking – manually or with BGP communities (RFC 2858) • Tunnels – GRE, IPinIP or MinIP – VPDNs • Tunneling PPP-traffic with L2TP or PPTP thru dial-up connections • Layer 2 VPNs with dedicated ATM or FR connections • VPNs with MPLS (and BGP in RFC 2547) HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Addressing • Private address space defined in RFC 1918 (BCP) – Addresses may be used freely within enterprise networks • 10.0.0.0-10.255.255.255 (10/8 prefix) • 172.16.0.0-172.31.255.255 (172.16/12 prefix) • 192.168.0.0-192.168.255.255 (192.168/16 prefix) – ISPs will reject packets with above addresses • Need for NAT or application layer gateways for Internet communications 5

  6. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) VPNs and routing • Virtual private networks require special actions from standard IP routing – Controlled route leaking (route filtering), NAT – manual management, scalability problems, address space mgmnt • VPNs can also be constructed on layer 2 – restricted use of ATM or FR virtual connections – management problems transferred to layer 2 Route Filter to 192.168.1.x • deny all • permit 192.168.2/3/4/5.x 10.0.2.x 10.0.1.x 192.168.1.x 192.168.4.x 10.0.3.x 192.168.2.x 192.168.5.x 192.168.3.x 10.0.4.x HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Notes on route filtering • Route filtering is the most basic way of constructing VPNs – not recommendable • Privacy through obscurity – Security means ISPs managing customer edges • or inserting address filters • Requires common routing core – VPN addresses may not overlap within the routing core 6

  7. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Tunneling • Configure tunnels across the network – Customer edge routers will act as tunnel exit points – Allows for multiple use of VPN/IP addresses in different VPNs • Manual configuration without use of routing protocols – Requires connectivity to all customer premises (VPN members) • n(n-1)/2 connections -> no management scalability 10.0.2.x 10.0.1.x 192.168.1.x 192.168.4.x 10.0.3.x 192.168.2.x 192.168.5.x 192.168.3.x 10.0.4.x HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Notes on tunneling • Allows for overlapping in VPN addresses • Multiprotocol capable • Manual configuration of tunnels – Low tolerance on network topology changes • Concerns on QoS issues • CE routers (tunnel exit points) have to managed by the ISP 7

  8. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) VPN management issues • Management of traditional VPNs is manual – Tunnels are setup manually – Routing information is manually configured • Complexity of VPN management results from the integration of IP route lookup and forwarding decisions HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) MPLS for VPNs with BGP • Meeting the (MPLS) objective for flexibility in new service introduction – MPLS separates the route lookup and forwarding somewhere in between layers 2 and 3. • Virtual Private Network – Tunnel via core network virtual backbones – Separate VPN address spaces – Advertising of VPN networks either by a routing protocol (RFC 2547 BGP/MPLS VPNs) or label distribution protocol 8

  9. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) BGP issues • RFC 2858 Multiprotocol extensions for BGP-4 – Network Layer Reachability Identifier • RFC 1997 BGP communities attribute – Mark the NLRI with a community attribute – routes within VPN can be marked with a single community instead of keeping up with individual routes • Constraining the distribution of routing info – dealt with BGP (extended) community -field • Globally non-unique addresses – dealt with VPN-IP addresses and Route Distinguisher – no constraint on connectivity HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Requirements for MPLS/VPNs • Use of VPN/IP addresses • Constrained distribution of routing information – BGP, LDP • Multiple forwarding tables – Naturally for traffic inside the VPN • outside the VPN – At ISP edge VPN addresses may conflict • for traffic between VPNs – This is where MPLS kicks in! 9

  10. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) VPN-IP addresses • VPN-IP addresses are carried only in routing protocol messages, not in IP headers – not used for packet forwarding • BGP assumes that IP addresses are unique – not valid when using private address space (RFC 1918) • IP address + Route Distinguisher – RD=Type+AS number+Assigned number • AS number = ISP AS number • Assigned number = VPN identifier given by ISP • VPN-IP addresses are (globally) unique • Use of VPN-IP addresses is done only in ISP network – no customer involvement, conversion done at PE HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Constrained distribution of routing information 1. Routing info from customer site (CE) to provider edge (OSPF) 2. Export routing info to provider BGP (CE->PE) • Attach BGP (extended) community attribute – constrained distribution of BGP info 3. Distribute with other VPN/PEs using BGP 4. Extract routing info on other PEs (opposite to 2.) • Route filtering based on BGP community attribute 5. Routing info from PE to CE (OSPF) P C 1 E 2 C 1 E 1 PE 2 PE 1 C 2 E 3 C 2 E 1 C 1 E 3 C 2 E 2 P C 2 E 4 10

  11. HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Constrained distribution of routing information - notes • Distribution of BGP info is handled by the ISP – no involvement from the customer • CE maintains routing peering with only the nearest PE • To add a new site to an existing VPN only the connecting PE needs to be configured • PE only maintains routes for the directly connected VPNs HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmäki, Lic.Sc. (Tech.) Multiple Forwarding Tables • To allow per-VPN segregation – otherwise packets could be traveling from one VPN to another OR alternatively careful management of address would be needed VPN C 1 FT -forwarding table VPN C 2 FT -another forwarding C 1 E 2 table C 1 E 1 PE 2 PE 1 P C 2 E 3 C 2 E 1 C 1 E 3 C 2 E 2 P C 2 E 4 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Service Requirements for Provider Provisioned Virtual Private Networks (PPVPN)

Service Requirements for Provider Provisioned Virtual Private Networks (PPVPN)

Service Requirements for Provider Provisioned Virtual Private Networks (PPVPN) draft-ietf-ppvpn-requirements-00.txt Presented by Dave McDysan March 23, 2001 Service Requirements for PPVPNs 1 Authors M. Carugi (Co-Editor) France Telecom D.

260 views • 14 slides
Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend

Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend

create your own exercise Hugues Fafard, Markus Mller Virtual Private Networks with tjnc 1 Motjvatjon VPN, Virtual Private Network Extend private network over public ones Useful for companies Remote access Network bridging

256 views • 9 slides
Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You

Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You

4/25/08 Virtual Private Networks Distributed Systems Paul Krzyzanowski Private networks Problem You have several geographically separated local area networks that you would like to have connected securely Solution Set up a private

425 views • 7 slides
Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public

Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public

Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public lines that are insecure Need to communicate securely Private lines : costly option VPN Secure private communications over public

671 views • 27 slides
MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation ,

MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation ,

MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation , Cisco Press B. Davie and Y. Rekhter, MPLS Technology and Applications , Morgan Kaufmann MPLS VPN Agenda Introduction to VPNs Where do Layer

854 views • 61 slides
Tunnels and VPN * s s November 6, 2020 *virtual private networks *virtual private networks

Tunnels and VPN * s s November 6, 2020 *virtual private networks *virtual private networks

Tunnels and VPN * Tunnels and VPN * s s November 6, 2020 *virtual private networks *virtual private networks Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in

547 views • 36 slides
MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation ,

MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation ,

MPLS based Virtual Private Networks Sources: V. Alwayn, Advanced MPLS Design and Implementation , Cisco Press B. Davie and Y. Rekhter, MPLS Technology and Applications , Morgan Kaufmann MPLS VPN Agenda... Layer 2 MPLS VPN Pseudo Wire

435 views • 29 slides
Distributed Systems Virtual Private Networks Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Virtual Private Networks Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Virtual Private Networks Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Private networks Problem You

386 views • 14 slides
CS519: Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN Taxonomy CS519 VPN Network Client

CS519: Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN Taxonomy CS519 VPN Network Client

CS519: Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN Taxonomy CS519 VPN Network Client Provider-based Customer-based Provider-based Customer-based L3 L2 Compulsory Voluntary Virtual Router BGP/MPLS ATM Frame Relay Secure

1.15k views • 70 slides
Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations

Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations

Virtual Private Networking Outline Introduction Virtual Private Networks Types of VPNs Tunneling Security Cmput 410 Presentations Encryption November 25 - 2004 Future of VPNs VPN - Definition a way to provide

595 views • 11 slides
4/22/2009 Private networks Problem You have several geographically separated Distributed

4/22/2009 Private networks Problem You have several geographically separated Distributed

4/22/2009 Private networks Problem You have several geographically separated Distributed Systems local area networks that you would like to have connected securely Virtual Private Networks Solution Set up a private network line

221 views • 3 slides
Virtual Private Networks (VPN) 12: VPN, IPV6, NAT, MobileIP Last Modified: 4/9/2003 1:14:36 PM

Virtual Private Networks (VPN) 12: VPN, IPV6, NAT, MobileIP Last Modified: 4/9/2003 1:14:36 PM

Virtual Private Networks (VPN) 12: VPN, IPV6, NAT, MobileIP Last Modified: 4/9/2003 1:14:36 PM Adapted from Gordon Chaffees slides http://bmrc.berkeley.edu/people/chaffee/advnet98/ 4: Network Layer 4: Network Layer 4a-1 4a-2 Virtual

201 views • 9 slides
The Web Week 10 LBSC 671 Creating Information Infrastructures Virtual Private Networks a

The Web Week 10 LBSC 671 Creating Information Infrastructures Virtual Private Networks a

The Web Week 10 LBSC 671 Creating Information Infrastructures Virtual Private Networks a secure private network over the public Internet Public Internet Intranet virtual leased line Intranet Tonight Think about what the Web

758 views • 63 slides
Private Networks Physically disconnected from the outside Internet. Three properties: Users

Private Networks Physically disconnected from the outside Internet. Three properties: Users

1 Virtual Private Networks Chester Rebeiro IIT Madras 2 Private Networks Physically disconnected from the outside Internet. Three properties: Users Authenticated. Users are authorized and their identities verified. Content Protected.

684 views • 37 slides
VPN Virtual Private Network Computer Center, CS, NCTU What is VPN Extension of a private

VPN Virtual Private Network Computer Center, CS, NCTU What is VPN Extension of a private

VPN Virtual Private Network Computer Center, CS, NCTU What is VPN Extension of a private network that encompasses links across shared or public networks like the Internet. Enable to send data between two computers across a shared or

942 views • 19 slides
Incorporating P2P Networks in Service Provider Infrastructure Alberto Leon-Garcia & Shad

Incorporating P2P Networks in Service Provider Infrastructure Alberto Leon-Garcia & Shad

Incorporating P2P Networks in Service Provider Infrastructure Alberto Leon-Garcia & Shad Sharma University of Toronto Why P2P for Service Providers? Virtual distributed servers Autonomous execution of applications on commodity

99 views • 7 slides
Large BGP Communities David Freedman david.freedman@uk.clara.net Claranet 19/01/2017 UKNOF36,

Large BGP Communities David Freedman david.freedman@uk.clara.net Claranet 19/01/2017 UKNOF36,

Large BGP Communities David Freedman david.freedman@uk.clara.net Claranet 19/01/2017 UKNOF36, London 1 In brief. BGP Communities Attribute (RFC 1997, Aug 1996) Designed for Internet Broad support in BGP implementations. 32

429 views • 9 slides
BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large

BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large

BGP Large Communities: a new BGP Routing Heuristic Montevideo, Uy | 21/09/2017 BGP Large Communities: a new BGP Routing Heuristic Lucenildo Aquino Jnior Agenda BGP Communities BGP Extended Communities BGP Large Communities

549 views • 26 slides
Finding library subroutines in stripped statically-linked binaries findmagic Katharina Bogad

Finding library subroutines in stripped statically-linked binaries findmagic Katharina Bogad

Finding library subroutines in stripped statically-linked binaries findmagic Katharina Bogad Technische Universitt Mnchen Computer Science Department SS 2015 January 18, 2017 K. Bogad findmagic SS 2015 January 18, 2017 1 / 39

1.15k views • 58 slides
Multimedia Communications Spring 2006-07 Session Level Advances (SDP RFC 2327, SAP, SIP

Multimedia Communications Spring 2006-07 Session Level Advances (SDP RFC 2327, SAP, SIP

CS 584 / CMPE 584 Multimedia Communications Spring 2006-07 Session Level Advances (SDP RFC 2327, SAP, SIP RFC 2543) Shahab Baqai LUMS SDP In the context of a multimedia multicast Internet, a session directory tool is used to:

609 views • 49 slides
Faster and still safe: Combining screening techniques and structured dictionaries to accelerate

Faster and still safe: Combining screening techniques and structured dictionaries to accelerate

Faster and still safe: Combining screening techniques and structured dictionaries to accelerate the Lasso Cssio F. DANTAS, Rmi GRIBONVAL cassio.fraga-dantas@inria.fr, remi.gribonval@inria.fr 1 - 03/04/18 Accelerate the Lasso

664 views • 54 slides
Modular Certification Research Activities John Rushby Computer Science Laboratory SRI

Modular Certification Research Activities John Rushby Computer Science Laboratory SRI

Modular Certification Research Activities John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Mod Cert Research: 1 Overview Modular certification: what is it? Research activities and

602 views • 38 slides
Efficiently Enforcing Strong Memory Ordering in GPUs Abhayendra Singh* , Shaizeen Aga, Satish

Efficiently Enforcing Strong Memory Ordering in GPUs Abhayendra Singh* , Shaizeen Aga, Satish

Efficiently Enforcing Strong Memory Ordering in GPUs Abhayendra Singh* , Shaizeen Aga, Satish Narayanasamy Google, University of Michigan, Ann Arbor Dec 9, 2015 University of Michigan Electrical Engineering and Computer Science *author

749 views • 52 slides
On the Need for Extended Transactional Models@Run.Time Presented at

On the Need for Extended Transactional Models@Run.Time Presented at

On the Need for Extended Transactional Models@Run.Time Presented at MRT 2015, Ottawa, Canada Mahdi Derakhshanmanesh 1 , Marvin Grieger 2 and Jrgen Ebert 1 {manesh,

1.15k views • 88 slides

More recommend