Virtual Private Networks - PowerPoint PPT Presentation

About This Presentation

Title: Virtual Private Networks
Slides: 19
Provided by: Lau4155

Transcript and Presenter's Notes

1
Virtual Private Networks
2
Private Networks
  • How to provide secure access between members of
    an organization who are scattered around the
    world?
  • Traditionally, companies use leased phone lines
    to interconnect their offices (thus forming their
    own private networks)
  • Leased phone lines, however, can be expensive,
    and prohibitive if the company has offices in
    different countries
  • Nowadays, Frame Relay permanent virtual
    circuits (PVCs) over T1 lines are a popular choice

3
Private Network Example
4
Points of Presence
  • Private networks also have trouble with their
    traveling salespeople: if the salesperson
    doesn't happen to be near one of the corporate
    computers, he or she has to dial into the
    corporation's modem long-distance
  • A virtual private network (VPN) is a way to
    simulate a private network over a public network,
    such as the Internet
  • Because the Internet is present everywhere, the
    traveling salesperson can easily connect back to
    the corporate computers

5
VPN
  • A VPN has the appearance and many of the
    advantages of a dedicated link
  • A VPN can be created using software, hardware, or
    a combination of the two that creates a secure
    link between peers over a public network
  • Techniques used are encryption, authentication,
    packet tunneling, and firewalls
  • Using the Internet for remote access saves a lot
    of money

6
Tunneling through the Internet
7
An Example
8
Intranet and Extranet
  • VPNs can be used to expand the reach of an
    intranet
  • An intranet is a private network that is
    contained within an enterprise; it uses TCP/IP,
    HTTP, and other Internet protocols and in general
    looks like a private version of the Internet
  • Say you want far-flung offices to share data or
    remote users to connect to your intranet,
    securely
  • This type of connection creates an extranet
  • An extranet can be viewed as part of a company's
    intranet that is extended to users outside the
    company
  • An extranet requires security and privacy

9
VPN Technologies
  • VPNs give you flexibility, and allow practically
    any corporate network service to be used securely
    across the Internet
  • Technologies that VPNs use to protect data
    traveling across the Internet: firewalls,
    authentication, encryption, and tunneling
  • A VPN provides routing and an address space
    separate from those of the host network

10
Tunneling
  • Using tunneling, data packets are transmitted
    across a public routed network, such as the
    Internet or other commercially available network,
    in a private tunnel that simulates a
    point-to-point connection
  • Allows network protocols to traverse incompatible
    infrastructures
  • Enables traffic from many sources to be
    differentiated, so that it can be directed to
    specific destinations and receive specific levels
    of service

11
Encapsulation
  • Tunneling allows you to encapsulate a packet
    within another packet to accommodate incompatible
    protocols
  • For example, tunneling can be used to send IPX
    packets over the Internet so that a user can
    connect to an IPX-only Novell server remotely
  • Encapsulating an IP packet within another IP
    packet lets you send packets with arbitrary
    source and destination addresses across the
    Internet, carried inside a packet that has
    Internet-routable source and destination
    addresses
  • Result: you can use the reserved (not
    Internet-routable) IP address space for private
    networks on your LAN
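The IP-in-IP case on this slide, worked through as an added example (illustration code written for this page, not from the presentation): an inner packet with private (RFC 1918) addresses is wrapped in an outer IPv4 header carrying Internet-routable addresses and protocol number 4 (IP-in-IP), then unwrapped at the far tunnel endpoint. The function names, the constructed addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24 for the tunnel ends) and the sample payload are my own. The decapsulating side checks the header checksum, the protocol number and the peer address; note that plain IP-in-IP has no authentication, so that address check is only a sanity filter, which is why the slides pair tunneling with encryption and authentication.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int = 0, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL 5 words
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0, ttl,
                      proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) after validating version, lengths and checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _, total_len, _, _, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if checksum(packet[:ihl]) != 0:         # a correct header sums to zero
        raise ValueError("bad header checksum")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, packet[ihl:total_len])


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a whole IP packet in an outer header with Internet-routable addresses.

    Transit routers only ever look at the outer header, so the inner
    private addresses are never consulted on the public network.
    """
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes, expected_peer: str = None) -> bytes:
    """At the tunnel endpoint: validate the outer packet and return the inner one."""
    src, _dst, proto, payload = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError(f"not an IP-in-IP packet (protocol {proto})")
    if expected_peer is not None and src != expected_peer:
        # address-based only; spoofable, hence IPSec in real deployments
        raise ValueError(f"tunnel packet from unexpected peer {src}")
    parse_ipv4(payload)                     # the inner header must be sane too
    return payload


def is_valid_tunnel_packet(outer: bytes, expected_peer: str = None) -> bool:
    """Boolean wrapper around decapsulate() for filtering at the endpoint."""
    try:
        decapsulate(outer, expected_peer)
        return True
    except ValueError:
        return False


def demo():
    # Constructed sample: a private-address packet from a branch office LAN
    inner_payload = b"hello from the branch office"
    inner = ipv4_header("10.1.2.3", "10.9.8.7", IPPROTO_UDP, len(inner_payload)) + inner_payload
    outer = encapsulate(inner, "198.51.100.10", "203.0.113.20")
    return inner, outer


if __name__ == "__main__":
    inner, outer = demo()
    print("outer header:", parse_ipv4(outer)[:3])
    print("inner header:", parse_ipv4(decapsulate(outer, "198.51.100.10"))[:3])
```

The outer packet is exactly 20 bytes longer than the inner one; a tampered outer header fails the checksum check and a packet that is not protocol 4 is rejected before the inner header is ever parsed.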

12
Layer 2 Tunneling
  • Encapsulate common network protocols (IPX,
    AppleTalk, etc.) inside PPP and then encapsulate
    the entire package inside a tunneling protocol
    (e.g., L2TP)
  • Called Layer 2 tunneling since the passenger is
    a Layer 2 protocol

13
Layer 2 Tunneling (contd)
  • The previous example would be for the case of a
    remote access VPN
  • Where the remote access client is sending a
    stream of PPP packets to a remote access server
  • The effect of VPNs is like that of pulling a
    serial cable across a WAN cloud
  • Microsoft's Point-to-Point Tunneling Protocol
    (PPTP), which is bundled with Windows 95/98 and
    Windows NT, is the most widely used protocol for
    VPNs

14
Layer 3 Tunneling
  • Alternatively, network protocols can be
    encapsulated directly into a tunneling protocol
    such as 3Com's Virtual Tunneling Protocol (VTP)
  • This approach is called Layer 3 tunneling since
    the passenger is a Layer 3 protocol

15
Overlay Model
  • Each site has a router that is connected with
    point-to-point links to other routers in the VPN
  • The routers are connected over ATM or Frame
    Relay, but see the connections as a leased line
  • Customer must build its own backbone
  • Inefficient routing, since destinations are hidden
    from the service provider
  • Use Generic Routing Encapsulation (GRE) or IPSec to
    provide a tunnel to anywhere
  • Little QoS except for Diffserv

16
Peer Model
  • Supports larger-scale VPNs
  • Requires little customer expertise
  • Low cost
  • Customer router is a peer of the network
    infrastructure router
  • Constrained distribution of routing information:
    a BGP community attribute is attached to each
    advertised route
  • Only export routes to a customer router with the
    same community attribute
  • Multiple forwarding tables, one per VPN

17
Unique Addresses
  • BGP expects unique addresses
  • A new Route Distinguisher is added to give each
    VPN unique addresses
  • VPN-IP addresses are only carried in routing
    protocols, not in data packets
  • Packet forwarding is handled by MPLS

18
MPLS
  • Bind LSPs to VPN-IP addresses
  • The Provider Edge (PE) router looks up the IP
    address in the forwarding table defined by the
    Customer Edge (CE) connection
  • Attaches the correct MPLS shim header
  • Example: 200 routers supporting 10000 VPNs, each
    VPN with 100 routes. Without MPLS, each P router
    would need 10000 × 100 = 1,000,000 routes; with
    MPLS each P router only needs 200 routes.
  • Only PE routers maintain information about the
    VPNs directly connected to them
  • Label switching is more secure since packets can't
    be injected except through a CE
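The peer model of slides 16 to 18, as one added Python model covering community-based export, the Route Distinguisher, the per-VPN forwarding tables and the label lookup at the PE. This is illustration code written for this page, not from the presentation or any router vendor; the class and function names, the interface names and the sample routes are constructed. Real BGP/MPLS VPNs (RFC 4364) carry route-target extended communities and per-VRF labels with more machinery than this, but the logic below is the slides' argument in executable form: two customers can both use 10.1.0.0/16, a CE only ever receives routes carrying its own community, and a packet arriving on an interface that is not bound to a VRF has no table to be looked up in.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str          # Route Distinguisher, e.g. "65000:1" (constructed)
    prefix: str      # customer prefix; may overlap between VPNs
    community: str   # BGP community that controls export to CEs
    label: int       # MPLS label the PE binds to this route

    @property
    def vpn_ip(self) -> str:
        # VPN-IP address: the RD prepended to the prefix makes it unique
        return f"{self.rd}:{self.prefix}"


def build_bgp_table(routes: List[VpnRoute]) -> Dict[str, VpnRoute]:
    """Provider BGP table keyed by VPN-IP address, not by bare prefix."""
    table: Dict[str, VpnRoute] = {}
    for r in routes:
        if r.vpn_ip in table:
            raise ValueError(f"duplicate VPN-IP address {r.vpn_ip}")
        table[r.vpn_ip] = r
    return table


def export_routes(bgp_table: Dict[str, VpnRoute], community: str) -> List[str]:
    """Constrained distribution: a CE only sees routes carrying its community."""
    return sorted(r.prefix for r in bgp_table.values() if r.community == community)


@dataclass
class ProviderEdge:
    interface_vrf: Dict[str, str]    # CE-facing interface -> VRF name
    vrf_community: Dict[str, str]    # VRF name -> community it imports
    vrf_tables: Dict[str, List[VpnRoute]] = field(default_factory=dict)

    def install(self, bgp_table: Dict[str, VpnRoute]) -> None:
        """One forwarding table per VPN, populated only with that VPN's routes."""
        for vrf, community in self.vrf_community.items():
            self.vrf_tables[vrf] = [r for r in bgp_table.values()
                                    if r.community == community]

    def forward(self, ingress_iface: str, dst: str) -> Optional[Tuple[int, str]]:
        """Pick the VRF from the CE connection, longest-prefix match, return the label."""
        vrf = self.interface_vrf.get(ingress_iface)
        if vrf is None:
            return None                     # not a CE connection: nothing to inject into
        addr = ipaddress.ip_address(dst)
        best: Optional[VpnRoute] = None
        for r in self.vrf_tables.get(vrf, []):
            net = ipaddress.ip_network(r.prefix)
            if addr in net and (best is None or
                                net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
                best = r
        if best is None:
            return None
        return best.label, best.vpn_ip      # the label is the "MPLS shim" to attach


def p_router_routes(num_vpns: int, routes_per_vpn: int,
                    num_routers: int, with_mpls: bool) -> int:
    """Slide 18's arithmetic: core (P) router table size with and without MPLS."""
    return num_routers if with_mpls else num_vpns * routes_per_vpn


# Constructed sample: two customers ("red" and "blue") both using 10.1.0.0/16
SAMPLE_ROUTES = [
    VpnRoute("65000:1", "10.1.0.0/16", "65000:100", 1001),
    VpnRoute("65000:1", "10.1.5.0/24", "65000:100", 1002),
    VpnRoute("65000:2", "10.1.0.0/16", "65000:200", 2001),
]


def demo():
    bgp = build_bgp_table(SAMPLE_ROUTES)
    pe = ProviderEdge(interface_vrf={"ge-0/0/1": "red", "ge-0/0/2": "blue"},
                      vrf_community={"red": "65000:100", "blue": "65000:200"})
    pe.install(bgp)
    return bgp, pe


if __name__ == "__main__":
    bgp, pe = demo()
    print("exported to blue CE:", export_routes(bgp, "65000:200"))
    print("red  10.1.5.7 ->", pe.forward("ge-0/0/1", "10.1.5.7"))
    print("blue 10.1.5.7 ->", pe.forward("ge-0/0/2", "10.1.5.7"))
    print("unbound iface ->", pe.forward("ge-0/0/9", "10.1.5.7"))
```

Keying the BGP table by bare prefix would collapse the two 10.1.0.0/16 entries into one; keying by VPN-IP keeps three distinct routes, and the same destination address resolves to a different label depending on which CE interface the packet came in on.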