Virtual Router VPN Architecture


Network based IP VPN Architecture
using Virtual Routers
Jessica Yu
CoSine Communications, Inc.
Feb. 19th, 2001
Objectives

- Enable service providers to offer value-added VPN services in a scalable manner
- Scale to a large number of VPN customers w.r.t.
  - Router resources
  - Operation and management
- Utilize existing protocols and tools
- Provide:
  - separation of VPNs serviced by the same provider
  - separation of VPNs and the provider network
  - security using standard mechanisms
Virtual Router Concept

[Figure: two panels, "VPN Without VR" and "VPN With VR". Both show the provider's network of P and PE routers with CE routers at the customer sites; in the "VPN With VR" panel each PE hosts several VRs.]
Virtual Router Definition

- A virtual router (VR) is an emulation of a physical router at the software and hardware levels
- VRs have independent IP routing and forwarding tables, and they are isolated from each other
- Two main functions
  - Constructing routing using any routing technology
  - Forwarding packets to the next hops within the VPN domain
- From the VPN user's point of view, a virtual router provides the same functionality as a physical router
VPN Built with VRs

[Figure: VPN-1 sites and VPN-2 sites attached to two edges of the SP network; each edge hosts VR-1 (VPN-1) and VR-2 (VPN-2) behind a single SPVR.]

Connecting multiple VRs to the provider network through the use of a single VR, "the provider virtual router" (SPVR)
VPN Basic Building Blocks

- Membership
  - VRs belonging to the same VPN share the same VPN-ID
- Tunnel
  - VR to VR tunnel, a point-to-point link from each VR's view
  - Tunnel mechanisms can be IPsec, GRE, IPinIP or MPLS, etc.
- Tunnel type
  - Per-VPN tunnel (originating at the VR), or
  - aggregated two-level tunnel (originating at the SPVR)
- Routing
  - Independent from SP backbone routing
  - Each VPN can have its own choice of routing protocols
VPN Establishment with VRs

- Like all VPN implementation mechanisms, membership information needs to be disseminated
- In the VR model, membership information can be distributed with the following mechanisms:
  - Manual configuration
  - Directory-based mechanism
  - Utilize a routing protocol
    - BGP auto-discovery
Inter-domain VPN Support

- With the VR model, the mechanisms for multi-domain VPNs remain the same as for single-domain VPNs
- Main requirements
  - Providers support a common tunnel mechanism
  - The ability to assign unambiguous VPN identification across the domains
Inter-domain VPN Support

[Figure: VPN-1 and VPN-2 sites attached to three SP networks; each SP network edge hosts VR-1 and VR-2 behind its own SPVR.]
Extranet Support

- Two or more corporations have network access to a limited amount of each other's corporate data
- It is a matter of controlling who can access what data, i.e. a policy decision
- The VR model supports extranets by allowing two or more VRs to connect to each other with policy control over the data flow
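The building blocks from the earlier slide (VPN-ID membership, VR-to-VR tunnels seen as point-to-point links, a routing table per VR) and the policy-controlled extranet link above can be modelled directly. The Python below is an added illustration written for this transcript; it is not code from the slides, from the referenced draft, or from CoSine. The VR names, VPN-IDs, prefixes and site names are constructed, and the toy "tunnel" is just a reference between two VR objects rather than IPsec, GRE, IPinIP or MPLS encapsulation. It goes one step beyond the slides by giving both VPNs the same private address block, which makes the isolation of the per-VR tables visible: the same destination address is delivered to a different site depending on which VR forwards it.

```python
"""Toy model of virtual routers (VRs): per-VR forwarding tables, VPN-ID
membership checks on tunnel setup, and policy-filtered extranet links.
Added example; not the slides' or CoSine's code. All names are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class MembershipMismatch(Exception):
    """Raised when a VR-to-VR tunnel is requested between different VPN-IDs."""


class PolicyViolation(Exception):
    """Raised when traffic crosses an extranet link outside the agreed prefixes."""


@dataclass
class VirtualRouter:
    name: str
    vpn_id: str
    # Independent routing/forwarding table: prefix -> next hop.
    # A next hop is either a customer site name or the name of a tunnel peer VR.
    routes: Dict[ipaddress.IPv4Network, str] = field(default_factory=dict)
    tunnels: Dict[str, "VirtualRouter"] = field(default_factory=dict)
    # Extranet policy: peer VR name -> prefixes this VR may send towards that peer.
    extranet: Dict[str, Set[ipaddress.IPv4Network]] = field(default_factory=dict)

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match in this VR's own table only; other VRs' tables are invisible."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None


def establish_tunnel(a: VirtualRouter, b: VirtualRouter) -> None:
    """Membership: only VRs sharing a VPN-ID may be joined by a VR-to-VR tunnel.
    From each VR's view the tunnel is a point-to-point link to the peer."""
    if a.vpn_id != b.vpn_id:
        raise MembershipMismatch(f"{a.name} ({a.vpn_id}) vs {b.name} ({b.vpn_id})")
    a.tunnels[b.name] = b
    b.tunnels[a.name] = a


def establish_extranet(a: VirtualRouter, b: VirtualRouter,
                       a_to_b: List[str], b_to_a: List[str]) -> None:
    """Extranet: link two VRs of different VPNs but permit only the listed prefixes
    in each direction. The permitted prefixes are installed as routes, so each side
    learns exactly what the policy allows and nothing else."""
    a.tunnels[b.name] = b
    b.tunnels[a.name] = a
    a.extranet[b.name] = {ipaddress.ip_network(p) for p in a_to_b}
    b.extranet[a.name] = {ipaddress.ip_network(p) for p in b_to_a}
    for p in a_to_b:
        a.add_route(p, b.name)
    for p in b_to_a:
        b.add_route(p, a.name)


def forward(vr: VirtualRouter, dst: str, max_hops: int = 8) -> Optional[List[str]]:
    """Forward a packet hop by hop; returns the path of VR/site names, or None if dropped."""
    path = [vr.name]
    addr = ipaddress.ip_address(dst)
    for _ in range(max_hops):
        nh = vr.lookup(dst)
        if nh is None:
            return None                      # no route in this VR's table: drop
        path.append(nh)
        if nh not in vr.tunnels:
            return path                      # delivered to a directly attached site
        peer = vr.tunnels[nh]
        # Crossing an extranet link: enforce the policy even if a route was misconfigured.
        if peer.name in vr.extranet and not any(addr in p for p in vr.extranet[peer.name]):
            raise PolicyViolation(f"{vr.name} -> {peer.name}: {dst} not permitted")
        vr = peer
    return None


def build_demo() -> Dict[str, VirtualRouter]:
    """Constructed topology: VPN-1 and VPN-2 each have a VR on PE-A and PE-B,
    and both number their remote site from the same 10.1.0.0/16 block."""
    vr1a, vr1b = VirtualRouter("VR-1a", "VPN-1"), VirtualRouter("VR-1b", "VPN-1")
    vr2a, vr2b = VirtualRouter("VR-2a", "VPN-2"), VirtualRouter("VR-2b", "VPN-2")
    establish_tunnel(vr1a, vr1b)
    establish_tunnel(vr2a, vr2b)
    vr1a.add_route("10.1.0.0/16", "VR-1b"); vr1b.add_route("10.1.0.0/16", "site-B1")
    vr2a.add_route("10.1.0.0/16", "VR-2b"); vr2b.add_route("10.1.0.0/16", "site-B2")
    # VPN-2 exposes one server subnet to VPN-1 over a one-way extranet link.
    vr2a.add_route("192.168.50.0/24", "site-A2")
    establish_extranet(vr1a, vr2a, a_to_b=["192.168.50.0/24"], b_to_a=[])
    return {"VR-1a": vr1a, "VR-1b": vr1b, "VR-2a": vr2a, "VR-2b": vr2b}


if __name__ == "__main__":
    vrs = build_demo()
    for name, dst in (("VR-1a", "10.1.5.9"), ("VR-2a", "10.1.5.9"), ("VR-1a", "192.168.50.7")):
        print(name, dst, "->", forward(vrs[name], dst))
```

Running the module shows the same address 10.1.5.9 reaching site-B1 from VR-1a and site-B2 from VR-2a, the VPN-1 side reaching only the exported 192.168.50.0/24 of VPN-2, and a tunnel request between VR-1a and VR-2b rejected on VPN-ID mismatch. The policy check in `forward` is deliberately separate from the route installation so that an operator error (a route pointing at the extranet peer for a prefix outside the agreement) is caught at forwarding time instead of silently leaking traffic.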
VR VPN Properties

- VPNs built with VRs follow the overlay model
- The provider routers (P) are VPN unaware – scalable
- Routing for each VPN is the same as regular network routing
- The choice of backbone protocols is not constrained by the VPNs, and vice versa
- No protocol modifications needed
- No tool (debugging, management, etc.) modifications needed
- Deployment will not impact normal operation of the provider network
Scalability

- Only PEs handle VPN-type information; other provider routers are VPN unaware
- Establishment and reconfiguration can use directory-based tools and BGP auto-discovery – no manual configuration is necessary
Deployment Status

- A number of SPs have already deployed VPNs implemented with the VR model in their networks and are providing network-based VPN service
Reference

ftp://ftp.ietf.org/internet-drafts/draft-oluldbrahim-vpn-vr02.txt