Transcript PPT Version

Nested VPNs
Fred Baker
Model of a VPN network

Customer devices see end-to-end connectivity with peers in other customer networks and their own.

[Diagram: Customer – Customer Network – Customer]

The network is a maze of tunnels, at least in a sense. These could be literal tunnels or LSPs, but in any event data flows are encryptor -> decryptor by IP address.
Recursive Address Hiding

• Dynamic Tunnel Creation
  – Address prefixes within enclave invisible to network outside enclave
• Communication between enclave and interconnecting domain sharply limited for security reasons
  – Major concern with knowledge of enclave inner:outer address relationship
• Enclaves are recursive:
  – the “outside” network may itself be an enclave connected across another domain

[Diagram: Enclave networks – Connecting Network – Second Tier Connecting Network]
Preemption within an aggregate

• New call arrives at advanced priority
  – May result in new aggregate reservation for one call or increase in bandwidth of existing reservation
• RESV_ERROR message along routine aggregate
  – Instructs de-aggregator to reduce bandwidth
  – MLPP policy used to decide which customer call to change or drop
• New status
  – Lower priority aggregate at lower bandwidth or removed
  – New aggregate installed or increased
• Key implication:
  – Customer and network sides of VPN router have to exchange information
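The preemption sequence on this slide, as an added Python simulation that is not part of the original slides: a VPN router holds one aggregate reservation per MLPP precedence level (an assumption), a higher-precedence call arrives on a full link, and the router works out which lower-precedence calls the de-aggregator must drop before the new aggregate is installed. Precedence names, link capacity, call ids and bandwidths are constructed, and the drop-smallest-first rule stands in for whatever MLPP policy an operator would actually configure.

```python
from dataclasses import dataclass, field

# Constructed precedence scale, lowest first (assumption, not from the slides).
PRECEDENCE = ["routine", "priority", "immediate", "flash", "flash_override"]


@dataclass
class Call:
    call_id: str
    precedence: str
    bandwidth: int  # constructed units, e.g. kbit/s


@dataclass
class Aggregate:
    """One aggregate reservation per precedence level (assumption)."""
    precedence: str
    calls: list = field(default_factory=list)

    def bandwidth(self):
        return sum(c.bandwidth for c in self.calls)


class VpnRouter:
    def __init__(self, capacity):
        self.capacity = capacity
        self.aggregates = {p: Aggregate(p) for p in PRECEDENCE}

    def reserved(self):
        return sum(a.bandwidth() for a in self.aggregates.values())

    def admit(self, call):
        """Admit a call, preempting lower-precedence calls if the link is full.
        Returns (admitted, events); each event is the message the router would
        send and the resulting state of the affected aggregate."""
        shortfall = call.bandwidth - (self.capacity - self.reserved())
        victims = []
        # Candidate victims come only from aggregates below the new call's level.
        for p in PRECEDENCE[:PRECEDENCE.index(call.precedence)]:
            for c in sorted(self.aggregates[p].calls, key=lambda c: c.bandwidth):
                if shortfall <= 0:
                    break
                victims.append(c)
                shortfall -= c.bandwidth
        if shortfall > 0:
            return False, []  # nothing lower to preempt: reject, change nothing
        events = []
        for v in victims:  # RESV_ERROR tells the de-aggregator to shed this call
            agg = self.aggregates[v.precedence]
            agg.calls.remove(v)
            state = "removed" if not agg.calls else f"reduced to {agg.bandwidth()}"
            events.append(("RESV_ERROR", v.precedence, v.call_id, state))
        agg = self.aggregates[call.precedence]
        agg.calls.append(call)  # new aggregate installed or increased
        events.append(("RESV", call.precedence, call.call_id, f"aggregate {agg.bandwidth()}"))
        return True, events


def scenario():
    """Constructed run: a 256-unit link full of routine calls, then a flash call."""
    router = VpnRouter(capacity=256)
    for cid, bw in (("r1", 64), ("r2", 64), ("r3", 128)):
        router.admit(Call(cid, "routine", bw))
    admitted, events = router.admit(Call("f1", "flash", 100))
    return admitted, events, router
```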