Gary Malkin Presentation


Dial-in Virtual Private Networking
Using Layer 3 Tunneling
Gary Malkin
Bay Networks
Internet Telecom Business Group
Bay DVPN 0698 1
Overview
DVPN Topology
[Diagram: a Dial-in User reaches the Service Provider IP Network; a Dial-in Router connects it to several Subscriber Networks]
Overview
Encapsulation & Tunneling
[Diagram: three frame layouts, listed here from the outermost header inwards]
– PPP frame on the dial-in link: PPP | IP | user data
– Tunneled frame crossing the provider network: MAC | IP | GRE | IP | user data
– Frame delivered on the subscriber LAN: MAC | IP | user data
Overview
Provisioning
• Provisioning information for BayDVS
– Tunnel protocol and endpoint
– Gateway address and path to Subscriber Site
– Authentication protocol and server address
– Dynamic Address Assignment protocol and server address
– Tunnel authentication protocol and key
• Operational information and statistics
Tunneling Models
• Tunneling From Provider to Customer
• Tunneling Within Provider’s Network
• Tunneling From PC to Customer’s Network
• Tunneling From PC to Provider’s Network
Tunneling Model Provider to Subscriber
[Diagram: Remote Client dials into the RAC (Tunnel Endpoint) in the Service Provider Network; the tunnel terminates on a Router (Tunnel Endpoint) in the Subscriber Network]
Tunneling Model Within Provider’s Network
[Diagram: Remote Client dials into the RAC (Tunnel Endpoint); the tunnel terminates on a Router (Tunnel Endpoint) that is also inside the Service Provider Network, which reaches the Subscriber Network through a CPE Router]
Tunneling Model PC to Subscriber
[Diagram: Remote Client (Tunnel Endpoint) dials into the RAC and tunnels across the Service Provider Network to a Router (Tunnel Endpoint) in the Subscriber Network]
Tunneling Model PC to Provider’s Network
[Diagram: Remote Client (Tunnel Endpoint) dials into the RAC and tunnels to a Router (Tunnel Endpoint) inside the Service Provider Network, which reaches the Subscriber Network through a CPE Router]
BayDVS
• Description
• Topology
• Operation Algorithm
• Security
BayDVS
Description
• Mobile IP based tunneling solution
• Requires only IP/PPP on Remote Node
• No requirements for Customer Premise Equipment
• Provides addressing and routing isolation
• Allows authentication by Service Provider or Subscriber
• Allows address assignment by Service Provider or Subscriber
BayDVS
Topology
[Diagram: a Dial-in User reaches the RAS (Remote Access Server) in the Service Provider IP Network, which also hosts the TMS (Tunnel Management System) and GW (Gateway); the Gateway connects over Frame Relay to the Subscriber Network, where the CPE, AS (Authentication Server) and DHCP server sit]
BayDVS
Operation Algorithm
[Sequence diagram; participants left to right: Remote Node, Remote Access Server, Tunnel Management System, Authentication Server, Gateway, DHCP Server, Local Node. Messages in the order drawn:]
Connect
– LCP negotiation
– CHAP initiation
– Auth/info request
– Grant w/info
– MIP auth request
– Auth request
– Grant w/info
– MIP auth response
– MIP DAA request
– DHCP discover/request
– DHCP response/ack
– MIP DAA response
– MIP registration request
– MIP registration response
– CHAP completion
– NCP negotiation
OPEN COMMUNICATION
Disconnect
– MIP terminate request
– MIP terminate response
– Terminate message
BayDVS
Operation Algorithm - Authentication
[Sequence diagram; participants: Remote Access Server, Tunnel Management System, Authentication Server, Gateway. Messages in the order drawn:]
– Auth/info request
– Grant w/info
– MIP authentication request
– Auth request
– Grant w/info
– MIP authentication response
• RAS acquires provisioned information for User’s Subscriber
• RAS authenticates user with Subscriber’s Authentication Server
BayDVS
Operation Algorithm - Dynamic Addressing
[Sequence diagram; participants: Remote Access Server, DHCP Server, Gateway. Messages in the order drawn:]
– MIP DAA request
– DHCP discover
– DHCP response
– MIP DAA response
– MIP DAA request
– DHCP request
– DHCP ack
– MIP DAA response
• RAS “discovers” DHCP server in Subscriber site
• RAS requests IP address from DHCP server
BayDVS
Security
• CHAP or PAP user authentication
• User authentication managed by provider or subscriber
• MD-5 authentication of tunnel establishment
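The “MD-5 authentication of tunnel establishment” on this slide is Mobile IP’s registration authentication; the deck does not show the mechanism, so this is an added example (not Bay Networks’ code) following the RFC 2002 default of keyed MD5 in prefix+suffix mode over the Registration Request. The addresses, SPI, shared key and the strictly increasing Identification rule used for replay detection are constructed assumptions.

```python
import hashlib
import hmac
import struct

REG_REQUEST = 1        # RFC 2002 Registration Request type
MH_AUTH_EXT = 32       # Mobile-Home Authentication Extension type
AUTH_LEN = 16          # MD5 digest length in bytes

def build_request(home_addr, home_agent, care_of, lifetime, identification):
    """Fixed part of a Registration Request: type, flags, lifetime, 3 IPv4 addrs, 64-bit ID."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0, lifetime,
                       home_addr, home_agent, care_of, identification)

def authenticate(request, spi, key):
    """Append the auth extension; digest covers request + ext Type/Length/SPI (RFC 2002)."""
    ext_head = struct.pack("!BBI", MH_AUTH_EXT, 4 + AUTH_LEN, spi)
    digest = hashlib.md5(key + request + ext_head + key).digest()   # prefix+suffix keying
    return request + ext_head + digest

class Verifier:
    """Receiving tunnel endpoint: checks the authenticator, then rejects any Identification
    not greater than the last one accepted for that SPI (simplified, constructed replay rule)."""
    def __init__(self, keys):
        self.keys = keys          # SPI -> shared secret, provisioned out of band
        self.last_id = {}         # SPI -> highest Identification accepted so far

    def check(self, packet):
        body, ext_head, digest = packet[:-22], packet[-22:-16], packet[-16:]
        ext_type, ext_len, spi = struct.unpack("!BBI", ext_head)
        if ext_type != MH_AUTH_EXT or ext_len != 4 + AUTH_LEN or spi not in self.keys:
            return "reject: bad extension or unknown SPI"
        key = self.keys[spi]
        expected = hashlib.md5(key + body + ext_head + key).digest()
        if not hmac.compare_digest(expected, digest):   # constant-time comparison
            return "reject: authenticator mismatch"
        identification = struct.unpack("!Q", body[-8:])[0]
        if identification <= self.last_id.get(spi, -1):
            return "reject: replayed identification"
        self.last_id[spi] = identification
        return "accept"

if __name__ == "__main__":
    # Constructed values: addresses, SPI and key are illustrative only.
    key = b"constructed-shared-secret"
    gateway = Verifier({0x100: key})
    req = build_request(b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x0a", 300, 1001)
    pkt = authenticate(req, 0x100, key)
    print(gateway.check(pkt))        # accept
    print(gateway.check(pkt))        # reject: replayed identification
```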
Comparison of L2TP and BayDVS
• Scaling and Performance
– BayDVS Payload Packet: IP (20 bytes) | GRE (8 bytes) | IP Payload
– L2TP Payload Packet: IP (20 bytes) | UDP (8 bytes) | L2TP (12 bytes) | PPP Frame | IP Payload
• Interoperability
• Subscriber Requirements
• End-to-End (between RC and LNS) Encryption and Compression
• Address and Routing Isolation