CPE-based VPNs

Download Report

Transcript CPE-based VPNs

CPE-based VPNs
Hans De Neve
Alcatel
Network Strategy Group
All rights reserved © 2000, Alcatel — 1
Customer Premises Equipment
based
Virtual Private Networks

Global VPN requirements

Deployment View


What sort of connectivity does it provide ?
Technology View


What does a typical CPE VPN look like ?
Network View


Contents
What are the underlying technologies ?
Differentiation and Success Factors

Where are the factors today, what will they be in future ?
All rights reserved © 2000, Alcatel — 2
Customer Premises Equipment
based
Virtual Private Networks


Global VPN requirements
Connectivity

IP connectivity between geographically dislocated sites using
private addressing

transparent to underlying shared infrastructure

=> tunnelling mechanism
Security

data privacy (e.g. encryption)

authentication and integrity

Scalability

Management

...
All rights reserved © 2000, Alcatel — 3
Customer Premises Equipment
based
Virtual Private Networks


Proposed Technology :
IPsec
IP security offers

tunnelling (forwarding in shared internet is normal IP
forwarding)

authentication and integrity

cryptographic encryption
IPsec can be used with IKE

IKE = Security Association negotiation and Key
Exchange Protocol
All rights reserved © 2000, Alcatel — 4
Customer Premises Equipment
based
Virtual Private Networks
Corp.
server
CPE VPN Deployment View
Branch Office
Headquarters
Finance
server
Policy
manager
VPN
gateway
Policy
manager
LAN-based
VPN client
VPN
gateway
Dial-up
VPN clients
ASP Data
center
Internet
Uplink
PVC 256k
256K
128K
Domestic
Sales
International
Dial-up
Sales
VPN clients
512K
512K
Web
Surfers
VPN
gateway
VPN
Site-Site
LAN-based
VPN client
Customer
Business
Partner
All rights reserved © 2000, Alcatel — 5
Customer Premises Equipment
based
Virtual Private Networks
CPE VPN Network View
new IP header IPsec header IP header
IP header
IP data
IP data
possibly encrypted
IPSEC Connectivity
IP routing / MPLS Traffic Engineering
CPE
L2 Access
Network
L3 Access
+
Distribution
+
L3 Edge
Service
Provider
Network
L3 Access
+
Distribution
+
L3 Edge
L2 Access
Network
CPE
All rights reserved © 2000, Alcatel — 6
CPE VPN
Network Topologies
Customer Premises Equipment
based
Virtual Private Networks
HUB and SPOKE topology
Site 2
Site 1
Internet
Site 3
Site 4
IPsec tunnel
All rights reserved © 2000, Alcatel — 7
CPE VPN
Network Topologies
Customer Premises Equipment
based
Virtual Private Networks
Full Mesh topology
Site 2
Site 1
Internet
Site 3
Site 4
IPsec tunnel
All rights reserved © 2000, Alcatel — 8
Customer Premises Equipment
based
Virtual Private Networks
CPE VPN - Dial up VPN Client
IP over PPP
Option 1
L2TP
CPE
L2 Access
Network
L3 Access
+
Distribution
+
L3 Edge
Service
Provider
Network
L3 Access
+
Distribution
+
L3 Edge
L2 Access
Network
Dial Up
Client
IP over PPP
IP
Option 2
IPSEC
All rights reserved © 2000, Alcatel — 9
Customer Premises Equipment
based
Virtual Private Networks


CPE VPN
Gateway Technologies
IKE Daemons

Phase I, Phase II negotiations to generate/update IPSEC keys and
setting up of Security Associations (IPsec tunnels)

Use of certificates v/s shared secret for authentication

Proposal exchange and agreement, exchange of proxy ids
IPSEC Drivers

Handling of IP packets based on IP header and proxy ids

Encryption using IKE negotiated keys and encryption algorithm

Encapsulation of IP packets using IPSEC headers
All rights reserved © 2000, Alcatel — 10
Customer Premises Equipment
based
Virtual Private Networks Differentiation



CPE VPN Gateway
& Success Factors - Today
Number of concurrent IPSEC tunnels supported

Maps to memory and CPU required to maintain state for tunnels

Critical for dial up scenarios and large number of branch offices

Critical for multi tenant MAN service networks
Throughput over the IPSEC tunnels

Maps to encryption/decryption speeds of the CPU/ASIC

Critical for the HUB site or in case of gigabit campus networks

Critical for gigabit IP access service networks
Restoration of tunnels in case of VPN gateway failure
All rights reserved © 2000, Alcatel — 11
Customer Premises Equipment
based
Virtual Private Networks Differentiation


CPE VPN Gateway
& Success Factors - Future
Enterprise market as a pure IP overlay VPN solution

Number of IPSEC tunnels, throughput over IPSEC tunnels, recovery

Dynamic membership of sites to a VPN for Site-Site VPNs

Integration with PKI infrastructure, AAA for VPN Clients
Carrier/Service Provider market as a vehicle for IPVPN services

Integration of configuration with service provisioning solutions

Integration with IPVPN service functionality such as Firewall, QoS

Integration with data collection for services (assurance + billing)
All rights reserved © 2000, Alcatel — 12
Customer Premises Equipment
based
Virtual Private Networks
CPE IPVPN
Vehicle for IPVPN Services
Service provider management
Billing data
SLA info.
Installation
team
Network
team
Policy
server
Security
team
Policy
route
r
Internet
Web
serve
r
Corp.
serve
r
Policy
router
New York
Headquarters
Geneva
office
HR:



WW users
adds/changes
IS Dept:
US
security
policy
mgmt.
IS enterprise management
Policy
route
r

IS Dept:
Europe
security
policy mgmt.
Policy
route
r
Tokyo
office

IS Dept:
Asia security
policy mgmt.
All rights reserved © 2000, Alcatel — 13