CPE-based VPNs
Hans De Neve
Alcatel
Network Strategy Group
All rights reserved © 2000, Alcatel — 1
Customer Premises Equipment based Virtual Private Networks

Contents
Global VPN requirements
Deployment View: What sort of connectivity does it provide?
Technology View: What does a typical CPE VPN look like?
Network View: What are the underlying technologies?
Differentiation and Success Factors: Where are the factors today, what will they be in future?
Global VPN requirements
Connectivity
  IP connectivity between geographically dislocated sites using private addressing, transparent to the underlying shared infrastructure => tunnelling mechanism
Security
  data privacy (e.g. encryption)
  authentication and integrity
Scalability
Management
...
Proposed Technology: IPsec
IP security offers
  tunnelling (forwarding in the shared internet is normal IP forwarding)
  authentication and integrity
  cryptographic encryption
IPsec can be used with IKE
  IKE = Security Association negotiation and Key Exchange Protocol
CPE VPN Deployment View
[Diagram: Headquarters (corp. server, finance server, policy manager, VPN gateway) connected over the Internet to a Branch Office (policy manager, VPN gateway, LAN-based VPN client), an ASP data center (VPN gateway), Domestic Sales and International Sales dial-up VPN clients, web surfers, and a Customer / Business Partner site (LAN-based VPN client, site-site VPN); access links labelled uplink PVC 256k, 256K, 128K and 512K]
CPE VPN Network View
Original packet:   IP header | IP data
Tunnelled packet:  new IP header | IPsec header | IP header | IP data (possibly encrypted)
[Diagram: CPE - L2 Access Network - L3 Access + Distribution + L3 Edge - Service Provider Network - L3 Access + Distribution + L3 Edge - L2 Access Network - CPE; IPSEC connectivity spans CPE to CPE, carried over the provider's IP routing / MPLS Traffic Engineering]
CPE VPN Network Topologies
HUB and SPOKE topology
[Diagram: Site 1, Site 2, Site 3 and Site 4 around the Internet; an IPsec tunnel from each spoke site to the hub site]
CPE VPN Network Topologies
Full Mesh topology
[Diagram: Site 1, Site 2, Site 3 and Site 4 around the Internet; an IPsec tunnel between every pair of sites]
CPE VPN - Dial up VPN Client
[Diagram: Dial Up Client - L2 Access Network - L3 Access + Distribution + L3 Edge - Service Provider Network - L3 Access + Distribution + L3 Edge - L2 Access Network - CPE]
Option 1: IP over PPP, tunnelled in L2TP
Option 2: IP over PPP, IP tunnelled in IPSEC
CPE VPN Gateway Technologies
IKE Daemons
  Phase I, Phase II negotiations to generate/update IPSEC keys and set up Security Associations (IPsec tunnels)
  Use of certificates vs. shared secret for authentication
  Proposal exchange and agreement, exchange of proxy ids
IPSEC Drivers
  Handling of IP packets based on IP header and proxy ids
  Encryption using IKE-negotiated keys and encryption algorithm
  Encapsulation of IP packets using IPSEC headers
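As an added example that is not part of the presentation, the Python sketch below walks through the IPSEC driver steps listed above (matching a packet against the proxy ids negotiated in IKE phase II, then encapsulating it) and produces the tunnel-mode layout from the Network View slide: new IP header, IPsec (ESP) header, original IP header and data. The policy entry, addresses and SPI are constructed for the example; encryption and IP checksums are omitted so the byte layout stays visible.

```python
import ipaddress
import struct

ESP_PROTO = 50  # protocol number carried in the new (outer) IP header for ESP
def build_ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header, no options; checksum left at zero to keep the layout readable.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(pkt):
    # Return (src, dst, protocol, header length) of a raw IPv4 packet.
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, (vihl & 0x0F) * 4

# Constructed policy entry: the proxy ids (local/remote subnets) agreed in an IKE phase II
# negotiation and the resulting SA (SPI, tunnel endpoints). Addresses are made up for the example.
SPD = [
    {"local": ipaddress.ip_network("10.1.0.0/16"), "remote": ipaddress.ip_network("10.2.0.0/16"),
     "spi": 0x1000ABCD, "tunnel_src": "198.51.100.1", "tunnel_dst": "203.0.113.1"},
]

def select_sa(spd, packet):
    # Driver step 1: match the inner IP header against the proxy ids; None means no tunnel applies.
    src, dst, _, _ = parse_ipv4_header(packet)
    for entry in spd:
        if ipaddress.ip_address(src) in entry["local"] and ipaddress.ip_address(dst) in entry["remote"]:
            return entry
    return None

def encapsulate(sa, packet, seq):
    # Driver step 2: tunnel-mode layout "new IP header | IPsec (ESP) header | IP header | IP data".
    # The bytes after the ESP header are what the IKE-negotiated key would encrypt; left in clear here.
    payload = struct.pack("!II", sa["spi"], seq) + packet
    return build_ipv4_header(sa["tunnel_src"], sa["tunnel_dst"], ESP_PROTO, len(payload)) + payload

def decapsulate(spd, outer):
    # Reverse path, checked here against the same SPD: require ESP, find the SA by SPI and tunnel
    # endpoint, then verify the inner addresses against the proxy ids so a peer cannot push traffic
    # for subnets it never negotiated.
    _, o_dst, proto, ihl = parse_ipv4_header(outer)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, _seq = struct.unpack("!II", outer[ihl:ihl + 8])
    sa = next((e for e in spd if e["spi"] == spi and e["tunnel_dst"] == o_dst), None)
    if sa is None:
        raise ValueError("no SA for SPI 0x%08x" % spi)
    inner = outer[ihl + 8:]
    i_src, i_dst, _, _ = parse_ipv4_header(inner)
    if ipaddress.ip_address(i_src) not in sa["local"] or ipaddress.ip_address(i_dst) not in sa["remote"]:
        raise ValueError("inner packet violates the negotiated proxy ids")
    return inner
```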
CPE VPN Gateway Differentiation & Success Factors - Today
Number of concurrent IPSEC tunnels supported
  Maps to the memory and CPU required to maintain state for the tunnels
  Critical for dial-up scenarios and large numbers of branch offices
  Critical for multi-tenant MAN service networks
Throughput over the IPSEC tunnels
  Maps to the encryption/decryption speed of the CPU/ASIC
  Critical for the HUB site or in the case of gigabit campus networks
  Critical for gigabit IP access service networks
Restoration of tunnels in case of VPN gateway failure
CPE VPN Gateway Differentiation & Success Factors - Future
Enterprise market as a pure IP overlay VPN solution
  Number of IPSEC tunnels, throughput over IPSEC tunnels, recovery
  Dynamic membership of sites to a VPN for Site-Site VPNs
  Integration with PKI infrastructure, AAA for VPN Clients
Carrier/Service Provider market as a vehicle for IPVPN services
  Integration of configuration with service provisioning solutions
  Integration with IPVPN service functionality such as Firewall, QoS
  Integration with data collection for services (assurance + billing)
CPE IPVPN - Vehicle for IPVPN Services
[Diagram: service provider management (installation team, network team, security team, policy server, billing data, SLA info.) and IS enterprise management, with the Internet linking New York Headquarters (corp. server, web server, policy router; IS Dept: US security policy mgmt.; HR: WW users adds/changes), the Geneva office (policy router; IS Dept: Europe security policy mgmt.) and the Tokyo office (policy router; IS Dept: Asia security policy mgmt.)]