
MPLS / VPN Connectivity between VPNs

MPLS / VPN Connectivity between VPNs. JET 2004/03/15. Outline: Security of the MPLS Architecture; Case Study: SuperNet; Connectivity between VPNs; Overlapping Virtual Private Networks; Multiprotocol BGP in the SuperNet Network; Conclusions.


Presentation Transcript


  1. MPLS / VPN Connectivity between VPNs JET 2004/03/15

  2. Outline
  • Security of the MPLS Architecture
  • Case Study: SuperNet
  • Connectivity between VPNs
  • Overlapping Virtual Private Networks
  • Multiprotocol BGP in the SuperNet Network
  • Conclusions

  3. Security of the MPLS Architecture
  • Address Space and Routing Separation
  • Hiding of the MPLS Core Structure
  • Resistance to Attacks
  • Impossibility of Label Spoofing

  4. Address Space and Routing Separation
  • Any VPN must be able to use the same address space as any other VPN
  • Any VPN must be able to use the same address space as the MPLS core
  • Routing between any two VPNs must be independent
  • Routing between any VPN and the core must be independent
  [Figure: Format of a VPN IPv4 Address]

  5. Hiding of the MPLS Core Structure
  • Attacks become more difficult
  • As with a comparable Layer 2 (such as Frame Relay or ATM) infrastructure
  [Diagram: visible address space. CE 1 sees only IP(CE1) and IP(PE;fa0); CE 2 sees only IP(CE2) and IP(PE;fa1). The PE holds VRF CE1 and VRF CE2 and its loopback IP(PE;L0); the MPLS core sits behind the PE]

  6. Resistance to Attacks
  • The MPLS core can be attacked in two basic ways:
    • By attacking the PE routers directly
    • By attacking the signaling mechanisms of MPLS (mostly routing)

  7. Impossibility of Label Spoofing
  • In Cisco routers, the implementation is such that packets that arrive on a CE interface with a label will be dropped
  • There is strict addressing separation within the PE router, and each VPN has its own VRF
  • The VPN that the spoofed packet originated from
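As an added illustration of the rule on this slide (example code, not from the presentation or from any router vendor): a small Python model of a PE ingress check that decodes the MPLS shim header (RFC 3032) and rejects labeled frames on a CE-facing interface. The interface roles, the frames and the placeholder MAC addresses are constructed for the example.

```python
import struct

MPLS_UNICAST, MPLS_MULTICAST, IPV4 = 0x8847, 0x8848, 0x0800

def parse_label_stack(payload: bytes) -> list:
    """Decode MPLS shim headers (RFC 3032): 20-bit label, 3-bit TC, S bit, 8-bit TTL,
    reading entries until the bottom-of-stack bit is set."""
    stack, offset = [], 0
    while True:
        if len(payload) < offset + 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", payload[offset:offset + 4])
        stack.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                      "bos": bool((word >> 8) & 1), "ttl": word & 0xFF})
        offset += 4
        if stack[-1]["bos"]:
            return stack

def pe_ingress_decision(frame: bytes, interface_role: str) -> str:
    """Model of the rule on the slide: a labeled packet arriving on a CE-facing
    interface is dropped, so labels are only honoured from the core side.
    interface_role is "ce" (customer-facing, tied to a VRF) or "core" (facing P/PE routers)."""
    if len(frame) < 14:
        return "drop: short frame"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype in (MPLS_UNICAST, MPLS_MULTICAST):
        if interface_role == "ce":
            return "drop: labeled packet on CE interface"
        labels = parse_label_stack(frame[14:])
        return "forward: label stack " + ",".join(str(e["label"]) for e in labels)
    if ethertype == IPV4:
        return "forward: IP lookup in VRF" if interface_role == "ce" else "forward: global table"
    return "drop: unexpected ethertype 0x%04x" % ethertype

def make_frame(ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet frame with placeholder (all-zero) MAC addresses."""
    return bytes(12) + struct.pack("!H", ethertype) + payload
```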

  8. Case Study: SuperNet
  [Diagram: the SuperNet provider network with Taipei POP, Taichung POP and Kaohsiung POP (PE and P routers). Customers EuroBank and FastFood; customer sites shown: Taipei headquarters (Finance, IT), Zhongxiao, Ren'ai, Kaohsiung, Kaohsiung headquarters, Taipei, Chiayi, Tainan. Each site attaches through a CE router to a PE router. POP: Point of Presence]

  9. Address Space of EuroBank and FastFood

  10. SuperCom can traditionally solve the overlapping addresses issue in three ways
  • It can persuade the customers to renumber their networks. Most customers would not be willing to do that and would rather find another service provider.
  • It can implement the VPN service with IP-over-IP tunnels, where the customer IP addresses are hidden from the service provider routers.
  • It can implement a complex network address translation (NAT) scheme.

  11. VPN Routing and Forwarding Tables
  • Major obstacle of peer-to-peer VPN implementations: overlapping addresses
  • MPLS/VPN technology provides an elegant solution
    • Each VPN has its own routing and forwarding table in the router
    • Any customer is provided access only to the set of routes contained within that table
  • A PE router in an MPLS/VPN network thus contains a number of per-VPN routing tables and a global routing table that is used to reach other routers in the provider network
  • A number of virtual routers are created in a single physical router

  12. Virtual Routers Created in a PE Router
  [Diagram: the PE in the SuperNet Taipei POP holds a EuroBank virtual router, a FastFood virtual router and the global routing table; sites labelled: Zhongxiao, Taipei headquarters, Ren'ai, Taipei, Taichung]

  13. More structures are associated with each virtual router
  • A forwarding table that is derived from the routing table and is based on CEF (Cisco Express Forwarding) technology.
  • A set of interfaces that use the derived forwarding table.
  • Rules that control the import and export of routes from and into the VPN routing table. These rules were introduced to support overlapping VPNs.
  • A set of routing protocols/peers, which inject information into the VPN routing table. This includes static routing.
  • Router variables associated with the routing protocol that is used to populate the VPN routing table.

  14. VRF—VPN routing/forwarding instance
  • A VRF consists of
    • an IP routing table
    • a derived forwarding table
    • a set of interfaces that use the forwarding table
    • a set of rules and routing protocols that determine what goes into the forwarding table
  • In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router

  15. Connectivity between VPNs
  [Diagram: inside the PE, IP packets from CE 1 enter routing context 1 and IP packets from CE 2 enter routing context 2. Each context has an ACL, a routing protocol, a routing table and a VRF forwarding table. The routing protocols and routing tables form the control plane (binding layer); the VRF forwarding tables form the data plane (forwarding layer)]

  16. Overlapping Virtual Private Networks
  • Imagine that SuperCom wants to extend its service offering with a Voice over IP (VoIP) service with gateways to the public voice network
  [Table: IP Addresses of VoIP Gateways in SuperCom Network]

  17. VoIP Service
  • Both EuroBank and FastFood decided to use the service, but only from their central sites; the branch offices have no need for international voice connectivity.
  [Diagram: SuperNet with Taipei, Taichung and Kaohsiung POPs and two VoIP gateways; customers EuroBank and FastFood; sites shown: Taipei headquarters (Finance, IT), Kaohsiung headquarters, Zhongxiao, Ren'ai, Kaohsiung, Taipei, Chiayi, Tainan]

  18. VPN Connectivity Requirements in SuperNet Network
  [Diagram: sites Zhongxiao, Kaohsiung, Taipei headquarters, Kaohsiung headquarters, Ren'ai, Taipei, Tainan, Chiayi and the two VoIP gateways]

  19. VRFs in the PE Routers in the SuperNet Network

  20. Propagation of VPN Routing Information in the Provider Network
  • Two fundamentally different ways exist for approaching the VPN route exchange between PE routers
    • The PE routers could run a different routing algorithm for each VPN.
      • Scalability problems in service provider networks with a large number of
      • Face interesting design challenges when asked to provide support for overlapping VPNs.
    • The PE routers run a single routing protocol to exchange all VPN routes. To support overlapping address spaces of VPN customers, the IP addresses used by the VPN customers must be augmented with additional information to make them unique.

  21. IP subnets advertised by the CE routers to the PE routers are augmented with a 64-bit prefix called a route distinguisher to make them unique.
  Why MP-BGP?
  • The number of VPN routes in a network can become very large.
  • This BGP feature supports keeping VPN routing information out of the provider core routers (P routers).
  • BGP can carry any information attached to a route as an optional BGP attribute.
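To make the route distinguisher of slides 4 and 21 concrete, here is an added Python example (not from the presentation) that encodes VPN-IPv4 addresses and labeled VPN-IPv4 NLRI entries in the RFC 4364 layout: 8-byte RD plus 4-byte IPv4 address, and length | label | RD | prefix for MP-BGP. The RD values, prefixes, label and customer names are constructed for the example.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode a route distinguisher "admin:number" as the 8-byte RFC 4364 format:
    type 0 = 2-byte ASN + 4-byte number, type 1 = IPv4 address + 2-byte number,
    type 2 = 4-byte ASN + 2-byte number."""
    admin, assigned = rd.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    admin_i, assigned_i = int(admin), int(assigned)
    if admin_i <= 0xFFFF:
        return struct.pack("!HHI", 0, admin_i, assigned_i)
    return struct.pack("!HIH", 2, admin_i, assigned_i)

def vpnv4_address(rd: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: the 64-bit RD followed by the 32-bit IPv4 network address."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed

def vpnv4_nlri(rd: str, prefix: str, label: int) -> bytes:
    """Labeled VPN-IPv4 NLRI as carried in MP_REACH_NLRI:
    length in bits | 3-byte label (bottom-of-stack set) | RD | minimal prefix bytes."""
    net = ipaddress.IPv4Network(prefix)
    label_field = ((label << 4) | 1).to_bytes(3, "big")      # 20-bit label, TC 0, S=1
    prefix_bytes = net.network_address.packed[:(net.prefixlen + 7) // 8]
    return bytes([24 + 64 + net.prefixlen]) + label_field + encode_rd(rd) + prefix_bytes

def vpn_routes(sites: list) -> dict:
    """Key overlapping customer prefixes by their VPN-IPv4 address so both survive in one table.
    `sites` holds (customer, rd, prefix) tuples; the values passed in below are constructed."""
    table = {}
    for customer, rd, prefix in sites:
        table[vpnv4_address(rd, prefix).hex()] = (customer, prefix)
    return table

if __name__ == "__main__":
    # Constructed: EuroBank and FastFood both use 10.1.1.0/24, told apart only by the RD.
    routes = vpn_routes([("EuroBank", "65000:1", "10.1.1.0/24"),
                         ("FastFood", "65000:2", "10.1.1.0/24")])
    for key, (customer, prefix) in routes.items():
        print(key, customer, prefix)
    print(vpnv4_nlri("65000:1", "10.1.1.0/24", 16).hex())
```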

  22. VoIP Service
  [Diagram: a separate IGP per VPN (IGP for VoIP, IGP for EuroBank, IGP for FastFood) running across the SuperNet Taipei, Taichung and Kaohsiung POPs; sites shown: Zhongxiao, Kaohsiung, Taipei headquarters, Kaohsiung headquarters, Ren'ai, Tainan, Chiayi, Taipei, plus the two VoIP gateways]

  23. Multiprotocol BGP in the SuperNet Network
  • Step 1: run a routing protocol per VRF (OSPF, RIP or static routes toward the CE routers)
  • Step 2: advertise the VRF routes by MP-BGP across the P routers
  • Step 3: receive the route information and save it in the corresponding VRF
  • Step 4: advertise the route information to the CE
  [Diagram: sites Zhongxiao, Kaohsiung, Taipei headquarters, Ren'ai]
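To tie the four steps on this slide to the per-VRF import/export rules of slides 13 and 14 and to the overlapping VoIP VPN of slides 16 to 19, here is an added Python model (not from the presentation or from any router vendor) of MP-BGP route exchange between two SuperNet PEs. The VRF names, RDs, route targets and prefixes are constructed; the asymmetric VoIP route targets are an assumption of this example, chosen so the shared VoIP VRF does not leak EuroBank routes to FastFood or the reverse.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# What MP-BGP carries between PEs: RD + prefix, next hop, route-target communities, origin.
VpnRoute = namedtuple("VpnRoute", "rd prefix next_hop rts origin")

@dataclass
class Vrf:
    """One VRF on a PE: its own routing table plus route-target import/export rules."""
    name: str
    rd: str                     # route distinguisher; keeps overlapping prefixes distinct
    import_rts: set
    export_rts: set
    table: dict = field(default_factory=dict)   # prefix -> "local" or advertising PE

def export_routes(pe: str, vrfs: list) -> list:
    """Steps 1-2: routes learned from the CE sit in the VRF; tag them with the export RTs."""
    return [VpnRoute(v.rd, p, pe, set(v.export_rts), (pe, v.name))
            for v in vrfs for p, nh in v.table.items() if nh == "local"]

def import_routes(pe: str, vrfs: list, bgp_table: list) -> None:
    """Step 3: install each VPNv4 route in every VRF whose import RTs match its RTs."""
    for v in vrfs:
        for r in bgp_table:
            if r.origin == (pe, v.name) or not (r.rts & v.import_rts):
                continue
            v.table.setdefault(r.prefix, r.next_hop)   # local routes win over imports

def build_supernet() -> dict:
    """Constructed SuperNet scenario: only the HQ sites may reach the VoIP gateways.
    Asymmetric VoIP RTs (an assumption) stop EuroBank and FastFood seeing each other."""
    EB, FF, VOIP_GW, VOIP_CUST = "65000:10", "65000:20", "65000:30", "65000:31"
    pes = {
        "PE-Taipei": [
            Vrf("EuroBank-HQ", "65000:1", {EB, VOIP_GW}, {EB, VOIP_CUST}, {"10.1.1.0/24": "local"}),
            Vrf("FastFood-Taipei", "65000:2", {FF}, {FF}, {"10.1.1.0/24": "local"}),  # overlap
        ],
        "PE-Kaohsiung": [
            Vrf("EuroBank-Kaohsiung", "65000:1", {EB}, {EB}, {"10.1.2.0/24": "local"}),
            Vrf("FastFood-HQ", "65000:2", {FF, VOIP_GW}, {FF, VOIP_CUST}, {"10.2.0.0/16": "local"}),
            Vrf("VoIP", "65000:3", {VOIP_CUST}, {VOIP_GW}, {"192.0.2.0/24": "local"}),
        ],
    }
    bgp_table = [r for pe, vrfs in pes.items() for r in export_routes(pe, vrfs)]
    for pe, vrfs in pes.items():
        import_routes(pe, vrfs, bgp_table)
    return {v.name: v.table for vrfs in pes.values() for v in vrfs}   # step 4: handed to the CEs
```

The returned tables show the branch VRFs never learn the VoIP gateway subnet, and neither customer's HQ VRF learns the other customer's prefixes even though both HQs share the VoIP VRF.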

  24. Conclusion
  • How to connect two sites in a VPN when the two sites have the same address space?
