Deploying VPN
Eric Vyncke, Cisco Systems, Field Distinguished Engineer, evyncke@cisco.com

Forewords
• Focus mainly on VPN for one organization

Agenda
• Cisco Definition of VPN
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Virtual Private Network (VPN) Defined
“A Virtual Private Network Carries Private Traffic Over a Public Network”
Cisco 'official' definition
What Is a “Public” Network?
• In this context, any network shared among different administrative domains
• A shared network such as the Internet
• A privately owned network which services many external/internal customers
What is 'Private' Traffic?
• Can be anything desired by an organization
• Confidentiality => IPSec
• IP routing independence (address and IGP) => MPLS & RFC 2547
• QoS end to end
• Efficient multicast
The Three Categories of VPN
• Intranet VPN: low cost, tunneled connections with rich VPN services, like IPSec encryption and QoS to ensure reliable throughput
• Extranet VPN: extends WANs to business partners
• Remote Access VPN: secure, scalable, encrypted tunnels across a public network, client software
Figure labels: Main Office, POP, WAN, Business Partner, Mobile Worker, Home Office, Remote Office
Technologies
• A large choice
• BGP/MPLS VPN
• IPSec
• Layer 3: IPinIP, GRE, IPv6 over IPv4
• Layer 2: L2TP
• IEEE 802.1q VLAN
Callout on the slide: "My main focus"
Another Cisco Taxonomy
• VPN
  • Network Based VPN
    • L2VPN
    • L3VPN: MPLS VPN, Network Based IPSec
  • CPE Based VPN
    • IPSec/GRE
Agenda
• Cisco Definition of VPN
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Examples
• The most common layer 3 tunnels are
  • IP in IP: RFC 2003
  • GRE: RFC 2784 (default on Cisco routers)
• The most common layer 2 tunnels are
  • PPTP, L2F: deprecated
  • L2TP: RFC 2661
  • L2TPv3: aka UTI
IPSec Tunnel Mode Encapsulation
Original IP datagram:
  [Original IP header, Protocol=p, 20 bytes] [IP payload]
IPSec ESP without ESP auth encapsulation (after encapsulation):
  [ESP header, Protocol=4 (IPinIP), 16 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload] [ESP trailer, 2-10 bytes]
IPSec packet with new IP header (on the wire):
  [External IP header, Protocol=50 (ESP), 20 bytes] [ESP header, Protocol=4, 16 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload] [ESP trailer, 2-10 bytes]
  Encrypted payload: original IP header + IP payload + ESP trailer
IPinIP + IPSec Transport Mode
Original IP datagram:
  [Original IP header, Protocol=p, 20 bytes] [IP payload]
IPinIP encapsulation:
  [External IP header, Protocol=4 (IPinIP), 20 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload]
After IPSec Transport Mode:
  [External IP header, Protocol=50 (ESP), 20 bytes] [ESP header, Protocol=4, 16 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload] [ESP trailer, 2-10 bytes]
  Encrypted payload: original IP header + IP payload + ESP trailer
Differences with IPSec Tunnel Mode
• Same syntax (bits on the wire):
  • IPSec Tunnel Mode
  • IPinIP + IPSec Transport Mode
• Is it the same semantic? No
  • Because SPD is now replaced by routing
  • Ease of deployment
  • Resiliency
  • Less security
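Added example (not part of the deck and not Cisco code): a Python script that builds the two encapsulations drawn on the preceding slides, IPSec ESP tunnel mode and IPinIP followed by ESP transport mode, and checks that the bytes on the wire are the same. ESP is laid out as on the slides (16-byte header = SPI + sequence number + 8-byte IV, 2-10 byte trailer, no ESP authentication); the region ESP would encrypt is left in clear so the framing can be inspected. The addresses, SPI, sequence number and IV are constructed sample values.

```python
import struct

IPPROTO_IPIP = 4    # IP in IP, RFC 2003
IPPROTO_ESP = 50    # IPSec ESP
ESP_HDR_LEN = 16    # SPI (4) + sequence (4) + 8-byte IV, as drawn on the slides
ESP_BLOCK = 8       # cipher block size implied by the 2-10 byte trailer on the slides


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, id 0, no fragmentation, TTL 64)."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(inner: bytes, next_header: int, spi: int, seq: int, iv: bytes) -> bytes:
    """ESP without authentication: SPI | seq | IV | inner | padding | pad length | next header.
    Everything after the IV is what ESP would encrypt; it is left in clear here."""
    pad_len = (-(len(inner) + 2)) % ESP_BLOCK          # trailer is 2 .. ESP_BLOCK+1 bytes
    padding = bytes(range(1, pad_len + 1))             # RFC 2406 default padding 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + iv + inner + padding + bytes([pad_len, next_header])


def tunnel_mode(orig, gw_src, gw_dst, spi, seq, iv) -> bytes:
    """IPSec tunnel mode: ESP (next header = 4) wraps the whole original datagram,
    then a new external IP header with protocol 50 is prepended."""
    esp = esp_encapsulate(orig, IPPROTO_IPIP, spi, seq, iv)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def ipinip_then_transport(orig, gw_src, gw_dst, spi, seq, iv) -> bytes:
    """IPinIP first (external header, protocol 4), then transport-mode ESP on that
    packet: ESP is inserted behind the external header, whose protocol becomes 50
    and whose total length and checksum are rewritten."""
    outer = ipv4_header(gw_src, gw_dst, IPPROTO_IPIP, len(orig))
    esp = esp_encapsulate(orig, outer[9], spi, seq, iv)   # next header = 4, from the IPinIP header
    hdr = (outer[:2] + struct.pack("!H", 20 + len(esp)) + outer[4:9]
           + bytes([IPPROTO_ESP]) + b"\0\0" + outer[12:])
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + esp


def protocol_chain(pkt: bytes) -> list:
    """Walk the protocol fields: external IP -> ESP next header (in the trailer) -> inner IP."""
    chain = [pkt[9]]
    if pkt[9] == IPPROTO_ESP:
        chain.append(pkt[-1])
        if pkt[-1] == IPPROTO_IPIP:
            chain.append(pkt[20 + ESP_HDR_LEN + 9])
    return chain


def overhead(orig_len: int) -> int:
    """Bytes added on the wire: 20 (external IP) + 16 (ESP header) + 2..10 (ESP trailer)."""
    return 20 + ESP_HDR_LEN + (-(orig_len + 2)) % ESP_BLOCK + 2


if __name__ == "__main__":
    # Constructed sample datagram: 10.1.0.5 -> 10.2.0.7, protocol 17 (UDP), 12 payload bytes.
    orig = ipv4_header("10.1.0.5", "10.2.0.7", 17, 12) + bytes(12)
    args = (orig, "192.0.2.1", "198.51.100.1", 0x1000, 1, bytes(8))
    a, b = tunnel_mode(*args), ipinip_then_transport(*args)
    print("identical on the wire:", a == b)           # True
    print("protocol chain:", protocol_chain(a))        # [50, 4, 17]
    print("overhead:", overhead(len(orig)), "bytes")   # 44
```

The overhead figure is the one to feed into MTU planning: a 1500-byte datagram entering either encapsulation leaves the gateway 44 to 52 bytes larger (with ESP authentication it would be larger still), so the tunnel interface MTU or TCP MSS has to be lowered to avoid fragmentation of the ESP packets.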
Difference: SPD & SAD
• IPinIP + IPSec Transport Mode
  • <L3 endpoint, L3 endpoint, IPinIP, *, *>
  • Usually one pair of SA
  • Trivial selectors, easy provisioning, one pair of SA, very scalable
• IPSec Tunnel Mode
  • <protected net., protected net., *, *, *>
  • Can potentially be multiple pairs of SA
Difference: Cisco Router IOS view
• IPinIP + IPSec: is a L3 tunnel interface
  • Routing protocol
  • Multicast, ...
  • This means strong resilience and fast re-routing
• IPSec Tunnel mode: is not
Difference: SA Selection
• IPinIP + IPSec Transport Mode
  • L3 tunnel is selected by FIB
  • FIB is dynamic (insecure)
• IPSec Tunnel Mode
  • IPSec SA selected by SAD
  • SAD is static (secure)
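Added example (not part of the deck and not Cisco code): a toy Python model of the two selection mechanisms compared on the last three slides. In tunnel mode a static SPD selector <src net, dst net, proto, sport, dport> picks the SA; in IPinIP + transport mode the FIB (longest-prefix match) picks the tunnel interface and the single SA bound to that tunnel follows, so an IGP route change moves traffic between SAs, for better (fast re-routing) and for worse (an unauthenticated IGP can move it too). The prefixes, interface names, SA names and routes are constructed sample values.

```python
import ipaddress


class SPD:
    """Static security policy: ordered selectors -> SA name, first match wins.
    A selector is (src net, dst net, proto, sport, dport); None is a wildcard (*)."""

    def __init__(self, entries):
        self.entries = [((ipaddress.ip_network(s), ipaddress.ip_network(d), p, sp, dp), sa)
                        for (s, d, p, sp, dp), sa in entries]

    def lookup(self, src, dst, proto=None, sport=None, dport=None):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for (s, d, p, sp, dp), sa in self.entries:
            if (src in s and dst in d and p in (None, proto)
                    and sp in (None, sport) and dp in (None, dport)):
                return sa
        return None   # no matching policy: packet is not sent through IPSec


class FIB:
    """Dynamic forwarding table fed by the IGP: prefix -> outgoing tunnel interface."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, iface):
        self.routes[ipaddress.ip_network(prefix)] = iface

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        for net in sorted(self.routes, key=lambda n: n.prefixlen, reverse=True):
            if dst in net:          # longest prefix match
                return self.routes[net]
        return None


# Transport-mode design: one SA pair per tunnel interface (constructed names).
TUNNEL_SA = {"Tunnel0": "SA-hub1", "Tunnel1": "SA-hub2"}


def select_sa_tunnel_mode(spd, src, dst, proto=None):
    """IPSec tunnel mode: the SPD selector decides; routing plays no part."""
    return spd.lookup(src, dst, proto)


def select_sa_transport_mode(fib, tunnel_sa, dst):
    """IPinIP + transport mode: the FIB picks the tunnel, the tunnel's SA follows."""
    iface = fib.lookup(dst)
    return tunnel_sa.get(iface) if iface else None


def scenario():
    spd = SPD([(("10.1.0.0/16", "10.2.0.0/16", None, None, None), "SA-hub1")])
    fib = FIB()
    fib.add("10.2.0.0/16", "Tunnel0")     # primary path to the protected net via hub 1
    fib.add("0.0.0.0/0", "Tunnel1")        # everything else via hub 2
    src, dst = "10.1.0.5", "10.2.0.7"

    def pick():
        return (select_sa_tunnel_mode(spd, src, dst),
                select_sa_transport_mode(fib, TUNNEL_SA, dst))

    results = {"initial": pick()}
    # The IGP learns a more specific prefix through hub 2 (a legitimate change, or a
    # bogus advertisement if the IGP is not authenticated): transport mode follows
    # the FIB, the static tunnel-mode selector does not move.
    fib.add("10.2.0.0/24", "Tunnel1")
    results["more_specific_via_hub2"] = pick()
    # Hub 1's tunnel goes down and its routes are withdrawn: transport mode re-routes
    # over hub 2 at IGP speed; tunnel mode keeps pointing at the hub 1 SA.
    fib.withdraw("10.2.0.0/24")
    fib.withdraw("10.2.0.0/16")
    results["hub1_down"] = pick()
    return results


if __name__ == "__main__":
    for step, (tun, tr) in scenario().items():
        print(f"{step:24s} tunnel mode -> {tun}   IPinIP+transport -> {tr}")
```

The practical reading of the last two steps is the one the deck makes: with the FIB in charge, whatever protects the routing protocol (IGP authentication, route filtering on the tunnel interfaces) is also what protects SA selection.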
Traffic can be Routed Through 2 Hubs
Central site with Hub 1 (active) and Hub 2 (active)
+ Easier
+ Hubs are always under 50% load
- Asymmetric routing
Traffic can be Load Balanced
Central site with Hub 1 (active) and Hub 2 (active); need to tune the IGP to always select the GREEN tunnels
+ Symmetric routing
+ Both hubs running at 50%
Agenda
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Next Hop Resolution Protocol, RFC 2332
• IETF protocol
• Used on NBMA (Non Broadcast Multi-Access) networks (Frame Relay, X.25, ...) to discover peers
• Can also be used on multi-point GRE, mGRE
  • Specific kind of GRE tunnel
  • Fan-out like: one hub and multiple spokes
  • Hub can speak direct to all spokes
  • Spokes can only talk to hub
• Cannot be used over IPinIP since NHRP does not run over IP
NHRP over mGRE
• NHRP Client Y -> NHRP Server: registration request: Y is 3.3.3.3
• NHRP Server -> NHRP Client Y: registration reply: OK
• NHRP Client X -> NHRP Server: resolution request for Y
• NHRP Server -> NHRP Client X: resolution reply: Y is through 3.3.3.3
• NHRP cache (server and client X): Client Y is via 3.3.3.3
• Then IP traffic X-Y is sent over mGRE directly
Addresses shown on the slide: 2.2.2.2, 3.3.3.3
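Added example (not part of the deck and not Cisco code): a minimal Python simulation of the registration and resolution exchange on the slide above, with the hub acting as NHRP server and the spokes as NHRP clients on an mGRE cloud. Only the control messages and the caches are modelled, no GRE or IP packets are built. Assumptions: 3.3.3.3 is spoke Y's NBMA address as on the slide; 2.2.2.2, which the slide shows without a label, is taken to be spoke X; the hub's NBMA address 1.1.1.1 and the 10.0.0.x tunnel addresses are constructed; an unresolvable destination falls back to the hub, since spokes can always reach it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class NHRPMessage:
    kind: str                   # registration-request/-reply, resolution-request/-reply
    sender_nbma: str            # NBMA (public) address the message comes from
    tunnel_ip: str              # tunnel address being registered or resolved
    nbma: Optional[str] = None  # resolution answer: NBMA address reaching tunnel_ip
    ok: bool = True


class NHRPServer:
    """Hub: next-hop server holding the tunnel-IP -> NBMA cache for all spokes."""

    def __init__(self, nbma):
        self.nbma = nbma
        self.cache = {}
        self.log = []   # every message seen or sent, in order

    def handle(self, msg):
        self.log.append(msg)
        if msg.kind == "registration-request":
            self.cache[msg.tunnel_ip] = msg.sender_nbma   # remember where this spoke lives
            reply = NHRPMessage("registration-reply", self.nbma, msg.tunnel_ip, msg.sender_nbma)
        elif msg.kind == "resolution-request":
            nbma = self.cache.get(msg.tunnel_ip)
            reply = NHRPMessage("resolution-reply", self.nbma, msg.tunnel_ip, nbma, nbma is not None)
        else:
            raise ValueError(msg.kind)
        self.log.append(reply)
        return reply


class NHRPClient:
    """Spoke on the mGRE cloud: registers itself, resolves peers on demand."""

    def __init__(self, tunnel_ip, nbma, server):
        self.tunnel_ip, self.nbma, self.server = tunnel_ip, nbma, server
        self.cache = {}

    def register(self):
        reply = self.server.handle(NHRPMessage("registration-request", self.nbma, self.tunnel_ip))
        return reply.ok

    def next_hop(self, dst_tunnel_ip):
        """NBMA address for the GRE outer header of a packet to dst_tunnel_ip.
        A cached answer is used without asking the hub; an unknown peer falls
        back to the hub (assumption: the hub always relays spoke traffic)."""
        if dst_tunnel_ip in self.cache:
            return self.cache[dst_tunnel_ip]
        reply = self.server.handle(NHRPMessage("resolution-request", self.nbma, dst_tunnel_ip))
        if reply.ok:
            self.cache[dst_tunnel_ip] = reply.nbma
            return reply.nbma
        return self.server.nbma


def scenario():
    """The slide's exchange: Y registers, X resolves Y, then X sends to Y direct."""
    hub = NHRPServer("1.1.1.1")                     # constructed hub NBMA address
    x = NHRPClient("10.0.0.2", "2.2.2.2", hub)      # spoke X
    y = NHRPClient("10.0.0.3", "3.3.3.3", hub)      # spoke Y, 3.3.3.3 as on the slide
    x.register()
    y.register()
    first = x.next_hop("10.0.0.3")     # resolution request/reply, answer cached on X
    second = x.next_hop("10.0.0.3")    # served from X's cache, no NHRP traffic
    unknown = x.next_hop("10.0.0.9")   # never registered: not-ok reply, fall back to hub
    return {"first": first, "second": second, "unknown": unknown,
            "hub_cache": dict(hub.cache), "x_cache": dict(x.cache),
            "messages": [(m.kind, m.sender_nbma, m.tunnel_ip, m.nbma) for m in hub.log]}


if __name__ == "__main__":
    for line in scenario()["messages"]:
        print(line)
```

The hub cache is the asset to watch here: every spoke's NBMA address comes from a registration it sent itself, so on a real hub the registrations ride inside the IPSec-protected GRE tunnel and the hub's cache is only as trustworthy as the tunnel's peer authentication.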
Tunnel Endpoint Discovery
• Proposed to IETF IPSP WG
• Alice (A) sits behind gateway X1, Bob (B) behind gateway Y; X2 is another gateway on the path
• X1: A to B must be protected, no SA => send probe
  • IKE: A to B (proxy=X1)
  • IP: A to B
• Y: traffic to B must be protected, no SA & probe received => block & answer probe
  • IKE: Y to X1
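Added example (not part of the deck and not Cisco code): a toy Python model of the probe flow on the slide above. Gateway X1 has a policy that A-to-B traffic must be protected but no SA and does not know which gateway fronts B; it parks the packet and sends a probe toward B; gateway Y, in front of B, intercepts the probe, learns X1's address, and answers by opening IKE to X1; X2 sees the probe but is not in front of B and ignores it. Real TED carries the probe inside IKE and negotiates the SA there; only the control flow and the resulting SA tables are modelled, and all names and addresses are constructed.

```python
import ipaddress


class Gateway:
    """IPSec gateway in front of one protected network. Its policy lists the remote
    networks whose traffic must be protected, but not which gateway serves them."""

    def __init__(self, name, address, local_net, remote_nets):
        self.name, self.address = name, address
        self.local_net = ipaddress.ip_network(local_net)
        self.policy = [ipaddress.ip_network(n) for n in remote_nets]
        self.sad = {}       # remote network -> peer gateway address, filled by IKE
        self.held = []      # packets parked while a probe is outstanding
        self.log = []

    def policy_net(self, ip):
        ip = ipaddress.ip_address(ip)
        return next((n for n in self.policy if ip in n), None)

    def send(self, src, dst, net):
        """A host behind this gateway sends src->dst; returns how it was handled."""
        remote = self.policy_net(dst)
        if remote is None:
            self.log.append(f"{self.name}: {src}->{dst} sent in clear (no policy)")
            return "clear"
        if remote in self.sad:
            self.log.append(f"{self.name}: {src}->{dst} protected, peer {self.sad[remote]}")
            return "protected"
        # Policy says protect, no SA: park the packet and probe toward dst, proxy = us.
        self.held.append((src, dst))
        self.log.append(f"{self.name}: {src}->{dst} must be protected, no SA => "
                        f"send probe (proxy={self.address})")
        net.deliver_probe(self, src, dst)
        return "probed"

    def receive_probe(self, origin, src, dst, net):
        """Only the gateway in front of dst intercepts the probe; it blocks the
        clear traffic and answers by starting IKE toward the probe's origin."""
        if ipaddress.ip_address(dst) not in self.local_net:
            return False
        self.log.append(f"{self.name}: traffic to {dst} must be protected, no SA & probe "
                        f"received => block & answer probe, IKE to {origin.address}")
        net.ike(self, origin, src, dst)
        return True


class Network:
    """The core: carries the probe toward dst and the IKE exchange back."""

    def __init__(self, gateways):
        self.gateways = gateways

    def deliver_probe(self, origin, src, dst):
        for gw in self.gateways:
            if gw is not origin and gw.receive_probe(origin, src, dst, self):
                return True
        return False   # no IPSec gateway in front of dst: the probe goes unanswered

    def ike(self, responder, initiator, src, dst):
        # IKE (responder -> initiator) installs the SA on both sides, then the
        # initiator releases the packets it parked while waiting.
        initiator.sad[initiator.policy_net(dst)] = responder.address
        responder.sad[responder.policy_net(src)] = initiator.address
        parked, initiator.held = initiator.held, []
        for s, d in parked:
            initiator.send(s, d, self)


def scenario():
    """Alice (10.1.0.5) behind X1 talks to Bob (10.2.0.7) behind Y; X2 sees the
    probe but fronts another network. All addresses constructed."""
    x1 = Gateway("X1", "192.0.2.1", "10.1.0.0/16", ["10.2.0.0/16"])
    x2 = Gateway("X2", "203.0.113.1", "10.3.0.0/16", ["10.1.0.0/16", "10.2.0.0/16"])
    y = Gateway("Y", "198.51.100.1", "10.2.0.0/16", ["10.1.0.0/16"])
    net = Network([x1, x2, y])
    first = x1.send("10.1.0.5", "10.2.0.7", net)    # probe, IKE, parked packet released
    second = x1.send("10.1.0.5", "10.2.0.7", net)   # SA already present
    return {"first": first, "second": second,
            "x1_peer": x1.sad.get(ipaddress.ip_network("10.2.0.0/16")),
            "y_peer": y.sad.get(ipaddress.ip_network("10.1.0.0/16")),
            "log": x1.log + x2.log + y.log}


if __name__ == "__main__":
    for line in scenario()["log"]:
        print(line)
```

Note what the model does not decide: X1 learns Y's address from whoever answers the probe, so in a real deployment the IKE authentication between X1 and Y (certificates or pre-shared keys scoped to the right peers) is what stops an arbitrary host on the path from answering in Y's place.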
NHRP, TED and Routing
• NHRP+mGRE requires routing inside the GRE tunnel to learn about connected networks
• TED requires routing in the core to learn about connected networks
Agenda
• Using Layer 3 Tunnels & Routing
• Security of the Above
• Existing Techniques for Dynamic VPN
• Deployment Examples
Case #1: 1500 Nodes Hierarchical Network With IPX
• Customer: large retail bank
• Requirements:
  • Mix of IP and IPX traffic
  • Large scale: 1500 nodes
  • Hierarchical structure: branch, regional office
  • Bandwidth: 128 kbps, 512 kbps & 10 Mbps
  • Outsourced IP services
Case #1: Issues
• Large scale
  • Need to use a layered structure
• Mix of IPX & IP
  • Use of GRE encapsulation
• High Availability (Resilience)
  • Use routing protocol (EIGRP for IP & IPX)
• Outsourced IP services
  • 1 router managed by IP Service Provider
  • 1 router managed by customer (IPSec)
Case #1: IPSec Overlay Network
• HQ (approx. 2): 200 tunnels per router, can be split over several routers
• RO (approx. 600): 15 tunnels to branches, 4 tunnels to BO
• BO (approx. 800): 1 tunnel per branch
Case #2: MPLS BGP VPN & IPSec
• Customer: SP for a bank
• Requirements
  • Outsourced network: connectivity & security
  • Double management?
  • Interworking with MPLS (RFC 2547)
  • 300 Nodes
Case #2: Network
Figure: Green VPN and Red VPN over the MPLS network (2 Mbps); use of Tunnel Endpoint Discovery
Case #3: Mapping IPSec Remote Access to another VPN
• SP customer
• Wants to connect remote users over a remote access IPSec VPN to
  • Specific L3 VPN: GRE, BGP/MPLS
  • Specific L2 VPN: Frame Relay, 802.1Q VLAN
• Solution: IPSec termination in different VRF based on IKE identity
Case #3: IPSec to BGP/MPLS VPN
Figure: Branch Office and Telecommuter/SOHO reach the IPSec-AGG over the Internet (Internet PE, Gateway PE) and are mapped into the MPLS/VPN of Customer A or Customer B (Remote Access PE, PE, MPLS Network)
Mapping offnet users into BGP/MPLS VPNs.