1 / 33

Deploying VPN

Deploying VPN. Eric Vyncke Cisco Systems Field Distinguished Engineer evyncke@cisco.com. Forewords. Focus mainly on VPN for one organization. Agenda. Cisco Definition of VPN Using Layer 3 Tunnels & Routing Security of the Above Existing Techniques for Dynamic VPN Deployment Examples.

kyros
Télécharger la présentation

Deploying VPN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Deploying VPN Eric Vyncke Cisco Systems Field Distinguished Engineer evyncke@cisco.com

  2. Forewords Focus mainly on VPN for one organization

  3. Agenda • Cisco Definition of VPN • Using Layer 3 Tunnels & Routing • Security of the Above • Existing Techniques for Dynamic VPN • Deployment Examples

  4. ” Virtual Private Network (VPN) Defined A Virtual Private Network Carries Private Traffic Over a Public Network Cisco 'official' definition

  5. What Is a “Public” Network? • In this context, any network sharedamong different administrative domains • A shared network such as the Internet • A privately owned network which services many external/internal customers

  6. What is 'Private' Traffic? • Can be anything desired by an organization • Confidentiality => IPSec • IP Routing independance (address and IGP) => MPLS & RFC 2547 • QoS end to end • Efficient multicast

  7. Main Office POP WAN VPN POP Extranet VPN Extends WANs to business partners Business Partner Mobile Worker The Three Categories of VPN Intranet VPN Low cost, tunneled connections with rich VPN services, like IPSec encryption and QoS to ensure reliable throughput Home Office Remote Office Remote Access VPN Secure, scalable, encrypted tunnels across a public network, client software

  8. Technologies • A large choice • BGP/MPLS VPN • IPSec • Layer 3: IPinIP, GRE, IPv6 over IPv4 • Layer 2: L2TP • IEEE 802.1q VLAN My main focus

  9. Another Cisco Taxonomy VPN Network Based VPN CPE Based L2VPN L3VPN IPSec/GRE MPLS VPN Network Based IPSec

  10. Agenda • Cisco Definition of VPN • Using Layer 3 Tunnels & Routing • Security of the Above • Existing Techniques for Dynamic VPN • Deployment Examples

  11. Examples • The most common layer 3 tunnels are • IP in IP: RFC 2003 • GRE: RFC 2784 • The most common layer 2 tunnels are • PPTP, L2F: deprecated • L2TP: RFC 2661 • L2TPv3: aka UTI Default on Cisco routers

  12. Original IP header Protocol=p IP payload 20 bytes IPSec ESP without ESP auth encapsulation (after encapsulation) ESP header Protocol=4 (IPinIP) Original IP header Protocol=p IP payload ESP trailer 16 bytes 20 bytes 2-10 bytes IPSec packet with new IP header (on the wire) External IP header Protocol=50 (ESP) ESP header Protocol=4 Original IP header Protocol=p IP payload ESP trailer 20 bytes 16 bytes 20 bytes 2-10 bytes Encrypted payload IPSec Tunnel Mode Encapsulation Original IP datagram

  13. Original IP header Protocol=p IP payload 20 bytes IPinIP Encapsulation External IP header Protocol=4 (IPinIP) Original IP header Protocol=p IP payload 20 bytes 20 bytes After IPSec Transport Mode External IP header Protocol=50 (ESP) ESP header Protocol=4 Original IP header Protocol=p IP payload ESP trailer 16 bytes 20 bytes 2-10 bytes 20 bytes Encrypted payload IPinIP + IPSec Transport Mode Original IP datagram

  14. Differences with IPSec Tunnel Mode • Same syntax (bits on the wire): • IPSec Tunnel Mode • IPinIP + IPSec Transport Mode • Is it the same semantic ? No • Because SPD is now replaced by routing • Ease of deployment • Resiliency • Less security

  15. Difference: SPD & SAD • Trivial selectors • Easy provisioning One pair of SA  Very scalable • IPinIP + IPSec Transport Mode • <L3 endpoint, L3 endpoint, IPinIP, *,*> • Usually one pair of SA • IPSec Tunnel Mode • <protected net., protected net.,*,*,*> • Can potentially be multiple pairs of SA

  16. Difference: Cisco Router IOS view • IPinIP + IPSec: is a L3 tunnel interface • Routing Protocol • Multicast, .. • IPSec Tunnel mode: is not This means strong resilience And fast re-routing

  17. Difference: SA Selection • IPinIP + IPSec Transport Mode • L3 tunnel is selected by FIB • FIB is dynamic (insecure) • IPSec Tunnel Mode • IPSec SA selected by SAD • SAD is static (secure)

  18. Traffic can be Routed Through 2 Hubs Central Site Hub 2 (active) Hub 1 (active) + Easier. + Hub are always under 50% load. - Asymmetric routing

  19. Traffic can be Load Balanced Central Site Hub 2 (active) Hub 1 (active) Need to tune IGP to always select the GREEN tunnels. + Symmetric routing + Both hubs running at 50%

  20. Agenda • Using Layer 3 Tunnels & Routing • Security of the Above • Existing Techniques for Dynamic VPN • Deployment Examples

  21. Agenda • Using Layer 3 Tunnels & Routing • Security of the Above • Existing Techniques for Dynamic VPN • Deployment Examples

  22. Next Hop Resolution Protocol, RFC 2332 • IETF protocol • Used on NBMA Non Broadcast Multi-Access networks (Frame Relay, X.25, …) to discover peers • Can also be used on multi-point GRE, mGRE • Specific kind of GRE tunnel • Fan-out like: one hub and multiple spokes • Hub can speak direct to all spokes • Spokes can only talk to hub • Cannot be used over IPinIP since NHRP does not run over IP

  23. NHRP over mGRE NHRP Server NHRP: resolution request for Y NHRP Cache Client Y is via 3.3.3.3 mGRE NHRP: resolution Reply: Y is through 3.3.3.3 NHRP: registration Reply: OK NHRP: registration Request: Y is 3.3.3.3 3.3.3.3 2.2.2.2 IP: X-Y NHRP Client X NHRP Client Y NHRP Cache Client Y is via 3.3.3.3

  24. Tunnel Endpoint Discovery Proposed to IETF IPSP WG A to B must be protected no SA => send probe Alice X1 IKE: A to B (proxy=X1) IP: A to B X2 Y IKE: Y to X1 Traffic to B must be protected no SA & probe received => block & answer probe Bob

  25. NRHP, TED and Routing • NHRP+mGRE requires routing inside the GRE tunnel to learn about connected networks • TED requires routing in the core to learn about connected networks

  26. Agenda • Using Layer 3 Tunnels & Routing • Security of the Above • Existing Techniques for Dynamic VPN • Deployment Examples

  27. Case #1: 1500 Nodes Hierarchical Network With IPX • Customer: large retail bank • Requirements: • Mix of IP and IPX traffic • Large scale 1500 nodes • Hierarchical structure: branch, regional office • Bandwidth: 128 kbps, 512 kbps & 10 Mbps • Outsourced IP services

  28. Case #1: Issues • Large scale • Need to use a layered structure • Mix of IPX & IP • Use of GRE encapsulation • High Availability (Resilience) • Use routing protocol (EIGRP for IP & IPX) • Outsourced IP services • 1 router managed by IP Service Provider • 1 router managed by customer (IPSec)

  29. Case #1: IPSec Overlay Network HQ approx. 2; 200 tunnels per router, can be split over several routers RO approx. 600; 15 tunnels to branches 4 tunnels to BO BO approx. 800; 1 tunnel per branch

  30. Case #2: MPLS BGP VPN & IPSec • Customer: SP for a bank • Requirements • Outsourced network: connectivity & security • Double management ? • Interworking with MPLS (RFC 2547) • 300 Nodes

  31. Case #2: Network Green VPN Use of Tunnel Endpoint Discovery MPLS Network Red VPN 2 Mbps

  32. Case #3: Mapping IPSec Remote Access to another VPN • SP customer • Wants to connect remote user over a remote access IPSec VPN to • Specific L3 VPN: GRE, BGP/MPLS • Specific L2 VPN: Frame Relay, 802.1Q VLAN • Solution: IPSec termination in different VRF based on IKE identity

  33. Case #3: IPSec to BGP/MPLS VPN Branch Office IPSec VPN MPLS/VPN Customer A Remote Access PE MPLS Network Internet IPSec-AGG Internet PE Gateway PE Customer B Telecommuter/SOHO Mapping offnet users into BGP/MPLS VPNs.

More Related