
VPN and DSL WAN Design

Chapter Topics

- DSL Technologies
- VPNs

DSL Technologies

DSL Technologies

- When used with VPN technologies, DSL can provide WAN connectivity for remote offices at a lower cost than dedicated services.
- DSL increases connectivity options for fixed remote access and extranet offices and users.
- A DSL connection is "always on".
- Charges are typically a fixed monthly fee.
- In some major markets, private DSL access is available: permanent virtual circuits (PVCs) extend the enterprise network to the DSL access device.

DSL Technologies

- DSL is favorably priced based on cost for equivalent bandwidth when compared to dial-up access.
- Provides price advantages over leased lines and packet network services.
- Disadvantages of DSL include:
  - spotty availability due to distance and infrastructure quality
  - lack of guaranteed transport bandwidth through the intermediate public networks
  - security issues within the Internet
- Cable modems offer comparable service for remote access at a similar cost.

DSL Types

- DSL is a physical layer technology.
- The marketplace has many variations. Forms of DSL include the following:
  - ADSL
  - SDSL
  - IDSL
  - High-bit-rate DSL (HDSL)
  - VDSL
- The two leading schemes are SDSL and ADSL.

Basic DSL Architecture

ADSL – Asymmetric DSL

- Targeted for residential customers.
- Defined by the American National Standards Institute (ANSI) T1.413 standard.
- Provides asymmetric speed: the downlink speed (from the central office to the customer) is faster than the uplink speed.

ADSL

- Downstream rates range from 256 kbps to 8 Mbps.
- Upstream rates range from 16 kbps to 800 kbps.
- ADSL transmissions work at distances up to 18,000 ft (5488 m) over a single copper twisted pair.

ADSL

- ADSL G.lite is a variant specification that:
  - reduces the device requirements of ADSL
  - eliminates the requirement for special wiring installation services
  - provides rates up to 1.5 Mbps
- Another variant is Rate Adaptive ADSL (RADSL), which allows the DSL modem to adapt its speed based on the quality and length of the line.

ADSL Sample Services

Some examples of services are:

- 384 kbps download / 128 kbps uplink
- 768 kbps download / 128 kbps uplink
- 786 kbps download / 256 kbps uplink
- 1.5 Mbps download / 128 kbps uplink
- 1.5 Mbps download / 384 kbps uplink
- 6 Mbps download / 384 kbps uplink

HDSL – High Bit-rate DSL

- Provides 1.544 Mbps of bandwidth but uses two twisted-pair lines (4 wires).
- Range is limited to 12,000 ft (3658.5 m); signal repeaters can extend the service.
- Used primarily for digital-loop carrier systems, interexchange points of presence (POPs), and private data networks.
- HDSL-2 is a two-wire version that provides the same speeds, or double the speed with four wires.

SDSL – Symmetric DSL

- Provides equal bandwidth for both the uplink and downlink lines.
- Targeted to business customers to replace their more expensive T1 circuits.
- Uses a single twisted-pair line.
- Operating range limited to 22,000 ft.

SDSL – Symmetric DSL

- Often marketed as business DSL.
- Speeds up to 2.3 Mbps.
- Service examples are:
  - 144 kbps symmetric
  - 192 kbps symmetric
  - 384 kbps symmetric
  - 768 kbps symmetric
  - 1.1 Mbps symmetric
  - 1.5 Mbps symmetric

IDSL – ISDN DSL

- Developed to provide DSL service to locations using existing ISDN facilities.
- Redirects ISDN traffic to a DSLAM.
- Maintains all the electrical capabilities of ISDN.
- CPE is still any ISDN Basic Rate Interface (BRI) bridge/router.
- Provides a flat rate for the ISDN-type service versus the per-call rate of ISDN.
- Provides the same data capabilities over longer local loop facilities.
- IDSL is cheaper than ISDN.

VDSL – Very High Rate DSL

- Asymmetric DSL services at speeds much greater than ADSL.
- Uses a single pair to provide up to 52 Mbps downlink speeds and up to 16 Mbps uplink speeds.
- Only selected areas offer VDSL.
- Limited to 4000 ft from the central office.

LRE over VDSL

- Provides Ethernet services over existing Category 1/2/3 twisted-pair wiring.
- Speeds from 5 to 15 Mbps (full duplex).
- Distances up to 5000 ft.

DSL Specifications

VPNs

Foundation

- VPNs create private tunnels across the Internet.
- Create these tunnels from a single host to a VPN concentrator.
- Create site-to-site tunnels between offices.

VPN Tunnels

You can use several different technologies to create VPN tunnels:

- GRE
- Point-to-Point Tunneling Protocol (PPTP)
- Microsoft Point-to-Point Encryption (MPPE)
- VPDN
- IPSec
- MPLS

GRE

- Cisco tunneling protocol that encapsulates entire packets into new IP headers.
- Creates a virtual point-to-point link between two Cisco routers.
- The new header has the source and destination addresses of the tunnel end points.
- The virtual link crosses an IP network.
- Described in RFC 1701.
- Created to tunnel IP and other packet types: encapsulated packets can be IP packets or non-IP packets, such as Novell IPX or AppleTalk packets.

PPTP

- Described in RFC 2637.
- Network protocol developed by a vendor consortium.
- Allows for transfers of data from client PCs to enterprise servers using tunneled PPP through an IP network.
- Client software is deployed in Windows 95, ME, NT, 2000, and XP.
- Cisco added support for PPTP to Cisco IOS routers, PIX Firewalls, and VPN concentrators.

MPPE

- Microsoft protocol.
- Part of Microsoft’s PPTP client VPN solution.
- Converts PPP packets into an encrypted form.
- Used for creating VPNs over dial-up networks.
- Most Cisco access platforms support MPPE.

VPDN

- A VPDN is a network that extends remote access to a private network using a shared infrastructure.
- Cisco protocol.
- Allows a private dial-in service to span across several remote-access servers (RAS).

VPDN

- Uses Layer 2 tunnel technologies to extend the network connection from a remote user across an Internet service provider (ISP) network to a private network.
- Layer 2 technologies include:
  - Layer 2 Forwarding Protocol (L2F)
  - Layer 2 Tunnel Protocol (L2TP)
  - PPTP

VPDN

- No need to connect to the central office through the PSTN.
- VPDN users connect to the local ISP.
- The ISP forwards the PPP session to a tunnel server.
- Forwarding calls through the Internet will save money.

VPDN Tunnel

IPSec

- Provides a set of security services at the IP layer.
- Architecture defined in RFC 2401.
- Both IPv4 and IPv6 can use IPSec.
- IPSec is a set of protocols, key management, and algorithms for authentication and encryption.

IPSec

- Two central protocols for IPSec are IP AH and ESP.
- AH:
  - provides data-connection integrity and data-origin authentication for connectionless IP communications
  - can be used alone or with ESP
  - described in RFC 2402
- ESP:
  - provides data confidentiality, data-origin authentication, and limited traffic-flow confidentiality
  - described in RFC 2406

IPSec - IKE

- IPSec uses the Internet Key Exchange (IKE) protocol for the automatic exchange of keys to form security associations (SAs) between two systems.
- IKE is not used if the SAs are configured manually.
- IKE eliminates the need to manually specify all of the IPSec SA parameters on both peers and allows encryption keys to change during IPSec sessions.
- IKE is described in RFC 2409.

IPSec Algorithms

- The ESP protocol uses encryption algorithms such as DES and 3DES for bulk encryption and for data confidentiality during the IKE key exchange.

IPSec Connection Steps

IPSec operation follows five steps:

- Step 1: Process initiation. Specification of the type of traffic to be encrypted.
- Step 2: IKE Phase 1. Authenticates the IPSec peers and sets up a secure channel between the peers to enable IKE exchanges.
- Step 3: IKE Phase 2. Negotiates the IPSec SA.
- Step 4: Data transfer.
- Step 5: Tunnel termination. The tunnel is terminated if the IPSec SAs are deleted or their lifetimes expire.

AH

- Provides connectionless integrity (data integrity) for packet headers and data payload, and authentication.
- Does not provide confidentiality.
- Authentication comes from applying a one-way hash function to the packet to create a message digest.

AH Hash

AH - Hash

- Not all the IP header fields are used to hash the IP header.
- Fields that change in transit are not part of the hash process, for example Time-To-Live.
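To make the AH slides concrete, the following added example (not code from the original slides) builds an IPv4 packet carrying an AH header, computes the ICV with HMAC-SHA-1 truncated to 96 bits as RFC 2404 specifies, and zeroes the full RFC 2402 set of mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum), which goes beyond the single TTL example on the slide. The key, addresses, SPI and payload are constructed sample values; a transit router that decrements TTL does not break verification, while a changed source address or payload does.

```python
import hmac
import hashlib
import ipaddress
import struct

# Constructed 160-bit key for HMAC-SHA-1 (RFC 2404); the ICV keeps the first 96 bits.
KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
AH_PROTO = 51          # IP protocol number of AH
AH_LEN = 24            # 12 fixed header bytes + 12-byte (96-bit) ICV

def ipv4_header(src, dst, total_len, ttl=64, tos=0, ident=0x1234):
    """Minimal 20-byte IPv4 header; checksum left at 0 since AH excludes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0x4000, ttl,
                       AH_PROTO, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def zero_mutable_fields(ip_hdr):
    """RFC 2402: TOS, flags/fragment offset, TTL and header checksum may change in
    transit, so they are zeroed before hashing; addresses and protocol are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # Type of Service
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # Time-To-Live
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv):
    payload_len = AH_LEN // 4 - 2   # AH length in 32-bit words minus 2 (RFC 2402)
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def compute_icv(ip_hdr, next_hdr, spi, seq, payload, key=KEY):
    # the ICV field itself is all zeros while the MAC is computed
    ah_zeroed = ah_header(next_hdr, spi, seq, b"\x00" * 12)
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zeroed + payload, hashlib.sha1)
    return mac.digest()[:12]   # HMAC-SHA-1-96 truncation

def build_ah_packet(src, dst, payload, next_hdr=17, spi=0x100, seq=1, ttl=64):
    """Sender: IPv4 header, AH header (transport mode), then the UDP payload."""
    ip_hdr = ipv4_header(src, dst, 20 + AH_LEN + len(payload), ttl=ttl)
    icv = compute_icv(ip_hdr, next_hdr, spi, seq, payload)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload

def verify_ah_packet(pkt, key=KEY):
    """Receiver: recompute the ICV over the received packet and compare in constant time."""
    ip_hdr, ah, payload = pkt[:20], pkt[20:20 + AH_LEN], pkt[20 + AH_LEN:]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(ip_hdr, next_hdr, spi, seq, payload, key)
    return hmac.compare_digest(ah[12:], expected)

def router_hop(pkt):
    """Simulated transit router: decrements TTL (checksum not recomputed here)."""
    p = bytearray(pkt)
    p[8] -= 1
    return bytes(p)
```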

ESP

- Provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service, and limited traffic-flow confidentiality, as negotiated by the end points when they establish an SA.
- Packet authentication is provided by an optional field.
- Authentication is performed after encryption.
- Encryption through 56-bit DES and 3DES.

ESP Tunnel Mode

- Provides protection of the IP header fields only in tunnel mode.
- The original IP header and payload are encrypted.

ESP Transport Mode

- Only the IP data is encrypted.
- ESP inserts an IPSec header between the original IP header and the encrypted data.

DES and 3DES

- DES is an older U.S. Government-approved standard widely used for encryption.
- Uses a 56-bit key to scramble and unscramble messages.
- Exported DES uses a 40-bit version.
- DES breaks data into 64-bit blocks and then processes it with a 56-bit shared secret key.

DES and 3DES

- The latest DES standard uses a 3-by-56-bit key (a 168-bit key), called Triple DES.
- Input is encrypted three times: data is broken into 64-bit blocks, and 3DES then processes each block three times, each time with an independent key.

DES and 3DES

- Two IPSec peers must first exchange their shared secret key.
- They can then encrypt and decrypt the message, or generate and verify a message authentication code.
- After the two IPSec peers obtain their shared keys, they can use DES or 3DES for data encryption.

HMACs

- Both AH and ESP use HMACs to ensure data integrity and authentication.
- HMACs use hash functions and private keys to perform message authentication.
- IPSec specifies the use of HMAC-MD5 and HMAC-SHA-1 for IKE and IPSec.

MD5

- A hash algorithm used to authenticate packet data.
- Uses a 128-bit key to perform a hash function to produce a 128-bit authentication value of the input data.
- The message digest serves as a signature of the data.
- The signature is inserted into the AH or ESP headers.
- The receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet.

SHA-1

- A hash algorithm used to authenticate packet data.
- Uses a 160-bit secret key to produce a 160-bit authentication value of the input data.
- The signature is inserted into the AH or ESP headers.
- The receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet.
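The HMAC, MD5 and SHA-1 slides above describe the keyed-hash construction and the receiver-side comparison; this added example (not part of the original slides) implements HMAC exactly as RFC 2104 defines it for both MD5 and SHA-1, applies the 96-bit truncation that RFC 2403/2404 specify for the value carried in AH and ESP, and cross-checks the result against Python's standard hmac module. Keys and messages in the checks are the published RFC 2202 test vectors.

```python
import hashlib
import hmac

def hmac_rfc2104(key, message, hash_name):
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || message)).
    hash_name is "md5" or "sha1", the two hash functions IPSec specifies."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for both MD5 and SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()     # over-long keys are hashed first
    key = key.ljust(block_size, b"\x00")               # shorter keys are zero-padded
    inner_key = bytes(b ^ 0x36 for b in key)           # K xor ipad
    outer_key = bytes(b ^ 0x5C for b in key)           # K xor opad
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()

def ipsec_auth_value(key, packet, hash_name):
    """HMAC-MD5-96 / HMAC-SHA-1-96 (RFC 2403 / RFC 2404): the authenticator placed in
    the AH or ESP authentication field is the leading 96 bits of the full HMAC."""
    return hmac_rfc2104(key, packet, hash_name)[:12]

def receiver_accepts(key, packet, received_value, hash_name):
    """Receiving peer recomputes the value over the packet it got and compares it,
    in constant time, with the value carried in the header."""
    return hmac.compare_digest(ipsec_auth_value(key, packet, hash_name), received_value)

def matches_stdlib(key, message, hash_name):
    """Cross-check the hand-rolled construction against Python's hmac module."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()
```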

Diffie-Hellman

- A key-agreement algorithm used by two end devices to agree on a shared secret key.
- IKE uses Diffie-Hellman for key exchange during IKE Phase 1.
- The secret keys are then used by encryption algorithms.

Diffie-Hellman: How it Works

- Each Diffie-Hellman peer generates a public and private key pair.
- The public key is calculated from the private key.
- The private key is kept secret.
- Public keys are exchanged between the peers.
- Each peer then computes the same shared secret number by combining the other’s public key and its own private key.
- The shared secret number is converted into a shared secret key.
- The shared secret key is never exchanged.
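The steps on the slide, written out as an added example (not code from the original slides): each peer derives its public value from a private value, only the public values cross the wire, and both sides arrive at the same secret number, which is then hashed into key material. The 64-bit prime and generator are toy parameters constructed for illustration; a real IKE Phase 1 exchange uses one of the RFC 2409 MODP groups, and IKE derives keys through its PRF rather than a bare SHA-1 as assumed here.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: 2**64 - 59 is prime but far too small
# for real use; IKE negotiates a 1024-bit or larger MODP group from RFC 2409.
P = 0xFFFFFFFFFFFFFFC5
G = 2

class DHPeer:
    """One IKE peer. The private value never leaves the object; only `public` is sent."""
    def __init__(self, private=None):
        # private value is generated locally (or supplied for reproducible checks)
        self.private = private if private is not None else secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)   # public key calculated from the private key

    def shared_secret(self, other_public):
        # reject degenerate peer values (0, 1, p-1) that would force a predictable secret
        if not 1 < other_public < P - 1:
            raise ValueError("invalid peer public value")
        # combine the other's public key with our own private key: (g^y)^x = g^(xy) mod p
        return pow(other_public, self.private, P)

    def shared_key(self, other_public, length=20):
        # the shared secret number itself is never transmitted; it is converted into
        # a shared secret key by hashing (simplified stand-in for IKE's PRF derivation)
        width = (P.bit_length() + 7) // 8
        secret_bytes = self.shared_secret(other_public).to_bytes(width, "big")
        return hashlib.sha1(secret_bytes).digest()[:length]

def run_exchange(a_private=None, b_private=None):
    """Full exchange between two peers; returns the key each side derived."""
    alice, bob = DHPeer(a_private), DHPeer(b_private)
    # only alice.public and bob.public would be observable on the wire
    return alice.shared_key(bob.public), bob.shared_key(alice.public)
```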

WAN Design Using IPSec Tunnels

- Enterprises can reduce their WAN costs by replacing traditional circuits (FR/ATM/dedicated circuits) with site-to-site VPN tunnels over the Internet.
- Point-to-point IPSec tunnels replace the permanent circuits.
- Access to the Internet can come from dial-up, cable-modem, or DSL technologies.

WAN Design Using IPSec Tunnels

MPLS

- A transport service that can provide VPNs.
- An advantage of using MPLS for VPN service is the ability to offer service guarantees.
- Guarantees are not currently possible when using the Internet to transport VPNs.

MPLS

- Specifies ways that you can map Layer 3 traffic to connection-oriented Layer 2 transport protocols.
- Adds a label containing specific routing information to each IP packet, directing traffic through explicitly defined paths.

MPLS

- Allows managers to implement policies to assign labels to various classes of traffic.
- Enables the service providers to offer different classes of service (CoSs) to different traffic types or from different customers.
- SPs can provide VPN services provisioned to give the appropriate priority to premium customers.

MPLS Label

- The MPLS label is inserted between the Layer 2 header and the Layer 3 header of a Layer 2 frame.
- Applies for Packet over SONET (POS), Ethernet, Frame Relay, and labels over ATM.
- In ATM networks with label switching, the label is mapped into the virtual path identifier/virtual channel identifier (VPI/VCI) fields of the ATM header.
- The MPLS label field is 32 bits in length; the actual label (tag) is 20 bits.
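The 32-bit label field described above, as an added example (not code from the original slides): it packs the 20-bit label together with the remaining fields of the RFC 3032 shim (3-bit EXP, bottom-of-stack bit, 8-bit TTL), inserts the shim between an Ethernet header and the IP header the way an edge LSR does, and walks a label stack back to the Layer 3 header. The MAC addresses and IP bytes in the checks are constructed sample values.

```python
import struct

MPLS_UNICAST_ETHERTYPE = 0x8847    # EtherType announcing that a label stack follows
LABEL_MAX = (1 << 20) - 1          # the label itself is 20 of the 32 bits

def encode_label_entry(label, exp=0, bottom=False, ttl=64):
    """Pack one 32-bit label stack entry (RFC 3032): 20-bit label, 3-bit EXP
    (class-of-service bits), 1-bit bottom-of-stack flag, 8-bit TTL."""
    if not 0 <= label <= LABEL_MAX:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp <= 7 or not 0 <= ttl <= 255:
        raise ValueError("EXP is 3 bits, TTL is 8 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)

def decode_label_stack(data, offset=0):
    """Read entries until the bottom-of-stack bit is set; return the entries and
    the offset at which the Layer 3 header begins."""
    entries = []
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack runs past the end of the frame")
        (word,) = struct.unpack("!I", data[offset:offset + 4])
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, offset

def push_label(dst_mac, src_mac, ip_packet, label, exp=0, ttl=64):
    """Edge LSR: Ethernet frame with the shim inserted between the Layer 2 header
    (14 bytes) and the Layer 3 header."""
    l2 = dst_mac + src_mac + struct.pack("!H", MPLS_UNICAST_ETHERTYPE)
    return l2 + encode_label_entry(label, exp, bottom=True, ttl=ttl) + ip_packet

def pop_labels(frame):
    """Egress LSR: strip the whole label stack from an Ethernet frame and return
    (entries, IP packet) for forwarding outside the MPLS network."""
    entries, l3_offset = decode_label_stack(frame, offset=14)
    return entries, frame[l3_offset:]
```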

MPLS Labels

- MPLS adds labels to the packets at the edge of the network and removes them at the other end.
- Labels are assigned to packets based on a grouping; each group is assigned a service class.
- The core of the network reads the labels and provides the appropriate services.

MPLS Label Switch Routers

- LSRs forward packets based on the label and not on routing protocols.
- If the MPLS network uses ATM, the LSRs are called ATM LSRs.
- The edge LSR is responsible for adding the label to the packet; the label is removed before the packet is sent from the MPLS network.

MPLS LSRs

MPLS VPN Router Types

MPLS VPN architectures have four router types:

- P router—The service provider’s internal core routers. These routers do not have to maintain VPN routes.
- C router—The customer’s internal routers. They do not connect to the provider. These routers do not maintain VPN routes.
- CE router—The edge routers on the customer side that connect to the service provider. These routers do not maintain VPN routes.
- PE router—The edge routers on the service-provider side that connect with the customer’s CE routers. PE routers maintain VPN routes for the VPNs associated with the connected interfaces.

MPLS VPN Routers

WAN Design Using MPLS VPNs

- Each site in the VPN service is a peer.
- Because of the peering of all sites, a logical mesh topology is acquired.
- The SP contracts CoSs for the enterprise.
- The SP benefits because it can isolate customers into security groups, provide CoSs, and scale VPN networks.

WAN Design Using MPLS VPNs

DSL Summary

VPN Summary