CE443 – Computer Networks

Virtual Private Network
VPN, VRF, and MPLS

Behnam Momeni
Computer Engineering Department

Sharif University of Technology

Acknowledgments: Lecture slides are from the Computer Networks course taught by Jennifer Rexford at Princeton University. When slides are obtained from other sources, a reference will be noted on the bottom of that slide. A full list of references is provided on the last slide.



Appliances


At Connection Point to the Internet

• Improve performance between edge networks

– E.g., multiple sites of the same company

– Through buffering, compression, caching, …

• Incrementally deployable

– No changes to the end hosts or the rest of the Internet

– Inspects the packets as they go by, and takes action

[Figure: an appliance at each site, connected across the Internet]


Example: Improve TCP Throughput

• Appliance with a lot of local memory

• Sends ACK packets quickly to the sender

• Overwrites the receive window with a large value

• Or, even run a new and improved version of TCP

[Figure: an appliance at each site, connected across the Internet; the near-side appliance returns the ACK]


Example: Compression

• Compress the packet

• Send the compressed packet

• Uncompress at the other end

• Maybe compress across successive packets

[Figure: an appliance at each site, connected across the Internet]


Example: Caching

• Cache copies of the outgoing packets

• Check for sequences of bytes that match past data

• Just send a pointer to the past data

• And have the receiving appliance reconstruct

[Figure: an appliance at each site, connected across the Internet]
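The caching slide describes the sending appliance remembering bytes it has already sent and emitting a pointer to past data when the same bytes come around again, with the receiving appliance reconstructing the original. The following Python is an added illustration of that idea and is not code from the lecture or from any product: it chunks the payload into fixed-size blocks (real WAN optimizers use larger, usually content-defined chunks and a bounded cache), uses a SHA-256 digest as the pointer, and has the receiver fail closed on a pointer it has never seen. The chunk size, token format and sample payload are all constructed for the example.

```python
import hashlib
import struct

# Hypothetical wire format for this illustration (not any real appliance's protocol):
#   raw token : 1-byte tag 0, 2-byte length, the chunk bytes
#   ref token : 1-byte tag 1, 32-byte SHA-256 of a chunk sent earlier
CHUNK_SIZE = 64
TOKEN_RAW, TOKEN_REF = 0, 1


def fingerprint(chunk: bytes) -> bytes:
    """Content hash used as the 'pointer to the past data'."""
    return hashlib.sha256(chunk).digest()


class DedupSender:
    """Sending appliance: remembers chunks it has sent, emits pointers for repeats."""

    def __init__(self, chunk_size: int = CHUNK_SIZE):
        self.chunk_size = chunk_size
        self.seen = set()

    def encode(self, payload: bytes) -> bytes:
        out = bytearray()
        for off in range(0, len(payload), self.chunk_size):
            chunk = payload[off:off + self.chunk_size]
            fp = fingerprint(chunk)
            if fp in self.seen:
                # Repeat: 33 bytes on the wire instead of the chunk itself
                out += struct.pack("!B", TOKEN_REF) + fp
            else:
                self.seen.add(fp)
                out += struct.pack("!BH", TOKEN_RAW, len(chunk)) + chunk
        return bytes(out)


class DedupReceiver:
    """Receiving appliance: stores raw chunks and resolves pointers against them."""

    def __init__(self):
        self.store = {}

    def decode(self, wire: bytes) -> bytes:
        out = bytearray()
        pos = 0
        while pos < len(wire):
            tag = wire[pos]
            pos += 1
            if tag == TOKEN_RAW:
                (n,) = struct.unpack_from("!H", wire, pos)
                pos += 2
                chunk = wire[pos:pos + n]
                if len(chunk) != n:
                    raise ValueError("truncated raw chunk")
                pos += n
                self.store[fingerprint(chunk)] = chunk
                out += chunk
            elif tag == TOKEN_REF:
                fp = wire[pos:pos + 32]
                pos += 32
                # A pointer to data this side never received is a protocol error;
                # do not guess, fail closed.
                if fp not in self.store:
                    raise ValueError("reference to unknown chunk")
                out += self.store[fp]
            else:
                raise ValueError("unknown token tag %d" % tag)
        return bytes(out)


def demo():
    """Constructed sample: the same 64-byte block three times, then a short tail.
    Returns (original length, bytes on the wire, reconstructed payload)."""
    payload = (b"A" * 64) * 3 + b"tail"
    sender, receiver = DedupSender(), DedupReceiver()
    wire = sender.encode(payload)
    return len(payload), len(wire), receiver.decode(wire)
```

Because the cache is shared state between the two appliances and works on plaintext, it has to sit on the site side of the encryption step described two slides later; a pointer is only meaningful to the peer that holds the same chunk store.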


Example: Encryption

• Two sites share keys for encrypting traffic

• Sending appliance encrypts the data

• Receiving appliance decrypts the data

• Protects the sites from snoopers on the Internet

[Figure: an appliance at each site, connected across the Internet]

Security

Cryptography vs. Isolation

Symmetric Cryptography

[Peterson]

Asymmetric Cryptography

[Peterson]

Information Security

● Confidentiality

– Encryption/Decryption

● Key is required for access to plain text (e.g. SSH, TLS)

– Isolation / Reference Monitor

● Adversary has no read access to data by design (e.g. Firewall, VLAN)

● Integrity

– Authentication Code

● Key is required to generate the correct code (e.g. HMAC, Watermarking)

– Isolation

● Adversary has no write access to data by design (e.g. File System ACLs)

● Availability

– Isolation

● Dedicated resources for different users (e.g. Integrated Services in QoS)

Virtual Private Network

VPN

Layer 3 VPN

● IP Tunnel

– Put a complete IP packet (i.e. IP header, Transport header, PDU) in the payload of another IP packet

● Connectivity

– Two end hosts

– A host to a network

– Two networks

● Overlay Network

– Doesn't need any special support from the middle routers

Secure Shell (SSH)

● Proxy Scenario

– Port Forwarding / SOCKS Proxy

– Transport Layer (TCP)

● Three TCP connections are involved

– Client connects to one end point of SSH connection

– Payload is extracted and transferred through the SSH connection

– Payload is forwarded over the third connection

● From the other end point of SSH connection to the server

● VPN Scenario

– Linux TUN Devices (Layer 3 VPN)

● Carries IP packet as a payload within the SSH connection

– Linux TAP Devices (Layer 2 VPN)

Secure Shell (SSH)

● SSH-CONN Protocol

[Peterson]


BGP/MPLS IP Layer 3 VPN

● Border Gateway Protocol (BGP)

– Allows routers to exchange routing information over TCP

– eBGP: Between Autonomous Systems

– iBGP: Within An Autonomous System

– Will be covered in detail in future lectures

● Multiprotocol Label Switching (MPLS)

– Layer 2.5

– Stack of labels / Switching based on labels instead of IP addresses

● VPN Routing and Forwarding (VRF)

– An IP routing table which is kept for a VPN instance

Terminology

● Service Provider (SP)

– The backbone network which provides VPN service

● Customer

– The client which has a contract with SP to receive VPN service

– Has multiple Sites

● Site

– One or more networks of a customer which can communicate with each other without using the VPN service, and whose direct communication path is preferred over the VPN service

– Usually each site consists of hosts in one geographical location, but it may consist of multiple geographically separate networks which are connected, for example using a leased line

– One topological (instead of geographical) set of hosts and routers

Terminology

● Customer Edge Router (CE)

– A customer's router which is connected to the SP's network

● Customer Router (C)

– Any customer's router which is not a CE

● Provider Edge Router (PE)

– An SP router which is connected to the customer's network

● Provider Router (P)

– An SP router which is not a PE

● Attachment Circuit

– The layer 2 mechanism which connects a CE to a PE

– For example, ATM Virtual Circuits (VCs), Frame Relay VCs, Ethernet interfaces, Virtual Local Area Network (VLAN) on Ethernet interfaces, Layer 2 Tunneling Protocol (L2TP) tunnels, IPsec tunnels, and so on

Terminology

● Interior Gateway Protocol (IGP)

– Any routing protocol which can be used within an Autonomous System (AS)

– For example: OSPF and RIP

● Exterior Gateway Protocol (EGP)

– Any routing protocol which can be used between ASes

– For example: eBGP

Topology

● Site

– Every site can be part of one or more VPN instances

– It must have at least one CE

– It may optionally be divided into smaller networks, for example using VLANs

● CE – PE Relationship

– The PE recognizes a CE based on the physical interface used by that CE

– And optionally on parts of the layer 2 header used by the CE (for example the VLAN ID)

● VPN Routing and Forwarding (VRF)

– PE assigns packets of each CE to one or more VRF tables by configuration

– Needs a method to populate routing entries in a VRF table

VPN Routing and Forwarding (VRF)

● Tunneling

– It is not required to distinguish VPNs based on tunneled packets

– It is possible to distinguish them based on layer 2 information

● For example: physical Interface of incoming packet + VLAN ID

– Incoming packets: Ingress

– Outgoing packets: Egress

● Strawman Solution

– Run a different IGP instance per VPN to populate VRF tables

● Five independent OSPF instances for five VPNs

● Security Impacts

– How to isolate routing of different customers?

– What about overlapping addressing spaces?

● Scalability Problem

– SP network is the same for all customers; repeated in all IGP instances

Populating VRF Table

● Two kinds of routes

– Customer routes which can be learned from CE

– SP routes which are independent of VPNs

● CE Routes

– Static Configuration (admin knows address space of each CE)

– PE and CE can be IGP peers (e.g. speak OSPF with each other)

– PE and CE can be BGP peers (i.e. they speak eBGP)

● SP Routes

– One IGP instance in the SP network

– Security concerns: SP routing is independent of customers

– Scalability: there is only one running IGP instance

● Combining two kinds of routing information

Border Gateway Protocol (BGP)

● PE routers speak iBGP with each other

– Share routes which are learned from CE routers of one VPN instance

– Populate all learned routes in corresponding VRF table

● Overlapping Address Spaces

– Prepend an 8-byte Route Distinguisher (RD) to the 4-byte IP address

– RD contains AS number and an administrator assigned number

● VPN-IPv4 Address Family

– Use Multiprotocol extensions for BGP (BGP-MP)

● iBGP Sessions

– Full mesh between PE routers or

– Using Route Reflectors (RR)
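The slide handles overlapping customer address spaces by prepending an 8-byte Route Distinguisher to each 4-byte IPv4 address, giving the 12-byte VPN-IPv4 address family carried by BGP-MP. The Python below is an added example, not from the lecture or from RFC 4364's text: it encodes the type-0 RD (AS number plus administrator-assigned number), forms the VPN-IPv4 NLRI, and shows two customers both advertising 10.0.0.0/24 landing in different VRFs with different egress PEs and VPN labels. Importing into a VRF by matching the RD is a simplification made here for brevity; real deployments use Route Target extended communities for import and export policy. All addresses, AS numbers and labels are constructed.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def make_rd(asn: int, assigned: int) -> bytes:
    """Type 0 Route Distinguisher (RFC 4364 section 4.2): 2-byte type 0,
    2-byte AS number, 4-byte administrator-assigned number."""
    if not 0 <= asn < 2 ** 16 or not 0 <= assigned < 2 ** 32:
        raise ValueError("type-0 RD needs a 16-bit AS number and a 32-bit assigned number")
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_ipv4(rd: bytes, prefix: IPv4Network) -> bytes:
    """VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 network address.
    The prefix length is carried beside it in the BGP-MP NLRI, so callers keep it separately."""
    if len(rd) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    return rd + prefix.network_address.packed


def format_vpn_ipv4(addr: bytes, plen: int) -> str:
    _rd_type, asn, assigned = struct.unpack("!HHI", addr[:8])
    return "RD %d:%d %s/%d" % (asn, assigned, IPv4Address(addr[8:]), plen)


@dataclass(frozen=True)
class VpnRoute:
    """What an egress PE advertises in iBGP for a prefix learned from its CE."""
    rd: bytes
    prefix: IPv4Network
    next_hop: str      # BGP next hop: the egress PE's own address
    vpn_label: int     # label the egress PE assigned to this FEC

    def nlri(self):
        return vpn_ipv4(self.rd, self.prefix), self.prefix.prefixlen


class Vrf:
    """Per-VPN routing table on a PE. Import here is keyed on the RD (simplification)."""

    def __init__(self, name: str, rd: bytes):
        self.name, self.rd = name, rd
        self.routes = {}

    def import_route(self, route: VpnRoute) -> bool:
        if route.rd != self.rd:
            return False   # another VPN's route, even though the IPv4 prefix may look identical
        self.routes[route.prefix] = route
        return True

    def lookup(self, dst: str) -> Optional[VpnRoute]:
        ip = IPv4Address(dst)
        matches = [r for p, r in self.routes.items() if ip in p]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def demo() -> dict:
    """Constructed sample: customers A and B both use 10.0.0.0/24 behind different egress PEs."""
    rd_a, rd_b = make_rd(65000, 100), make_rd(65000, 200)
    adverts = [
        VpnRoute(rd_a, IPv4Network("10.0.0.0/24"), next_hop="192.0.2.2", vpn_label=5001),
        VpnRoute(rd_b, IPv4Network("10.0.0.0/24"), next_hop="192.0.2.3", vpn_label=5002),
    ]
    nlri = sorted(format_vpn_ipv4(*r.nlri()) for r in adverts)   # two distinct NLRIs
    vrf_a, vrf_b = Vrf("CUST-A", rd_a), Vrf("CUST-B", rd_b)
    for r in adverts:
        vrf_a.import_route(r)
        vrf_b.import_route(r)
    return {"nlri": nlri, "a": vrf_a.lookup("10.0.0.9"), "b": vrf_b.lookup("10.0.0.9")}
```

The isolation property the earlier security slide asks for comes from the import step: a route only enters a VRF whose identifier matches, so customer B's 10.0.0.0/24 can never be selected for a packet that the PE has assigned to customer A's VRF.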

Routing Decision

● Find the egress PE router

– Based on iBGP information

● Find the next hop

– Based on IGP information

● Overhead

– Every router needs to know about the default routing table

● Populated by IGP

● This is normal; independent of VPNs

– Every router needs to know about all VRF tables of all VPNs

● To know about the egress PE router

● Could be removed with the help of tunneling

– Every router needs to know which VRFs should be used

● Based on layer 2 information?

● Tunneling can help here too

Tunneling

● Tunneling Technology

– IP Tunnel

● Scalability problem

● One full mesh of tunnels between PE routers per VPN instance

– Multiprotocol Label Switching (MPLS)

● Nested tunnels resolve the scalability problem

● One full mesh of outer tunnels between PE routers for all VPN instances

● One inner tunnel for each egress FEC advertised by each PE

● Quality of Service (QoS) / Class of Service (CoS)

– Can be assigned to tunnels

● Forwarding Equivalence Class (FEC)

– A set of addresses which can be routed/forwarded equivalently

Multiprotocol Label Switching (MPLS)

● Can encapsulate any packet (Ethernet Frame, IP Packet, etc.)

● Can be forwarded over any layer 2 link

– Acts as a glue

– Prepends a label header to the packet

● Label Pushing

– At the ingress node, based on FEC of the packet, a label is pushed

● Label Swapping

– At intermediate routers, the label is swapped and the packet is forwarded

– A map from (ingress interface, label) to (egress interface, new label)

● Label Popping

– At the egress router, label is popped, followed by normal forwarding

● Based on FEC

Multiprotocol Label Switching (MPLS)

● Supports a stack of labels

– Each label header contains a 20-bit label

● And one bit to indicate the last label in the label stack

– Adding a label header is useful for combining multiple tunnels into an outer tunnel

● Label Switching Router (LSR)

● Label Switching Path (LSP)

● Traffic Engineering

– Select LSPs based on QoS/CoS features (RSVP-TE and LDP)

● Nested Tunnels

– Reduce number of required labels

– Common parts of LSPs can be replaced by an outer label
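The two MPLS slides describe the label header (a 20-bit label plus a bottom-of-stack bit), pushing at ingress, swapping at intermediate LSRs, popping at egress, and nesting an inner tunnel under an outer one. The Python below is an added example of that wire format and those three operations; it is not code from the lecture. The 32-bit entry layout (label, 3-bit traffic class, S bit, 8-bit TTL) and the reserved label values come from RFC 3032; the label numbers and the payload stand-in are constructed.

```python
import struct

# Label values 0..15 are reserved (RFC 3032). 3 is "implicit null": an egress
# signals it to request penultimate hop popping; it never appears on the wire.
IMPLICIT_NULL = 3
FIRST_UNRESERVED_LABEL = 16


def encode_entry(label: int, tc: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    """One 32-bit label stack entry: Label (20 bits) | TC (3) | S (1) | TTL (8)."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 8 or not 0 <= ttl < 256:
        raise ValueError("TC is 3 bits, TTL is 8 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_entry(entry: bytes) -> dict:
    (word,) = struct.unpack("!I", entry[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}


def encode_stack(labels: list, payload: bytes, ttl: int = 64) -> bytes:
    """Labels are given top first; only the innermost (last) entry carries S=1."""
    entries = [encode_entry(lbl, bottom=(i == len(labels) - 1), ttl=ttl)
               for i, lbl in enumerate(labels)]
    return b"".join(entries) + payload


def decode_stack(packet: bytes):
    """Walk entries until the S bit is set; return (entries, payload after the stack)."""
    entries, off = [], 0
    while True:
        if len(packet) - off < 4:
            raise ValueError("ran off the packet before a bottom-of-stack bit")
        entry = decode_entry(packet[off:off + 4])
        entries.append(entry)
        off += 4
        if entry["bottom"]:
            return entries, packet[off:]


def swap_top(packet: bytes, new_label: int) -> bytes:
    """Label swapping at an LSR: replace the outgoing label, decrement TTL, keep TC and S."""
    top = decode_entry(packet)
    if top["ttl"] <= 1:
        raise ValueError("TTL expired: drop rather than forward in a loop")
    if new_label < FIRST_UNRESERVED_LABEL:
        raise ValueError("reserved label values are not used as outgoing labels")
    return encode_entry(new_label, top["tc"], top["bottom"], top["ttl"] - 1) + packet[4:]


def pop_top(packet: bytes):
    """Label popping: remove the outermost entry; returns (popped entry, rest of packet)."""
    return decode_entry(packet), packet[4:]


def demo() -> dict:
    """Constructed sample: a VPN label (inner tunnel) nested under a tunnel label (outer tunnel)."""
    ip_packet = b"<inner IPv4 packet bytes>"           # stand-in for a customer packet
    at_ingress = encode_stack([1000, 7001], ip_packet)  # ingress PE: VPN label 7001 below tunnel label 1000
    at_p1 = swap_top(at_ingress, 1001)                  # intermediate LSR swaps the outer label
    popped, at_pe2 = pop_top(at_p1)                     # penultimate hop pops the tunnel label
    remaining, payload = decode_stack(at_pe2)           # egress PE sees only the VPN label, S=1
    return {"ingress_hex": at_ingress[:8].hex(), "after_swap": decode_entry(at_p1),
            "popped": popped, "remaining": remaining, "payload": payload}
```

Note what an intermediate LSR does and does not look at: `swap_top` touches only the first four bytes, so the customer's IP header, and the VPN label beneath the tunnel label, are never consulted in the core, which is the basis of the scalability argument on the tunneling slide.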

Label Stack – MPLS-BGP

● Every PE router adds a label to its learned prefixes

– PE learns routes to some FEC from CE

– PE assigns (locally) a label to that FEC before advertising it in iBGP

– Labeled addresses will be advertised in iBGP sessions using MPLS-BGP

– This label is called VPN Label

● Ingress PE adds the VPN label at the bottom of the label stack

– The ingress PE, like other PE routers, learns the advertised labeled addresses

– It imports those paths into corresponding VRF tables

– Destination IP address of ingress packet is looked up in the VRF

– VPN label is pushed as the only label of packet

● Converting IP packet to an MPLS packet

Label Stack – Forwarding

● Ingress PE knows about egress PE

– PE found BGP next hop and pushed corresponding VPN label

– It knows a path towards egress PE through IGP

– There is one LSP between those PE routers

● Its label at the ingress PE is called the Tunnel Label

● The tunnel label will be swapped along the LSP

– Every middle LSR swaps the outer tunnel label and forwards it

– Other labels may be pushed and popped during the path

– The egress PE, or in the case of penultimate hop popping the LSR before it, pops the tunnel label

● Egress PE decides based on VPN label

– Egress PE pops the VPN label which is the last label

– Selects related VRF, and routes based on FEC of the normal packet
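The last three slides together describe one forwarding path: the ingress PE picks a VRF from the attachment circuit, looks the destination up in that VRF to get the egress PE and VPN label, pushes the VPN label and then the tunnel label, the P routers swap the outer label, the penultimate hop pops it, and the egress PE uses the VPN label to select the VRF before a normal IP lookup. The Python below is an added simulation of that control and forwarding state, not code from the lecture: it tracks labels as plain integers rather than wire bytes. The topology, interface names (simplified to the name of the neighbouring node), addresses and labels are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Packet:
    dst: str
    labels: list = field(default_factory=list)   # label stack, top first
    trace: list = field(default_factory=list)    # (node, stack after that node)


def longest_match(table: dict, dst: str):
    """Normal IP lookup: the most specific prefix wins; None if nothing matches."""
    ip = IPv4Address(dst)
    hits = [net for net in table if ip in net]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None


class IngressPE:
    def __init__(self, name, vrf_by_circuit, vrf_routes, tunnel_to):
        self.name = name
        self.vrf_by_circuit = vrf_by_circuit  # (interface, VLAN id) -> VRF name
        self.vrf_routes = vrf_routes          # VRF -> {IPv4Network: (egress PE, VPN label)} from iBGP
        self.tunnel_to = tunnel_to            # egress PE -> (next hop, tunnel label) from IGP/LDP

    def forward(self, pkt, circuit):
        # Layer 2 information (the attachment circuit) selects the VRF; the customer's IP
        # header never does, so overlapping address spaces cannot cross between VRFs.
        vrf = self.vrf_by_circuit[circuit]
        hit = longest_match(self.vrf_routes[vrf], pkt.dst)
        if hit is None:
            raise LookupError("VRF %s has no route to %s" % (vrf, pkt.dst))
        egress_pe, vpn_label = hit
        next_hop, tunnel_label = self.tunnel_to[egress_pe]
        pkt.labels = [tunnel_label, vpn_label]   # VPN label at the bottom, tunnel label on top
        pkt.trace.append((self.name, list(pkt.labels)))
        return next_hop


class LSR:
    """P router: (incoming interface, label) -> (next hop, action, new label). Never looks at IP."""
    def __init__(self, name, table):
        self.name, self.table = name, table

    def forward(self, pkt, in_iface):
        next_hop, action, new_label = self.table[(in_iface, pkt.labels[0])]
        if action == "swap":
            pkt.labels[0] = new_label
        elif action == "pop":          # penultimate hop popping of the tunnel label
            pkt.labels.pop(0)
        else:
            raise ValueError("unknown action %s" % action)
        pkt.trace.append((self.name, list(pkt.labels)))
        return next_hop


class EgressPE:
    def __init__(self, name, vrf_by_label, vrf_routes):
        self.name = name
        self.vrf_by_label = vrf_by_label      # VPN label this PE allocated -> VRF
        self.vrf_routes = vrf_routes          # VRF -> {IPv4Network: CE}

    def forward(self, pkt, in_iface):
        if len(pkt.labels) != 1:
            raise ValueError("expected only the VPN label after penultimate hop popping")
        vpn_label = pkt.labels.pop(0)
        if vpn_label not in self.vrf_by_label:
            raise LookupError("label %d was not allocated by %s: drop" % (vpn_label, self.name))
        vrf = self.vrf_by_label[vpn_label]
        pkt.trace.append((self.name, list(pkt.labels)))
        return longest_match(self.vrf_routes[vrf], pkt.dst), vrf


def build_network() -> dict:
    """Constructed topology PE1 - P1 - P2 - PE2; customers A and B both use 10.0.0.0/24."""
    net = IPv4Network("10.0.0.0/24")
    return {
        "PE1": IngressPE("PE1", {("ge-0", 10): "A", ("ge-0", 20): "B"},
                         {"A": {net: ("PE2", 5001)}, "B": {net: ("PE2", 5002)}},
                         {"PE2": ("P1", 1000)}),
        "P1": LSR("P1", {("PE1", 1000): ("P2", "swap", 1001)}),
        "P2": LSR("P2", {("P1", 1001): ("PE2", "pop", None)}),
        "PE2": EgressPE("PE2", {5001: "A", 5002: "B"},
                        {"A": {net: "CE-A2"}, "B": {net: "CE-B2"}}),
    }


def deliver(nodes: dict, circuit: tuple, dst: str):
    """Carry one packet from an ingress attachment circuit to the egress CE: (CE, VRF, trace)."""
    pkt = Packet(dst)
    prev, node = "PE1", nodes["PE1"].forward(pkt, circuit)
    while True:
        current = nodes[node]
        if isinstance(current, EgressPE):
            ce, vrf = current.forward(pkt, prev)
            return ce, vrf, pkt.trace
        prev, node = node, current.forward(pkt, prev)
```

Two points worth checking in the trace: the P routers carry no per-VPN state at all (one swap entry serves both customers), and the egress PE drops a packet whose VPN label it did not allocate instead of guessing a VRF, which is the check that keeps one customer's traffic from being injected into another's table.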

Example

[Christophe]

Virtual Private LAN Service

VPLS

Virtual Private LAN Service (VPLS)

● Legacy networks which do not use IP

– SNA, IPX, etc.

● Point to Point Layer 2 Connectivity

– Pseudo Wire (PW)

– Carry layer 2 frame instead of layer 3 packet in the MPLS packet

– No forwarding/routing decision is required

● Blindly forward everything from one end of the PW to the other

– Layer 2 header fields may be discarded

● VPN label is enough to restore them later

● Multipoint Layer 2 Connectivity

– Use PW as building blocks

– SP backbone network acts as a big switch

● MAC address learning and aging over PWs
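The multipoint bullet says the SP backbone acts as one big switch, with MAC address learning and aging over the pseudowires. The Python below is an added example of that learning bridge on a single PE, not code from the lecture: its ports are one local attachment circuit and pseudowires to the other PEs, it learns source MACs on the receiving port, ages entries out against a caller-supplied clock so the run is deterministic, and floods unknown destinations. The split-horizon rule it applies (a frame received over a pseudowire is never flooded to other pseudowires) is taken from RFC 4762, not from the slides. The MAC addresses and port names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    kind: str   # "ac" = attachment circuit to a local CE, "pw" = pseudowire to another PE


class VplsBridge:
    """One VPLS instance on a PE, behaving as a learning bridge over ACs and PWs."""

    def __init__(self, ports, age_limit: int = 300):
        self.ports = {p.name: p for p in ports}
        self.age_limit = age_limit
        self.fdb = {}   # MAC -> (port name, time last seen as a source)

    def expire(self, now: int) -> list:
        """Aging: forget MACs not seen as a source within age_limit; returns what was dropped."""
        stale = [mac for mac, (_, seen) in self.fdb.items() if now - seen > self.age_limit]
        for mac in stale:
            del self.fdb[mac]
        return stale

    def receive(self, src_mac: str, dst_mac: str, in_port: str, now: int) -> list:
        """Process one frame; returns the sorted list of ports it is sent out on."""
        if in_port not in self.ports:
            raise ValueError("unknown port %s" % in_port)
        self.expire(now)
        self.fdb[src_mac] = (in_port, now)        # learning: source lives behind in_port
        known = self.fdb.get(dst_mac)
        if known and known[0] != in_port:
            return [known[0]]                      # known destination: forward on one port
        if known and known[0] == in_port:
            return []                              # destination is on the same port: filter
        # Unknown destination (or broadcast): flood. Split horizon (RFC 4762): a frame
        # that arrived over a PW is not flooded to other PWs, because the PEs form a full
        # mesh and the originating PE has already reached them directly.
        from_pw = self.ports[in_port].kind == "pw"
        return sorted(name for name, p in self.ports.items()
                      if name != in_port and not (from_pw and p.kind == "pw"))


def demo() -> dict:
    """Constructed sample: one PE with a local CE on ac1 and pseudowires to PE2 and PE3."""
    br = VplsBridge([Port("ac1", "ac"), Port("pw-PE2", "pw"), Port("pw-PE3", "pw")], age_limit=300)
    a, b, c, d = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03", "dd:dd:dd:00:00:04"
    out = {}
    out["first"] = br.receive(a, b, "ac1", now=0)            # unknown dst from AC: flood to all PWs
    out["reply"] = br.receive(b, a, "pw-PE2", now=5)         # a was learned on ac1: unicast
    out["back"] = br.receive(a, b, "ac1", now=10)            # b now learned on pw-PE2: unicast
    out["from_pw_unknown"] = br.receive(c, d, "pw-PE3", now=20)   # split horizon: only the AC
    out["aged"] = br.receive(a, b, "ac1", now=400)           # b's entry aged out: flood again
    return out
```

The aging step is what keeps the table honest when a host moves between sites; without it a stale entry would keep unicasting frames toward a pseudowire the host is no longer behind.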

Multicast and MPLS

● Every node can maintain a set of next hops

– When a packet is received over interface x with label L1

● Forwards it over interface y with label L2

● And forwards it over interface z with label L3, and so on

Acknowledgments/References

● [Peterson] Larry L. Peterson, Bruce S. Davie, “Computer Networks: A Systems Approach,” 5th Edition, Chapter 8, Morgan Kaufmann Publishers, March 25, 2011.

● [Christophe] Dave Christophe, “MPLS L2/L3 Virtual Private Networks (VPNs),” An MFA Forum Sponsored Tutorial, 2007.

● [RFC4364] E. Rosen, Y. Rekhter, “BGP/MPLS IP Virtual Private Networks (VPNs),” RFC 4364, February 2006. Online: http://tools.ietf.org/html/rfc4364