CE443 – Computer Networks
Virtual Private Network: VPN, VRF, and MPLS
Behnam Momeni
Computer Engineering Department
Sharif University of Technology
Acknowledgments: Lecture slides are from the Computer Networks course taught by Jennifer Rexford at Princeton University. When slides are obtained from other sources, a reference will be noted on the bottom of that slide. A full list of references is provided on the last slide.
At Connection Point to the Internet
• Improve performance between edge networks
– E.g., multiple sites of the same company
– Through buffering, compression, caching, …
• Incrementally deployable
– No changes to the end hosts or the rest of the Internet
– Inspects the packets as they go by, and takes action
[Figure: one appliance at each site, linked across the Internet]
Example: Improve TCP Throughput
• Appliance with a lot of local memory
• Sends ACK packets quickly to the sender
• Overwrites the receive window with a large value
• Or, even run a new and improved version of TCP between the two appliances
• Caveat: the appliance now acknowledges data it has not yet delivered, so it must buffer and retransmit that data itself; and none of this works on traffic that is encrypted or integrity-protected end to end (e.g. IPsec), since the TCP header cannot be read or rewritten
[Figure: one appliance at each site, linked across the Internet; the ACK is returned by the local appliance]
Example: Compression
• Compress the packet
• Send the compressed packet
• Uncompress at the other end
• Maybe compress across successive packets
[Figure: one appliance at each site, linked across the Internet]
Example: Caching
• Cache copies of the outgoing packets
• Check for sequences of bytes that match past data
• Just send a pointer to the past data
• And have the receiving appliance reconstruct
[Figure: one appliance at each site, linked across the Internet]
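The Compression and Caching slides describe one pipeline that a pair of appliances runs: the sender replaces byte sequences it has already sent with a pointer to its cache and compresses what remains, and the receiver inverts both steps from its own copy of the cache. The following Python is an added example written for this page, not code from the lecture: it uses fixed 64-byte chunks and SHA-256 digests as the pointers (real appliances use content-defined chunking so that an insertion does not shift every later chunk), and the sample stream, class and function names are my own.

```python
"""Added example (not from the slides): a toy WAN-optimisation pipeline.
send(): cut the stream into fixed chunks, replace already-seen chunks by a
32-byte pointer (their SHA-256 digest), then zlib-compress the result.
receive(): decompress, resolve pointers from the local cache, rebuild the stream.
CHUNK, the record format and sample_stream() are constructed for the demo."""
import hashlib
import struct
import zlib

CHUNK = 64          # bytes per dedup unit; fixed size keeps the example short
RAW, REF = 0, 1     # record kinds: raw chunk bytes, or a pointer (digest)


class Appliance:
    def __init__(self):
        self.cache = {}     # digest -> chunk; both ends build the same cache

    def send(self, data):
        out = bytearray()
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            digest = hashlib.sha256(chunk).digest()
            if digest in self.cache:                     # already sent: pointer only
                out += struct.pack("!BH", REF, len(digest)) + digest
            else:                                        # first time: send and remember
                self.cache[digest] = chunk
                out += struct.pack("!BH", RAW, len(chunk)) + chunk
        return zlib.compress(bytes(out))

    def receive(self, wire):
        data, out = zlib.decompress(wire), bytearray()
        while data:
            kind, n = struct.unpack("!BH", data[:3])
            body, data = data[3:3 + n], data[3 + n:]
            if kind == REF:
                chunk = self.cache[body]   # KeyError: sender and receiver caches diverged
            else:
                chunk = body
                self.cache[hashlib.sha256(chunk).digest()] = chunk
            out += chunk
        return bytes(out)


def sample_stream():
    """Constructed 4 KiB of incompressible bytes, so any saving comes from dedup, not zlib."""
    return b"".join(hashlib.sha256(bytes([i, j])).digest() for i in range(64) for j in range(2))


def demo():
    """Send the stream, send it again, then send a copy with one byte changed.
    Returns the three wire sizes: the repeats are far smaller than the first transfer."""
    sender, receiver = Appliance(), Appliance()
    stream = sample_stream()
    edited = stream[:100] + bytes([stream[100] ^ 0xFF]) + stream[101:]
    sizes = []
    for msg in (stream, stream, edited):
        wire = sender.send(msg)
        if receiver.receive(wire) != msg:
            raise RuntimeError("reconstruction failed")
        sizes.append(len(wire))
    return sizes


if __name__ == "__main__":
    print(demo())
```

Two points the slides leave implicit show up when running this: the receiver can only resolve a pointer if it has the same cache state as the sender (a fresh receiver raises `KeyError` on a pointer-only transfer), and the saving is per chunk, so an edit costs one raw chunk, not a whole retransmission.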
Example: Encryption
• Two sites share keys for encrypting traffic
• Sending appliance encrypts the data
• Receiving appliance decrypts the data
• Protects the sites from snoopers on the Internet (confidentiality; an integrity check such as a MAC is needed as well, otherwise a snooper who cannot read the traffic can still modify it undetected)
[Figure: one appliance at each site, linked across the Internet]
Information Security
● Confidentiality
– Encryption/Decryption
● Key is required for access to plain text (e.g. SSH, TLS)
– Isolation / Reference Monitor
● Adversary has no read access to data by design (e.g. Firewall, VLAN)
● Integrity
– Authentication Code
● Key is required to generate the correct code (e.g. HMAC, Watermarking)
– Isolation
● Adversary has no write access to data by design (e.g. File System ACLs)
● Availability
– Isolation
● Dedicated resources for different users (e.g. Integrated Services in QoS)
Layer 3 VPN
● IP Tunnel
– Put a complete IP packet (i.e. IP header, Transport header, PDU) in the payload of another IP packet
● Connectivity
– Two end hosts
– A host to a network
– Two networks
● Overlay Network
– Needs no special support from the middle routers; they forward the outer packet as ordinary IP and never look at the inner one
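The IP-in-IP encapsulation described above, built by hand so the header layout is visible. This is an added example for this page, not code from the lecture: it follows RFC 2003 (outer protocol number 4), and the host addresses, tunnel endpoint addresses and the UDP payload are made up.

```python
"""Added example (not from the slides): a layer 3 IP-in-IP tunnel (RFC 2003).
A complete IPv4 packet from 10.1.0.7 to 10.2.0.9 is wrapped in an outer IPv4
header whose protocol is 4 and whose addresses are the tunnel endpoints
198.51.100.1 and 203.0.113.1, so routers in between forward it purely on the
outer header. All addresses and the payload are constructed for the demo."""
import struct
from ipaddress import ip_address

IPPROTO_IPIP = 4
IPPROTO_UDP = 17


def checksum(data):
    """RFC 1071 Internet checksum over a header; zero when verifying a good header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); reject a packet whose header checksum is wrong."""
    ihl = (pkt[0] & 0xF) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20])), pkt[9],
            pkt[ihl:total_len])


def encapsulate(inner_pkt, tunnel_src, tunnel_dst):
    """Tunnel ingress: the whole inner packet (header included) becomes the outer payload."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_pkt)) + inner_pkt


def decapsulate(outer_pkt, my_address):
    """Tunnel egress: accept only IP-in-IP addressed to this endpoint, strip the outer header."""
    _, dst, proto, inner = parse_ipv4(outer_pkt)
    if dst != my_address or proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet for this tunnel endpoint")
    return inner


def demo():
    """Return what a transit router sees (outer src, dst, proto) and whether the far end
    recovered the inner packet byte for byte."""
    inner = ipv4_header("10.1.0.7", "10.2.0.9", IPPROTO_UDP, 5) + b"hello"
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    return parse_ipv4(outer)[:3], decapsulate(outer, "203.0.113.1") == inner


if __name__ == "__main__":
    print(demo())
```

The check in `decapsulate` is the minimum an endpoint should do; plain IP-in-IP gives address isolation only, so anyone on the path can read or forge inner packets unless IPsec or TLS is layered on top.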
Secure Shell (SSH)
● Proxy Scenario
– Port Forwarding / SOCKS Proxy
– Transport Layer (TCP)
● Three TCP connections are involved
– Client connects to one end point of SSH connection
– Payload is extracted and transferred through the SSH connection
– Payload is forwarded over the third connection
● From the other end point of SSH connection to the server
● VPN Scenario (OpenSSH -w option)
– Linux TUN Devices (Layer 3 VPN)
● Carries IP packet as a payload within the SSH connection
– Linux TAP Devices (Layer 2 VPN)
● Carries Ethernet frame as a payload within the SSH connection
BGP/MPLS IP Layer 3 VPN
● Border Gateway Protocol (BGP)
– Allows routers to exchange routing information over TCP (port 179)
– eBGP: Between Autonomous Systems
– iBGP: Within An Autonomous System
– Will be covered in detail in future lectures
● Multiprotocol Label Switching (MPLS)
– Layer 2.5
– Stack of labels / Switching based on labels instead of IP addresses
● VPN Routing and Forwarding (VRF)
– An IP routing table which is kept for a VPN instance
Terminology
● Service Provider (SP)
– The backbone network which provides the VPN service
● Customer
– The client which has a contract with SP to receive VPN service
– Has multiple Sites
● Site
– A set of a customer's networks that can reach each other without using the VPN service; where such a site-internal path exists, it is preferred over the VPN service
– Usually the hosts of a site are in one geographical location, but a site may consist of geographically separate networks joined, for example, by a leased line
– A site is thus a topological (not geographical) set of hosts and routers
Terminology
● Customer Edge Router (CE)
– A customer's router which is connected to the SP's network
● Customer Router (C)
– Any customer's router which is not a CE
● Provider Edge Router (PE)
– A router of SP which is connected to the customer's network
● Provider Router (P)
– A router of SP which is not a PE
● Attachment Circuit
– The layer 2 mechanism which connects a CE to a PE
– For example, ATM Virtual Circuits (VCs), Frame Relay VCs, Ethernet interfaces, Virtual Local Area Network (VLAN) on Ethernet interfaces, Layer 2 Tunneling Protocol (L2TP) tunnels, IPsec tunnels, and so on
Terminology
● Interior Gateway Protocol (IGP)
– Any routing protocol which can be used within an Autonomous System (AS)
– For example: OSPF and RIP
● Exterior Gateway Protocol (EGP)
– Any routing protocol which can be used between ASes
– For example: eBGP
Topology
● Site
– Every site can be part of one or more VPN instances
– It must have at least one CE
– It may be optionally divided into smaller networks; for example using VLAN
● CE – PE Relationship
– The PE recognizes CE based on the physical interface used by CE
– And optionally parts of layer 2 header used by CE (for example VLAN ID)
● VPN Routing and Forwarding (VRF)
– PE assigns packets of each CE to one or more VRF tables by configuration
– Needs a method to populate routing entries in a VRF table
VPN Routing and Forwarding (VRF)
● Tunneling
– VPNs need not be distinguished by tunneling (encapsulating) each customer's packets on the CE–PE link
– The PE can distinguish them from layer 2 information alone
● For example: physical interface of the incoming packet + VLAN ID
– Incoming packets: Ingress
– Outgoing packets: Egress
● Strawman Solution
– Run a different IGP instance per VPN to populate VRF tables
● Five independent OSPF instances for five VPNs
● Security Impacts
– How to isolate routing of different customers?
– What about overlapping addressing spaces?
● Scalability Problem
– SP network is the same for all customers; repeated in all IGP instances
Populating VRF Table
● Two kinds of routes
– Customer routes which can be learned from CE
– SP routes which are independent of VPNs
● CE Routes
– Static Configuration (admin knows address space of each CE)
– PE and CE can be IGP peers (e.g. speak OSPF with each other)
– PE and CE can be BGP peers (i.e. they speak eBGP)
● SP Routes
– One IGP instance in the SP network
– Security concerns: SP routing is independent of customers
– Scalability: there is only one running IGP instance
● Combining two kinds of routing information
Border Gateway Protocol (BGP)
● PE routers speak iBGP with each other
– Share routes which are learned from CE routers of one VPN instance
– Populate the learned routes into the corresponding VRF table (in RFC 4364 the importing VRF is selected by the Route Target extended community attached to the route)
● Overlapping Address Spaces
– Prepend an 8-byte Route Distinguisher (RD) to the 4-byte IPv4 address, giving a 12-byte VPN-IPv4 address
– RD = 2-byte type field + 6-byte value, e.g. an AS number plus an administrator-assigned number; two VPNs that both use 10.0.0.0/8 thus get distinct VPN-IPv4 routes
● VPN-IPv4 Address Family
– Carried using the Multiprotocol Extensions for BGP (MP-BGP, RFC 4760)
● iBGP Sessions
– Full mesh between PE routers or
– Using Route Reflectors (RR)
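The VPN-IPv4 routes exchanged between PEs, encoded and decoded as an added example for this page (not code from the lecture). It follows RFC 4364 section 4.3.4: an RD (2-byte type, 6-byte value) is prepended to the prefix, and the labeled NLRI carries a length in bits, a 3-byte label field, the RD and only the significant prefix octets. AS number 65000, the assigned numbers, labels, prefixes and the `install` helper are my own; note that a real PE selects the importing VRF by Route Target extended community, which the slides do not cover, so the RD stands in for it here.

```python
"""Added example (not from the slides or RFC 4364): labeled VPN-IPv4 NLRI as
carried over MP-BGP between PE routers. Two customers announce the same
10.1.0.0/16; their Route Distinguishers make the routes distinct. AS 65000,
the assigned numbers, labels and prefixes are constructed for the demo."""
import struct
from ipaddress import ip_address, ip_network


def rd_type0(asn, number):
    """Type 0 RD: 2-byte AS number + 4-byte administrator-assigned number."""
    return struct.pack("!HHI", 0, asn, number)


def rd_type1(ip, number):
    """Type 1 RD: 4-byte IPv4 address + 2-byte administrator-assigned number."""
    return struct.pack("!H4sH", 1, ip_address(ip).packed, number)


def rd_str(rd):
    rd_type, = struct.unpack("!H", rd[:2])
    if rd_type == 0:
        admin, number = struct.unpack("!HI", rd[2:])
    elif rd_type == 1:
        raw, number = struct.unpack("!4sH", rd[2:])
        admin = ip_address(raw)
    else:                                   # type 2: 4-byte AS number + 2-byte number
        admin, number = struct.unpack("!IH", rd[2:])
    return f"{admin}:{number}"


def encode_nlri(label, rd, prefix):
    """One labeled VPN-IPv4 NLRI: length in bits (1 octet) | label (3 octets:
    20-bit label, EXP=0, bottom-of-stack=1) | RD (8 octets) | significant prefix octets."""
    net = ip_network(prefix)
    octets = (net.prefixlen + 7) // 8
    return (bytes([24 + 64 + net.prefixlen]) + ((label << 4) | 1).to_bytes(3, "big")
            + rd + net.network_address.packed[:octets])


def decode_nlri(data):
    """Decode the first NLRI in data; return (label, rd, prefix, remaining bytes)."""
    prefixlen = data[0] - 88
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = data[4:12]
    octets = (prefixlen + 7) // 8
    addr = ip_address(data[12:12 + octets] + bytes(4 - octets))
    return label, rd, f"{addr}/{prefixlen}", data[12 + octets:]


def parse_update(data):
    routes = []
    while data:
        label, rd, prefix, data = decode_nlri(data)
        routes.append((label, rd, prefix))
    return routes


def install(vrfs, routes, rd_to_vrf, next_hop):
    """Import each route into the VRF its RD maps to. Prefixes that collide as plain
    IPv4 land in different VRFs. (Real PEs key this on Route Targets instead.)"""
    for label, rd, prefix in routes:
        vrf = rd_to_vrf.get(rd)
        if vrf is None:
            continue                        # a VPN this PE does not serve: drop the route
        vrfs.setdefault(vrf, {})[prefix] = (label, next_hop)
    return vrfs


# Constructed scenario: PE1 serves customers A and B whose site-1 LANs overlap.
RD_A, RD_B = rd_type0(65000, 1), rd_type0(65000, 2)
UPDATE = encode_nlri(1001, RD_A, "10.1.0.0/16") + encode_nlri(1002, RD_B, "10.1.0.0/16")


def pe2_tables():
    """The VRF tables PE2 ends up with after receiving PE1's update."""
    return install({}, parse_update(UPDATE), {RD_A: "A", RD_B: "B"}, "PE1")


if __name__ == "__main__":
    for label, rd, prefix in parse_update(UPDATE):
        print(f"{rd_str(rd)}:{prefix} label {label}")
    print(pe2_tables())
```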
Routing Decision
● Find the egress PE router
– Based on iBGP information
● Find the next hop
– Based on IGP information
● Overhead
– Every router needs to know about the default routing table
● Populated by IGP
● This is normal; independent of VPNs
– Without tunneling, every router (P routers included) would also need all VRF tables of all VPNs
● In order to find the egress PE router for each packet
● Can be removed with the help of tunneling
– Every router would also need to know which VRF to use for each packet
● Based on layer 2 information?
● Tunneling can help here too
Tunneling
● Tunneling Technology
– IP Tunnel
● Scalability problem
● One full mesh of tunnels between PE routers per VPN instance
– Multiprotocol Label Switching (MPLS)
● Nested tunnels resolve the scalability problem
● One full mesh of outer tunnels between PE routers, shared by all VPN instances
● One inner tunnel for each egress FEC advertised by each PE
● Quality of Service (QoS) / Class of Service (CoS)
– Can be assigned to tunnels
● Forwarding Equivalence Class (FEC)
– A set of addresses which can be routed/forwarded equivalently
Multiprotocol Label Switching (MPLS)
● Can encapsulate any packet (Ethernet Frame, IP Packet, etc.)
● Can be forwarded over any layer 2 link
– Acts as a glue
– Prepends a label header to the packet
● Label Pushing
– At the ingress node, based on FEC of the packet, a label is pushed
● Label Swapping
– At middle routers, labels are swapped and then forwarded
– A map between (ingress interface, label) to (egress interface, new label)
● Label Popping
– At the egress router, the label is popped and the packet is then forwarded normally, i.e. by an IP lookup on its destination (the FEC)
Multiprotocol Label Switching (MPLS)
● Supports a stack of labels
– Each label stack entry is 4 bytes (RFC 3032): a 20-bit label, a 3-bit Traffic Class field (formerly EXP), one bottom-of-stack (S) bit set on the last entry, and an 8-bit TTL
– Adding a label header is useful for combining multiple tunnels into an outer tunnel
● Label Switching Router (LSR)
● Label Switching Path (LSP)
● Traffic Engineering
– Select LSPs based on QoS/CoS constraints (signalled with RSVP-TE; plain LDP just follows the IGP shortest path)
● Nested Tunnels
– Reduce number of required labels
– Common parts of LSPs can be replaced by an outer label
Label Stack – MPLS-BGP
● Every PE router adds a label to its learned prefixes
– PE learns routes to some FEC from CE
– PE assigns (locally) a label to that FEC before advertising it in iBGP
– Labeled addresses will be advertised in iBGP sessions using MPLS-BGP
– This label is called VPN Label
● Ingress PE adds VPN label at the bottom of labels stack
– Ingress PE like other PE routers learns advertised labeled addresses
– It imports those paths into corresponding VRF tables
– Destination IP address of ingress packet is looked up in the VRF
– VPN label is pushed as the only label of packet
● Converting IP packet to an MPLS packet
Label Stack – Forwarding
● Ingress PE knows about egress PE
– PE found BGP next hop and pushed corresponding VPN label
– It knows a path towards egress PE through IGP
– There is one LSP between those PE routers
● Its label at the ingress PE is called the Tunnel Label
● The tunnel label is swapped along the LSP
– Every middle LSR swaps the outer tunnel label and forwards the packet
– Other labels may be pushed and popped along the path
– The egress PE, or in the case of penultimate hop popping the LSR before it, pops the tunnel label
● Egress PE decides based on VPN label
– Egress PE pops the VPN label which is the last label
– Selects the related VRF and routes the inner packet by a normal IP lookup in that VRF
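The label-stack forwarding of the last three slides, walked through on a five-router toy network as an added example for this page (not code from the lecture or from RFC 4364). The stack entries use the RFC 3032 layout; the ingress PE pushes the VPN label and then the tunnel label, P1 swaps, P2 performs penultimate hop popping, and PE2 maps the remaining VPN label to a VRF. Router and interface names, labels and prefixes are made up, and customers A and B use the same addresses on purpose. The P-router table maps a (interface, label) pair to a list of next hops, so a list with several entries is the point-to-multipoint case of the later multicast slide.

```python
"""Added example (not from the slides or RFC 4364): a toy BGP/MPLS VPN forwarding plane.
An IPv4 packet from a customer CE enters PE1, gets a VPN label (bottom of stack) and a
tunnel label (top), is label-switched through P1 and P2 (P2 does penultimate hop
popping) and is handed by PE2 to the VRF that its VPN label selects. All names, labels
and prefixes are constructed; TTL propagation between stack levels is omitted."""
import struct
from ipaddress import ip_address, ip_network

# ---- RFC 3032 label stack entry: label(20) | TC(3) | S(1) | TTL(8) ----
def pack_entry(label, bos, tc=0, ttl=64):
    assert 0 <= label < (1 << 20) and bos in (0, 1)
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def unpack_entry(stack):
    v, = struct.unpack("!I", stack[:4])
    return v >> 12, (v >> 9) & 7, (v >> 8) & 1, v & 0xFF

def labels(pkt):
    """Decode the stack top-down, stopping at the entry whose bottom-of-stack bit is set."""
    out, rest, bos = [], pkt["stack"], 0
    while rest and not bos:
        label, _, bos, _ = unpack_entry(rest)
        out.append(label)
        rest = rest[4:]
    return out

def push(pkt, label):
    bos = 1 if not pkt["stack"] else 0      # the first label pushed becomes bottom of stack
    return dict(pkt, stack=pack_entry(label, bos) + pkt["stack"])

def pop(pkt):
    return dict(pkt, stack=pkt["stack"][4:])

def swap(pkt, label):
    _, tc, bos, ttl = unpack_entry(pkt["stack"])      # keep TC and S, decrement TTL
    return dict(pkt, stack=pack_entry(label, bos, tc, ttl - 1) + pkt["stack"][4:])

def lookup(table, dst):
    """Longest-prefix match over {prefix: value}; None when nothing matches."""
    best = max((ip_network(p) for p in table if ip_address(dst) in ip_network(p)),
               key=lambda n: n.prefixlen, default=None)
    return None if best is None else table[str(best)]

# ---- Control-plane state each router would have learned (written by hand here) ----
PE1 = {
    "ac_vrf": {"ge0/0": "A", "ge0/1": "B"},          # attachment circuit -> VRF
    "vrf": {  # VPN-IPv4 routes learned over iBGP: prefix -> (VPN label, egress PE)
        "A": {"10.2.0.0/16": (1001, "PE2")},
        "B": {"10.2.0.0/16": (1002, "PE2")},           # same prefix, other customer
    },
    "tunnel": {"PE2": ("ge1/0", 20)},                  # IGP/LDP: egress PE -> (iface, label)
}
# P routers: (in_iface, top label) -> list of (out_iface, action, new label);
# more than one entry means a point-to-multipoint LSP (replication).
P1 = {("ge0/0", 20): [("ge0/1", "swap", 30)]}
P2 = {("ge0/0", 30): [("ge0/1", "pop", None)]}        # penultimate hop popping
PE2 = {
    "vpn_label": {1001: "A", 1002: "B"},               # labels PE2 advertised -> VRF
    "vrf": {"A": {"10.2.0.0/16": "ge0/0"}, "B": {"10.2.0.0/16": "ge0/1"}},
}

def pe_ingress(pe, in_iface, pkt):
    vrf = pe["ac_vrf"][in_iface]            # VRF comes from layer 2, never from the packet
    route = lookup(pe["vrf"][vrf], pkt["dst"])
    if route is None:
        raise LookupError(f"no route to {pkt['dst']} in VRF {vrf}")
    vpn_label, egress_pe = route
    out_iface, tunnel_label = pe["tunnel"][egress_pe]
    return out_iface, push(push(pkt, vpn_label), tunnel_label)

def p_forward(lfib, in_iface, pkt):
    top = unpack_entry(pkt["stack"])[0]                # P routers only look at the top label
    return [(out_iface, swap(pkt, new) if action == "swap" else pop(pkt))
            for out_iface, action, new in lfib[(in_iface, top)]]

def pe_egress(pe, pkt):
    vrf = pe["vpn_label"][unpack_entry(pkt["stack"])[0]]
    return lookup(pe["vrf"][vrf], pkt["dst"]), pop(pkt)   # normal IP lookup inside that VRF

def deliver(customer_iface, dst):
    """Trace one packet CE -> PE1 -> P1 -> P2 -> PE2 -> CE; return (egress iface, hop log)."""
    pkt, trace = {"stack": b"", "src": "10.1.0.7", "dst": dst}, []
    _, pkt = pe_ingress(PE1, customer_iface, pkt)
    trace.append(("PE1", labels(pkt)))
    (_, pkt), = p_forward(P1, "ge0/0", pkt)
    trace.append(("P1", labels(pkt)))
    (_, pkt), = p_forward(P2, "ge0/0", pkt)
    trace.append(("P2", labels(pkt)))
    iface, pkt = pe_egress(PE2, pkt)
    trace.append(("PE2", labels(pkt)))
    return iface, trace

if __name__ == "__main__":
    for ac in ("ge0/0", "ge0/1"):
        print(ac, "->", deliver(ac, "10.2.0.9"))
```

Running it shows the same destination 10.2.0.9 arriving at two different CEs depending only on which attachment circuit it came in on, and that P1 and P2 never touch the VPN label or the IP header, which is exactly why P routers need no VRF state.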
Virtual Private LAN Service (VPLS)
● Legacy networks which do not use IP
– SNA, IPX, etc.
● Point to Point Layer 2 Connectivity
– Pseudo Wire (PW)
– Carry layer 2 frame instead of layer 3 packet in the MPLS packet
– No forwarding/routing decision is required
● Blindly forward everything from an end of the PW to its other end
– Layer 2 header fields may be discarded
● The VPN (pseudowire) label is enough to restore them later
● Multipoint Layer 2 Connectivity
– Use PW as building blocks
– SP backbone network acts as a big switch
● MAC address learning and aging over PWs
Multicast and MPLS
● Every node can maintain a set of next hops
– When a packet is received over interface x with label L1
● It is forwarded over interface y with label L2
● And also over interface z with label L3, and so on (a point-to-multipoint LSP)
Acknowledgments/References
● [Peterson] Larry L. Peterson, Bruce S. Davie, “Computer Networks: A Systems Approach,” 5th Edition, Chapter 8, Morgan Kaufmann Publishers, March 25, 2011.
● [Christophe] Dave Christophe, “MPLS L2/L3 Virtual Private Networks (VPNs),” An MFA Forum Sponsored Tutorial, 2007.
● [RFC4364] E. Rosen, Y. Rekhter, “BGP/MPLS IP Virtual Private Networks (VPNs),” RFC 4364, February 2006. Online: http://tools.ietf.org/html/rfc4364