All rights reserved © 2000, Alcatel — 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group

Mar 27, 2015

Page 1: Title slide

CPE-based VPNs

Hans De Neve, Alcatel Network Strategy Group

Page 2: Contents

Global VPN requirements

Deployment View: what does a typical CPE VPN look like?

Network View: what sort of connectivity does it provide?

Technology View: what are the underlying technologies?

Differentiation and Success Factors: where are the factors today, what will they be in future?

Customer Premises Equipment-based Virtual Private Networks

Page 3: Global VPN requirements

Connectivity

IP connectivity between geographically separated sites using private addressing

transparent to the underlying shared infrastructure

=> tunnelling mechanism

Security

data confidentiality (e.g. encryption)

authentication and integrity

Scalability

Management

...

Page 4: Proposed technology: IPsec

IP security offers

tunnelling (forwarding in the shared Internet is normal IP forwarding of the outer packet)

authentication and integrity

encryption (ESP; AH provides authentication and integrity without confidentiality)

IPsec can be used with IKE

IKE (Internet Key Exchange): the protocol that negotiates Security Associations and exchanges keys

Page 5: CPE VPN Deployment View

[Figure: a headquarters site with a VPN gateway and policy manager, connected over the Internet to branch offices (each with its own VPN gateway, 256K/512K/128K uplinks, PVC to the Internet), dial-up VPN clients for domestic and international sales, a business partner reached over a site-to-site VPN, LAN-based VPN clients at a customer site, an ASP data center hosting the finance and corporate servers, and ordinary web surfers.]

Page 6: CPE VPN Network View

[Figure: two CPE devices, each behind an L2 access network, an L3 access/distribution layer and the L3 edge of the service provider network. The provider core does IP routing / MPLS traffic engineering; the IPsec connectivity runs end to end between the two CPEs.]

Tunnel-mode encapsulation at the CPE:

original packet: IP header | IP data

on the wire: new IP header | IPsec header | IP header | IP data (the original packet, possibly encrypted)

Page 7: CPE VPN Network Topologies

[Figure: Sites 1 to 4 connected across the Internet; each spoke site has one IPsec tunnel to the hub site.]

Hub and spoke topology

n sites need n-1 IPsec tunnels; spoke-to-spoke traffic is decrypted and re-encrypted at the hub, so the hub gateway carries the aggregate load.

Page 8: CPE VPN Network Topologies

[Figure: Sites 1 to 4 connected across the Internet; every pair of sites has its own IPsec tunnel.]

Full mesh topology

n sites need n(n-1)/2 IPsec tunnels (6 for four sites); traffic goes directly between any two sites, at the cost of tunnel state and key management at every gateway.

Page 9: CPE VPN - Dial-up VPN Client

[Figure: a dial-up client reaching the CPE through the L2 access network, the L3 access/distribution layer and the L3 edge of the service provider network. Two protocol stacks are labelled: Option 1, IPsec carried directly by IP over PPP from the client; Option 2, the client's IP over PPP carried in L2TP over IP across the provider network.]

Page 10: CPE VPN Gateway Technologies

IKE daemons

Phase 1 and Phase 2 negotiations to generate and refresh IPsec keys and to set up Security Associations (the IPsec tunnels)

Certificates vs a shared secret for peer authentication

Proposal exchange and agreement, exchange of proxy IDs (the protected address ranges each side will send through the tunnel)
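The Phase 1 and Phase 2 computations behind the IKE bullets above, worked through in Python as an added example that is not Alcatel's code: both peers derive SKEYID from the pre-shared key and nonces, the responder checks the initiator's HASH_I, and SKEYID_d then feeds the Phase 2 KEYMAT for the IPsec SA. It follows RFC 2409 sections 5 and 5.5 with HMAC-SHA1 as the prf and MODP group 2 for Diffie-Hellman; the cookies, nonces, identity payloads and SA payload bytes are constructed for the example.

```python
"""IKEv1 Phase 1 (pre-shared key) key derivation and peer authentication,
plus the Phase 2 KEYMAT derivation that yields the IPsec SA keys.

Added example, not Alcatel's code: follows RFC 2409 sections 5 and 5.5
with HMAC-SHA1 as the prf and MODP group 2 for Diffie-Hellman. Cookies,
nonces, identities and the SA payload bytes are constructed here.
"""
import hashlib
import hmac
import secrets

# MODP group 2, RFC 2409 section 6.2 (1024-bit prime, generator 2)
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key, data):
    """The negotiated prf: HMAC with the Phase 1 hash (SHA-1, the RFC 2409
    baseline; RFC 4109 allows SHA-256, which is preferable today)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n):
    """Encode a group element as a fixed-width big-endian octet string."""
    return n.to_bytes(128, "big")


class Peer:
    """One IKE peer: its PSK, cookie, ID payload body, DH pair and nonce."""
    def __init__(self, psk, cookie, ident):
        self.psk, self.cky, self.id_b = psk, cookie, ident
        self.x = secrets.randbelow(P - 2) + 1      # private DH exponent
        self.gx = pow(G, self.x, P)                # KE payload: g^x
        self.nonce = secrets.token_bytes(20)       # Ni_b or Nr_b


def skeyid_psk(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID for pre-shared-key authentication and the
    derived keys (SKEYID_d feeds Phase 2, _a authenticates, _e encrypts)."""
    skeyid = prf(psk, ni + nr)
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, d, a, e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I proves the initiator knows SKEYID (hence the PSK) and binds the
    DH values, cookies, offered SA and identity to this exchange."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def phase1_psk(psk_initiator, psk_responder):
    """Run Phase 1 on both sides. Returns (responder accepts HASH_I,
    both sides derived the same SKEYID_e)."""
    sai_b = b"\x00\x00\x00\x01" + b"3DES-SHA1-PSK-MODP2"     # constructed SA body
    # ID payload body: type 1 (ID_IPV4_ADDR), protocol 0, port 0, address
    ini = Peer(psk_initiator, secrets.token_bytes(8),
               b"\x01\x00\x00\x00" + bytes([203, 0, 113, 1]))
    rsp = Peer(psk_responder, secrets.token_bytes(8),
               b"\x01\x00\x00\x00" + bytes([198, 51, 100, 1]))
    # messages 3/4 carried KE and nonces; each side computes g^xy itself
    gxy_i = i2b(pow(rsp.gx, ini.x, P))
    gxy_r = i2b(pow(ini.gx, rsp.x, P))
    keys_i = skeyid_psk(ini.psk, ini.nonce, rsp.nonce, gxy_i, ini.cky, rsp.cky)
    keys_r = skeyid_psk(rsp.psk, ini.nonce, rsp.nonce, gxy_r, ini.cky, rsp.cky)
    # message 5: initiator sends ID_I and HASH_I; responder recomputes HASH_I
    sent = hash_i(keys_i[0], i2b(ini.gx), i2b(rsp.gx), ini.cky, rsp.cky, sai_b, ini.id_b)
    expect = hash_i(keys_r[0], i2b(ini.gx), i2b(rsp.gx), ini.cky, rsp.cky, sai_b, ini.id_b)
    return hmac.compare_digest(sent, expect), keys_i[3] == keys_r[3]


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2):
    """RFC 2409 section 5.5, quick mode without PFS: keying material for one
    IPsec SA (protocol 3 = ESP, 2 = AH); longer keys chain further prf blocks."""
    return prf(skeyid_d, bytes([protocol]) + spi + ni2 + nr2)
```

With matching pre-shared keys `phase1_psk` returns `(True, True)`; with a mismatch the HASH_I check fails and the two sides hold different SKEYID_e, so message 5 cannot even be decrypted by the responder. Because SKEYID depends only on the PSK and the two nonces, aggressive mode (where HASH_R travels unencrypted) lets an eavesdropper test candidate PSKs offline, which is one practical reason the slide contrasts certificates with shared secrets.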

IPsec drivers

Classifying IP packets by IP header fields against the proxy IDs to select a Security Association

Encryption with the IKE-negotiated keys and algorithm

Encapsulation of IP packets in IPsec headers
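The tunnel-mode encapsulation drawn on page 6 and the IPsec driver tasks listed on this page (proxy-ID lookup, protection with the negotiated key, encapsulation in ESP framing) worked through in Python, as an added example that is not Alcatel's code. It uses ESP with NULL encryption and HMAC-SHA2-256-128 integrity, a combination RFC 4303 and RFC 4868 permit, so that it runs on the standard library alone; a real gateway adds a cipher such as AES under the same framing. The SPD entry, SA key, tunnel endpoints and inner packet are constructed for the example, and the decapsulation side shows the checks a practitioner expects: ICV before any parsing, then anti-replay, then SPI and next-header validation.

```python
"""IPsec ESP tunnel-mode encapsulation at a CPE gateway: proxy-ID (traffic
selector) lookup, ESP header/trailer, integrity check, anti-replay window.

Added example, not Alcatel's code. ESP with NULL encryption and
HMAC-SHA2-256-128 integrity (RFC 4303 / RFC 4868) so it runs on the standard
library alone. SPD entry, SA key, addresses and inner packet are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50        # IP protocol number of ESP
IPPROTO_IPIP = 4      # ESP "next header" for an encapsulated IPv4 packet
ICV_LEN = 16          # HMAC-SHA2-256-128: 32-byte MAC truncated to 16 bytes
WINDOW = 64           # anti-replay window size (RFC 4303 Appendix A)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]


class SA:
    """IPsec SA state. Real SAs are unidirectional; one object serves both
    directions here only to keep the example short."""
    def __init__(self, spi, auth_key, local, remote):
        self.spi, self.auth_key, self.local, self.remote = spi, auth_key, local, remote
        self.seq = 0              # last sequence number sent
        self.replay_max = 0       # highest sequence number accepted
        self.replay_bitmap = 0    # bit k set: replay_max - k already seen


def lookup_policy(spd, src, dst):
    """Proxy-ID match: the first SPD entry whose (src net, dst net) covers the
    inner packet selects its SA; None means no policy for this flow."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return next((sa for sn, dn, sa in spd if s in sn and d in dn), None)


def esp_encapsulate(sa, inner):
    """new IP hdr | ESP hdr (SPI, seq) | inner packet | pad | pad len |
    next hdr | ICV.  With NULL encryption the inner packet stays readable."""
    sa.seq += 1
    pad_len = (-(len(inner) + 2)) % 4                      # 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_IPIP])
    body = struct.pack("!II", sa.spi, sa.seq) + inner + trailer
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(sa.local, sa.remote, ESP_PROTO, len(body) + ICV_LEN) + body + icv


def check_replay(sa, seq):
    """Sliding window: reject duplicates and anything older than the window,
    advance the window on a new highest sequence number."""
    if seq > sa.replay_max:
        shift = seq - sa.replay_max
        sa.replay_bitmap = ((sa.replay_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        sa.replay_max = seq
        return
    diff = sa.replay_max - seq
    if diff >= WINDOW or sa.replay_bitmap & (1 << diff):
        raise ValueError("replayed packet (seq %d)" % seq)
    sa.replay_bitmap |= 1 << diff


def esp_decapsulate(sa, packet):
    """Verify the ICV before parsing anything else, then replay-check, then
    strip the ESP framing. Raises ValueError on any failure."""
    if packet[9] != ESP_PROTO:
        raise ValueError("outer packet is not ESP")
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expect = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI %#x" % spi)
    check_replay(sa, seq)
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != IPPROTO_IPIP:
        raise ValueError("unexpected next header %d" % next_hdr)
    return body[8:len(body) - 2 - pad_len]


def rejects(sa, packet):
    """True if the receiving side drops the packet."""
    try:
        esp_decapsulate(sa, packet)
    except ValueError:
        return True
    return False


def run_scenario():
    """Branch LAN 10.1.0.0/16 to HQ LAN 10.2.0.0/16 through the CPE tunnel.
    Returns (round_trip_ok, wire_len, tamper_rejected, replay_rejected)."""
    sa = SA(0x1000, b"\x11" * 32, "203.0.113.1", "198.51.100.1")  # constructed
    spd = [(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"), sa)]
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 6, 4) + b"data"    # constructed
    wire = esp_encapsulate(lookup_policy(spd, "10.1.0.5", "10.2.0.9"), inner)
    ok = esp_decapsulate(sa, wire) == inner
    tampered = bytearray(wire)
    tampered[40] ^= 1                       # flip a bit inside the inner packet
    return ok, len(wire), rejects(sa, bytes(tampered)), rejects(sa, wire)
```

`run_scenario()` returns `(True, 72, True, True)`: the 24-byte inner packet grows to 72 bytes on the wire (20-byte outer header, 8-byte ESP header, 4-byte trailer, 16-byte ICV), a modified packet fails the ICV check, and re-sending the same packet is caught by the replay window. Per-SA sequence and window state is exactly the memory the "number of concurrent tunnels" factor on page 11 refers to.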

Page 11: CPE VPN Gateway Differentiation & Success Factors - Today

Number of concurrent IPsec tunnels supported

Maps to the memory and CPU required to maintain per-tunnel state

Critical for dial-up scenarios and large numbers of branch offices

Critical for multi-tenant MAN service networks

Throughput over the IPsec tunnels

Maps to the encryption/decryption speed of the CPU or ASIC

Critical for the hub site or for gigabit campus networks

Critical for gigabit IP access service networks

Restoration of tunnels in case of VPN gateway failure

Page 12: CPE VPN Gateway Differentiation & Success Factors - Future

Enterprise market, as a pure IP overlay VPN solution

Number of IPsec tunnels, throughput over IPsec tunnels, recovery

Dynamic membership of sites in a site-to-site VPN

Integration with PKI infrastructure, AAA for VPN clients

Carrier/service provider market, as a vehicle for IP VPN services

Integration of configuration with service provisioning solutions

Integration with IP VPN service functionality such as firewall, QoS

Integration with data collection for services (assurance + billing)

Page 13: CPE IPVPN, Vehicle for IPVPN Services

[Figure: a policy server in the service provider's management domain driving policy routers at the New York headquarters (web server, corporate server), the Geneva office and the Tokyo office across the Internet. Service provider management covers the installation team, security team, network team, billing data and SLA information; IS enterprise management covers HR (worldwide user adds/changes) and the US, Europe and Asia IS departments' security policy management.]