© 2003, Cisco Systems, Inc. All rights reserved. Deploying VPN. Eric Vyncke, Cisco Systems, Field Distinguished Engineer, [email protected]

Deploying VPN (PowerPoint presentation transcript, uploaded Jan 13, 2016)

Transcript
Page 1: Deploying VPN

© 2003, Cisco Systems, Inc. All rights reserved.

Deploying VPN

Eric Vyncke

Cisco Systems

Field Distinguished Engineer

[email protected]

Page 2: Deploying VPN

© 2003, Cisco Systems, Inc. All rights reserved. Evyncke UCL VPN workshop

Forewords

Focus mainly on VPN for one organization

Page 3: Deploying VPN

Agenda

• Cisco Definition of VPN

• Using Layer 3 Tunnels & Routing

• Security of the Above

• Existing Techniques for Dynamic VPN

• Deployment Examples

Page 4: Deploying VPN

Virtual Private Network (VPN) Defined

"A Virtual Private Network Carries Private Traffic Over a Public Network"

Cisco 'official' definition

Page 5: Deploying VPN


What Is a “Public” Network?

• In this context, any network shared among different administrative domains

• A shared network such as the Internet

• A privately owned network which services many external/internal customers

Page 6: Deploying VPN


What is 'Private' Traffic?

• Can be anything desired by an organization

Confidentiality => IPSec

IP routing independence (addressing and IGP) => MPLS & RFC 2547

QoS end to end

Efficient multicast

Page 7: Deploying VPN

The Three Categories of VPN

(Diagram: Remote Office and Main Office joined by a WAN VPN; Home Office and Mobile Worker reach it through POPs; a Business Partner connects by extranet.)

• Remote Access VPN: secure, scalable, encrypted tunnels across a public network, client software

• Extranet VPN: extends WANs to business partners

• Intranet VPN: low cost, tunneled connections with rich VPN services, like IPSec encryption and QoS to ensure reliable throughput

Page 8: Deploying VPN


Technologies

• A large choice

BGP/MPLS VPN

IPSec

Layer 3: IPinIP, GRE, IPv6 over IPv4

Layer 2: L2TP

IEEE 802.1q VLAN

My main focus

Page 9: Deploying VPN

Another Cisco Taxonomy

• L2VPN

• L3VPN

Network Based VPN: MPLS VPN, Network Based IPSec

CPE Based VPN: IPSec/GRE

Page 10: Deploying VPN

Agenda

• Cisco Definition of VPN

• Using Layer 3 Tunnels & Routing

• Security of the Above

• Existing Techniques for Dynamic VPN

• Deployment Examples

Page 11: Deploying VPN


Examples

• The most common layer 3 tunnels are

IP in IP: RFC 2003

GRE: RFC 2784

• The most common layer 2 tunnels are

PPTP, L2F: deprecated

L2TP: RFC 2661

L2TPv3: aka UTI

Default on Cisco routers

Page 12: Deploying VPN

IPSec Tunnel Mode Encapsulation

Original IP datagram:
  [Original IP header, Protocol=p, 20 bytes] [IP payload]

IPSec packet with new IP header (on the wire):
  [External IP header, Protocol=50 (ESP), 20 bytes] [ESP header, Protocol=4 (IPinIP), 16 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload] [ESP trailer, 2-10 bytes]

IPSec ESP without ESP auth (after encapsulation): everything after the ESP header, i.e. the original IP header, the IP payload and the ESP trailer, is the encrypted payload

Page 13: Deploying VPN

IPinIP + IPSec Transport Mode

Original IP datagram:
  [Original IP header, Protocol=p, 20 bytes] [IP payload]

IPinIP encapsulation:
  [External IP header, Protocol=4 (IPinIP), 20 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload]

After IPSec transport mode:
  [External IP header, Protocol=50 (ESP), 20 bytes] [ESP header, Protocol=4, 16 bytes] [Original IP header, Protocol=p, 20 bytes] [IP payload] [ESP trailer, 2-10 bytes]
  Encrypted payload: original IP header, IP payload and ESP trailer

Page 14: Deploying VPN


Differences with IPSec Tunnel Mode

• Same syntax (bits on the wire):

IPSec Tunnel Mode

IPinIP + IPSec Transport Mode

• Is it the same semantic? No

• Because SPD is now replaced by routing

Ease of deployment

Resiliency

Less security

Page 15: Deploying VPN


Difference: SPD & SAD

• IPinIP + IPSec Transport Mode

<L3 endpoint, L3 endpoint, IPinIP, *,*>

Usually one pair of SA

• IPSec Tunnel Mode

<protected net., protected net.,*,*,*>

Can potentially be multiple pairs of SA

Trivial selectors: easy provisioning

One pair of SA: very scalable
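As an added example (not from the slides), the following Python builds the two encapsulations of slides 12 to 15 byte for byte and checks that IPSec tunnel mode and IPinIP + IPSec transport mode give the same on-the-wire layout, which is the "same syntax" claim of slide 14. The addresses, the 16-byte ESP header (SPI, sequence number, 8-byte IV) and the zeroed ESP fields are constructed assumptions, and encryption is left out because only the header chain and lengths are compared.

```python
import struct

IPPROTO_IPIP, IPPROTO_ESP = 4, 50
ESP_HDR_LEN = 16          # SPI(4) + sequence(4) + 8-byte IV, as drawn on the slide (assumed)
BLOCK = 8                 # cipher block size that drives the ESP trailer padding (assumed)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header without options, with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:                                   # fold carries into 16 bits
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def esp_encapsulate(inner, next_header):
    """ESP header + inner + ESP trailer (padding, pad length, next header). Layout only, no cipher."""
    pad = (-(len(inner) + 2)) % BLOCK                # pad so that inner + pad + 2 fills whole blocks
    trailer = bytes(range(1, pad + 1)) + bytes([pad, next_header])
    return bytes(ESP_HDR_LEN) + inner + trailer      # SPI/seq/IV zeroed: constructed values

def ipsec_tunnel_mode(orig, outer_src, outer_dst):
    """Tunnel mode: ESP protects the whole original datagram; ESP next header = 4 (IPinIP)."""
    esp = esp_encapsulate(orig, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp

def ipinip_plus_transport(orig, outer_src, outer_dst):
    """IPinIP first (outer Protocol=4), then ESP transport mode protects the outer datagram's payload."""
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(orig)) + orig
    esp = esp_encapsulate(outer[20:], outer[9])      # outer[9] is the outer Protocol byte, i.e. 4
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp

def header_chain(pkt):
    """(outer Protocol, ESP next header taken from the trailer, inner Protocol) of an ESP packet."""
    inner = pkt[20 + ESP_HDR_LEN:]
    return pkt[9], pkt[-1], inner[9]

# Constructed original datagram: TCP (6) between two protected hosts with a 100-byte payload.
ORIG = ipv4_header(bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]), 6, 100) + b"A" * 100
OUTER_SRC, OUTER_DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])   # tunnel endpoints (constructed)

if __name__ == "__main__":
    a = ipsec_tunnel_mode(ORIG, OUTER_SRC, OUTER_DST)
    b = ipinip_plus_transport(ORIG, OUTER_SRC, OUTER_DST)
    print("identical on the wire:", a == b, "chain:", header_chain(a), "overhead:", len(a) - len(ORIG))
```

Only the SPD differs: the transport-mode SA is selected by the tunnel endpoints and protocol 4, so one SA pair carries every protected prefix, while the tunnel-mode SPD needs a selector (and possibly an SA pair) per pair of protected networks.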

Page 16: Deploying VPN


Difference: Cisco Router IOS view

• IPinIP + IPSec: is a L3 tunnel interface

Routing Protocol

Multicast, ...

• IPSec Tunnel mode: is not

This means strong resilience

And fast re-routing

Page 17: Deploying VPN


Difference: SA Selection

• IPinIP + IPSec Transport Mode

L3 tunnel is selected by FIB

FIB is dynamic (insecure)

• IPSec Tunnel Mode

IPSec SA selected by SAD

SAD is static (secure)

Page 18: Deploying VPN

Traffic can be Routed Through 2 Hubs

Central Site: Hub 1 (active), Hub 2 (active)

+ Easier

+ Hubs are always under 50% load

- Asymmetric routing

Page 19: Deploying VPN

Traffic can be Load Balanced

Central Site: Hub 1 (active), Hub 2 (active)

Need to tune the IGP to always select the GREEN tunnels.

+ Symmetric routing

+ Both hubs running at 50%

Page 20: Deploying VPN

Agenda

• Using Layer 3 Tunnels & Routing

• Security of the Above

• Existing Techniques for Dynamic VPN

• Deployment Examples

Page 21: Deploying VPN

Agenda

• Using Layer 3 Tunnels & Routing

• Security of the Above

• Existing Techniques for Dynamic VPN

• Deployment Examples

Page 22: Deploying VPN


Next Hop Resolution Protocol, RFC 2332

• IETF protocol

• Used on NBMA Non Broadcast Multi-Access networks (Frame Relay, X.25, …) to discover peers

• Can also be used on multi-point GRE, mGRE

Specific kind of GRE tunnel

Fan-out like: one hub and multiple spokes

Hub can speak direct to all spokes

Spokes can only talk to hub

• Cannot be used over IPinIP since NHRP does not run over IP

Page 23: Deploying VPN

NHRP over mGRE

(Diagram: an NHRP Server (hub) with NHRP Client X at 2.2.2.2 and NHRP Client Y at 3.3.3.3, all on one mGRE tunnel.)

• NHRP registration request from Y to the server: Y is 3.3.3.3

• NHRP registration reply: OK; the server's NHRP cache now holds "Client Y is via 3.3.3.3"

• X has IP traffic for Y (IP: X-Y) and sends an NHRP resolution request for Y to the server

• NHRP resolution reply: Y is through 3.3.3.3; X's NHRP cache now holds "Client Y is via 3.3.3.3"
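The registration and resolution exchange on the slide, as an added Python model that is not Cisco's code: the hub learns Y's NBMA address 3.3.3.3 from Y's registration, and X's resolution request for Y is answered from the hub's cache. The shared authentication string and the rogue registration are constructed; the check models the NHRP authentication extension, whose string travels in clear text, so it catches misconfigured peers rather than an on-path attacker, which is why the mGRE tunnel itself still needs IPSec (slide 17's "FIB is dynamic").

```python
class NhrpServer:
    """Hub: answers registration and resolution requests from a cache of tunnel IP -> NBMA (public) IP."""
    def __init__(self, auth):
        self.auth = auth
        self.cache = {}

    def registration_request(self, tunnel_ip, nbma_ip, auth):
        if auth != self.auth:                       # NHRP authentication extension mismatch
            return ("NAK", None)
        self.cache[tunnel_ip] = nbma_ip
        return ("OK", nbma_ip)                      # registration reply: OK

    def resolution_request(self, tunnel_ip, auth):
        if auth != self.auth or tunnel_ip not in self.cache:
            return ("NAK", None)
        return ("OK", self.cache[tunnel_ip])        # resolution reply: "Y is through 3.3.3.3"

class NhrpClient:
    """Spoke on the mGRE tunnel; keeps its own NHRP cache of resolved peers."""
    def __init__(self, name, tunnel_ip, nbma_ip, server, auth):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.server, self.auth = server, auth
        self.cache = {}

    def register(self):
        return self.server.registration_request(self.tunnel_ip, self.nbma_ip, self.auth)

    def next_hop(self, dst_tunnel_ip):
        """NBMA address for the GRE outer header towards dst; asks the server on a cache miss."""
        if dst_tunnel_ip not in self.cache:
            status, nbma = self.server.resolution_request(dst_tunnel_ip, self.auth)
            if status != "OK":
                return None
            self.cache[dst_tunnel_ip] = nbma
        return self.cache[dst_tunnel_ip]

AUTH = "workshop-key"                               # constructed shared authentication string
HUB = NhrpServer(AUTH)
X = NhrpClient("X", "10.0.0.2", "2.2.2.2", HUB, AUTH)   # tunnel addresses are constructed
Y = NhrpClient("Y", "10.0.0.3", "3.3.3.3", HUB, AUTH)

def run_exchange():
    """Slide sequence: Y registers, then X resolves Y; a registration with the wrong string is refused."""
    reg = Y.register()                                           # registration request: Y is 3.3.3.3
    hop = X.next_hop("10.0.0.3")                                 # resolution request for Y, then reply
    rogue = NhrpClient("rogue", "10.0.0.3", "203.0.113.9", HUB, "guess").register()
    return reg, hop, rogue, HUB.cache["10.0.0.3"], X.cache.get("10.0.0.3")
```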

Page 24: Deploying VPN

Tunnel Endpoint Discovery

(Diagram: host Alice (A) behind gateway X1, host Bob (B) behind gateway Y; a second gateway X2 is also present.)

• X1: traffic from A to B must be protected; no SA => send probe

IP: A to B

IKE: A to B (proxy=X1)

• Y: traffic to B must be protected; no SA & probe received => block & answer probe

IKE: Y to X1

Proposed to IETF IPSP WG
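The probe exchange on the slide, as an added Python model (not Cisco's TED implementation): gateway X1 has no SA for B, so it sends a probe that keeps A and B as addresses; the gateway that protects B (Y) intercepts it, blocks the traffic and answers with IKE to X1, after which the SA pair exists and later packets go out as ESP. The prefixes, host addresses and the event strings are constructed; IKE itself is not modelled.

```python
import ipaddress

class TedGateway:
    """IPSec gateway in front of one protected prefix; discovers its peer for a destination by probing."""
    def __init__(self, name, protected_prefix):
        self.name = name
        self.net = ipaddress.ip_network(protected_prefix)
        self.sad = {}        # remote host -> name of the peer gateway with which an SA exists
        self.events = []

    def protects(self, host):
        return ipaddress.ip_address(host) in self.net

    def forward(self, src, dst, core):
        """Outbound packet from protected host src. Returns the ESP packet description, or None."""
        if dst not in self.sad:
            peer = core.probe(src, dst, proxy=self)      # IP: A to B, IKE: A to B (proxy=X1)
            if peer is None:
                self.events.append(f"no answer for {dst}: dropped")
            else:
                self.sad[dst], peer.sad[src] = peer.name, self.name   # IKE Y to X1 brings up the SA pair
                self.events.append(f"SA with {peer.name} for {dst}")
            return None      # the triggering packet is never sent in the clear
        return f"ESP {self.name}->{self.sad[dst]} ({src}->{dst})"

class Core:
    """Public network: the probe is addressed to B, so the gateway protecting B sees it on its way in."""
    def __init__(self, gateways):
        self.gateways = gateways

    def probe(self, src, dst, proxy):
        for gw in self.gateways:
            if gw is not proxy and gw.protects(dst):
                gw.events.append(f"probe from {proxy.name}: block traffic to {dst}, answer IKE to {proxy.name}")
                return gw
        return None

X1, Y, X2 = TedGateway("X1", "10.1.0.0/16"), TedGateway("Y", "10.2.0.0/16"), TedGateway("X2", "10.3.0.0/16")
CORE = Core([X1, Y, X2])

def alice_to_bob():
    """Constructed run: A=10.1.0.5 behind X1 sends twice to B=10.2.0.7 behind Y, then to an unprotected host."""
    first = X1.forward("10.1.0.5", "10.2.0.7", CORE)      # no SA: probe goes out, packet is held back
    second = X1.forward("10.1.0.5", "10.2.0.7", CORE)     # SA now exists: ESP X1->Y
    unprotected = X1.forward("10.1.0.5", "192.0.2.9", CORE)   # nobody protects 192.0.2.9: no reply
    return first, second, unprotected
```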

Page 25: Deploying VPN

NHRP, TED and Routing

• NHRP+mGRE requires routing inside the GRE tunnel to learn about connected networks

• TED requires routing in the core to learn about connected networks

Page 26: Deploying VPN

Agenda

• Using Layer 3 Tunnels & Routing

• Security of the Above

• Existing Techniques for Dynamic VPN

• Deployment Examples

Page 27: Deploying VPN


Case #1: 1500 Nodes Hierarchical Network With IPX

• Customer: large retail bank

• Requirements:

Mix of IP and IPX traffic

Large scale 1500 nodes

Hierarchical structure: branch, regional office

Bandwidth: 128 kbps, 512 kbps & 10 Mbps

Outsourced IP services

Page 28: Deploying VPN


Case #1: Issues

• Large scale

Need to use a layered structure

• Mix of IPX & IP

Use of GRE encapsulation

• High Availability (Resilience)

Use routing protocol (EIGRP for IP & IPX)

• Outsourced IP services

1 router managed by IP Service Provider

1 router managed by customer (IPSec)

Page 29: Deploying VPN

Case #1: IPSec Overlay Network

HQ (approx. 2): 200 tunnels per router, can be split over several routers

RO (approx. 600): 15 tunnels to branches, 4 tunnels to BO

BO (approx. 800): 1 tunnel per branch

Page 30: Deploying VPN


Case #2: MPLS BGP VPN & IPSec

• Customer: SP for a bank

• Requirements

Outsourced network: connectivity & security

Double management?

Interworking with MPLS (RFC 2547)

300 Nodes

Page 31: Deploying VPN

Case #2: Network

(Diagram: MPLS Network with 2 Mbps links carrying a Green VPN and a Red VPN as separate BGP/MPLS VPNs.)

Use of Tunnel Endpoint Discovery

Page 32: Deploying VPN


Case #3: Mapping IPSec Remote Access to another VPN

• SP customer

• Wants to connect remote user over a remote access IPSec VPN to

Specific L3 VPN: GRE, BGP/MPLS

Specific L2 VPN: Frame Relay, 802.1Q VLAN

• Solution: IPSec termination in different VRF based on IKE identity

Page 33: Deploying VPN

Case #3: IPSec to BGP/MPLS VPN

(Diagram: Remote Access users (Telecommuter/SOHO) and a Branch Office reach an Internet Gateway across the Internet; an IPSec aggregation PE (IPSec-AGG PE) terminates the IPSec VPN and hands traffic into the MPLS/VPN of Customer A or Customer B through the MPLS Network's PE routers.)

Mapping offnet users into BGP/MPLS VPNs.