Network based IP VPN Architecture using Virtual Routers
Jessica Yu
CoSine Communications, Inc.
Feb. 19th, 2001
Objectives
- Enable Service Providers to provide value added VPN services in a scalable manner
- Scale to a large number of VPN customers with respect to:
  - Router resources
  - Operation and management
- Utilize existing protocols and tools
- Provide:
  - separation of VPNs serviced by the same provider
  - separation of VPNs and the provider network
  - security using standard mechanisms
Virtual Router Concept
[Figure: the Provider's Network with Customer Site(s) on either side, drawn twice. "VPN Without VR": CE routers at the customer sites attach to PE routers, which connect through the P routers. "VPN With VR": the CE routers attach to VRs at the provider edge instead, with the P routers unchanged.]
Virtual Router Definition
- A virtual router (VR) is an emulation of a physical router at the software and hardware levels
- VRs have independent IP routing and forwarding tables and they are isolated from each other
- Two main functions:
  - Constructing routing using any routing technology
  - Forwarding packets to the next hops within the VPN domain
- From the VPN user's point of view, a virtual router provides the same functionality as a physical router
VPN Built with VRs
[Figure: two edge devices on the SP Network, each holding VR-1 and VR-2 behind an SPVR; VPN-1 Sites attach to VR-1 and VPN-2 Sites attach to VR-2.]
- Connecting multiple VRs to the Provider Network through the use of a single VR, "the provider virtual router" (SPVR)
VPN Basic Building Blocks
- Membership
  - VRs belonging to the same VPN share the same VPN-ID
- Tunnel
  - VR to VR tunnel, a point-to-point link from each VR's view
  - Tunnel mechanisms can be IPsec, GRE, IPinIP or MPLS, etc.
  - Tunnel type: per VPN tunnel (originating at the VR) or aggregated two level tunnel (originating at the SPVR)
- Routing
  - Independent from SP backbone routing
  - Each VPN can have its own choice of routing protocols
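As an added example (not from the slides and not CoSine's code), a small Python model of the forwarding behaviour described under Virtual Router Definition and VPN Basic Building Blocks: each VR keeps its own forwarding table, membership is the VPN-ID, and the VR-to-VR tunnel carries that ID so the receiving SPVR can hand the inner packet to the right VR without ever consulting another VPN's table. The topology, prefixes, port names and the "tunnel:<remote PE>" next-hop notation are constructed assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VirtualRouter:
    """One VR: its own forwarding table, isolated from every other VR on the same PE."""
    name: str
    vpn_id: int                              # membership: VRs sharing a VPN-ID form one VPN
    fib: dict = field(default_factory=dict)  # prefix -> site port, or "tunnel:<remote PE>"

    def add_route(self, prefix, next_hop):
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match against this VR's table only."""
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.fib if addr in p]
        return self.fib[max(matches, key=lambda p: p.prefixlen)] if matches else None

@dataclass
class ProviderEdge:
    """PE hosting several VRs; its SPVR role is tunnel encap/decap keyed on VPN-ID."""
    name: str
    vrs: dict = field(default_factory=dict)  # vpn_id -> VirtualRouter

    def forward(self, vpn_id, dst):
        """Forward within one VR: ('local', port), ('tunnel', pkt) or ('drop', None)."""
        nh = self.vrs[vpn_id].lookup(dst)
        if nh is None:
            return ("drop", None)   # no route in this VPN; other VRs' tables are never consulted
        if nh.startswith("tunnel:"):
            # Outer header targets the remote PE; the VPN-ID travels with the tunnel so the far
            # end can demultiplex into the right VR. P routers only ever see the outer header.
            return ("tunnel", {"outer_dst": nh.split(":", 1)[1], "vpn_id": vpn_id, "inner_dst": dst})
        return ("local", nh)

    def receive(self, pkt):
        """SPVR strips the outer header and hands the inner packet to the VR named by VPN-ID."""
        return self.forward(pkt["vpn_id"], pkt["inner_dst"])

def build_demo():
    """Constructed sample topology: two PEs, two VPNs that both use 10.1.0.0/16."""
    pe_a, pe_b = ProviderEdge("PE-A"), ProviderEdge("PE-B")
    vr1a, vr2a, vr1b = VirtualRouter("VR-1@A", 1), VirtualRouter("VR-2@A", 2), VirtualRouter("VR-1@B", 1)
    vr1a.add_route("10.1.0.0/16", "tunnel:PE-B")     # VPN-1's 10.1/16 is at a site behind PE-B
    vr2a.add_route("10.1.0.0/16", "vpn2-site-port")  # VPN-2 reuses 10.1/16 at a site on PE-A
    vr1b.add_route("10.1.0.0/16", "vpn1-site-port")
    pe_a.vrs, pe_b.vrs = {1: vr1a, 2: vr2a}, {1: vr1b}
    return pe_a, pe_b
```

The same destination address is forwarded differently by VR-1 and VR-2 on PE-A, which is what lets two customers reuse overlapping address space behind one provider edge.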
VPN Establishment with VRs
- Like all VPN implementation mechanisms, membership information needs to be disseminated
- In the VR model, membership information can be distributed with the following mechanisms:
  - Manual configuration
  - Directory based mechanism
  - Utilizing a routing protocol: BGP Auto-discovery
Inter-domain VPN Support
- With the VR model, the mechanisms for multi-domain VPN remain the same as for single domain VPN
- Main requirements:
  - Providers support a common tunnel mechanism
  - The ability to assign unambiguous VPN identification across the domains
Inter-domain VPN Support
[Figure: two SP Networks side by side, each with an edge holding VR-1, VR-2 and an SPVR; VPN-1 Sites and VPN-2 Sites attach to the matching VRs in each domain.]
Extranet Support
- Two or more corporations have network access to a limited amount of each other's corporate data
- It's a matter of controlling who can access what data, i.e. a policy decision
- The VR model supports extranets by allowing two or more VRs to connect to each other, with policy control over the data flow
VR VPN Properties
- VPNs built with VRs are an overlay model
- The Provider routers (P) are VPN unaware – scalable
- Routing for each VPN is the same as regular network routing
- The choice of backbone protocols is not constrained by the VPNs, and vice versa
- No protocol modifications needed
- No tool (debugging, management, etc.) modifications needed
- Deployment will not impact normal operation of the provider network
Scalability
- Only PEs handle VPN type information; other provider routers are VPN unaware
- Establishment and reconfiguration can use directory based tools and BGP auto-discovery – no manual configuration is necessary
Deployment Status
- A number of SPs have already deployed VPNs implemented with the VR model in their networks and are providing Network Based VPN service
Reference
ftp://ftp.ietf.org/internet-drafts/draft-oluldbrahim-vpn-vr-02.txt