Network based IP VPN Architecture using Virtual Routers Jessica Yu CoSine Communications, Inc. Feb. 19 th , 2001


Page 1:

Network based IP VPN Architecture using Virtual Routers

Jessica Yu
CoSine Communications, Inc.
Feb. 19th, 2001

Page 2:

Objectives

- Enable a Service Provider to offer value-added VPN services in a scalable manner
- Scale to a large number of VPN customers with respect to:
  - router resources
  - operation and management
- Utilize existing protocols and tools
- Provide:
  - separation between VPNs serviced by the same provider
  - separation between the VPNs and the provider network
  - security using standard mechanisms

Page 3:

Virtual Router Concept

(Diagram: a provider's network connecting customer sites, drawn twice. "VPN Without VR": the customers' CE routers attach to shared PE routers, with P routers in the core. "VPN With VR": each PE hosts one VR per customer and each customer's CE routers attach to its own VR; the P routers in the core are the same in both drawings.)

Page 4:

Virtual Router Definition

- A virtual router (VR) is an emulation of a physical router at the software and hardware levels
- VRs have independent IP routing and forwarding tables, and they are isolated from each other
- Two main functions:
  - constructing routing using any routing technology
  - forwarding packets to the next hops within the VPN domain
- From the VPN user's point of view, a virtual router provides the same functionality as a physical router

Page 5:

VPN Built with VRs

(Diagram: two PE devices in the SP network, each hosting VR-1, VR-2 and an SPVR; on each PE, VR-1 attaches to VPN-1 sites and VR-2 attaches to VPN-2 sites.)

Multiple VRs are connected to the Provider Network through a single VR, "the provider virtual router" (SPVR)

Page 6:

VPN Basic Building Blocks

- Membership: VRs that belong to the same VPN share the same VPN-ID
- Tunnel: a VR-to-VR tunnel, a point-to-point link from each VR's view
  - Tunnel mechanisms can be IPsec, GRE, IP-in-IP, MPLS, etc.
  - Tunnel type: a per-VPN tunnel (originating at the VR) or an aggregated two-level tunnel (originating at the SPVR)
- Routing: independent from SP backbone routing; each VPN can have its own choice of routing protocols
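The aggregated two-level tunnel from the slide above, worked through at the receiving SPVR, as an added example (this is not code from the deck or from CoSine). It assumes GRE is the tunnel mechanism and that the GRE key field (RFC 2890) carries the VPN-ID, which the deck does not specify; the addresses, VR names and payload are constructed. The SPVR hands the inner packet to the VR that owns the key, and drops anything it cannot attribute to a configured VR instead of forwarding it with the provider's own table, which is what keeps customer traffic out of the provider network.

```python
import struct

IPPROTO_GRE = 47          # outer IP protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
GRE_FLAG_KEY = 0x2000     # K bit: a 4-byte key follows the 4-byte GRE header


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum. Over a header with its checksum field filled in,
    a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """IPv4 header without options, followed by payload."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def spvr_encap(outer_src: str, outer_dst: str, vpn_id: int, inner: bytes) -> bytes:
    """Aggregated tunnel: one SPVR-to-SPVR GRE tunnel, VPN-ID carried in the GRE key
    (assumed demultiplexing field)."""
    gre = struct.pack("!HHI", GRE_FLAG_KEY, GRE_PROTO_IPV4, vpn_id)
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + inner)


def spvr_decap(packet: bytes, vr_by_vpn_id: dict):
    """Validate the outer headers and return (vr_name, inner_packet), or None to drop.
    Nothing that cannot be attributed to a configured VR is forwarded."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len != len(packet) or packet[9] != IPPROTO_GRE:
        return None
    if ipv4_checksum(packet[:ihl]) != 0:
        return None
    gre = packet[ihl:]
    if len(gre) < 8:
        return None
    flags, gre_proto, key = struct.unpack("!HHI", gre[:8])
    # Only a plain keyed GRE header carrying IPv4 is accepted (no C/R/S options,
    # version 0); an unkeyed packet cannot be tied to a VR and is dropped.
    if flags != GRE_FLAG_KEY or gre_proto != GRE_PROTO_IPV4:
        return None
    vr_name = vr_by_vpn_id.get(key)
    if vr_name is None:
        return None
    inner = gre[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    if struct.unpack("!H", inner[2:4])[0] != len(inner):
        return None
    return vr_name, inner


def demo() -> dict:
    """Constructed traffic: VPN-1 and VPN-2 both use 10.0.0.0/8 internally, so the
    same inner packet is carried for both; only the key picks the VR."""
    vr_table = {100: "VR-1", 200: "VR-2"}       # VPN-ID -> VR on this PE (constructed)
    inner = build_ipv4("10.0.0.1", "10.0.0.2", 17, b"constructed payload")
    results = {}
    for vpn_id in (100, 200, 300):              # 300 is not provisioned on this PE
        pkt = spvr_encap("192.0.2.1", "192.0.2.2", vpn_id, inner)
        results[vpn_id] = spvr_decap(pkt, vr_table)
    return results


if __name__ == "__main__":
    for vpn_id, r in demo().items():
        print(vpn_id, "dropped" if r is None else "-> %s (%d inner bytes)" % (r[0], len(r[1])))
```

The same inner packet (10.0.0.1 to 10.0.0.2) is delivered to VR-1 under key 100 and to VR-2 under key 200, while key 300, which no VR on this PE owns, is dropped; with a per-VPN tunnel the outer destination address itself would identify the VR and no key would be needed.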

Page 7:

VPN Establishment with VRs

- Like all VPN implementation mechanisms, membership information needs to be disseminated
- In the VR model, membership information can be distributed with the following mechanisms:
  - manual configuration
  - directory-based mechanism
  - a routing protocol, i.e. BGP auto-discovery

Page 8:

Inter-domain VPN Support

- With the VR model, the mechanisms for a multi-domain VPN remain the same as for a single-domain VPN
- Main requirements:
  - the providers support a common tunnel mechanism
  - the ability to assign unambiguous VPN identification across the domains

Page 9:

Inter-domain VPN Support

(Diagram: the Page 5 topology extended across two SP networks; each side hosts VR-1, VR-2 and an SPVR, and VPN-1 and VPN-2 sites attach to their respective VRs in both domains.)

Page 10:

Extranet Support

- Two or more corporations have network access to a limited amount of each other's corporate data
- It is a matter of controlling who can access what data, i.e. a policy decision
- The VR model supports extranets by allowing two or more VRs to connect to each other, with policy control over the data flow between them
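The VR isolation described under Virtual Router Definition and the policy-controlled extranet link described above, as one added example (not the deck's or CoSine's code). The prefixes, interface and tunnel names, VPN-IDs and the `vr:<name>` next-hop convention are constructed for illustration. Each VR answers longest-prefix lookups only from its own table, so two VPNs can both use 10.1.0.0/16 without interfering; a destination with no route is dropped rather than falling through to the provider's routing; and a hop into another VR is taken only when the originating VR's extranet policy allows that source/destination pair.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str   # interface or tunnel name, or "vr:<name>" for an extranet hop (constructed convention)


@dataclass
class VirtualRouter:
    name: str
    routes: List[Route] = field(default_factory=list)
    # Extranet policy: (src_prefix, dst_prefix) pairs allowed to cross into another VR.
    extranet_allow: List[Tuple[IPv4Network, IPv4Network]] = field(default_factory=list)

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(IPv4Network(prefix), next_hop))

    def allow_extranet(self, src: str, dst: str) -> None:
        self.extranet_allow.append((IPv4Network(src), IPv4Network(dst)))

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match in this VR's table only; None means drop.
        There is deliberately no default route into the provider network."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def extranet_permits(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(src in s and dst in d for s, d in self.extranet_allow)


class PE:
    """A provider edge device hosting one VR per VPN. A packet arriving on
    VPN `vpn_id` is forwarded using that VR's table and nothing else."""

    def __init__(self) -> None:
        self.vrs: Dict[int, VirtualRouter] = {}
        self.by_name: Dict[str, VirtualRouter] = {}

    def add_vr(self, vpn_id: int, vr: VirtualRouter) -> None:
        self.vrs[vpn_id] = vr
        self.by_name[vr.name] = vr

    def forward(self, vpn_id: int, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Return (vr_name, egress) for the VR that finally emits the packet, or None if dropped."""
        vr = self.vrs[vpn_id]
        s, d = IPv4Address(src), IPv4Address(dst)
        route = vr.lookup(d)
        if route is None:
            return None
        if route.next_hop.startswith("vr:"):
            # Extranet hop: only if this VR's policy allows the flow, then one
            # lookup in the peer VR's own table (no chaining through a third VR).
            if not vr.extranet_permits(s, d):
                return None
            peer = self.by_name[route.next_hop[3:]]
            peer_route = peer.lookup(d)
            if peer_route is None or peer_route.next_hop.startswith("vr:"):
                return None
            return peer.name, peer_route.next_hop
        return vr.name, route.next_hop


def build_pe() -> PE:
    """Constructed PE: VPN-1 (ID 1) and VPN-2 (ID 2) both use 10.1.0.0/16 for a
    remote site; the extranet prefixes (10.2.0.0/16, 172.16.5.0/24) are unique
    in both VPNs, which an extranet requires unless NAT is added."""
    pe = PE()
    vr1, vr2 = VirtualRouter("VR-1"), VirtualRouter("VR-2")
    vr1.add_route("10.1.0.0/16", "tun-vr1-siteB")   # VR-to-VR tunnel to VPN-1's other PE
    vr1.add_route("10.2.0.0/16", "ge-0/0")          # VPN-1 HQ, attached CE
    vr2.add_route("10.1.0.0/16", "tun-vr2-siteB")   # VPN-2's own remote site, same prefix
    vr2.add_route("172.16.5.0/24", "ge-1/0")        # VPN-2 shared-server subnet
    # Extranet: VPN-1 HQ may reach VPN-2's shared servers, and only that, both ways.
    vr1.add_route("172.16.5.0/24", "vr:VR-2")
    vr1.allow_extranet("10.2.0.0/16", "172.16.5.0/24")
    vr2.add_route("10.2.0.0/16", "vr:VR-1")
    vr2.allow_extranet("172.16.5.0/24", "10.2.0.0/16")
    pe.add_vr(1, vr1)
    pe.add_vr(2, vr2)
    return pe


if __name__ == "__main__":
    pe = build_pe()
    for vpn_id, src, dst in [(1, "10.2.0.5", "10.1.3.4"), (2, "10.9.0.1", "10.1.3.4"),
                             (1, "10.2.0.5", "172.16.5.10"), (1, "10.1.0.5", "172.16.5.10")]:
        print("VPN-%d %s -> %s: %s" % (vpn_id, src, dst, pe.forward(vpn_id, src, dst)))
```

The same destination 10.1.3.4 leaves VR-1 on one tunnel and VR-2 on another, a host in VPN-1's HQ reaches the shared servers through VR-2, and a VPN-1 host outside the permitted source range is dropped at the extranet boundary even though VR-1 holds a route for the destination.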

Page 11:

VR VPN Properties

- VPNs built with VRs follow the overlay model
- The provider routers (P) are VPN unaware, hence scalable
- Routing for each VPN is the same as regular network routing
- The choice of backbone protocols is not constrained by the VPNs, and vice versa
- No protocol modifications needed
- No tool (debugging, management, etc.) modifications needed
- Deployment will not impact normal operation of the provider network

Page 12:

Scalability

- Only the PEs handle VPN-specific information; the other provider routers are VPN unaware
- Establishment and reconfiguration can use a directory-based tool and BGP auto-discovery; no manual configuration is necessary

Page 13:

Deployment Status

A number of SPs have already deployed VPNs implemented with the VR model in their networks and are providing network-based VPN service

Page 14:

Reference

ftp://ftp.ietf.org/internet-drafts/draft-oluldbrahim-vpn-vr-02.txt