Virtual Private Networks: Advanced Technologies
wh.cs.vsb.cz/sps/images/9/9a/VPN-Advanced.pdf · 2019. 5. 31.

Page 1: Virtual Private Networks: Advanced Technologies

© 2010 Petr Grygarek

Petr Grygárek

Agenda:
• Supporting Technologies (GRE, NHRP)
• Dynamic Multipoint VPNs (DMVPN)
• Group Encrypted Transport VPNs (GET VPN)
• Multicast VPNs (mVPN)

Page 2: Generic Routing Encapsulation (GRE)

Page 3: GRE Principle (1)

• RFC 1701: encapsulation of an arbitrary L3 protocol over another arbitrary L3 layer
  • defines an additional header (4-20 B)
  • the "key" field may potentially identify a VRF
    • multiple overlapping IP ranges
• RFC 1702: encapsulates IP in IP
  • accompanies RFC 1701
  • IP protocol type 47
• Allows the creation of tunnels over shared infrastructure
  • Originally P2P; support for P2MP interfaces was added later
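An added worked example (not from the lecture): a small GRE header builder and parser that handles the optional checksum, key and sequence fields, and then uses the key, as the slide suggests, to select a VRF for two customers whose inner address ranges overlap. The key values, VRF names and inner packets are constructed for the example.

```python
import struct

# GRE is carried directly inside IP as protocol number 47 (RFC 1702 / RFC 2784)
IP_PROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800          # Ethertype of the encapsulated protocol

FLAG_C = 0x8000                  # Checksum (+ reserved word) present
FLAG_K = 0x2000                  # Key present (RFC 2890 extension)
FLAG_S = 0x1000                  # Sequence number present (RFC 2890 extension)
VER_MASK = 0x0007                # Version must be 0 for plain GRE


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over `data` (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto=GRE_PROTO_IPV4, key=None, seq=None, checksum=False) -> bytes:
    """Prepend a GRE header (4 to 16 bytes with these options) to `payload`."""
    flags, opt = 0, b""
    if key is not None:
        flags |= FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        opt += struct.pack("!I", seq)
    if not checksum:
        return struct.pack("!HH", flags, proto) + opt + payload
    flags |= FLAG_C
    # The checksum word (plus a reserved word) follows the base header, before key/sequence;
    # it is computed over header + payload with the checksum field set to zero.
    base = struct.pack("!HH", flags, proto)
    csum = inet_checksum(base + b"\x00\x00\x00\x00" + opt + payload)
    return base + struct.pack("!HH", csum, 0) + opt + payload


def parse_gre(buf: bytes) -> dict:
    """Decode a GRE header; raises ValueError on truncation or an unknown version."""
    if len(buf) < 4:
        raise ValueError("truncated GRE base header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if flags & VER_MASK:
        raise ValueError("unsupported GRE version %d" % (flags & VER_MASK))
    info = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    off = 4
    if flags & FLAG_C:
        off += 4                 # checksum(16) + reserved(16)
    if flags & FLAG_K:
        if len(buf) < off + 4:
            raise ValueError("truncated GRE key")
        info["key"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:
        if len(buf) < off + 4:
            raise ValueError("truncated GRE sequence number")
        info["seq"] = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if len(buf) < off:
        raise ValueError("truncated GRE header")
    if flags & FLAG_C:
        # A valid packet (including the stored checksum) sums to all ones, i.e. complement 0.
        # The checksum is unkeyed: it detects corruption only and is no protection against an
        # on-path attacker, which is why an IPsec profile is applied to the tunnel in practice.
        info["checksum_ok"] = inet_checksum(buf) == 0
    info["header_len"] = off
    info["payload"] = buf[off:]
    return info


def inner_ipv4_dst(payload: bytes) -> str:
    """Destination address of the encapsulated IPv4 packet (bytes 16..19 of its header)."""
    return ".".join(str(b) for b in payload[16:20])


def demux_to_vrf(pkt: bytes, key_to_vrf: dict) -> tuple:
    """Use the GRE key as the VRF selector so overlapping inner address ranges stay separate."""
    info = parse_gre(pkt)
    if info["proto"] != GRE_PROTO_IPV4:
        raise ValueError("not an IPv4 payload")
    if info["key"] not in key_to_vrf:
        raise ValueError("unknown or missing GRE key; packet not accepted")
    return key_to_vrf[info["key"]], inner_ipv4_dst(info["payload"])


def make_ipv4(src: str, dst: str, body: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (no real checksum), used only as the sample inner packet."""
    to_b = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(body), 0, 0, 64, 6, 0) + to_b(src) + to_b(dst) + body


# Constructed sample: two customers using the same inner addresses, separated only by GRE key
KEY_TO_VRF = {100: "CUST-A", 200: "CUST-B"}
PKT_A = build_gre(make_ipv4("10.0.0.1", "10.0.0.2"), key=100, seq=1, checksum=True)
PKT_B = build_gre(make_ipv4("10.0.0.1", "10.0.0.2"), key=200, seq=1, checksum=True)
```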

Page 4: GRE Principle (2)

• Completely stateless
• Low overhead
• The tunnel interface is by default always up
  • even if the remote endpoint is unavailable
  • GRE keepalives allow the tunnel interface to be kept up/down based on peer availability
• GRE encapsulation may be hardware-accelerated on some platforms
  • But be aware that decapsulation may still be CPU-based ;-) on some platforms

Page 5: Usage of GRE

• Data tunnels over IP infrastructure
  • Unencrypted in the original implementation
• Passing routing information between VPN sites

Page 6: GRE Point-to-point Interface

Configuration parameters:
• Tunnel source address
• Local endpoint physical interface
  • implies the local tunnel endpoint physical IP address
• Remote endpoint physical (IP) address
• Optional tunnel protection parameters

Routing over the tunnel may be configured via the remote endpoint tunnel address.

Page 7: GRE Multipoint Interface

• Tunnel interface address
• Local endpoint physical interface
• Optional tunnel protection parameters
• No destination endpoint addresses
  • Neither tunnel nor physical
• Destination physical addresses are determined by the (ARP-like) NHRP "database"
  • Maps the destination tunnel (inner, overlay) address to the corresponding physical (underlay) IP address
• List of peers to which multicasts have to be forwarded

Page 8: Next-Hop Resolution Protocol (NHRP)

RFC 2332

Page 9: NHRP Principle

• Allows systems connected to an NBMA network to dynamically learn the "physical" ("NBMA") addresses of other systems so that they can communicate directly
  • The NBMA may be either a connection-oriented network (FR, ATM) or an IP infrastructure
  • Direct communication may require establishing an SVC
  • NBMA addresses may be either "physical" (underlay) IP addresses or L2 addresses (DLCI, VPI/VCI)
• May be understood as the analogy of ARP for NBMA
  • ARP is unusable because the underlay does not support broadcast

Page 10: NHRP Usage

• Reduction of multihop routing over an NBMA network that is not fully meshed (SVC mesh)
• Starts with a partial mesh topology
  • Most often hub-and-spoke
• Helps to establish a "dynamic full mesh" (on-demand spoke-to-spoke tunnels)

Page 11: Dynamic Full Mesh Advantages (1)

• Avoids multi-hop routing and over-utilization of the hub router
  • Avoids double encryption/decryption
  • Decreases delay
  • Utilizes the underlying network infrastructure more efficiently
  • (The same is valid for a static full mesh)
• Support for dynamic NBMA addresses
  • Systems behind NAT or with dynamic addresses (DHCP)
  • For IP underlay clouds, a mapping between tunnel "inner" addresses and tunnel endpoints is needed

Page 12: Dynamic Full Mesh Advantages (2)

• Only the spoke-to-spoke links needed for the traffic are (dynamically) established
  • No need to configure the full mesh (manually)
  • No limitation by the number of tunnel interfaces and number of routes supported on low-end routers
  • Allows mixing high-end (hub) and low-end (spoke) routers
    • a static full-mesh configuration would require all routers to have the resources for a full-mesh implementation
• If a spoke-to-spoke tunnel cannot be established, the traffic may still be routed through the hub

Page 13: NHRP Components

• Next-Hop Clients (NHC)
  • Dynamically register with the NHS
  • May be added without changing the NHS configuration
• Next-Hop Servers (NHS)
  • Allow NHCs to register and to discover the logical-to-physical address mapping of other NHCs

NHRP Cache (on the NHC)
• Dynamic and static entries

Page 14: NHRP Messages (1)

• Registration Request/Response
  • Registration of dynamic physical addresses with the NHS
  • Inner-outer (L3/L2 or L3/L3) address pair
• Resolution Request
  • May be routed through multiple systems along the (suboptimal) already known path to the destination system
• Resolution Response
  • Sent by the destination system directly to the requesting system

Page 15: NHRP Messages (2)

• Purge Request/Response
  • Makes the system (NHC) invalidate the cached information obtained by NHRP

Page 16: NHRP & multicast

• The hub has to be explicitly configured to send multicast data traffic to registered spokes
  • Multicasts are necessary for many routing protocols

Page 17: Dynamic Multipoint VPNs (DMVPN)

Page 18: DMVPN Principle (1)

• Makes configuration of multipoint VPNs easier by avoiding the need to configure VPN tunnels manually
  • Only the hub-and-spoke topology has to be preconfigured
• Creates (encrypted) spoke-to-spoke tunnels on a data-driven basis
  • Utilizes NHRP, GRE and IPSec
  • The communication between spokes is routed via the hub until the direct tunnel is created (or if it could not be created)
  • On-demand IPSec tunnel negotiation

Page 19: DMVPN Principle (2)

• Spokes (NHCs) dynamically register with the hub (NHS) using NHRP
  • Inner tunnel (logical) to (currently assigned) physical address mapping
  • Allows a spoke to look up the address of another spoke
  • spokes may have dynamic (physical) addresses
• Each spoke may create spoke-to-spoke tunnels up to its available resources
  • does not limit any other spoke from using all of its available resources
• Dynamic tunnels are deleted after the idle timeout expires

Page 20: DMVPN Advantages

• Spokes can be added without any hub configuration change
• Uniform spoke configuration
• Utilizes standard protocols and solutions
  • Combination of GRE, NHRP and IPSec

Page 21: Developmental phases of DMVPN

• Phase 1 – hub-and-spoke capability only
• Phase 2 – dynamic spoke-to-spoke tunnels
• Phase 3 – limits the routing information advertised to spokes
  • Better scalability
  • Does not require all spoke routers to maintain all the routes of the VPN, just those needed for the currently used spoke-to-spoke communications

Page 22: DMVPN Phase 2 (1)

• The dynamic routing protocol on the hub-to-spoke tunnel advertises all routes behind the hub and the other spokes
  • Uses the hub's or the respective spoke's tunnel (inner) address as the next hop to the networks behind particular spokes
    • the routing protocol has to preserve the next hop (spoke-to-spoke)
  • The split-horizon rule has to be turned off on the hub
• Each spoke has routes to all networks in its routing table
  • with the tunnel interface as the outgoing interface

Page 23: DMVPN Phase 2 (2)

• NHRP runs on the spoke's tunnel (multipoint) interface
  • The NHRP cache is used to find the logical-to-NBMA mapping for the next-hop address
  • If an entry is not found in the cache, an NHRP request has to be sent to the NHS
• A disadvantage is the significant load on the routing protocol in the VPN

Page 24: DMVPN Phase 3 (1)

• Reduces the number of routes advertised to spokes
  • The hub summarizes the routing information advertised to spokes
  • The hub sets itself as the next hop
• The spoke sends the first data packet to the hub over the tunnel interface
  • The logical-to-NBMA mapping for the hub is preconfigured

Page 25: DMVPN Phase 3 (2)

• If the hub receives a packet from a spoke on the tunnel interface that has to be routed to another spoke via the same router interface, it initiates the spoke-to-spoke tunnel creation
  • Sends a redirect to the source spoke
• NHRP redirect message
  • Contains the correct (logical) next-hop address and the original destination address

Page 26: DMVPN Phase 3 (3)

• Based on the NHRP Redirect from the hub, the spoke sends an NHRP Request to determine the NBMA address for the logical next-hop address from the redirect message
• The NHRP Request is routed to the destination spoke
  • The destination spoke responds to the original requesting spoke with its NBMA address for the whole subnet from its routing table that matches the required destination address from the NHRP Request

Page 27: DMVPN Phase 3 (4)

• The source spoke inserts a record for the particular destination network into its routing table
  • pointing to the newly created spoke-to-spoke tunnel interface
    • most often protected by an IPSec profile
• The following packets take the direct spoke-to-spoke path

Page 28: Problems of Hub Failure

• The spoke will delete all routes pointing to the (multipoint) tunnel interface
• Even existing spoke-to-spoke tunnels become unusable, as there is no entry in the routing table to route traffic into them once the route exchange with the hub fails
  • The tunnels will remain available, but unused
    • At least until the NHRP cache entries time out
• Routes advertised from redundant hubs may solve the problem
  • Normally they are ignored because of a worse AD
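An added simulation of the Phase 3 exchange from slides 24 to 28 (example code, not from the lecture or any vendor implementation): a spoke's first packet is relayed by the hub, which answers with an NHRP Redirect; the spoke resolves the logical next hop, the destination spoke replies with its NBMA address for the whole matching subnet, and later packets go direct. A hub failure then withdraws the routes while the NHRP cache entry lingers, which is exactly the "available but unused" tunnel of the last slide. All names and addresses are constructed.

```python
import ipaddress


class Hub:
    """NHS: keeps spoke registrations and, in Phase 3, advertises one summary with itself as next hop."""

    def __init__(self, tunnel_ip, nbma, summary):
        self.tunnel_ip, self.nbma = tunnel_ip, nbma
        self.summary = ipaddress.ip_network(summary)
        self.registrations = {}          # spoke tunnel (inner) address -> NBMA (underlay) address
        self.spoke_subnets = {}          # spoke tunnel address -> networks behind that spoke

    def relay(self, src, dst, spokes):
        """Forward a data packet received on the mGRE interface; returns (path, redirect)."""
        for tip, subnets in self.spoke_subnets.items():
            if any(dst in s for s in subnets):
                # Ingress and egress on the same tunnel interface: NHRP Redirect to the source spoke
                return [src.name, "hub", spokes[tip].name], {"next_hop": tip, "dst": dst}
        return [src.name, "hub", "DROP"], None


class Spoke:
    """NHC with an NHRP cache and a routing table; only the hub mapping is preconfigured."""

    def __init__(self, name, tunnel_ip, nbma, subnets):
        self.name, self.tunnel_ip, self.nbma = name, tunnel_ip, nbma
        self.subnets = [ipaddress.ip_network(s) for s in subnets]
        self.nhrp_cache = {}             # tunnel address -> NBMA address
        self.routes = []                 # (prefix, next-hop tunnel address, origin)
        self.hub = None

    def register(self, hub):
        """NHRP Registration Request: publish our (possibly dynamic) inner->NBMA mapping."""
        self.hub = hub
        hub.registrations[self.tunnel_ip] = self.nbma
        hub.spoke_subnets[self.tunnel_ip] = self.subnets
        self.nhrp_cache[hub.tunnel_ip] = hub.nbma            # static entry for the hub
        self.routes = [(hub.summary, hub.tunnel_ip, "hub")]  # Phase 3 summary learnt from the hub

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def send(self, dst_ip, spokes):
        """Forward one data packet; returns the routers it traverses."""
        dst = ipaddress.ip_address(dst_ip)
        route = self.lookup(dst)
        if route is None or route[1] not in self.nhrp_cache:
            return [self.name, "DROP"]       # no route, or no NBMA mapping for its next hop
        next_hop = route[1]
        if next_hop == self.hub.tunnel_ip:
            path, redirect = self.hub.relay(self, dst, spokes)
            if redirect:
                self.on_redirect(redirect, spokes)
            return path
        return [self.name, spokes[next_hop].name]   # existing spoke-to-spoke tunnel

    def on_redirect(self, redirect, spokes):
        """NHRP Resolution Request for the logical next hop; the reply comes back directly."""
        reply = spokes[redirect["next_hop"]].resolve(redirect["dst"])
        self.nhrp_cache[reply["tunnel_ip"]] = reply["nbma"]
        self.routes.append((reply["subnet"], reply["tunnel_ip"], "nhrp"))

    def resolve(self, dst):
        """Resolution Response: our NBMA address plus the whole matching subnet from our table."""
        for s in self.subnets:
            if dst in s:
                return {"tunnel_ip": self.tunnel_ip, "nbma": self.nbma, "subnet": s}
        return None

    def hub_lost(self):
        """Hub failure: every route via the mGRE interface is withdrawn; cache entries linger."""
        self.routes = []


def scenario():
    """Constructed topology: one hub, two spokes, RFC 5737 documentation addresses as NBMA."""
    hub = Hub("10.0.0.1", "198.51.100.1", "192.168.0.0/16")
    s1 = Spoke("spoke1", "10.0.0.11", "203.0.113.11", ["192.168.1.0/24"])
    s2 = Spoke("spoke2", "10.0.0.12", "203.0.113.12", ["192.168.2.0/24"])
    spokes = {s.tunnel_ip: s for s in (s1, s2)}
    s1.register(hub)
    s2.register(hub)
    first = s1.send("192.168.2.5", spokes)    # via hub; hub sends NHRP Redirect
    second = s1.send("192.168.2.9", spokes)   # same /24: direct spoke-to-spoke path
    s1.hub_lost()
    after = s1.send("192.168.2.9", spokes)    # dropped although spoke2 is still in the NHRP cache
    return first, second, after, dict(s1.nhrp_cache)
```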

Page 29: DMVPN Configuration

• Multipoint GRE interface on the hub
  • Because it connects to multiple spokes
• Multipoint GRE interface on the spokes
  • Because multiple spoke-to-spoke tunnels may be initiated in parallel
• An IPSec profile is typically applied to the GRE tunnel to protect the traffic
  • Standard IPSec mechanisms are used

Page 30: Group-Encrypted Transport VPNs (GET VPN)

Page 31: GET VPN (1)

• Tunnel-less any-to-any VPN service over IP
  • Better scalability
  • No multiple tunnel interfaces needed for a partial/full mesh
• No overlay routing
  • Optimal traffic paths
• IPSec based, transport mode
  • Supports multicasts and QoS
  • The original IP header is visible (incl. QoS marking)

Page 32: GET VPN (2)

• Secure central key distribution to routers (group members) in a domain
  • Key server
  • Unicast & multicast key distribution to authorized routers (download/push)
  • Policy management
• Secondary key server implemented for redundancy
  • automatic failover (COOP protocol)

Page 33: GDOI: Group Domain of Interpretation (1)

• Key management protocol between group member(s) and the key server
  • RFC 3457
  • based on ISAKMP/IKE
  • provides a security association among two or more group members
• Uses IKE Phase 1 to authenticate group members to the key server
  • according to the defined group policy

Page 34: GDOI: Group Domain of Interpretation (2)

• The group key ("key encryption key", KEK) is pulled from the key server during IKE phase 2 by the group members
• The key server pushes traffic encryption keys (TEK) to all group members using unsolicited multicast / broadcast / unicast messages, encrypted by the KEK
  • periodic re-keys
• The TEK may be used for both unicast and multicast communication between GMs

Page 35: Multicast VPNs (mVPN)

Page 36: Implementation Requirements

• Potentially different PIM modes in the core and in each mVPN
  • Support for all PIM modes
• Overlap of customers' multicast addressing

Page 37: Overlay Infrastructure

• Full mesh of tunnels between VPN sites
• Hides VPN multicast from the core
  • No multicast state in the core
  • Customers' multicast groups may overlap
• Non-scalable
• Suboptimal multicast routing (replication)

Page 38: 2-level Multicast Solution

• Multicast Distribution Tree (MDT)
  • Aggregates all multicast traffic between sites of the same VPN
    • GRE-encapsulated
    • Including system-oriented traffic between PE routers (PIM sessions between PEs)
  • May be seen as a multiaccess segment
    • Every PE router is connected via a virtual tunnel interface
  • Suboptimal – delivers ALL multicast traffic to all PEs of the VPN

Page 39: An optimization: Data MDT (1)

• Configured optionally
• Carries the traffic of a single (or multiple) customer's group(s)
  • The source PE switches from the Default MDT to the Data MDT after the preconfigured traffic threshold for the given group(s) is exceeded
• The tree spans only the PEs with networks interested in the particular multicast groups behind them
  • The Default MDT is used to inform other PEs about active sources sending to the Data MDT
  • A PE may optionally join the Data MDT

Page 40: Data MDT: Pros and Cons

• Limits traffic over the core network
• More state in the core network (multiple trees)