Compare, design and deploy VPNs--A tutorial--Part II

ComssDesign

Compare, design and deploy VPNs--A tutorial--Part II

Mark Lewis
Jul 21, 2006 (10:09 AM)
URL: http://www.commsdesign.com/showArticle.jhtml?articleID=191000198

Part I is a practical guide for using IPsec, MPLS Layer 3, L2TPv3, L2TPv2, AToM and SSL VPNs, so start here and then enjoy this segment.

Service Provider Provisioned Site-to-Site VPNs
Service provider provisioned site-to-site VPNs (PPVPN) fall into one of three categories: Layer 1 VPNs, Layer 2 VPNs, and Layer 3 VPNs. Layer 2 and Layer 3 site-to-site VPN types are described in the sections that follow.

NOTE Layer 1 VPNs are used to transport Layer 1 services over an intervening shared network controlled and managed by Generalized Multiprotocol Label Switching (GMPLS).

Layer 2 VPNs
Layer 2 site-to-site VPNs (L2VPN) can be provisioned between switches, hosts, and routers and allow data link layer connectivity between separate sites. Communication between customer switches, hosts, and routers is based on Layer 2 addressing, and PE devices perform forwarding of customer data traffic based on incoming link and Layer 2 header information (such as MAC address, Frame Relay Data Link Connection Identifier (DLCI, and so on).

There are two categories of provider provisioned L2VPN:

Point-to-point (P2P) circuit-based VPNs--P2P-based VPNs are also known as Virtual Private Wire Service (VPWS) VPNs and are constructed using, for example, Draft Martini (MPLS) or L2TPv3 pseudowires (emulated circuits).

It is worth noting that VPWS was formerly known as Virtual Leased Line Service (VLL service or VLLS).

Multipoint-to-multipoint (M2M) VPNs--M2M VPNs come in two varieties:

--Virtual Private LAN Service (VPLS) VPNs --IP-Only LAN Service (IPLS) VPNs

Layer 3 VPNs
Layer 3 site-to-site VPNs (L3VPN) interconnect hosts and routers at separate customer sites. These customer hosts and routers communicate based on Layer 3 (network layer) addressing, and PE devices forward customer traffic based on incoming link, and on addresses contained in the (outer) IP header.

There are two overall types of L3VPN:

PE-based VPNs--In a PE-based L3VPN, PE devices participate in customer network routing and forward traffic based on customer network addressing. Customer traffic is (usually) forwarded between PE devices over VPN tunnels that may take the form of (MPLS) LSPs, IPsec tunnels, L2TPv3 tunnels, or GRE tunnels, for example. In this case, CE devices are not aware that they are participating in a VPN.

PE-based VPNs are also sometimes referred to as Network- based VPNs.

PE-based L3VPNs can be further classified as follows:

RFC4364/2547bis style--In this type of PE-based L3VPN, the PE devices maintain separate routing and forwarding tables for each VPN. Customer routes are advertised between PE devices using Multiprotocol Border Gateway Protocol (MP-BGP), and customer address space and routes are disambiguated using BGP attributes.

Virtual Router (VR) based--In this type of PE-based L3VPN, completely separate logical routers are maintained on the PE devices for each VPN. Each logical router maintains its own entirely separate routing protocol instances.

Figure 6 illustrates a typical PE-based VPN.

Figure 6. Typical PE-Based Site-to-Site VPN

CE-based VPNs--In a CE-based L3VPN, PE devices do not participate in (and are unaware of) customer network routing and forward customer traffic based on globally unique addressing. In this case, tunnels are configured between CE devices using protocols such as GRE and IPsec.
CE-based VPNs are also sometimes referred to as CPE-based VPNs.

Figure 7 illustrates a typical CE-based site-to-site VPN.

Figure 7. Typical CE-Based Site-to-Site VPN

Customer Provisioned Site-to-Site VPNs
Customer provisioned site-to-site VPNs are configured on CE devices such as routers and firewalls. In this case, tunnels are configured between CE devices in the VPN, and customer data traffic is sent over these tunnels. Protocols used to encapsulate user data traffic as it is sent over the tunnels between VPN sites include GRE and IPsec.

Service Provider and Customer Provisioned Remote Access VPNs
Remote access VPNs can be configured in either compulsory tunnel mode or voluntary tunnel mode. These two modes of operation are described as follows:

Compulsory tunnel mode—Compulsory tunnel mode remote access VPNs are service provider provisioned. In this mode of operation, the remote access client connects to a NAS that then tunnels client data traffic to and from a VPN gateway. Compulsory tunnel mode remote access VPNs are provider provisioned. Examples of protocols used to provision compulsory tunnel mode remote access are L2F, PPTP, and L2TP.

In Figure 5, mobile user 2 is connected via a compulsory mode tunnel to the VPN gateway/concentrator.

In Figure 5. Compulsory tunnel mode remote access VPNs are sometimes referred to as NAS-initiated remote access VPNs.

Voluntary tunnel mode--Voluntary tunnel mode remote access VPNs are either service provider or customer provisioned. In this mode of operation, data traffic is tunneled directly between the remote access client and a VPN gateway. Voluntary tunnel mode remote access VPNs can be either customer or provider provisioned. In Figure 5, the home-based user and mobile user 1 are both connected to the VPN gateway/concentrator via voluntary mode tunnels.

Note that voluntary tunnel mode remote access VPNs are sometimes referred to as client-initiated remote access VPNs.

One type of remote access VPN is a Virtual Private Dialup Network (VPDN). This term can be used to describe remote access VPNs (L2F, PPTP, and L2TP) in which remote users connect over a PSTN or Integrated Services Digital Network (ISDN) to a dial NAS. User data traffic is then tunneled to a VPN gateway. With so many remote users now connecting over cable, Digital Subscriber Line (DSL), and other high-speed connections, rather than via dial connections, this term is slightly outdated.

Other Methods of Categorizing VPNs
Yes, there are yet more methods of categorizing VPNs! VPNs can be further categorized depending on whether they are connection oriented or connectionless, whether they are overlay or peer to peer, and whether they are secure or trusted.

Overlay and Peer-to-Peer VPNs
A VPN can be categorized as either an overlay or peer VPN depending on whether PE devices are aware of customer network addressing, and route customer traffic based on customer network address space.

Overlay and peer VPNs are summarized as follows:

Overlay VPNs--In an overlay network, a VC or tunnel connects CE devices. No routing information is exchanged with the service provider, and PE devices are unaware of customer network address space and do not route customer traffic based on customer network addressing.

Examples of overlay VPNs include those built using Frame Relay or ATM virtual circuits, as well as those built using GRE or IPsec tunnels.

Peer VPNs--In a peer VPN, PE devices are aware of customer network addressing and route customer data traffic according to customer network addressing. In peer VPNs, routes are exchanged between CE devices and PE devices.

Older types of peer VPN often involve PE devices partitioning customer data traffic by simply using access control lists (ACL). A more modern example of peer VPNs is BGP/MPLS (RFC4364/2547bis) VPNs.

Connection-Oriented and Connectionless VPNs
VPNs can be either connection oriented or connectionless depending on whether VCs or tunnels are provisioned to carry VPN traffic.

Connection-oriented and connectionless VPNs are described as follows:

Connection-oriented VPNs--In connection-oriented VPNs, VCs or tunnels are set up to carry VPN traffic.

Examples of connection-oriented VPNs are those provisioned using Frame Relay or ATM VCs, as well as those provisioned using L2TP or IPsec tunnels.

Connectionless VPNs--In connectionless VPNs, neither VCs nor tunnels are set up to carry VPN traffic.

PE-based VPNs that rely on the partitioning of customer data traffic by using ACLs configured on PE devices are connectionless VPNs.

Trusted and Secure VPNs
VPNs can be described as being either trusted or secure. Whether a VPN is trusted or secure depends on whether customer data traffic is authenticated and encrypted as it passes between VPN peers (sites in an site-to-site VPN, or a remote access client and a VPN gateway/concentrator in a remote access VPN).

Trusted and secure VPNs are described as follows:

Trusted VPNs--Provisioned by a service provider, and although customer traffic is not encrypted over the service provider backbone, customers trust the service provider to ensure that data traffic is kept secure in transit between the customer's sites. Examples of trusted VPNs are Frame Relay, ATM, and BGP/ MPLS (RFC4364/2547bis) VPNs.

Secure VPNs--Customer data traffic data is authenticated and encrypted over the service provider backbone or Internet between VPN peers. Examples of secure VPNs are IPsec VPNs, SSL VPNs, PPTP VPNs secured with MPPE, and L2TP VPNs secured using IPsec.

And Finally. . .
And finally, here are two or three sundry VPN classifications:

Transport/Application Layer VPNs--SSL sits on top of TCP in the protocol stack, and SSL VPNs are therefore sometimes referred to as either Transport or Application Layer VPNs.

Internet VPNs--Designed to run over the public Internet.

Multiservice VPNs--Provide a framework for converged services, including voice, video, and data.

Deploying Site-to-Site and Remote Access VPNs: A Comparison
So now you know the VPN protocols and technologies, and how they are categorized, but how do they compare? Included in this section are comparisons of site-to-site as well as remote access VPN technologies.

Before comparing the various VPN technologies, however, it is worth noting that these VPN technologies are often complementary. For example, although it might seem that BGP/MPLS (RFC4364/2547bis) VPNs and IPsec VPNs are competing provider provisioned site-to-site VPN technologies, IPsec tunnels can, in fact, be used to tunnel VPN traffic between PE routers in an BGP/MPLS (RFC4364/2547bis) VPN backbone. IPsec and L2TP can additionally be used to provide off-net (remote access) for mobile or home-based users to a BGP/MPLS (RFC4364/2547bis) VPN.

Similarly, although it appears GRE and IPsec are competing customer provisioned site-to-site VPN technologies, in fact, hybrid GRE/IPsec VPNs are commonly deployed. Hybrid GRE/IPsec VPNs are often deployed because GRE has little or no inherent security, whereas IPsec can provide strong security. On the other hand, IPsec cannot transport multiprotocol, whereas GRE can. So, by deploying a GRE over IPsec site-to-site VPN, you combine multiprotocol with strong security—the best of both worlds!

Site-to-Site VPN Deployment
Figure 3 shows a number options for provider provisioned, as well as customer provisioned, site-to-site VPNs.

Provider provisioned site-to-site VPNs can be either L2VPNs or L3VPNs, as follows:

L2VPNs--VPWS, VPLS, and IPLS

L3VPNs--BGP/MPLS (RFC4364/2547bis), VR, IPsec, GRE, and IP- in-IP Customer provisioned site-to-site VPNs can be deployed using the following protocols:

-IPsec
-GRE
-IP-in-IP

When comparing both provider and customer provisioned site-to-site VPNs, it is important to consider a number of factors. Some of the most important technical considerations for service providers and customers when deploying site-to-site VPNs are as follows:

Point-to-point or multipoint--Is point-to-point or multipoint (any- to-any) connectivity inherent?

Provisioning topologies--How easy is it to deploy a full range of topologies such as full mesh, hub and spoke, partial mesh.

Scalability--How easy is it to deploy a VPN with a large number of sites?

Geographic reach--Is geographic reach limited to a service provider backbone, or can it be extended across the Internet?

Security--Is traffic authenticated and encrypted? Is traffic crossing the VPN vulnerable to replay attacks? Is traffic resistant to insertion attacks (where malicious data is inserted into the protocol stream)?

Inherent multicast support--Can multicast traffic be natively supported across the VPN?

Inherent multiprotocol support--Can multiprotocol traffic (including legacy protocols such as IPX) be transported?

Quality of service (QoS) support--How does this technology differentiate levels of service for voice, video, and data applications?

Remote Access VPN Deployment
When deploying remote access VPNs, it is also important to have an understanding of how the various technologies compare. For this reason, a technical comparison of the various remote access VPN technologies is included in this section.

Compulsory tunnel mode/NAS-initiated remote access VPNs can be deployed using the following protocols:

L2F

PPTP

L2TPv2/L2TPv3

Voluntary/client-initiated remote access VPNs can be deployed using the following protocols:

PPTP

L2TPv2/L2TPv3

IPsec

SSL/TLS

Some of the most important technical considerations for service providers and customers when deploying remote access VPNs are as follows:

Functionality--How much functionality is provided to remote users? Is it comparable to local users at the central site?

Security--Is traffic (origin/integrity) authenticated and encrypted? Is traffic crossing the VPN vulnerable to replay or insertion attacks? Are remote user devices secure/protected?

Scalability--How easy is it to support a large number of remote access VPN users?

Inherent multiprotocol support--Can multiprotocol traffic be transported?

Inherent multicast support--Can multicast traffic be natively supported across the VPN?

About the Author
Mark Lewis is the technial director of MJL Network Solutions, a provider of internetworking solutions that focuses on helping enterprise and service provider customers to implement leading-edge technologies. Mark specializes in next-generation network technologies and has extensive experience in designing, deploying, and migrating large-scale IP/MPLS networks.

To contact the author, please email: reviews@ciscopress.com and use Comparing, Designing, and Deploying VPNs/post question as the subject line.

Title: Comparing, Designing, and Deploying VPNs.ISBN: 1-58705-179-6 Author: Mark Lewis. Chapter 1: What is a Virtual Private Network.Published by Cisco Press Reproduced from the book Comparing, Designing, and Deploying VPNs. Copyright [2006], Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.

*Visit Cisco Press for a detailed description and to learn how to purchase this title.

Come back soon for other recently published book excerpts.