ITTK - Network Integration and Implementation - WS L03 - WAN Design


Network Design WAN
WAN Backbone, Floating Static Routes, Dial-On-Demand
VPN, RAS, VPDN Techniques (L2TP, PPTP, L2F)
WAN Design, v1.4

Agenda
- WAN Area
- WAN Physical Layer
- Core WAN
- Access WAN
- Overview VPN
- Classical RAS
- Remote Access VPN (RAS based)

WAN Alternatives
- Leased line service
  - Usually based on PDH, SDH or ISDN
  - German term: Standleitung
  - Circuit with defined bandwidth and constant delay
- Virtual circuit service
  - X.25, Frame Relay, ATM
  - PVC or SVC
  - Virtual circuit with certain QoS (Quality of Service) guarantees (e.g. committed minimal throughput, bounded delay = worst case delay)
- Backup service
  - Dial on Demand, Bandwidth on Demand
  - ISDN (circuit), X.25-(Frame Relay)-ATM (virtual circuit in SVC operation mode)

WAN Alternatives 1
[Diagram: Location A and the Central Location connected by a leased line (circuit) through modem/DAG pairs into an SDH ring of SDH switches (synchronous TDM circuit switching). Interface options shown: RS232 (V.24), RS449, X.21, V.35, I.430 (BRI), I.431 (PRI) (PDH, SDH).]

WAN Alternatives 2
[Diagram: Location A and the Central Location attached to a PDH/SDH circuit, with the PDH/SDH switch function included in the end devices; SDH ring of SDH switches (synchronous TDM circuit switching).]

WAN Alternatives 3
[Diagram: X.25 DTEs at Location A and the Central Location (LCN = 47, LCN = 66) joined by an X.25 virtual circuit (X.25 PVC/SVC) across X.25 DCEs of X.25 switches (asynchronous TDM packet switching); access through modem/DAG pairs over X.21, X.21 bis or I.430 (BRI).]

WAN Alternatives (Frame Relay) 4
[Diagram: FR DTEs at Location A and the Central Location (DLCI = 533, DLCI = 768) joined by a Frame Relay virtual circuit (FR PVC/SVC) across FR DCEs of FR switches (asynchronous TDM packet switching); access through modem/DAG pairs. Interface options shown: I.430 (BRI); I.431 (PRI) = G.703/G.704 (2.048 Mbps); V.35; X.21; G.703 (E3, Mbps); ANSI T1.403 (DS1, Mbps); ANSI T1.107a (DS3, Mbps); ANSI/EIA/TIA 613 A 1993 High Speed Serial Interface (HSSI, 53 Mbps).]

WAN Alternatives (Asynchronous Transfer Mode) 5
[Diagram: ATM DTEs at Location A and the Central Location (VPI/VCI = 0/433, VPI/VCI = 0/68) joined by an ATM virtual circuit (ATM PVC/SVC) across ATM DCEs of ATM switches (asynchronous TDM cell switching); access links use STM standards (155 Mbit/s, 622 Mbit/s).]

ATM as WAN Technology based on SDH
[Diagram: ATM DTEs attached to ATM DCEs at both ends, together with POTS LE, ISDN LE and PABX equipment, all connected over an SDH network (drawn as SDH - R - R - R - SDH) spanning up to hundreds of km. Link labels: STM-1 155 Mb/s, E3 34 Mb/s, STM Mb/s, PRI / E1 2 Mb/s.]

SDH Circuits (Timeslots of S-TDM)
[Diagram: the same SDH network carrying three circuits: SDH-Circuit 1 for 34 Mb/s, SDH-Circuit 2 for 34 Mb/s and SDH-Circuit 3 for 155 Mb/s. Link labels: STM-1 155 Mb/s, STM-4 622 Mb/s, E3 34 Mb/s, PRI / E1 2 Mb/s.]

ATM-VCs inside SDH-Circuit: ATM as Intelligent Bandwidth Management System
[Diagram: the same SDH network, with ATM-VC1, ATM-VC2 and ATM-VC3 between the ATM DTEs carried inside SDH-Circuit 3 for 155 Mb/s; SDH-Circuit 1 and SDH-Circuit 2 (34 Mb/s each) shown alongside.]

ATM as LAN/MAN Technology based on Dark Fiber (is already gone)
[Diagram: ATM DTEs - ATM DCE - dark fiber - ATM DCE - ATM DTEs; DTE attachments up to some 100 m, dark fiber span up to some km.]

WAN Service Considerations
- Who is responsible for providing the service?
  - Service provider or a department of the own company
  - Note: functions of configuration, implementation, management, operation, monitoring and maintenance need to be established
  - Service Level Agreement (SLA)
- What about redundancy?
  - Can a redundant line take a truly different physical path end-to-end?
  - Should different service providers be used?

WAN Backbone Scenarios
[Diagram: Central Location, Big Locations A, B and C, and a Small Location. Labels: WAN Backbone, WAN Access, FW, DMZ, VPN, RAS, Internet (ISPs), Dial-on-Demand, Telecommuters, Home Offices.]

Backbone Economical
[Diagram: Central Location and Big Locations A, B and C.]

Backbone Hub and Spoke
[Diagram: Central Location and Big Locations A, B and C.]

Backbone Minimal Hops
[Diagram: Central Location and Big Locations A, B and C.]

Backbone WAN Considerations
- Classical IP routing
  - (RIPv2), OSPF, EIGRP, IS-IS
  - Convergence time range: seconds to minutes
- Own infrastructure versus provider based infrastructure
  - Leased lines behavior: SDH circuit
  - Virtual circuit behavior: X.25 PVC, Frame Relay PVC, ATM PVC
  - Tunneling techniques (MPLS-VPN) provided by SP-ISP
  - (Dial on demand lines): ISDN, X.25 SVC, Frame Relay SVC, ATM SVC

Routing Protocol Convergence 1
[Diagram: Big Location A and the Central Location connected by a leased line.]
Convergence time of the routing protocol depends mainly on recognition of inactivity of the physical line (few seconds).

Routing Protocol Convergence 2
[Diagram: Big Location A and the Central Location connected by a PVC through a Frame Relay / ATM network.]
Convergence time of the routing protocol depends mainly on recognition of inactivity of the physical line (few seconds).

Routing Protocol Convergence 3
[Diagram: Big Location A and the Central Location connected by a PVC through a Frame Relay / ATM network.]
Convergence time of the routing protocol depends on recognition of inactivity of the logical IP peer (e.g. OSPF dead time 40 seconds with hello-time of 10 seconds).

Routing Protocol Convergence 4
[Diagram: Big Location A and the Central Location joined by a direct LAN connection without any L2 switch or L1 repeater in between.]
Convergence time of the routing protocol depends mainly on recognition of inactivity of the physical line (few seconds). This holds only for a direct LAN connection.

Routing Protocol Convergence 5
[Diagram: Big Location A and the Central Location joined by a LAN with an L2 switch or L1 repeater.]
Convergence time of the routing protocol depends on recognition of inactivity of the logical IP peer (e.g. OSPF dead time 40 seconds with hello-time of 10 seconds).
New Cisco feature for GE interfaces: BFD (Bidirectional Forwarding Detection) can signal loss of a neighbor within the milliseconds range; see: -> issue 3Q > Routing: Detecting Network Failures

Access WAN Scenarios
[Diagram: Central Location, Big Locations A, B and C, and a Small Location. Labels: WAN Backbone, WAN Access, FW, DMZ, VPN, RAS, Internet (ISPs), Dial-on-Demand, Telecommuters, Home Offices.]

Access WAN Connection to Backbone 1
[Diagram: Small Locations connected to the backbone formed by the Central Location and Big Locations A, B and C.]

Access WAN Connection to Backbone 2
[Diagram: the same topology, with ISDN for dial-backup of the Small Locations.]

Access WAN Considerations
- Classical IP routing
  - (RIPv2), OSPF, EIGRP, IS-IS
  - Convergence time range: seconds to minutes
  - Floating static routes activated by trigger traffic in case of primary line failure
- Primary lines
  - Leased lines (SDH circuit)
  - PVC (X.25, Frame Relay, ATM)
  - Tunneling techniques (GRE, MPLS-VPN) provided by SP-ISP or normal ISP
- Secondary lines
  - Dial on demand lines (ISDN, PPP)
  - Tunneling techniques (PPTP, L2TP)
  - Dial backup, or as Bandwidth-on-Demand to provide additional bandwidth during peak hours

Floating Static Routes (FSR)
(Cisco solution described)
- An FSR is a special static route
  - Configured on a router
  - Describing the next hop to reach a certain IP subnet
  - With a high administrative distance (200)
- As long as a dynamic routing protocol like OSPF (admin. distance 110) announces this IP subnet, the FSR is ignored by the router
  - 110 means better than 200
- If information about that subnet is no longer announced, the FSR fires
  - If a packet destined for that subnet arrives, the packet is forwarded based on the FSR next hop information

Floating Static Routes (FSR)
- FSR usage:
  - Automatic failover to a backup line and back
  - Often combined with Dial-On-Demand networks like ISDN
- Prerequisite for this technique:
  - Traffic which triggers the Dial-On-Demand network via the FSR
- Triggering traffic:
  - Could be a periodic keep-alive message from the clients to the central servers in idle time
  - Could be a periodic keep-alive message from the central server to clients located behind such network parts
  - Network management traffic from the central NMS which periodically tests the reachability of locations

FSR Normal Situation 1
- Traffic from and to the small location takes the primary line
  - OSPF advertises all networks with low costs
  - HSRP/VRRP leads traffic to the correct router RP
- On RS a floating static route for the central LAN is configured towards the ISDN interface (IP address of RZ mapped to an ISDN number in order to reach RZ via ISDN)
- RS also runs an OSPF process to know about all networks of the corporate network, but does not allow OSPF messages to trigger an ISDN call
- The FSR is ignored because its adm. distance is higher than the OSPF adm. distance
[Diagram: network X at the Central Location (router RZ) inside the corporate network, with Big Location C; network Y at the Small Location behind routers RP and RS (HSRP/VRRP between RP and RS). All packets to and from Y use the primary line (OSPF cost 50); RS holds the "FSR to X" towards ISDN.]

FSR Failure of Primary Line 2
- OSPF on RS will recognize that all networks including X are lost; RP will do HSRP tracking and RS becomes the HSRP active router for the IP hosts of the small location
- On RS the floating static route for the central LAN becomes active and will be installed in the routing table
- The first packet for X will follow the FSR and trigger an ISDN call to RZ; a link will be established
- Finally all packets for X will now reach the central location via ISDN
[Diagram: same topology; the primary line (OSPF cost 50) has failed and a packet to X leaves RS over ISDN along the FSR to X.]

FSR Learning Routes by OSPF via ISDN 3
- Because ISDN is included to be used for OSPF routing, RS will learn all networks including X over the ISDN link, and all routers of the corporate network will learn about network Y reachable over the ISDN link
  - Note: OSPF costs of the ISDN link are higher, hence all networks will be seen with higher costs in the RT of RP, RS, RZ than in the normal situation
- As the network X is learned again via OSPF, the FSR will be deleted from the RT in RS (because of the higher admin. distance)
[Diagram: same topology; primary line OSPF cost 50, ISDN link OSPF cost 1000; all packets to and from Y use the ISDN link.]

FSR Repair of Primary Line 4
- After repair of the primary line RS and RP will learn all networks including X over the primary link with lower OSPF costs
- All routers of the corporate network will learn again about network Y over the primary link with lower OSPF cost
- RP will take over the role of the active HSRP router because of the preempt feature
- Hence all the traffic will again flow via the primary link and no traffic will reach RS from the local IP hosts of network Y
[Diagram: same topology; primary line OSPF cost 50, ISDN link OSPF cost 1000; all packets to and from Y use the primary line again.]

FSR Timeout of ISDN Line 5
- After timeout of the ISDN idle-timer of RS the ISDN link will be shut down
  - Note: the idle-timer keeps the ISDN link open for a certain period (default 30 seconds) even if no packet is to be transmitted over the open ISDN link; if a new packet arrives within the period the idle-timer will be reset (reason: to avoid too many ISDN call setups)
- FSR combined with dynamic routing allows an automatic failover to the backup line and back
  - without any complicated static route definitions
  - limited to the time of the failure
- Prerequisite for this technique:
  - Traffic which triggers the ISDN link via the FSR
[Diagram: same topology as in the normal situation; all packets to and from Y use the primary line (OSPF cost 50); RS holds the FSR to X.]
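The five FSR situations above can be replayed in a small route-selection model. This is an added example, not part of the original slides: the class and function names, the "lan"/"isdn" interface labels and the "interesting" flag (standing in for the rule that OSPF messages must not trigger an ISDN call) are assumptions; the administrative distances 110 and 200 and the OSPF costs 50 and 1000 are the values from the slides.

```python
from dataclasses import dataclass

OSPF_AD = 110   # administrative distances quoted on the slides
FSR_AD = 200


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str          # "ospf" or "static"
    admin_distance: int
    metric: int          # OSPF cost; 0 for the static route
    out_if: str          # "lan" (towards RP and the primary line) or "isdn"


class BackupRouter:
    """Constructed model of router RS: route selection plus dial-on-demand."""

    def __init__(self):
        self.candidates = set()   # every route RS currently knows
        self.isdn_up = False
        self.calls = 0            # number of ISDN call setups

    def learn(self, route):
        self.candidates.add(route)

    def withdraw(self, source, out_if):
        self.candidates = {r for r in self.candidates
                           if not (r.source == source and r.out_if == out_if)}

    def best(self, prefix):
        # Lowest administrative distance wins; the metric only breaks ties
        # between routes from the same source.
        usable = [r for r in self.candidates if r.prefix == prefix]
        return min(usable, key=lambda r: (r.admin_distance, r.metric),
                   default=None)

    def forward(self, prefix, interesting=True):
        route = self.best(prefix)
        if route is None:
            return "drop"
        if route.out_if == "isdn" and not self.isdn_up:
            if not interesting:           # e.g. routing protocol packets
                return "held (no call)"
            self.isdn_up = True           # first data packet triggers the call
            self.calls += 1
        return f"{route.source} via {route.out_if}"

    def idle_timeout(self):
        # The ISDN link closes; routes learned over it disappear with it.
        self.isdn_up = False
        self.withdraw("ospf", "isdn")


def run_scenario():
    rs, x, log = BackupRouter(), "X", []
    rs.learn(Route(x, "static", FSR_AD, 0, "isdn"))      # the FSR to X
    rs.learn(Route(x, "ospf", OSPF_AD, 50, "lan"))       # 1: normal situation
    log.append(("normal", rs.forward(x), rs.calls))
    rs.withdraw("ospf", "lan")                           # 2: primary line fails
    log.append(("failure, routing packet",
                rs.forward(x, interesting=False), rs.calls))
    log.append(("failure, data packet", rs.forward(x), rs.calls))
    rs.learn(Route(x, "ospf", OSPF_AD, 1000, "isdn"))    # 3: OSPF over ISDN
    log.append(("ospf over isdn", rs.forward(x), rs.calls))
    rs.learn(Route(x, "ospf", OSPF_AD, 50, "lan"))       # 4: primary repaired
    log.append(("repaired", rs.forward(x), rs.calls))
    rs.idle_timeout()                                    # 5: ISDN idle timeout
    log.append(("idle timeout", rs.forward(x), rs.calls))
    return log


if __name__ == "__main__":
    for phase, decision, calls in run_scenario():
        print(f"{phase:26} {decision:18} ISDN calls so far: {calls}")
```

The call counter stays at one for the whole failure, which is the behaviour the idle-timer note is after: one call setup per outage rather than one per packet.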

Virtual Private Networks (VPN)
- Old idea
  - private networks of different customers can share a single WAN infrastructure
- Since the 1980s public switched data networks (PSDN) were offered by providers (e.g. PTTs)
  - to give open access to subscribers of a PSDN
  - to interconnect parts of a physically separated private network
- Do you remember
  - closed user group of X.25
  - closed user group of ISDN
  - PVC-DLCIs of Frame Relay
  - PVC-VPI/VCIs of ATM
  - private subnetwork (customer gateway) and public MAN service (edge gateway) of MAN -> closed user group of MAN (Metropolitan Area Network based on DQDB)

Classical VPNs
- X.25, Frame Relay or ATM in the core
- Dedicated physical switch ports for every customer's CPE
  - router, bridge, computer
- Customer traffic separation in the core done by the concept of the virtual circuit
  - PVC service: management overhead
  - SVC service with closed user group feature: signaling overhead
- Separation of customers is inherent to the virtual circuit technique
- Privacy is an aspect of the customer
  - in most cases overlooked
- VPNs based on the Overlay Model

Physical Topology of Classical VPN
[Diagram: customer sites Location A0, A1, A2, A3 and Location B0, B1, B2, B3 attached to a shared core of WAN switches.]

Logical Topology Classic VPN (1)
[Diagram: Locations A0 to A3 and B0 to B3; logical topologies labelled Hub and Spoke and Partial Mesh.]

Logical Topology Classic VPN (2)
[Diagram: Locations A0 to A3 and B0 to B3; logical topology labelled Full Mesh.]

Virtual Private Networks based on IP
- Single technology end-to-end
  - IP forwarding and IP routing
- No WAN switches in the core based on a different technology (X.25, FR or ATM)
  - administered by different management techniques
- But accounting and quality of service are just coming in the IP world
  - X.25, FR and ATM have it already
- Often the term "private" in VPN means control over separation but not privacy
  - data are seen in clear-text in the core
  - encryption techniques can solve this problem
  - but the encryption means must be in the hands of the customer
- VPNs based on the Peer Model

Physical Topology IP VPN
[Diagram: customer sites Location A0 to A3 and B0 to B3, each with a Customer Edge (CE) router attached to a Provider Edge (PE) router; PE routers interconnected through core routers (P).]

Possible Solutions for IP VPNs
- IP addresses of customers non overlapping
  - filtering and policy routing techniques can be used in order to guarantee separation of IP traffic
  - the exact technique depends on who manages the routes at the customer site
- IP addresses of customers overlapping
  - tunneling techniques must be used in order to guarantee separation of IP traffic
  - GRE
  - L2F, PPTP, L2TP
  - MPLS-VPN
- If privacy is a topic, encryption techniques must be used
  - SSL/TLS, IPsec

Tunneling Solutions for IP VPNs
- Tunneling techniques are used in order to guarantee separation of IP traffic
  - IP in IP tunneling or GRE (Generic Routing Encapsulation)
    - Bad performance on the PE router
  - PPTP or L2TP for LAN to LAN interconnection
    - Originally designed for PPP dial-up connections
    - LAN to LAN is just a special case
  - MPLS-VPN
    - Best performance on the PE router
- In all these cases
  - Privacy is still an aspect of the customer

Tunneling IP VPNs without Encryption
[Diagram: Intranets of Company A connected across the Internet in two variants: a Virtual Private Network (VPN) with tunneling between customer edge routers (e.g. GRE), and a Virtual Private Network (VPN) with tunneling between PE routers of the ISP provider (e.g. MPLS VPN).]

IP Addressing non overlapping (1)
- One IP address space in the core and at the customer sites
- One routing domain
  - dynamic routing protocols in the core transport network information about all customer networks and all core networks
- Challenge for the provider
  - to give every customer only network information about its own networks
  - to discard packets with a wrong destination address coming from a given customer
  - several ways to achieve this, depending on the control of the routers at the customer site

IP Addressing non overlapping (2)
[Diagram: CE routers of the customer sites attached to PE routers of the provider core.]

IP Addressing non overlapping (3)
[Diagram: the same topology with three routing tables and the core.]

Routers under different control (1)
- CE router controlled by the customer:
  - routing: static routing to the core, or dynamic routing to the core (no default route)
  - data packet filtering (incoming packets concerning source and destination address) can be done for security reasons
- Static routes and data packet filtering mean administrative overhead at the customer site
- Default routing problem
  - e.g. for Internet connectivity
  - must be solved by tunneling

Routers under different control (2)
- PE router controlled by the provider:
  - routing: dynamic routing in the core; static routing to the customer with route redistribution of static routes into the core, or dynamic routing with route filtering to the customer
  - data packet filtering: incoming packets concerning source and destination address
- Static routes / dynamic routing with route filtering and data packet filtering
  - mean big administrative overhead at the provider site
  - and have performance impacts on PE routers

All routers under provider control (1)
- CE router at the customer site:
  - routing: dynamic routing to the core, no default route
- PE router:
  - routing: dynamic routing in the core; dynamic routing with route filtering to the customer
- For the provider
  - less administrative overhead than routers under different control

All routers under provider control (2)
- Special case
  - if two customers are merged at the customer edge and not at the distribution or core area
  - this router needs full information about all networks in order to forward packets to all destinations
  - therefore separation of customers based on different routing tables is not possible
  - hence data packet filtering is necessary, based on incoming packets concerning source and destination address

IP Addressing overlapping (1)
- Separated IP address spaces in the core and at the customer sites
- Needs either NAT at the CE
  - solutions are the same as with non overlapping addresses
- Or different routing domains
  - dynamic routing protocols in the core are independent from the dynamic routing protocols of the customer networks
- Challenge for the provider
  - to separate routing domains
  - several ways to achieve this, depending on the control of the routers at the customer site

IP Addressing overlapping (2)
[Diagram: CE routers of the customer sites attached to PE routers of the provider core.]

IP Addressing overlapping Scenario
[Diagram: two tunnels across the core, each labelled "Tunnel for".]

Routers under different control (1)
- CE routers controlled by the customer:
  - routing: static routing to the core, or dynamic routing to the core
  - data packet filtering can be done for security reasons: incoming packets concerning source and destination address
- Default routing
  - e.g. for Internet connectivity
  - can be solved in accordance with the provider by a special tunnel to the Internet exit point

Routers under different control (2)
- PE routers controlled by the provider:
  - dynamic routing in the core for knowing about tunnel endpoints
  - ip policy routing
    - traffic from a given interface can be forwarded only to certain tunnels
    - depending on the destination address a next hop is set
    - the next hop points to a specific tunnel
    - for unknown destinations the next hop is set to the null0 interface; these packets are discarded
- Tunneling and ip policy routing
  - administrative overhead at the provider site
  - performance and scalability impacts

IP Addressing overlapping Scenario
[Diagram: two tunnels across the core, each labelled "Tunnel for".]

All routers under provider control
- CE routers at the customer site:
  - routing: dynamic routing to the core for knowing about tunnel endpoints
  - static routes to all customer destinations to find the right tunnel
  - or dynamic routing to all customer destinations
    - second dynamic routing process
    - information is not given to the core
- PE routers
  - dynamic routing in the core will not see customer networks

Result:
[Diagram: separate routing domains; labels "Routing Domain for", "Routing Domain" and "Core Routing Domain".]

Result:
[Diagram: separate routing domains; labels "Routing Domain for", "Routing Domain" and "Core Routing Domain".]

MPLS VPN: Best of Both Worlds
- Combines the VPN Overlay model with the VPN Peer model
- PE routers allow route isolation
  - By using Virtual Routing and Forwarding Tables (VRF) for differentiating routes from the customers
  - Allows overlapping address spaces
- PE routers participate in P-routing
  - Hence optimum routing between sites
  - Label Switched Paths are used within the core network
- Easy provisioning (sites only)
- Overlapping VPNs possible

MPLS-VPN
[Diagram: CE routers attached to PE routers around an IP network with MPLS switching plus the MPLS application VPN; two MPLS paths (= tunnels) between PE routers, each labelled "MPLS-Path (= Tunnel) for".]

What does MPLS VPN mean for the Provider?
- Requires MPLS transport within the core
  - Using the label stack feature of MPLS
- Requires MP-BGP among PE routers
  - Supports IPv4/v6, VPN-IPv4, multicast
  - Default behavior: BGP-4
- Requires VPN-IPv4 96 bit addresses
  - 64 bit Route Distinguisher (RD)
  - 32 bit IP address
- Every PE router uses one VRF for each VPN
  - Virtual Routing and Forwarding Table (VRF)

CE-Router Perspective
[Diagram: CE-router - PE-router - MPLS VPN Backbone - CE-router.]
- CE (Customer Edge) routers run standard IP routing software and exchange routing updates with the PE-router
  - EBGP, OSPF, RIPv2 or static routes are supported
- The PE (Provider Edge) router appears as just another router in the customer's network

P-Router Perspective
[Diagram: PE-router - P-router - PE-router inside the MPLS VPN Backbone.]
- P (Provider) routers do not participate in MPLS VPN routing and do not carry VPN (customer) routes
- P routers run a backbone IGP like OSPF or IS-IS with the PE-routers

PE-Router Perspective
[Diagram: CE-routers exchange VPN routing with PE-routers; PE-router - P-router - PE-router run the core IGP inside the MPLS VPN Backbone; MP-BGP runs between the PE-routers.]
- PE-routers contain a number of routing tables:
  - Global routing table that contains core routes (filled with the core IGP)
  - Virtual Routing and Forwarding (VRF) tables for sets of sites with identical routing requirements
  - VRFs are filled with information from CE-routers and MP-BGP information from other PE-routers

PE-Router Perspective
[Diagram: same topology as above.]
- PE-routers:
  - Exchange VPN routes with CE-routers via per-VPN routing protocols
  - Exchange core routes with P-routers and PE-routers via the core IGP
  - Exchange VPN-IPv4 routes with other PE-routers via internal MP-BGP sessions
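How per-VPN VRFs and 96 bit VPN-IPv4 addresses keep two customers with the same address space apart on one PE router is shown in the sketch below. It is an added example, not taken from the slides: the class, interface and next-hop names, the AS number 65000 and the 10.x prefixes are constructed, and the RD layout used (2-byte type 0, 2-byte AS number, 4-byte assigned number) is one of the standard RD encodings, which the slides do not spell out.

```python
import ipaddress
import struct


def route_distinguisher(asn, assigned):
    """64 bit RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_ipv4(rd, address):
    """96 bit VPN-IPv4 address: 64 bit RD followed by the 32 bit IPv4 address."""
    return rd + ipaddress.IPv4Address(address).packed


class ProviderEdge:
    """Constructed model of a PE router with one VRF per VPN."""

    def __init__(self):
        self.vrfs = {}         # VRF name -> {"rd": bytes, "routes": {network: next hop}}
        self.interfaces = {}   # customer-facing interface -> VRF name

    def add_vrf(self, name, rd):
        self.vrfs[name] = {"rd": rd, "routes": {}}

    def bind(self, interface, vrf):
        self.interfaces[interface] = vrf

    def add_route(self, vrf, prefix, next_hop):
        self.vrfs[vrf]["routes"][ipaddress.ip_network(prefix)] = next_hop

    def export(self, vrf):
        """Routes as MP-BGP would carry them: keyed by (VPN-IPv4 address, length)."""
        rd = self.vrfs[vrf]["rd"]
        return {(vpn_ipv4(rd, str(net.network_address)), net.prefixlen): hop
                for net, hop in self.vrfs[vrf]["routes"].items()}

    def lookup(self, interface, destination):
        """Longest-prefix match inside the VRF bound to the ingress interface only."""
        vrf = self.interfaces.get(interface)
        if vrf is None:
            return None
        dst = ipaddress.ip_address(destination)
        matches = [(net, hop) for net, hop in self.vrfs[vrf]["routes"].items()
                   if dst in net]
        if not matches:
            return None        # unknown in this VPN: not forwarded
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_demo():
    pe = ProviderEdge()
    pe.add_vrf("VPN_A", route_distinguisher(65000, 1))
    pe.add_vrf("VPN_B", route_distinguisher(65000, 2))
    pe.bind("to-CE-A", "VPN_A")
    pe.bind("to-CE-B", "VPN_B")
    # Both customers use 10.1.0.0/16 (overlapping address spaces).
    pe.add_route("VPN_A", "10.1.0.0/16", "remote site of A")
    pe.add_route("VPN_B", "10.1.0.0/16", "remote site of B")
    pe.add_route("VPN_B", "10.9.0.0/16", "second site of B")
    return pe


def mp_bgp_table(pe):
    """Merge all exported VRF routes into one table, as the PE routers share them."""
    table = {}
    for name in pe.vrfs:
        table.update(pe.export(name))
    return table


if __name__ == "__main__":
    pe = build_demo()
    for (addr, length), hop in mp_bgp_table(pe).items():
        print(addr.hex(), f"/{length}", "->", hop)
    print(pe.lookup("to-CE-A", "10.1.2.3"), "|", pe.lookup("to-CE-B", "10.1.2.3"))
```

The merged table holds three entries rather than two because the RD makes the two 10.1.0.0/16 routes distinct, and a lookup never leaves the VRF of the interface the packet arrived on.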

MPLS VPN using MPLS Label Stack
[Diagram: VPN_A CE1 - PE1 (LER) - P1 (LSR) - P2 (LSR) - PE2 (LER) - VPN_A CE2, with VPN_B CE3 also attached. Packet formats along the path: IP packet; IGP Label(PE2) + VPN Label + IP packet; VPN Label + IP packet; IP packet.]
- 1.) PE1 receives the IP packet
  - Lookup is done on the RT for the given VPN
  - BGP route with Next-Hop and VPN Label is found
  - BGP next-hop (PE2) is reachable through an IGP route with associated label
- 2.) P routers switch the packets based on the IGP label (label on top of the stack)
- 3.) Penultimate Hop Popping
  - P2 is the penultimate hop for the BGP next-hop
  - P2 removes the top label
- 4.) PE2 receives the packets with the VPN label corresponding to the outgoing RT of the given VPN
  - One single lookup
  - Label is popped and the packet is sent to the IP neighbor

Encryption Solutions for IP VPNs
- If privacy is a topic, tunneling techniques with encryption are used in order to hide IP traffic
  - SSL (Secure Socket Layer)
    - Usually end-to-end
    - Between TCP and Application Layer
  - IPsec
    - Could be end-to-end
    - Could be between special network components (e.g. firewalls, VPN concentrators) only
    - Between IP and TCP/UDP Layer
  - PPTP and L2TP tunnels
    - With encryption turned on via PPP option

Tunneling IP VPNs without Encryption
[Diagram: Intranets of Company A connected across the Internet in two variants: a Virtual Private Network (VPN) with encryption between customer edge routers or border firewalls (e.g. IPsec), and a Virtual Private Network (VPN) with encryption between IP hosts (e.g. SSL/TLS, IPsec).]

SSL/TLS versus IPsec
- SSL/TLS: the application must be aware of a new application programming interface
  - Stack: Application / new API / SSL/TLS / TCP / IP / Lower Layers
- IPsec: the application can use the standard application programming interface
  - Stack: Application / standard API / OS with TCP, IPsec, IP / Lower Layers

Classical RAS VPN
[Diagram: Central Location, Big Locations A, B and C, and a Small Location. Labels: WAN Backbone, WAN Access, FW, DMZ, VPN, RAS, Internet (ISPs), Dial-on-Demand, Telecommuters, Home Offices.]

Remote Access (RAS)
- Techniques based on PPP functionality
  - Providing dial-in possibilities for IP systems
    - using modems and the Plain Old Telephone Network (POTS)
    - using ISDN
    - using ADSL (Asymmetric Digital Subscriber Line): PPPoE (PPP over Ethernet), PPPoA (PPP over ATM)
- Dial-in:
  - Into a corporate network (Intranet) of a company
    - Here the term RAS (remote access server) is commonly used to describe the point for accessing the dial-in service
  - Into the Internet by having a dial-in account with an Internet Service Provider (ISP)
    - Here the term POP (point-of-presence) is used to describe the point for accessing the service

PPP Connection
- A PPP connection is established in four phases
  - phase 1: link establishment and configuration negotiation
    - Done by the Link Control Protocol LCP (note: deals only with link operations, does not negotiate the implementation of network layer protocols)
  - phase 2: optional procedures that were agreed during negotiation of phase 1 (e.g. authentication like CHAP, EAP, or compression techniques)
    - the trend goes towards EAP (Extensible Authentication Protocol), which allows a unique method for Dial-In, LAN and WLAN
  - phase 3: network layer protocol configuration negotiation
    - done by the corresponding Network Control Protocols (NCPs)
    - e.g. IPCP, IPXCP, ...
  - phase 4: link termination

RAS Operation 1
[Diagram: remote PC - ISDN - access server - ISP POP or Intranet, with a security server behind the access server; step 1) marked on the ISDN link.]
- The remote PC places an ISDN call to the access server; the ISDN link is established (1)

RAS Operation 2
[Diagram: same topology; steps 2a) and 2b) marked on the link to the access server, step 2c) between the access server and the security server.]
- PPP link (multiprotocol over serial line) is established
  - LCP Link Control Protocol (2a)
    - establishes the PPP link plus negotiates parameters like authentication CHAP
  - authentication
    - CHAP Challenge Authentication Protocol to transport passwords (2b)
    - verification may be done by a central security server (2c) -> Radius, TACACS, TACACS+

RAS Operation 3
[Diagram: same topology; step 3) marks the virtual interface on the access server.]
- PPP NCP (Network Control Protocol) IPCP
  - assigns IP address, Def. GW, DNS to the remote PC
- The remote PC appears as a device reachable via a virtual interface (3), IP host route
- Optionally
  - a filter could be established on that virtual interface: authorization
  - accounting can be performed
  - actually done by the security server (AAA server): TACACS, Radius

CHAP Operation
- Three way handshake
  - PPP link successfully installed by LCP
  - the local station sends a challenge message to the remote station
  - the challenge contains a random number and the own user-id
  - the remote station replies with a value using a one way hash function based on the crypto negotiated for this user-id
  - the response is compared with the station's own calculation of the random number with the same crypto
  - if equal, a success message is sent to the remote station
  - if unequal, a failure message is sent
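The CHAP three way handshake above, with both sides' computations, as an added example that is not part of the original slides. It assumes the MD5 variant of CHAP from RFC 1994 (response = MD5 over identifier, shared secret and challenge); the slides only speak of a one way hash function. The class names, the station names LEFT and RIGHT and the secrets are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """MD5-CHAP value: MD5(identifier || shared secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Local station: sends challenges and checks responses."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets    # remote user-id -> common secret
        self.pending = {}         # identifier -> outstanding random challenge
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)                 # fresh random number per challenge
        self.pending[identifier] = value
        return identifier, value, self.name    # Challenge (name plus random #)

    def verify(self, identifier, peer_name, response):
        # Each challenge is consumed on first use, so an old response
        # cannot be presented a second time.
        value = self.pending.pop(identifier, None)
        secret = self.secrets.get(peer_name)
        if value is None or secret is None:
            return False                        # Failure
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)   # Success / Failure


class Peer:
    """Remote station: answers challenges; the secret never crosses the link."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets    # authenticator name -> common secret

    def respond(self, identifier, value, authenticator_name):
        secret = self.secrets[authenticator_name]
        return self.name, chap_response(identifier, secret, value)


def run_handshakes():
    left = Authenticator("LEFT", {"RIGHT": b"constructed-common-secret"})
    right = Peer("RIGHT", {"LEFT": b"constructed-common-secret"})
    wrong = Peer("RIGHT", {"LEFT": b"some-other-secret"})

    ident, value, name = left.challenge()
    peer_name, response = right.respond(ident, value, name)
    genuine = left.verify(ident, peer_name, response)

    # Same identifier again: the challenge is already consumed.
    replay_same_id = left.verify(ident, peer_name, response)

    # A recorded response against a new challenge: the random number differs.
    ident2, _value2, _ = left.challenge()
    replay_new_challenge = left.verify(ident2, peer_name, response)

    ident3, value3, name3 = left.challenge()
    bad_name, bad_response = wrong.respond(ident3, value3, name3)
    wrong_secret = left.verify(ident3, bad_name, bad_response)

    return {"genuine": genuine, "replay_same_id": replay_same_id,
            "replay_new_challenge": replay_new_challenge,
            "wrong_secret": wrong_secret}


if __name__ == "__main__":
    print(run_handshakes())
```

Only the genuine exchange succeeds; both replay attempts fail because the response is bound to a random number that is used once.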

CHAP Authentication Procedure
[Diagram: message exchange between stations LEFT and RIGHT.]
- LEFT holds the common secret (user-id = RIGHT) and chooses a random #
- LEFT -> RIGHT: Challenge (name = LEFT plus random #)
- RIGHT holds the common secret (user-id = LEFT) and creates the crypto based on the common secret plus the rcv. random #
- RIGHT -> LEFT: Response (name = RIGHT plus crypto)
- LEFT compares the rcv. crypto with the calculated crypto based on the common secret plus the sent random #
  - equal -> Success
  - not equal -> Failure

ADSL: Physical Topology
[Diagram: IP Host 1 and IP Host 2, each behind an ADSL modem (ATM-DTE), connected over up to some km to ADSL modems in the DSLAM at the POP of the ADSL provider; the DSLAM attaches to an ATM-DCE (ATM switch) of the ATM backbone, which spans up to hundreds of km to the BRAS (ATM-DTE) and the security server at the POP of the ISP provider, and from there to the Internet. Legend: BRAS = Broadband Access; DSLAM = Digital Subscriber Line Access Module (ADSL Modem Channel Bank).]

ADSL: ATM Virtual Circuits
[Diagram: same topology as the ADSL physical topology. Each ADSL modem uses PVC = VPI/VCI 8/48 towards the DSLAM (minimal signalling in the ADSL modem -> only PVC possible); between DSLAM and BRAS across the ATM backbone, SVC on demand or PVC are possible.]

ADSL: PPP over ATM (PPPoA)
[Diagram: same topology; PPPoA Link 1 from the ADSL modem of IP Host 1 and PPPoA Link 2 from the ADSL modem of IP Host 2 run through the DSLAM and the ATM backbone to the BRAS at the POP of the ISP provider.]

ADSL: PPP over ATM (PPPoA), IPCP
[Diagram: IP Host 1 and IP Host 2 behind ADSL modems (ATM-DTE), PPPoA Link 1 and PPPoA Link 2 to the BRAS (ATM-DTE) at the POP of the ISP provider, with security server and Internet.]
- IP Host 1 gets a global IP address via IPCP (PPP-NCP) and appears as a host route in the BRAS
- IP Host 2 gets a global IP address via IPCP (PPP-NCP) and appears as a host route in the BRAS

ADSL: PPP over Ethernet (PPPoE)
[Diagram: IP Host 1 on Ethernet 1 with PPPoE Link 1 to its ADSL PS, IP Host 2 on Ethernet 2 with PPPoE Link 2 to its ADSL PS; each ADSL PS (ATM-DTE) continues with PPPoA Link 1 / PPPoA Link 2 to the BRAS (ATM-DTE), with security server and Internet.]
- PPPoE is defined in RFC 2516
- The ADSL PS (PS = Packet Switch) as packet switch performs the mapping between PPPoE link and PPPoA link
  - note: Relay_PPP process in the ADSL PS
- IP Host 1 has two IP addresses:
  - local address on Ethernet 1
  - global address on PPPoE Link 1

ADSL: PPTP over Ethernet (Microsoft VPN)
[Diagram: IP Host 1 on Ethernet 1 with PPTP Link 1 to its ADSL PS, IP Host 2 on Ethernet 2 with PPTP Link 2 to its ADSL PS; each ADSL PS (ATM-DTE) continues with PPPoA Link 1 / PPPoA Link 2 to the BRAS (ATM-DTE), with security server and Internet.]
- PPTP is defined in RFC 2637
- PPTP (Point-to-Point Tunnelling Protocol) is used as a local VPN tunnel between the IP host and the ADSL PS
- The ADSL PS as packet switch performs the mapping between PPTP link and PPPoA link
  - note: Relay_PPP process in the ADSL PS
- IP Host 1 has two IP addresses:
  - local address on Ethernet 1
  - global address on PPTP Link 1

Dial-up VPN - VPDN
[Diagram: Central Location, Big Locations A, B and C, and a Small Location. Labels: WAN Backbone, WAN Access, FW, DMZ, VPN, RAS, Internet (ISPs), Dial-on-Demand, Telecommuters, Home Offices.]

Dial up Scenario
[Diagram: a remote host reaches the Intranet in two ways: a short distance call over ISDN/PSTN to the access server at the ISP POP (official IP address), then across the Internet and the firewall with address translation; or a long distance call over ISDN/PSTN to the access server of the Intranet (private IP address), which uses the security server.]

VPDN Challenge: User Aspects
[Diagram: same topology as the dial up scenario; the remote host makes a short distance call to the ISP POP but works with a private IP address, using a VPDN between the remote host and the home-gateway.]

VPDN Challenge: Provider Aspects
[Diagram: same topology; short distance calls into the ISDN/PSTN of provider X relieve the ISDN of data circuits. Labels: packet switching (statistical multiplexing) on the Internet side, circuit switching (synchronous multiplexing) on the ISDN/PSTN side.]

VPN and Dial Up
- basic idea of VPN in a dial-up environment: extension of local PPP sessions between remote client and ISP to the native entry point of the Intranet (access server)
- this is done by encapsulation of PPP packets into IP
- several methods developed and deployed:
  - L2F Layer Two Forwarding Protocol (Cisco; RFC 2341)
  - PPTP Point-to-Point Tunneling Protocol (Microsoft; RFC 2637)
- finally, efforts to combine these proposals led to L2TP Layer Two Tunneling Protocol (RFC 2661)

Layer 2 Overlay VPN Technologies
[Figure: protocol stack IP / PPP / L2TP, L2F or PPTP / IP.]
- Layer 2 Tunnel Protocol (L2TP)
- Layer 2 Forwarding Protocol (L2F Protocol)
- Point-to-Point Tunnelling Protocol (PPTP)
- used to transport PPP frames across a shared infrastructure, to simulate virtual point-to-point connections

PPP extension
[Figure labels: Security, ISP, Internet, Firewall, Addr. Transl., POP, Access, Intranet, ISDN/PSTN, Security, virtual interface.]
- short distance call
- PPP session between remote host and home-gateway

L2F Overview
- protocol created by Cisco
- not a standard
- defined in RFC 2341, May 1998
- tunnelling of the link layer over higher-layer protocols

L2F
[Figure labels: Security, ISP, Internet, Firewall, NAT, POP, Access, Intranet, ISDN, L2F Tunnel, home-gateway, Security, remote-pc; steps 1) to 4) are marked in the figure.]
1) short distance ISDN call
2) PPP session setup between remote-pc and access server of ISP
3) username of CHAP used for mapping the user to its VPDN (IP address of home-gateway)
4) L2F tunnel established between ISP access server and home-gateway

L2F
[Figure labels: Security, ISP, Internet, Firewall, NAT, POP, Access, Intranet, ISDN, L2F Tunnel, home-gateway, Security, remote-pc; steps 5) to 7) are marked in the figure.]
5) encapsulation of all traffic from remote-pc into the L2F tunnel and vice versa
6) CHAP (authentication) performed between remote-pc and home-gateway (security server)
7) assignment of an IP address out of the pool of private addresses

L2F
[Figure labels: Security, ISP, Internet, Firewall, NAT, POP, Access, Intranet, ISDN, home-gateway, Security, remote-pc; steps 3), 8) and 9) are marked in the figure.]
8) PPP session end-to-end
9) remote-pc becomes part of the private Intranet
- CHAP authentication between ISP and home-gateway, and vice versa, may be used optionally during tunnel establishment to handle spoofing attacks
- privacy (encryption) not handled by L2F!!!!

L2F Encapsulation
[Figure: nested encapsulation, innermost layer first.]
- IP header (source address: private IP addr. of remote-pc; destination address: private IP addr. in the Intranet) and IP payload: remote IP host to Intranet
- PPP header and PPP payload: remote IP host to home-gateway
- L2F header and L2F payload: ISP access server to home-gateway
- IP header (official IP addr. of ISP access server, official IP addr. of home-gateway), UDP header and UDP payload: ISP access server to NAT-gateway

L2F Facts
- the ISP provider must know the home-gateway of a certain user
- the ISP provider must establish and maintain the L2F tunnel
- different remote clients are distinguished by the Multiplex ID
- the remote PC must know the ISDN number of the local ISP POP
- the remote PC becomes part of the private Intranet

L2F Facts
- NAT and firewall must allow communication between ISP access server and home-gateway
- L2F supports incoming calls only
- end system transparency: neither the remote end system nor its home-site servers require any special software to use this service

PPTP Overview
- created by a vendor consortium: US-Robotics, Microsoft, 3COM, Ascend and ECI Telematics
- supports multiprotocol VPNs with 40 and 128-bit encryption using Microsoft Point-to-Point Encryption (MPPE)
- not a standard: RFC 2637, July 1999
- tunnelling of PPP over an IP network
- a client-server architecture

PPTP
[Figure labels: Security, ISP, Internet, Firewall, NAT, POP, Access, Intranet, remote-pc, ISDN, home-gateway, Security; steps 1) to 5) are marked in the figure.]
1) short distance ISDN call
2) PPP session setup between remote-pc and access server of ISP
3) username and challenge of CHAP used for user authentication
4) official IP address assigned by the ISP for the remote-pc
5) PPP session fully established between remote-pc and ISP access server

PPTP
[Figure labels: Security, ISP, Internet, Firewall, NAT, POP, Access, Intranet, ISDN, PPTP Tunnel, PPTP network server (PNS), Security, PPTP access concentrator (PAC); steps 6) and 7) are marked in the figure.]
6) PPTP tunnel established between PAC and PNS
7) authentication performed between PAC and PNS (security server)

PPTP
[Figure labels: Security, ISP, Internet, Firewall, NAT, POP, Access, Intranet, PPTP access concentrator (PAC), ISDN, PPTP Tunnel, PPTP network server (PNS), Security; steps 8) to 10) are marked in the figure.]
8) PPTP control messages are carried on top of a TCP session between PAC and PNS (responsible for call setup and tear down; Call ID)
9) PPTP data messages contain PPP encapsulated in IP and enhanced GRE
10) a private address must be assigned additionally by the PNS to allow the PAC to join the Intranet

PPTP and ISP
[Figure labels: Security, ISP, Internet, Firewall, NAT, POP, Access, Intranet, PPTP Tunnel, ISDN, PPTP access concentrator (PAC) (Microsoft calls this function FEP), home-gateway, Security, PPP Link, remote-pc.]

PPTP Encapsulation: Data
[Figure: nested encapsulation, innermost layer first.]
- IP header (source address: private IP addr. of PAC; destination address: private IP addr. in the Intranet) and IP payload: PAC to Intranet
- PPP header and PPP payload: PAC to PNS
- GRE header (contains Call-ID) and GRE payload: PAC to PNS
- IP header (official IP addr. of PAC, official IP addr. of PNS) and IP payload: PAC to NAT-gateway

PPTP Encapsulation: Control
[Figure: nested encapsulation, innermost layer first.]
- PPTP control message
- TCP header and TCP payload: PAC to PNS-gateway
- IP header (official IP addr. of PAC, official IP addr. of PNS) and IP payload: PAC to NAT-gateway

PPTP Facts
- the remote PC must know the ISDN number of the local ISP POP and will be assigned an official IP address
- private addresses are used message-internally to reach the Intranet server
- NAT and firewall must allow communication between any PAC and PNS; that means more overhead than L2F at NAT and firewall
- PPTP may be used for incoming and outgoing calls

PPTP Facts
- PPTP can be used for direct LAN-to-LAN connectivity without Dial on Demand (Microsoft VPN)
- encryption may be performed on the PPTP data tunnel end-to-end (PAC to PNS)
- end system transparency is not given if the remote-pc performs the function of a PAC

L2TP Overview
- protocol developed by the PPTP forum, Cisco and the IETF
- a Proposed Standard
- defined in RFC 2661, August 1999
- transparent tunnelling of PPP over an intervening network
- supports IPSec encryption

L2TP
- follows the basic ideas of L2F
  - end system transparency
  - only a private address is assigned at the remote-pc
- adapts the PAC / PNS terminology and the concept of control / data messages of PPTP
  - LAC = L2TP Access Concentrator (ISP access server)
  - LNS = L2TP Network Server (home-gateway)
  - call establishment (assignment of CALL-ID), call management and call tear-down procedures
  - sounds a little bit like ISDN Signaling Q.931

L2TP
- control messages and payload messages operate over a given tunnel in parallel
- L2TP will be encapsulated in UDP or mapped to PVC or SVC
- control messages are carried reliably: retransmission based on sequence numbers
- the AVP (attribute value pairs) technique is used for the control message format
- CALL-ID is used for multiplexing of different calls over the same tunnel
- control messages can be sent in a secure way using an MD5 hash as a kind of digital signature
- tunnel peers must be authenticated by additional CHAP procedure between LNS and LAC before

L2TP
- different tunnels may be used between a given LAC / LNS pair for implementing different QoS for different users
- optionally, flow control techniques can be implemented to perform congestion control over the tunnel
- support of accounting at LNS and LAC site
- can be used for incoming and outgoing calls
- integrity of payload messages is not covered by L2TP; still an end-to-end issue

L2TP
[Figure labels: Security, ISP, Internet, Firewall, NAT, POP, Access, L2TP access concentrator (LAC), ISDN, L2TP Tunnel, Intranet, L2TP network server (LNS), Security, remote-pc; steps 5) and 7) are marked in the figure.]
- outgoing and incoming calls allowed (more sophisticated call management)
- PPP traffic (remote-pc becomes part of the private address space of the Intranet)

L2TP Terminology
[Figure labels: Home LAN, LNS, L2TP Tunnel Switch, ISDN, PSTN, Remote System, LAC, ISP Cloud, NAS, LAC Client.]

L2TP devices
- L2TP Network Server (LNS): the LNS is the logical termination point of a PPP session that is tunnelled from a remote system using L2TP encapsulation
- L2TP Access Concentrator (LAC): is an L2TP peer to the LNS; a LAC process could be run on a NAS or on a client PC itself
- Network Access Server (NAS): provides network access to users across a remote access network, e.g. PSTN

L2TP Tunnel Possibilities 1
[Figure labels: Home LAN, LNS, L2TP Tunnel, Remote@company.at, ISDN, PSTN, Remote User, LAC, ISP Cloud, NAS, LAC Client.]

L2TP Tunnel Possibilities 2
[Figure labels: Home LAN, LNS, L2TP Tunnel, Remote@company.at, L2TP Tunnel, Account to a public ISP, ISDN, PSTN, Remote User, LAC, ISP Cloud, NAS, LAC Client.]

L2TP Message Types
L2TP utilizes two types of messages:
- Control messages
  - used for the establishment, maintenance and clearing of L2TP tunnels
  - are transported across a reliable control channel
- Data messages
  - PPP frames encapsulated in L2TP
  - are not retransmitted when a packet loss occurs

L2TP Structure
[Figure: layered structure, top to bottom.]
- PPP frames over L2TP data messages; L2TP control messages beside them
- L2TP data channel (unreliable); L2TP control channel (reliable)
- packet transport (UDP, FR, ATM, etc.)

L2TP Header Format
[Figure: header layout, two 16-bit fields per row.]
T L X X S X O P X X X X Ver | Length (optional)
Tunnel ID | Session ID
Ns (optional) | Nr (optional)
Offset Size (optional) | Offset padding... (variable, optional)

L2TP Control Bits
- Type (T) bit: indicates the type of message; 0 = data message, 1 = control message
- Length (L) bit: L = 1 means the length field is present; must be set to 1 in control messages
- X bits: are reserved for future use
- Sequence (S) bit: S = 1 indicates the presence of the Nr and Ns counters; must be 1 in control messages
- Offset (O) bit: O = 1 indicates the presence of the offset field; must be 0 in control messages
- Priority (P) bit: P = 1 indicates preferential treatment; typically used in data messages

L2TP Header Fields
- Length field: indicates the total length of the message in bytes
- Tunnel ID: identifier for the control connection; only locally significant
- Session ID: identifier for a session in the tunnel; only locally significant
- Nr sequence number: used to acknowledge received control messages
- Ns sequence number: send sequence number of the actual control message
- Offset field: indicates the start of the payload data

Types of Control Messages: Control Connection Management
0   Reserved
1   SCCRQ     Start-Control-Connection-Request
2   SCCRP     Start-Control-Connection-Reply
3   SCCCN     Start-Control-Connection-Connected
4   StopCCN   Stop-Control-Connection-Notification
5   Reserved
6   HELLO     Hello

Types of Control Messages: Call Management
7   OCRQ   Outgoing-Call-Request
8   OCRP   Outgoing-Call-Reply
9   OCCN   Outgoing-Call-Connected
10  ICRQ   Incoming-Call-Request
11  ICRP   Incoming-Call-Reply
12  ICCN   Incoming-Call-Connected
13  Reserved
14  CDN    Call-Disconnect-Notify

Error Reporting
15  WEN    WAN-Error-Notify

PPP Session Control
16  SLI    Set-Link-Info

L2TP Operation
[Figure: User, PSTN or ISDN, ISP (LAC), LNS, Home LAN. The L2TP tunnel with its control connection runs between LAC and LNS; the call and the L2TP session carry PPP from the user through the LAC to the LNS, with IP on top.]
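The header layout, control-bit rules and control message types from the slides above, put together as an added Python example (not part of the original lecture material). It parses an L2TP message, rejects control messages that break the L/S/O rules, and names the control message from its first AVP. The version value 2, the message type numbers and the Message Type AVP layout are taken from RFC 2661; the function names and sample packets are constructed for illustration.

```python
import struct

# Control message types; numbers per RFC 2661 section 3.2, names as on the slides.
MESSAGE_TYPES = {
    1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN",
    14: "CDN", 15: "WEN", 16: "SLI",
}

# Flag bits of the first 16-bit word: T L x x S x O P x x x x Ver(4 bits)
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100


class L2TPError(ValueError):
    """The packet is truncated or breaks a header rule."""


def parse_l2tp(packet: bytes) -> dict:
    """Parse one L2TP message (e.g. a UDP payload) into its header fields."""
    pos = 0

    def u16() -> int:
        nonlocal pos
        if pos + 2 > len(packet):
            raise L2TPError("truncated header")
        (value,) = struct.unpack_from("!H", packet, pos)
        pos += 2
        return value

    flags = u16()
    hdr = {name: bool(flags & bit) for name, bit in
           (("T", T_BIT), ("L", L_BIT), ("S", S_BIT), ("O", O_BIT), ("P", P_BIT))}
    hdr["ver"] = flags & 0x000F
    if hdr["ver"] != 2:  # RFC 2661: Ver is 2; the value 1 marks an L2F packet
        raise L2TPError(f"version {hdr['ver']} is not L2TP")
    if hdr["T"] and not (hdr["L"] and hdr["S"] and not hdr["O"]):
        raise L2TPError("control message requires L=1, S=1, O=0")

    end = len(packet)
    if hdr["L"]:
        end = u16()  # total length of the message in bytes
        if end > len(packet):
            raise L2TPError("Length field exceeds the bytes received")
    hdr["tunnel_id"] = u16()
    hdr["session_id"] = u16()
    if hdr["S"]:
        hdr["ns"] = u16()
        hdr["nr"] = u16()
    if hdr["O"]:
        offset_size = u16()
        pos += offset_size  # skip the offset padding
    if pos > end:
        raise L2TPError("header runs past the end of the message")
    body = packet[pos:end]

    if not hdr["T"]:
        hdr["payload"] = body  # the tunnelled PPP frame
    elif not body:
        hdr["message"] = "ZLB ACK"  # header only: acknowledges via Nr
    else:
        if len(body) < 8:
            raise L2TPError("truncated Message Type AVP")
        flags_len, vendor, attr, value = struct.unpack_from("!HHHH", body, 0)
        # First AVP must be Message Type: length 8, vendor 0, attribute 0.
        if (flags_len & 0x03FF) != 8 or vendor != 0 or attr != 0:
            raise L2TPError("first AVP is not a Message Type AVP")
        hdr["message"] = MESSAGE_TYPES.get(value, f"unknown({value})")
    return hdr


def build_control(tunnel_id, session_id, ns, nr, msg_type=None) -> bytes:
    """Constructed sample: control header plus an optional Message Type AVP."""
    avp = b"" if msg_type is None else struct.pack("!HHHH", 0x8008, 0, 0, msg_type)
    flags = T_BIT | L_BIT | S_BIT | 2
    return struct.pack("!HHHHHH", flags, 12 + len(avp),
                       tunnel_id, session_id, ns, nr) + avp


if __name__ == "__main__":
    # Control connection setup as on the slides: SCCRQ, SCCRP, SCCCN, ZLB ACK.
    # Tunnel IDs and sequence numbers are constructed sample values.
    handshake = [
        build_control(0, 0, 0, 0, 1),
        build_control(11, 0, 0, 1, 2),
        build_control(22, 0, 1, 1, 3),
        build_control(11, 0, 1, 2),
    ]
    for pkt in handshake:
        h = parse_l2tp(pkt)
        print(h["message"], "tunnel", h["tunnel_id"], "Ns", h["ns"], "Nr", h["nr"])
```

A monitoring or filtering device can use the same checks to drop malformed control traffic before it reaches the LNS.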

Control Connection Setup
[Figure: User, PSTN or ISDN, ISP (LAC or LNS), LNS or LAC, Home LAN. Message sequence between the two tunnel peers:]
- SCCRQ
- SCCRP
- SCCCN
- ZLB ACK

L2TP Incoming Call
[Figure: User, PSTN or ISDN, ISP (LAC), LNS, Home LAN. Message sequence after the user calls in:]
- User calls in
- ICRQ
- ICRP
- ICCN
- ZLB ACK

Forwarding of PPP Frames
[Figure: User, PSTN or ISDN, ISP (LAC), LNS, Home LAN. The L2TP tunnel with its control connection runs between LAC and LNS; PPP frames travel from the user over the call and the L2TP session to a virtual interface at the LNS, with IP on top.]

Disconnecting a Session
[Figure: User, PSTN or ISDN, ISP (LAC or LNS), LNS or LAC, Home LAN. Message sequence between the two tunnel peers:]
- CDN (clean up)
- ZLB ACK (clean up)

VPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP)

VPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP) VPN Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP) Agenda VPN Classical Approach Overview IP Based Solutions IP addresses non overlapping IP addresses overlapping MPLS-VPN VPDN RAS

More information

Institute of Computer Technology - Vienna University of Technology. L103 - WAN Design

Institute of Computer Technology - Vienna University of Technology. L103 - WAN Design Network Design WAN WAN Backbone, Floating Static Routes,Dial-On-Demand RAS, VPDN Techniques (L2TP, PPTP, L2F) IPsec-VPN, Internet Defense Agenda WAN Area Core WAN Access WAN Classical RAS Remote Access

More information

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features

More information

Multiprotocol BGP 1 MPLS VPN. Agenda. Multiprotocol BGP 2

Multiprotocol BGP 1 MPLS VPN. Agenda. Multiprotocol BGP 2 Multiprotocol BGP 1 MPLS VPN Peer to Peer VPN s BGP-4 (RFC 1771) is capable of carrying routing information only for IPv4 The only three pieces of information carried by BGP-4 that are IPv4 specific are

More information

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN

Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN Platformă de e-learning și curriculă e-content pentru învățământul superior tehnic Securizarea Calculatoarelor și a Rețelelor 32. Tehnologia MPLS VPN MPLS VPN 5-ian-2010 What this lecture is about: IP

More information

Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs) CHAPTER 19 Virtual Private Networks (VPNs) Virtual private network is defined as customer connectivity deployed on a shared infrastructure with the same policies as a private network. The shared infrastructure

More information

VPN. Virtual Private Network. Mario Baldi. Synchrodyne Networks, Inc. VPN - 1 M.

VPN. Virtual Private Network. Mario Baldi. Synchrodyne Networks, Inc.  VPN - 1 M. VPN Virtual Private Network Mario Baldi Synchrodyne Networks, Inc. http://www.synchrodyne.com/baldi VPN - 1 M. Baldi: see page 2 Nota di Copyright This set of transparencies, hereinafter referred to as

More information

MPLS VPN. 5 ian 2010

MPLS VPN. 5 ian 2010 MPLS VPN 5 ian 2010 What this lecture is about: IP CEF MPLS architecture What is MPLS? MPLS labels Packet forwarding in MPLS MPLS VPNs 3 IP CEF & MPLS Overview How does a router forward packets? Process

More information

PPPoA Baseline Architecture

PPPoA Baseline Architecture PPPoA Baseline Architecture Document ID: 12914 Contents Introduction Assumption Technology Brief Advantages and Disadvantages of PPPoA Architecture Advantages Disadvantages Implementation Considerations

More information

IP and Network Technologies. IP over WAN. Agenda. Agenda

IP and Network Technologies. IP over WAN. Agenda. Agenda IP and Network Technologies IP over WAN Address Resolution, Encapsulation, Routing, NBMA PPP, Inverse ARP, Overview IP over ATM for transport of IP datagrams over a network encapsulation and address resolution

More information

A device that bridges the wireless link on one side to the wired network on the other.

A device that bridges the wireless link on one side to the wired network on the other. GLOSSARY A Access point Analog Channel ARP ATM ATO A device that bridges the wireless link on one side to the wired network on the other. A circuit-switched communication path intended to carry 3.1 KHz

More information

xdsl OVERVIEW OF IMPORTANT DIGITAL SUBSCRIBER LINE TECHNOLOGIES xdsl Technology Peter R. Egli peteregli.net peteregli.net 1/18 Rev. 3.

xdsl OVERVIEW OF IMPORTANT DIGITAL SUBSCRIBER LINE TECHNOLOGIES xdsl Technology Peter R. Egli peteregli.net peteregli.net 1/18 Rev. 3. xdsl OVERVIEW OF IMPORTANT DIGITAL SUBSCRIBER LINE TECHNOLOGIES Peter R. Egli 1/18 Contents 1. What is xdsl? 2. Overview 3. ADSL physical layer 4. ADSL network architecture 5. Protocols used with ADSL

More information

CCNP 2: Remote Access

CCNP 2: Remote Access Scope and Sequence CCNP 2: Remote Access Cisco Networking Academy Program Version 3.1 Table of Contents CCNP 2: REMOTE ACCESS...1 TABLE OF CONTENTS...2 TARGET AUDIENCE...3 PREREQUISITES...3 COURSE DESCRIPTION...3

More information

isco Cisco PPPoE Baseline Architecture for the Cisco UAC

isco Cisco PPPoE Baseline Architecture for the Cisco UAC isco Cisco PPPoE Baseline Architecture for the Cisco UAC Table of Contents Cisco PPPoE Baseline Architecture for the Cisco UAC 6400...1...1 Introduction...1 Assumption...1 Technology Brief...2 Advantages

More information

Cisco PPPoE Baseline Architecture for the Cisco UAC 6400

Cisco PPPoE Baseline Architecture for the Cisco UAC 6400 Cisco PPPoE Baseline Architecture for the Cisco UAC 6400 Document ID: 12915 Contents Introduction Assumption Technology Brief Advantages and Disadvantages of PPPoE Architecture Advantages Disadvantages

More information

Configuring L2TP over IPsec

Configuring L2TP over IPsec CHAPTER 62 This chapter describes how to configure L2TP over IPsec on the ASA. This chapter includes the following topics: Information About L2TP over IPsec, page 62-1 Licensing Requirements for L2TP over

More information

RADIUS Attributes. RADIUS IETF Attributes

RADIUS Attributes. RADIUS IETF Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

I. Goyret, Ed. Lucent Technologies March Layer Two Tunneling Protocol - Version 3 (L2TPv3)

I. Goyret, Ed. Lucent Technologies March Layer Two Tunneling Protocol - Version 3 (L2TPv3) Network Working Group Request for Comments: 3931 Category: Standards Track J. Lau, Ed. M. Townsley, Ed. Cisco Systems I. Goyret, Ed. Lucent Technologies March 2005 Status of this Memo Layer Two Tunneling

More information

CCNA 4 - Final Exam (A)

CCNA 4 - Final Exam (A) CCNA 4 - Final Exam (A) 1. A network administrator is asked to design a system to allow simultaneous access to the Internet for 250 users. The ISP for this network can only supply five public IPs. What

More information

thus, the newly created attribute is accepted if the user accepts attribute 26.

thus, the newly created attribute is accepted if the user accepts attribute 26. Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF

LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF MODULE 07 - MPLS BASED LAYER 2 SERVICES 1 by Xantaro MPLS BASED LAYER 2 VPNS USING MPLS FOR POINT-TO-POINT LAYER 2 SERVICES 2 by Xantaro Why are Layer-2

More information

Configuring Client-Initiated Dial-In VPDN Tunneling

Configuring Client-Initiated Dial-In VPDN Tunneling Configuring Client-Initiated Dial-In VPDN Tunneling Client-initiated dial-in virtual private dialup networking (VPDN) tunneling deployments allow remote users to access a private network over a shared

More information

Configure ISDN Connectivity between Remote Sites

Configure ISDN Connectivity between Remote Sites Case Study 1 Configure ISDN Connectivity between Remote Sites Cisco Networking Academy Program CCNP 2: Remote Access v3.1 Objectives In this case study, the following concepts are covered: Asynchronous

More information

Configuring Virtual Private Networks

Configuring Virtual Private Networks Configuring Virtual Private Networks This chapter describes how to configure, verify, maintain, and troubleshoot a Virtual Private Network (VPN). It includes the following main sections: VPN Technology

More information

CS 393 Network Security. Nasir Memon Polytechnic University Module 13 Virtual Private Networks

CS 393 Network Security. Nasir Memon Polytechnic University Module 13 Virtual Private Networks CS 393 Network Security Nasir Memon Polytechnic University Module 13 Virtual Private Networks Course Logistics HW due Monday. HW 6 posted. Due in a week. Questions regarding homework are best answered

More information

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Exam4Tests.   Latest exam questions & answers help you to pass IT exam test easily Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : 350-029 Title : CCIE SP Written Exam, V3.0 Vendor : Cisco Version : DEMO Get Latest & Valid

More information

Configuring MPLS and EoMPLS

Configuring MPLS and EoMPLS 37 CHAPTER This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Catalyst 3750 Metro switch. MPLS is a packet-switching technology that integrates

More information

HPE FlexNetwork MSR Router Series

HPE FlexNetwork MSR Router Series HPE FlexNetwork MSR Router Series Comware 7 Layer 2 - WAN Access Configuration Guides Part number: 5998-8783 Software version: CMW710-E0407 Document version: 6W100-20160526 Copyright 2016 Hewlett Packard

More information

A-B I N D E X. backbone networks, fault tolerance, 174

A-B I N D E X. backbone networks, fault tolerance, 174 I N D E X A-B access links fault tolerance, 175 176 multiple IKE identities, 176 182 single IKE identity with MLPPP, 188 189 with single IKE identity, 183 187 active/standby stateful failover model, 213

More information

thus, the newly created attribute is accepted if the user accepts attribute 26.

thus, the newly created attribute is accepted if the user accepts attribute 26. Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

Configuring Virtual Private LAN Services

Configuring Virtual Private LAN Services Virtual Private LAN Services (VPLS) enables enterprises to link together their Ethernet-based LANs from multiple sites via the infrastructure provided by their service provider. This module explains VPLS

More information

Virtual Private Networks.

Virtual Private Networks. Virtual Private Networks thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Virtual Private Networks VPN Basics Protocols (IPSec, PPTP, L2TP) Objectives of VPNs Earlier Companies

More information

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP MPLS VPN Carrier Supporting Carrier Using LDP and an IGP Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) Carrier Supporting Carrier (CSC) enables one MPLS VPN-based service provider

More information

RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values

RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values RADIUS Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values First Published: September 23, 2005 Last Updated: August 18, 2010 The Internet Engineering Task Force (IETF) draft standard

More information

MPLS опорни мрежи MPLS core networks

MPLS опорни мрежи MPLS core networks MPLS опорни мрежи MPLS core networks Николай Милованов/Nikolay Milovanov http://niau.org Objectives Identify the drawbacks of traditional IP routing Describe basic MPLS concepts and LSR types. MPLS Labels

More information

VPN. Virtual Private Network. Mario Baldi Luigi Ciminiera. Politecnico di Torino. VPN - 1 M. Baldi L. Ciminiera: see page 2

VPN. Virtual Private Network. Mario Baldi Luigi Ciminiera. Politecnico di Torino. VPN - 1 M. Baldi L. Ciminiera: see page 2 VPN Virtual Private Network Mario Baldi Luigi Ciminiera Politecnico di Torino VPN - 1 M. Baldi L. Ciminiera: see page 2 Nota di Copyright This set of transparencies, hereinafter referred to as slides,

More information

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7)

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7) HP MSR Router Series Layer 2 - WAN Access Configuration Guide(V7) Part number: 5998-7721b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard

More information

MPLS in the DCN. Introduction CHAPTER

MPLS in the DCN. Introduction CHAPTER CHAPTER 5 First Published: January 3, 2008 Last Updated: January 3, 2008 Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images Use Cisco Feature Navigator to find information

More information

AToM (Any Transport over MPLS)

AToM (Any Transport over MPLS) I N D E X A AAL5 over MPLS operation, 459 460 configuration, 462 463 flowchart configuration, 461 PE router, 461 provider router, 461 verification, 463 465 AAL5 to VLAN Interworking, 515 517 AC (Attachment

More information

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS Computer Network Architectures and Multimedia Guy Leduc Chapter 2 MPLS networks Chapter based on Section 5.5 of Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley,

More information

Remote Access MPLS-VPNs

Remote Access MPLS-VPNs First Published: August 12, 2002 Last Updated: May 4, 2009 The feature allows the service provider to offer a scalable end-to-end Virtual Private Network (VPN) service to remote users. This feature integrates

More information

BW Protection. 2002, Cisco Systems, Inc. All rights reserved.

BW Protection. 2002, Cisco Systems, Inc. All rights reserved. BW Protection 2002, Cisco Systems, Inc. All rights reserved. 1 Cisco MPLS - Traffic Engineering for VPNs Amrit Hanspal Sr. Product Manager MPLS & QoS Internet Technologies Division 2 Agenda MPLS Fundamentals

More information

Http://www.passcert.com Exam : 642-889 Title : Implementing Cisco Service Provider Next-Generation Egde Network Services Version : DEMO 1 / 6 1.Which type of VPN requires a full mesh of virtual circuits

More information

The router sends hello keepalive packets at 60 second intervals.

The router sends hello keepalive packets at 60 second intervals. hello hello To configure the interval used to exchange hello keepalive packets in a Layer 2 control channel, use the hello command in L2TP class configuration mode. To disable the sending of hello keepalive

More information

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP MPLS VPN Carrier Supporting Carrier Using LDP and an IGP Last Updated: December 14, 2011 Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) Carrier Supporting Carrier (CSC) enables one

More information

Free4Torrent. Free and valid exam torrent helps you to pass the exam with high score

Free4Torrent.   Free and valid exam torrent helps you to pass the exam with high score Free4Torrent http://www.free4torrent.com Free and valid exam torrent helps you to pass the exam with high score Exam : 642-889 Title : Implementing Cisco Service Provider Next-Generation Egde Network Services

More information

THE MPLS JOURNEY FROM CONNECTIVITY TO FULL SERVICE NETWORKS. Sangeeta Anand Vice President Product Management Cisco Systems.

THE MPLS JOURNEY FROM CONNECTIVITY TO FULL SERVICE NETWORKS. Sangeeta Anand Vice President Product Management Cisco Systems. THE MPLS JOURNEY FROM CONNECTIVITY TO FULL SERVICE NETWORKS Sangeeta Anand Vice President Product Management Cisco Systems October 20, 2003 1 Agenda Introducing the Full Service Network The MPLS Journey

More information

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs: The Basics CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

Table of Contents Chapter 1 MPLS Basics Configuration

Table of Contents Chapter 1 MPLS Basics Configuration Table of Contents Table of Contents... 1-1 1.1 MPLS Overview... 1-1 1.1.1 Basic Concepts of MPLS... 1-2 1.1.2 Architecture of MPLS... 1-5 1.1.3 MPLS and Routing Protocols... 1-7 1.1.4 Applications of MPLS...

More information

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7)

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7) HP MSR Router Series Layer 2 - WAN Access Configuration Guide(V7) Part number: 5998-6465 Software version: CMW710-R0106 Document version: 6PW101-20140807 Legal and notice information Copyright 2014 Hewlett-Packard

More information

MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution

MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution This feature lets you configure your carrier supporting carrier network to enable Border Gateway Protocol (BGP) to transport routes and Multiprotocol

More information

MPLS VPN--Inter-AS Option AB

MPLS VPN--Inter-AS Option AB The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider

More information

CS519: Computer Networks. Lecture 8: Apr 21, 2004 VPNs

CS519: Computer Networks. Lecture 8: Apr 21, 2004 VPNs : Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN Taxonomy VPN Client Network Provider-based Customer-based Provider-based Customer-based Compulsory Voluntary L2 L3 Secure Non-secure ATM Frame Relay

More information

Network Working Group

Network Working Group Network Working Group Request for Comments: 2637 Category: Informational K. Hamzeh Ascend Communications G. Pall Microsoft Corporation W. Verthein 3Com J. Taarud Copper Mountain Networks W. Little ECI

More information

QoS: Per-Session Shaping and Queuing on LNS

QoS: Per-Session Shaping and Queuing on LNS QoS: Per-Session Shaping and Queuing on LNS First Published: February 28, 2006 The QoS: Per-Session Shaping and Queuing on LNS feature provides the ability to shape (for example, transmit or drop) or queue

More information

LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF

LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF MODULE 05 MULTIPROTOCOL LABEL SWITCHING (MPLS) AND LABEL DISTRIBUTION PROTOCOL (LDP) 1 by Xantaro IP Routing In IP networks, each router makes an independent

More information

IP Tunneling. GRE Tunnel IP Source and Destination VRF Membership. Tunnel VRF CHAPTER

IP Tunneling. GRE Tunnel IP Source and Destination VRF Membership. Tunnel VRF CHAPTER CHAPTER 27 This chapter describes IP tunneling features implemented on the Cisco 10000 series routers and includes the following topics: GRE Tunnel IP Source and Destination VRF Membership, page 27-1 Restrictions

More information

Configuring MPLS L2VPN

Configuring MPLS L2VPN Contents Configuring MPLS L2VPN 1 MPLS L2VPN overview 1 Basic concepts of MPLS L2VPN 2 Implementation of MPLS L2VPN 2 MPLS L2VPN configuration task list 4 Configuring MPLS L2VPN 5 Configuring CCC MPLS

More information

Provisioning Broadband Aggregators Topics

CHAPTER 7 The Cisco Broadband Access Center software enables you to provision services on broadband aggregators. Provisioning occurs after you create administrative networks and network devices. See Chapter

Configuring Additional VPDN Features

This module documents concepts and tasks associated with configuring the following additional virtual private dialup network (VPDN) features: The following optional feature can be configured in isolation,

Cisco How Virtual Private Networks Work

Table of Contents How Virtual Private Networks Work...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 Background Information...1 What Makes a VPN?...2 Analogy:

WAN Technologies CCNA 4

Overview Note: Most of this will be described in more detail in later chapters. Differentiate between a LAN and WAN Identify the devices used in a WAN List WAN standards Describe

Index. Numerics 3DES (triple data encryption standard), 21

Index Numerics 3DES (triple data encryption standard), 21 A B aggressive mode negotiation, 89 90 AH (Authentication Headers), 6, 57 58 alternatives to IPsec VPN HA, stateful, 257 260 stateless, 242 HSRP,

GLOSSARY. See ACL. access control list.

GLOSSARY A access control list ACL API Application Programming Interface area AS ASN ATM autonomous system autonomous system number See ACL. access control list. application programming interface. APIs

MPLS VPN Carrier Supporting Carrier

Feature History Release 12.0(14)ST 12.0(16)ST 12.2(8)T 12.0(21)ST 12.0(22)S 12.0(23)S Modification This feature was introduced in Cisco IOS Release 12.0(14)ST. Support

Special expressions, phrases, abbreviations and terms of Computer Networks

access access point adapter Addressing Realm ADSL (Asymmetrical Digital Subscriber Line) algorithm amplify amplitude analog antenna application architecture ARP (Address Resolution Protocol) AS (Autonomous

Wide Area Networks (WANs) Slide Set 6

Wide Area Networks (WANs) WAN Purposes Link sites (usually) within the same corporation Remote access for individuals who are off-site Internet access for individuals

Cisco Technologies, Routers, and Switches p. 1 Introduction p. 2 The OSI Model p. 2 The TCP/IP Model, the DoD Model, or the Internet Model p.

Cisco Technologies, Routers, and Switches p. 1 Introduction p. 2 The OSI Model p. 2 The TCP/IP Model, the DoD Model, or the Internet Model p. 6 Networking Basics p. 14 Wireless LANs p. 22 Cisco Hardware

MPLS VPN Half-Duplex VRF

MPLS VPN Half-Duplex VRF The feature provides scalable hub-and-spoke connectivity for subscribers of an Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service. This feature addresses the limitations of hub-and-spoke

More information

Managing Site-to-Site VPNs

CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

Case Study A Service Provider's Road to IPv6

September 2010 Menog Amir Tabdili UnisonIP Consulting amir@unisonip.com The Scenario Residential Network L3 MPLS VPN Network Public Network The Scenario What

Virtual Private Networks Advanced Technologies

Petr Grygárek Agenda: Supporting Technologies (GRE, NHRP) Dynamic Multipoint VPNs (DMVPN) Group Encrypted Transport VPNs (GET VPN) Multicast VPNs (mvpn)

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

SonicWALL 6.2.0.0 Addendum A Supplement to the SonicWALL Internet Security Appliance User's Guide Contents SonicWALL Addendum 6.2.0.0... 3 New Network Features... 3 NAT with L2TP Client... 3 New Tools

WAN Edge MPLSoL2 Service

4 CHAPTER While Layer 3 VPN services are becoming increasingly popular as a primary connection for the WAN, there is a much larger percentage of customers still using Layer 2 services such as Frame-Relay (FR).

RADIUS Logical Line ID

RADIUS Logical Line ID The feature, also known as the Logical Line Identification (LLID) Blocking feature enables administrators to track their customers on the basis of the physical lines on which customer calls originate.

More information

Part 5: Link Layer Technologies. CSE 3461: Introduction to Computer Networking Reading: Chapter 5, Kurose and Ross

Part 5: Link Layer Technologies CSE 3461: Introduction to Computer Networking Reading: Chapter 5, Kurose and Ross 1 Outline PPP ATM X.25 Frame Relay 2 Point to Point Data Link Control One sender, one receiver,

Implementing Cisco IP Routing (ROUTE)

Foundation Learning Guide Foundation learning for the ROUTE 642-902 Exam Diane Teare Cisco Press 800 East 96th Street Indianapolis, IN 46240 Implementing Cisco IP

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

CHAPTER 23 You can configure Generic Routing Encapsulation (GRE) and Dynamic Multipoint (DM) VPNs that include GRE mode configurations. You can configure IPsec GRE VPNs for hub-and-spoke, point-to-point,

MPLS VPN Inter-AS Option AB

First Published: December 17, 2007 Last Updated: September 21, 2011 The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol

PPPoE on ATM. Finding Feature Information. Prerequisites for PPPoE on ATM. Restrictions for PPPoE on ATM

This feature module describes the PPP over Ethernet (PPPoE) on ATM feature. The feature provides the ability to connect a network of hosts over a simple bridging-access device to a remote access concentrator.

Managing Site-to-Site VPNs: The Basics

CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

MPLS Intro. Cosmin Dumitru March 14, University of Amsterdam System and Network Engineering Research Group ...

MPLS Intro Cosmin Dumitru c.dumitru@uva.nl University of Amsterdam System and Network Engineering Research Group March 14, 2011 Disclaimer Information presented in these slides may be slightly biased towards

Viewing Network Status, page 116. Configuring IPv4 or IPv6 Routing, page 116. Configuring the WAN, page 122. Configuring a VLAN, page 137

Networking Using the Networking module to configure your Internet connection, VLAN, DMZ, zones, routing, Quality of Service (QoS), and related features. It includes the following sections: Viewing Network

MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution

This feature enables you to configure your carrier supporting carrier network to enable Border Gateway Protocol (BGP) to transport routes

Networking interview questions

What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values

RADIUS s and RADIUS Disconnect-Cause Values The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server

Table of Contents. Cisco RFC1483 Bridging Baseline Architecture

Table of Contents RFC1483 Bridging Baseline Architecture...1 Introduction...1 Assumption...1 Technology Brief...1 Advantages and Disadvantages of RFC1483 Bridging...1 Advantages...2 Disadvantages...2 Implementation

IPv6 Switching: Provider Edge Router over MPLS

Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4

HP VSR1000 Virtual Services Router

Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information

MPLS AToM Overview. Documentation Specifics. Feature Overview

MPLS AToM Overview This document provides an introduction to MPLS AToM and includes the following sections: Documentation Specifics, page 14 Feature Overview, page 14 Benefits, page 26 What To Do Next,

Virtual private networks

Technical papers Virtual private networks (VPNs) offer low-cost, secure, dynamic access to private networks. Such access would otherwise only be possible

Multiprotocol Label Switching (MPLS)

Petr Grygárek 1 Technology Basics Integrates label-based forwarding paradigm with network layer routing label forwarding + label swapping similar to ATM/FR switching

Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS XE Release 3S

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408

Exam Topics Cross Reference

Appendix R Exam Topics Cross Reference This appendix lists the exam topics associated with the ICND1 100-105 exam and the CCNA 200-125 exam. Cisco lists the exam topics on its website. Even though changes

MPLS Introduction. (C) Herbert Haas 2005/03/11

MPLS Introduction MPLS (C) Herbert Haas 2005/03/11 Terminology LSR LER FEC LSP FIB LIB LFIB TIB PHP LDP TDP RSVP CR-LDP Label Switch Router Label Edge Router Forwarding Equivalent Class Label Switched

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security

Operating System Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security White Paper Abstract The Microsoft Windows operating system includes technology to secure communications

Scenarios Overview. Network Design. Agenda. Basic Considerations. L101 - L2 Network Design. L101 - L2 Network Design

Scenarios Overview Big Location Central Location FW VPN Internet (ISPs) RAS VPN DMZ Dial-on-Demand Telecommuters Home Offices Network Design WAN Backbone WAN Access Physical Layer (LAN, WAN) Aspects, LAN Design

Unified Services Routers

Unified Services Routers Product Highlights Comprehensive Management Solution Active-Active WAN port features such as auto WAN failover and load balancing, ICSA-certified firewall, and D-Link Green Technology make this a reliable,

CCNA 4 - Final Exam Answers

1 Which of the following describes the roles of devices in a WAN? (Choose three.) *** A CSU/DSU terminates a digital local loop. A modem terminates a digital local loop. A CSU/DSU