
JOURNAL OF TELECOMMUNICATIONS, VOLUME 33, ISSUE 2, SEPTEMBER 2016

DMVPN (Dynamic Multipoint VPN): A Solution for Interconnection of IPv6 Sites over an IPv4 Transport Network
Abdou Karim FAROTA(1) and Mor DIOUM(1)
Abstract - The Dynamic Multipoint VPN (DMVPN) establishes VPN tunnels to remote sites on demand, at the request of the remote site. This builds a full mesh of VPNs, which reduces the latency otherwise incurred when traffic is sent up to a concentration site, saves bandwidth and greatly simplifies the deployment of VPN architectures. The DMVPN service relies on Cisco routing know-how and on the IPsec protocol, combining dynamically configured GRE tunnels, IPsec encryption, NHRP (Next Hop Resolution Protocol) and the OSPF and EIGRP routing protocols. This dynamic configuration of VPN tunnels, associated with technologies such as quality of service (QoS) and multicast, optimizes the deployment of latency-sensitive applications such as voice and video. DMVPN also reduces administrative tasks by eliminating the need to reconfigure a central VPN hub in order to add new peripheral routers or to establish connections between two of these peripheral routers.
Index Terms - DMVPN, IPSec, IPv4/IPv6, tunneling.

1 Introduction

The IPv4 Internet Protocol was designed in the early 1980s, a time when no one could anticipate the exponential growth of the Internet. Indeed, the growth in the number of users and servers on the Internet has been accompanied by a depletion of available public IPv4 addresses, and this exhaustion limits the growth of the Internet. Its successor, IPv6, has features and solutions required by the modern Internet that are not available in IPv4: greater connection integrity and stronger security, as well as the ability to support a large number of Web-adapted devices.
In this context, certain multi-site businesses are turning to IPv6 in order to simplify their infrastructures, to anticipate the shortage of addresses, but also to anticipate the future capabilities of the network. They will need to evolve their networks, their systems and their applications. However, migrating from IPv4 to IPv6, or adopting the IPv6 protocol, requires the implementation of an interconnection solution, including the use of tunneling technology to transport IPv6 over IPv4. Indeed, the coexistence of IPv4 systems with new IPv6 networks will certainly last a few years. Among the issues that researchers have examined are the problems of interconnection between these systems. It is on this point that we will focus.

Abdou Karim Farota, Université Gaston Berger de Saint-Louis
Mor Dioum, Université Gaston Berger de Saint-Louis
The objective of this work is to make a comparative study of tunneling solutions that maintain the connectivity of a company's sites using the IPv6 protocol, regardless of whether the operators have migrated. Indeed, using the new protocol will let companies benefit from it while protecting their investments.

2 Comparative study of tunneling solutions

2.1 6to4 tunneling


An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network. The main difference between automatic 6to4 tunnels and manually configured tunnels is that the tunnel is not point-to-point (Fig.1); it is point-to-multipoint (Fig.2). In automatic 6to4 tunnels, routers are not configured in pairs because they treat the IPv4 infrastructure as a virtual NBMA link. The IPv4 address embedded in the IPv6 address is used to find the other end of the automatic tunnel.

2016 JOT
www.journaloftelecommunications.co.uk


Fig.1. Point-to-point tunnel

6to4 tunnels are not fixed; they are established on demand. From an operational point of view, this means that the source of the tunnel does not change, whereas the destination is not set in advance. The prefix 2002::/16 was allocated by IANA to this type of address. Any IPv6 address beginning with 2002::/16 is therefore recognized as a 6to4 address, as opposed to a native IPv6 address, which does not use that prefix.
6to4 technology has the following disadvantages:
- the IPv6 router must have a public, and preferably fixed, IPv4 address;
- routing to the IPv6 Internet is asymmetric: the outbound path follows the route to the anycast address 192.88.99.1, while the return path follows the route to 2002::/16;
- if the public IPv4 address range changes, the dependent IPv6 network will have to be renumbered;
- the quality of access depends on the proximity of the 6to4 relays and their state of congestion.
If an Internet router advertises the prefixes 192.88.99.0/24 or 2002::/16 while the 6to4 gateway is not operational, this creates a loss of connectivity to third parties (a black hole); 6rd corrects this by giving control of the gateway to the Internet access provider [1].

2.2 6rd tunnel

IPv6 Rapid Deployment (Fig.3) is a tunneling mechanism. It allows a service provider to quickly deploy IPv6 in a lightweight and secure manner without requiring upgrades of the existing IPv4 network infrastructure. Although there are a number of methods for carrying IPv6 over IPv4, 6rd has proved particularly effective because its mode of operation is lightweight, naturally scalable and easy to deploy.
6rd is a system for passing IPv6 packets over an IPv4 network. It is based on the mechanisms put in place for classic 6to4 but differs by the use of a service-provider-specific IPv6 prefix (instead of the global 6to4 prefix 2002::/16).
The main differences between 6rd and 6to4 tunneling are:
- 6rd does not require addresses to carry the prefix 2002::/16; the prefix can instead come from the provider's own address block;
- not all 32 bits of the IPv4 destination need to be carried in the IPv6 header. The IPv4 destination is obtained from a combination of bits in the IPv6 header and information configured on the router. In addition, the IPv4 address is not at a fixed location in the IPv6 header as it is in 6to4.
A company can obtain an IPv6 internetwork by choosing a provider with such an infrastructure. However, continuity of IPv6 connectivity can be a problem if the company's sites are not in the same 6rd domain (that is, if the sites are managed by different providers) [2].
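As an added illustration (not part of the paper), the following Python computes the address relationships the two sections above describe: the 6to4 /48 derived from a public IPv4 address and the reverse lookup that finds the tunnel's far end, and the 6rd delegated prefix built from a provider prefix plus only those IPv4 bits that are not shared across the 6rd domain. The provider prefix 2001:db8::/32, the IPv4 addresses and the common prefix 192.0.0.0/8 are constructed documentation values.

```python
import ipaddress

# Added example (not from the paper): how a 6to4 router and a 6rd CE/BR derive
# the IPv6 prefix from the IPv4 endpoint address, and how the far-end IPv4
# address is recovered from an IPv6 destination. All addresses are constructed.

# 6to4 requires a globally routable IPv4 address; reject the usual non-routable ranges.
_NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056: a 6to4 site owns 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the
    site's public IPv4 address written as two 16-bit groups."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if any(v4 in net for net in _NOT_ROUTABLE):
        raise ValueError(f"{v4} is not a public IPv4 address; 6to4 needs one")
    # 0x2002 occupies bits 127..112, the IPv4 address bits 111..80
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixto4_endpoint(ipv6_destination: str) -> ipaddress.IPv4Address:
    """Recover the far-end IPv4 address from any 2002::/16 destination: this is
    the lookup a 6to4 router performs to fill in the outer IPv4 destination."""
    v6 = ipaddress.IPv6Address(ipv6_destination)
    if v6 not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{v6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def sixrd_delegated_prefix(sixrd_prefix: str, ce_ipv4: str,
                           ipv4_common: str = "0.0.0.0/0") -> ipaddress.IPv6Network:
    """RFC 5969: 6rdPrefix || (CE IPv4 address minus its IPv4MaskLen leading bits).
    ipv4_common is the provider-wide IPv4 prefix shared by every CE; its bits are
    configured on the routers and therefore not carried in the IPv6 prefix."""
    sp = ipaddress.IPv6Network(sixrd_prefix)
    common = ipaddress.IPv4Network(ipv4_common)
    v4 = ipaddress.IPv4Address(ce_ipv4)
    if v4 not in common:
        raise ValueError(f"{v4} is outside the 6rd domain's IPv4 prefix {common}")
    carried = 32 - common.prefixlen                  # number of IPv4 bits embedded
    suffix = int(v4) & ((1 << carried) - 1)          # low-order bits of the CE address
    length = sp.prefixlen + carried
    return ipaddress.IPv6Network(
        (int(sp.network_address) | (suffix << (128 - length)), length))


def sixrd_endpoint(ipv6_destination: str, sixrd_prefix: str,
                   ipv4_common: str = "0.0.0.0/0") -> ipaddress.IPv4Address:
    """Inverse operation done by a 6rd CE or border relay: combine the bits carried
    in the IPv6 destination with the router-configured common IPv4 prefix."""
    sp = ipaddress.IPv6Network(sixrd_prefix)
    common = ipaddress.IPv4Network(ipv4_common)
    v6 = ipaddress.IPv6Address(ipv6_destination)
    if v6 not in sp:
        raise ValueError(f"{v6} is not inside the 6rd domain {sp}")
    carried = 32 - common.prefixlen
    shift = 128 - sp.prefixlen - carried             # position of the embedded bits
    suffix = (int(v6) >> shift) & ((1 << carried) - 1)
    return ipaddress.IPv4Address(int(common.network_address) | suffix)


if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.1"))                       # 2002:c000:201::/48
    print(sixto4_endpoint("2002:c000:201:1::10"))           # 192.0.2.1
    # Provider prefix 2001:db8::/32, all CEs inside 192.0.0.0/8: only 24 IPv4
    # bits are embedded, so each CE receives a /56 instead of a /64.
    print(sixrd_delegated_prefix("2001:db8::/32", "192.0.2.1", "192.0.0.0/8"))  # 2001:db8:2:100::/56
    print(sixrd_endpoint("2001:db8:2:100::1", "2001:db8::/32", "192.0.0.0/8"))   # 192.0.2.1
```

The 6rd functions make the second bullet above concrete: with a common IPv4 prefix of /8 only 24 bits of the CE address are embedded, so the IPv4 address no longer sits at the fixed 6to4 position and the border relay must reconstruct it from the carried bits plus its own configuration.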


Fig.3. 6rd deployment model

Fig.2. Point-to-multipoint 6to4 tunnel

2.3 6PE tunnel

The 6PE technique connects IPv6 islands to each other through an IPv4 MPLS (Multi-Protocol Label Switching) core network. This mechanism takes advantage of MPLS switching, based on a label inserted into the packet, to make the network capable of transporting IPv6 packets without having to modify all equipment. The core of the MPLS network (P equipment: Provider) remains unchanged. 6PE allows an operator whose core network already uses MPLS technology to route IPv4 traffic to upgrade only the edge of its network (PE: Provider Edge equipment) so that it also carries its users' IPv6 traffic. IPv6 routing is performed by the edge equipment (PE), which assigns a label to each IPv6 packet [3].
This technique creates an IPv6 VPN (Virtual Private Network) using the Label Switched Paths (LSP) of an IPv4 MPLS core (Fig.4), with the advantage of reusing the already existing MPLS core. It offers the following advantages:
- Security: this virtual private network provides businesses with the highest level of security.
- Quality of service: inter-site links allow resources to be shared according to users' needs. The MPLS VPN offering makes it possible to use quality of service (QoS) to prioritize certain flows.

2.4 GRE tunnels


GRE (Generic Routing Encapsulation) was developed by Cisco and can encapsulate a wide range of packet types from different protocols in IP packets. A point-to-point tunnel is used when packets must be passed from one network to another over the Internet or over an unsecured network. With this option a virtual tunnel is created between the two ends (Cisco routers) and packets are sent through the GRE tunnel. It is important to note that packets traveling inside a GRE tunnel are not encrypted: GRE does not encrypt the tunnel, it only wraps the packet with a GRE header. If data protection is required, IPsec must be configured to ensure the confidentiality of the data, which turns a GRE tunnel into a secure GRE VPN tunnel [4].
DMVPN (Dynamic Multipoint Virtual Private Network) (Fig.4) is Cisco's response to the growing demand from companies to connect their branches with headquarters and with each other while keeping deployment cost low, minimizing configuration complexity and increasing flexibility. DMVPN is actually a set of technologies (IPsec, mGRE and NHRP) which, combined, facilitate the deployment of IPsec VPNs. It is a reliable, secure and scalable solution allowing flexible establishment and management of IPsec tunnels [5].

Fig. 4. Dynamic Multipoint Virtual Private Network (blue line: static hub-to-spoke, black line: dynamic hub-to-spoke, yellow line: dynamic spoke-to-spoke)

DMVPN is based on a centralized architecture with a router playing the role of the hub, located at the central site, and one or several branch routers (spokes) that each connect to the central site via a static tunnel. There are other architectures involving more than one central router (hub), but they will not be addressed in this project.

2.5 DMVPN proposed solution

DMVPN technology is a solution that does not have these disadvantages. It does not require a full mesh to connect all of the company's sites. Adding a new site does not require reconfiguration of the existing ones, and it is a solution suited to the Internet infrastructure; this is what gives DMVPN its scalable character. It is perfectly suited for the interconnection of remote sites, ensuring the authentication, integrity and encryption of data independently of the providers that serve them.
Implementing DMVPN requires a central router, typically at the head office (siège), which is used as the NHS (Next Hop Server). This router must have a fixed public IPv4 address. The other sites' routers are configured with dynamic public IPv4 addresses (Table 1 and Fig.5).

Table 1: Addressing plan

A permanent tunnel, using IPv6 addresses, is configured between each router and the central router. These tunnels allow dynamic point-to-point links to be created between all sites. A dynamic routing protocol lets the routers exchange routing information, which in turn allows IPv6 packets to be routed through a tunnel across the IPv4 cloud. In addition, dynamic tunnels are established only when necessary, that is, they are torn down after the expiry of a configurable inactivity period.

Fig.6: mGRE using NHRP in static and dynamic mapping

Fig. 5. Tunneling example

The other configuration option uses mGRE (Fig.6) on the hub site and a normal point-to-point GRE configuration on the spokes. There are two main ways this can be configured, but in both the NHRP protocol is necessary. NHRP is used similarly to ARP on Ethernet: it maps a tunnel IP address to the logical IP address of a non-broadcast multi-access (NBMA) network, which enables mGRE to define tunnels dynamically without having to explicitly configure a mapping entry for each potential next-hop destination.
There are two ways to configure mGRE on the hub while leaving a normal GRE configuration on the spokes. The first uses static NHRP mapping statements on the hub router, and the second uses dynamic NHRP mapping on the hub router.
Fig. 6 (yellow line) shows an example of the desired configuration using static NHRP mapping statements. The figure also shows some additional NHRP configuration statements that would be necessary if EIGRP (or any routing protocol requiring multicast) is used.

This configuration is an option, but it would certainly become quite long if there are several branch routers. It does, however, require a very simple branch configuration.

The configuration below is the one generally recommended by Cisco (when using mGRE only on the hub site). It uses dynamic NHRP (Fig.6, green line) on the hub router. Cisco calls this method hub-to-spoke, because it does not by itself give the spoke routers the ability to talk directly to each other. In practice, spoke-to-spoke communication is possible.

3 Results

After configuring the routers, the command 'show DMVPN' shows three tunnels on the head-office router. The value D of the Attrib parameter (Fig.7) shows that these tunnels are dynamic from this router's point of view. This is because the other routers' public IPv4 addresses may change at any time, and the head-office router must be informed of any change so that it can update its NHS (Next Hop Server) information.
With the same command, each of the other routers sees a static tunnel linking it to the head-office router (NHS).

Fig. 7: Dynamic tunnel attrib


Fig.8 shows the continuity of IPv6 connectivity: each router has learned the LANs of the other sites through the tunnels from EIGRP routing information.

The IPsec protocol encrypts the contents of the packet, and only the IPv4 header is visible in the tunnel (Fig.10).
DMVPN essentially creates a mesh VPN topology with IPsec. This means that each site can connect directly to all other sites, no matter where they are located. Combined with IPsec security mechanisms, DMVPN offers very high security thanks to the use of advanced authentication and encryption protocols that protect data from unauthorized access.

DMVPN phase 1 does not allow the creation of a dynamic tunnel between branches. This means that all packets between branches necessarily go through the head-office router (first part of Fig.8).
Allowing the EIGRP process to use the IP address of the branch from which a route was received as the next-hop address when advertising that branch's routes makes it possible to create dynamic tunnels between branches. A branch then knows the IP address of the other branch with which it wants to communicate, which allows it to create a dynamic tunnel and send packets directly to that branch. This is DMVPN phase 2 (second part of Fig.8).
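The following added Python model (not from the paper, and not Cisco's implementation) shows the NHRP exchanges behind the two behaviours described above: registration of spokes with dynamic public addresses at the NHS, hub-relayed forwarding in phase 1, and resolution plus dynamic spoke-to-spoke tunnels that expire after an idle hold time in phase 2. Addresses, names and timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the paper): a small model of NHRP registration and
# resolution as used by DMVPN phase 1 and phase 2. Real NHRP carries more
# fields and the hub also re-advertises routes; this keeps only what decides
# the forwarding path. All addresses and timings are constructed.

HUB_NBMA = "198.51.100.1"        # constructed fixed public IPv4 of the head-office router


class NextHopServer:
    """Hub-side NHRP (NHS) registration table: tunnel IPv6 -> NBMA (public IPv4)."""

    def __init__(self, nbma_ip: str, phase: int):
        self.nbma_ip = nbma_ip
        self.phase = phase
        self.table = {}               # tunnel IPv6 address -> NBMA IPv4 address

    def register(self, tunnel_ip: str, nbma_ip: str) -> tuple:
        # A spoke whose public address changed simply re-registers; the old
        # mapping is overwritten, which is why spokes may use dynamic addresses.
        self.table[tunnel_ip] = nbma_ip
        return ("REGISTRATION-REPLY", tunnel_ip, nbma_ip)

    def next_hop(self, tunnel_ip: str) -> Optional[str]:
        """Used when the hub itself relays a packet down one of its static tunnels."""
        return self.table.get(tunnel_ip)

    def resolve(self, tunnel_ip: str) -> Optional[str]:
        """Answer a spoke's RESOLUTION-REQUEST. In phase 1 the hub is the only
        next hop, so spokes never learn each other's NBMA address."""
        if self.phase < 2:
            return None
        return self.table.get(tunnel_ip)


@dataclass
class Spoke:
    name: str
    tunnel_ip: str
    nbma_ip: str
    nhs: NextHopServer
    hold_time: int = 600                          # idle seconds before a dynamic tunnel is torn down
    dynamic: dict = field(default_factory=dict)   # peer tunnel IPv6 -> [peer NBMA, last used]
    messages: list = field(default_factory=list)

    def register(self) -> None:
        self.messages.append(("REGISTRATION-REQUEST", self.tunnel_ip, self.nbma_ip))
        self.messages.append(self.nhs.register(self.tunnel_ip, self.nbma_ip))

    def expire(self, now: int) -> int:
        """Tear down dynamic tunnels idle longer than hold_time; return how many remain."""
        for peer in [p for p, (_, used) in self.dynamic.items() if now - used > self.hold_time]:
            self.messages.append(("PURGE", peer))
            del self.dynamic[peer]
        return len(self.dynamic)

    def path_to(self, peer_tunnel_ip: str, now: int) -> list:
        """NBMA addresses a packet traverses from this spoke to the peer's tunnel address."""
        self.expire(now)
        if peer_tunnel_ip in self.dynamic:           # existing spoke-to-spoke tunnel
            self.dynamic[peer_tunnel_ip][1] = now
            return [self.nbma_ip, self.dynamic[peer_tunnel_ip][0]]
        self.messages.append(("RESOLUTION-REQUEST", peer_tunnel_ip))
        peer_nbma = self.nhs.resolve(peer_tunnel_ip)
        if peer_nbma is None:
            # Phase 1: send up the static tunnel; the hub relays down its own static tunnel.
            return [self.nbma_ip, self.nhs.nbma_ip, self.nhs.next_hop(peer_tunnel_ip)]
        self.messages.append(("RESOLUTION-REPLY", peer_tunnel_ip, peer_nbma))
        self.dynamic[peer_tunnel_ip] = [peer_nbma, now]   # dynamic spoke-to-spoke tunnel
        return [self.nbma_ip, peer_nbma]


def run_scenario(phase: int) -> dict:
    """Two branches behind a hub; branch-B's public address changes mid-way."""
    hub = NextHopServer(HUB_NBMA, phase)
    a = Spoke("branch-A", "2001:db8:ffff::2", "203.0.113.10", hub, hold_time=300)
    b = Spoke("branch-B", "2001:db8:ffff::3", "203.0.113.20", hub, hold_time=300)
    a.register()
    b.register()
    first = a.path_to(b.tunnel_ip, now=0)
    cached = a.path_to(b.tunnel_ip, now=10)
    b.nbma_ip = "203.0.113.99"                    # branch-B's dynamic public address changed
    b.register()
    remaining = a.expire(now=400)                 # 390 s idle > 300 s hold time
    after_change = a.path_to(b.tunnel_ip, now=400)
    return {"first": first, "cached": cached, "tunnels_after_expiry": remaining,
            "after_change": after_change, "messages": a.messages}


if __name__ == "__main__":
    for phase in (1, 2):
        print(f"phase {phase}:", run_scenario(phase))
```

Running it for phase 1 shows every path as spoke, hub, spoke, while phase 2 shows the first packet triggering a RESOLUTION-REQUEST/REPLY, subsequent packets reusing the direct tunnel, and a fresh resolution after the idle purge that also picks up branch-B's new public address.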


Fig.10. The IPsec protocol encrypts the contents of the packet; only the IPv4 header is visible

Fig.11 shows that the head-office router sees the branch routers as neighbors, as if it were directly connected to them. In this way IPv6 connectivity is provided securely between the company's sites.


Fig.8. Dynamic tunnel between branches

The screenshot below (Fig.9) shows that data are visible in the tunnels. Indeed, a tunnel encapsulates the IPv6 packet in a new packet with an IPv4 header without encrypting the data of the IPv6 packet. It is therefore important to apply IPsec to secure traffic through the tunnel.
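To make the point of Fig.9 and of section 2.4 concrete, here is an added Python example (not from the paper) that builds an IPv6 packet exactly as a plain GRE tunnel carries it over IPv4 and then parses the outer packet the way any observer on the IPv4 path could. The addresses and the payload are constructed, and the UDP checksum is left at zero to keep the sample short.

```python
import ipaddress
import struct

# Added example (not from the paper): IPv6-in-GRE-in-IPv4 as carried by an
# unprotected GRE tunnel, and the parse a passive observer can perform on it.
# Outer/inner addresses and the payload are constructed values.

GRE_PROTO = 47            # IPv4 protocol number for GRE
ETHERTYPE_IPV6 = 0x86DD   # GRE protocol type for an IPv6 payload


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal UDP header + data (checksum left zero in this constructed sample)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def gre_encapsulate(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                    next_header: int, payload: bytes) -> bytes:
    """IPv4(proto 47) | GRE(flags 0, type 0x86DD) | IPv6 header | payload."""
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(inner_src).packed,
                       ipaddress.IPv6Address(inner_dst).packed) + payload
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV6)          # no checksum/key/sequence bits set
    total_len = 20 + len(gre) + len(ipv6)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                       GRE_PROTO, 0,
                       ipaddress.IPv4Address(outer_src).packed,
                       ipaddress.IPv4Address(outer_dst).packed)
    ipv4 = ipv4[:10] + struct.pack("!H", ipv4_checksum(ipv4)) + ipv4[12:]
    return ipv4 + gre + ipv6


def gre_decapsulate(packet: bytes) -> dict:
    """Everything an observer on the IPv4 transport can read from a plain GRE packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != GRE_PROTO:
        raise ValueError("not an IPv4/GRE packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:
        gre_len += 4          # checksum + reserved1 present
    if flags & 0x2000:
        gre_len += 4          # key present
    if flags & 0x1000:
        gre_len += 4          # sequence number present
    if ptype != ETHERTYPE_IPV6:
        raise ValueError(f"unexpected GRE protocol type {ptype:#06x}")
    inner = packet[ihl + gre_len:]
    vtf, plen, nh, _, isrc, idst = struct.unpack("!IHBB16s16s", inner[:40])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    return {
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "inner_src": str(ipaddress.IPv6Address(isrc)),
        "inner_dst": str(ipaddress.IPv6Address(idst)),
        "next_header": nh,
        "payload": inner[40:40 + plen],
    }


if __name__ == "__main__":
    data = b"branch payroll export"
    pkt = gre_encapsulate("203.0.113.10", "198.51.100.1",
                          "2001:db8:1::10", "2001:db8:2::20", 17, udp_datagram(40000, 5060, data))
    print(gre_decapsulate(pkt))
    print("payload readable on the wire:", data in pkt)
```

The decapsulation returns the inner IPv6 addresses and the application bytes unchanged, which is exactly what Fig.9 shows in the capture; the same outer packet protected by an IPsec profile would expose only the IPv4 header (Fig.10).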


Fig.11. The head-office router sees the branch routers as neighbors

Fig.9. The tunnel encapsulates the packet in a new packet with an IPv4 header without encrypting the data of the IPv6 packet


4 Conclusion
We have shown that DMVPN technology enables companies to migrate to IPv6 regardless of the migration of the ISP (FAI). It is a solution that has many advantages for the business from the economic, security and scalability points of view. Moreover, its deployment does not require static public IP addresses on the spokes (branches or secondary sites). This technology can achieve a full mesh of sites without permanent tunnels. Its major drawback is that it belongs to Cisco, which means it requires routers from this manufacturer. This technology is suitable for businesses regardless of the number of sites they have.
The DMVPN solution reduces administrative tasks by eliminating the need to reconfigure the central router and the existing sites when adding new remote sites.
The tunnel encapsulates the packet in a new packet with an IPv4 header without encrypting the IPv6 packet data. It is important to apply IPsec to secure traffic through the tunnel. DMVPN essentially creates a mesh VPN topology with IPsec. This means that each site can connect directly to all other sites, no matter where they are located. Combined with IPsec security mechanisms, DMVPN offers very high security thanks to the use of advanced authentication and encryption protocols that protect data from unauthorized access.

References:

[1] RFC 3056
[2] RFC 5969
[3] RFC 4798
[4] RFC 2784
[5] http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf (last consulted 09/08/2015)
[6] Sybex, CCNA Routing and Switching Study Guide, October 2013
[7] Pete Loshin, IPv6 Second Edition: Theory, Protocol, and Practice (The Morgan Kaufmann Series in Networking), 2nd Edition, 2004

Abdou Karim FAROTA, PhD in applied physics from the University Gaston Berger of Saint-Louis (2015), engineer specialized in microprocessors and microprocessor systems at the Faculty of Electronics of Wroclaw (Poland) in 1992. He has taught electronics, industrial computing and computer systems design at the University Gaston Berger de Saint-Louis (Senegal) since 2005. He studied dynamical systems, artificial neurons, network security and the physics of the atmosphere.

Mor DIOUM, Engineer in Electronics and Telecommunications (DIETEL 2015) at Gaston Berger University of Saint-Louis, has worked at the company IDEAL Solution in Dakar (Senegal). He is preparing a doctoral thesis in telecommunications: security and reliability of VLAN networks.


Acknowledgments
This work was supported in part by the CEA-MITIC / UFR SAT / UGB.
