
Virtual Private Networks

2E1623 Data Links and Local Area Networks
Goal

• To build a network that, as much as possible, acts like an extension of the private corporate network on a service provider's shared network infrastructure

Private Network

• Interconnection of different sites of a corporation
• “Leased lines”
  – Physical connections provided by the operator

Virtual Private Network

• Extension of the corporate network
• Uses the service provider’s infrastructure
  – “Provider provisioned”
• Resembles a true, physical network
  – Hence “virtual”

Why Provider Provisioned VPNs?

• Network operation, administration and maintenance by the service provider
  – Instead of by the customer
• Security and privacy
  – Main purpose is internal communication
  – Protection against intrusions
    o Attacks, information gathering
• Legacy technology
  – Potentially large investments

Traditional Virtual Private Network

(Figure: customer sites connected through the service provider network)

• Same technology in the service provider network as for the offered service
  – ATM, Frame Relay, …
• Issues with administration, management, cost, …
  – Multiple services
  – Isolation
    o Between customer networks
    o Between customer and provider networks

Separate Technologies

• Common switching infrastructure for all services
• Customer and service decoupling
• Different requirements on customer and core technologies
  – What is best for one may not be best for the other

Basic Idea

(Figure: Customer Edge, access network, Provider Edge, tunnel between the Provider Edges)

• Data arrives from the CE (Customer Edge) via the access network
• Encapsulated by the PE (Provider Edge) and sent over the tunnel
• Decapsulated by the receiving PE and sent over the access network to the CE
• Questions
  – How to tunnel packets?
  – Access method between PE and CE?
  – Service provided by PE to CE?

Tunneling

(Figure: customer packet = Header | Data; tunnel packet = Tunnel header | Data, where the Data of the tunnel packet is the whole customer packet)

• Encapsulate the customer packet in a new packet
  – Add a header
    o IP (GRE), MPLS, L2TP, IPsec, …
  – Inner packet carried transparently across the provider’s network
    o Any format possible!
• Source and destination addresses of the tunnel header define the tunnel endpoints
  – Configured for the tunnel
• Tunneling technique used for many different purposes
  – IP multicast over non-multicast networks
  – IPv6 over IPv4 networks
  – …

Provider Provisioned VPNs

(Figure: Customer Edge, access network, Provider Edge)

• Classified by the OSI layer at which the access network operates
• Layer 3 VPN
  – IP service
  – Routing relationship between CE and PE
• Layer 2 VPN
  – Data link service
  – Ethernet LAN
    o Ethernet MAC

Why Layer 2 VPNs?

• It is an L3 backbone, after all?
• Legacy equipment
  – Frame Relay, ATM, Ethernet, …
• “Never bet against Ethernet”
  – Plug and play
  – Cost
  – Scalability
  – LAN to MAN to WAN

Virtual Private Wire Service (VPWS)

(Figure: CE, native service, PE, PSN tunnels carrying pseudo wires, PE, native service, CE. CE = Customer Edge, PE = Provider Edge, PSN = Packet Switched Network)

• Traditional (tele)communications links over a PSN
• Point-to-point circuits (“pseudo wires”)
• Pseudo Wire Emulation Edge-to-Edge (PWE3)

Link Emulation

• PPP/HDLC
• ATM, Frame Relay
• SDH/SONET
• “TDM”
  – TDM bit-streams (T1, E1, T3, E3)
  – “Structure agnostic”
    o Does not consider TDM framing formats
• Ethernet

Ethernet VPWS

(Figure: two CEs bridged across the PSN)

• Bridged LAN service
  – Between two CEs on the “emulated LAN”
• Raw mode
  – Port-to-port service
  – VLAN tags, if any, pass transparently
• Tagged mode
  – VLAN-to-VLAN service
  – Multiple VLANs multiplexed over the pseudo wire

Ethernet VPWS Encapsulation

(Figure, packet layout: LSP label(s) | PW label | Control word | Ethernet frame (without preamble, FCS))

• Control word
  – Contains a 16-bit sequence number for frame ordering (if necessary)
• PW label
  – Identifies the pseudo wire to which the packet belongs
• LSP label(s)
  – Further MPLS tunnel encapsulation (if necessary)

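The encapsulation on this slide, together with the general tunneling idea from slide 9, as an added example that is not part of the original slides: it builds and parses the LSP label / PW label / control word / Ethernet frame layout and checks the 16-bit sequence number on receipt. Label values, the sample frame and the sequencer's loss accounting are constructed for illustration; the control-word layout (first nibble 0000, 16-bit sequence number, 0 meaning sequencing is not in use) follows RFC 4385/RFC 4448.

```python
import struct

# Constructed Ethernet frame: dst and src from the documentation MAC range, EtherType IPv4, dummy payload.
FRAME = bytes.fromhex("00005e00530b" "00005e00530a" "0800") + b"payload"

def mpls_label(label, tc=0, bos=0, ttl=64):
    """Pack one 32-bit MPLS stack entry: 20-bit label, 3-bit TC, S (bottom-of-stack) bit, 8-bit TTL."""
    return struct.pack("!I", ((label & 0xFFFFF) << 12) | (tc << 9) | (bos << 8) | ttl)

def control_word(seq):
    """PW control word: first nibble 0000 (so it is not mistaken for IP), flags 0, 16-bit sequence number."""
    return struct.pack("!HH", 0x0000, seq & 0xFFFF)

def encapsulate(frame, lsp_labels, pw_label, seq):
    """LSP label(s) on top, PW label at the bottom of the stack, control word, then the raw frame."""
    stack = b"".join(mpls_label(l) for l in lsp_labels) + mpls_label(pw_label, bos=1)
    return stack + control_word(seq) + frame

def decapsulate(packet):
    """Walk the stack down to the S bit, validate the control word; return (lsp_labels, pw_label, seq, frame)."""
    labels, off = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", packet, off)
        off += 4
        labels.append(entry >> 12)
        if entry & 0x100:                 # S bit set: this entry is the PW label
            break
    flags, seq = struct.unpack_from("!HH", packet, off)
    if flags >> 12 != 0:
        raise ValueError("control word must start with nibble 0000")
    return labels[:-1], labels[-1], seq, packet[off + 4:]

class PwSequencer:
    """Receive-side check of one pseudo wire's sequence numbers (0 means sequencing not in use)."""
    def __init__(self):
        self.expected, self.lost = None, 0

    def accept(self, seq):
        if seq == 0:
            return True
        if self.expected is None or seq == self.expected:
            self.expected = seq % 0xFFFF + 1      # 65535 wraps to 1, never to 0
            return True
        ahead = (seq - self.expected) & 0xFFFF
        if ahead < 0x8000:                        # gap ahead: earlier frames were lost
            self.lost += ahead
            self.expected = seq % 0xFFFF + 1
            return True
        return False                              # late or duplicate frame: drop it
```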
Virtual Private LAN Service (VPLS)

(Figure: LAN switch service)

• Layer 2 MPLS virtual private networks, aka Transparent LAN Service (TLS)
• PEs perform additional LAN functions compared to VPWS
  – Learning and forwarding based on MAC addresses
  – Flooding
    o Broadcast, multicast and unknown addresses
• The VPN service appears as a (distributed) LAN switch

Pseudo Wire Provisioning

• A VPLS VPN is fully connected (mesh)
  – Each PE has a tunnel to every other PE in the VPN
• Configuration
  – Manual or by management tools
• LDP
  – Point-to-point tunnels
  – Extensions to identify pseudo wires and signal attributes of pseudo wires
    o New TLVs, FEC elements, parameters and codes

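The distributed LAN switch of slide 16 over the full mesh of slide 17, as an added example that is not from the original slides: each PE learns MAC addresses against the port they arrive on, floods broadcast/multicast/unknown frames, and applies the split-horizon rule of a full-mesh VPLS (a frame received over a pseudo wire is never forwarded onto another pseudo wire), which is what keeps the mesh loop-free. PE names, MAC addresses and the single attachment circuit per PE are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # constructed, documentation MAC range

class PE:
    """One PE of a VPLS: a single CE-facing attachment circuit plus a pseudo wire to every peer."""
    def __init__(self, name):
        self.name = name
        self.fib = {}          # MAC -> "ac" (learned from local CE) or name of the ingress pseudo wire
        self.pws = {}          # peer PE name -> PE object (full mesh)
        self.delivered = []    # (src, dst) frames handed to the local CE

    def connect(self, other):
        self.pws[other.name] = other
        other.pws[self.name] = self

    def receive(self, src, dst, from_pw=None):
        """Forward one frame; from_pw is None when it comes from the local CE, else the peer name."""
        self.fib[src] = from_pw or "ac"                  # learning: remember where src was seen
        port = self.fib.get(dst)
        if port is None or int(dst[:2], 16) & 1:          # flood: unknown unicast, or group bit set
            if from_pw is not None:
                self.delivered.append((src, dst))
            else:                                        # split horizon: only CE frames go out on PWs
                for peer in self.pws.values():
                    peer.receive(src, dst, from_pw=self.name)
        elif port == "ac":
            if from_pw is not None:                      # CE-to-CE on the same port: nothing to forward
                self.delivered.append((src, dst))
        elif from_pw is None:
            self.pws[port].receive(src, dst, from_pw=self.name)
        # a frame arriving on a PW is never forwarded to another PW (split horizon)

def build_mesh(names):
    """Fully meshed VPLS: each PE gets a pseudo wire to every other PE."""
    pes = {n: PE(n) for n in names}
    members = list(pes.values())
    for i, a in enumerate(members):
        for b in members[i + 1:]:
            a.connect(b)
    return pes

def demo():
    pes = build_mesh(["PE1", "PE2", "PE3"])
    pes["PE1"].receive(MAC_A, BROADCAST)   # CE at PE1 broadcasts (e.g. ARP): flooded to PE2 and PE3
    pes["PE2"].receive(MAC_B, MAC_A)       # CE at PE2 replies: MAC_A already learned on PW to PE1
    return pes
```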
Layer 2 Tunneling Protocol (L2TP)

• Dynamic setup, maintenance and teardown of multiple layer 2 point-to-point tunnels
• Also an encapsulation method for tunneling PPP frames
• L2TPext
  – IETF working group
  – Extensions for tunneling of pseudo wires

Discovery

• A PE needs to know the identities of all other PEs in the VPLS
  – Configured
  – Cumbersome for large VPNs
• Auto-discovery
  – A PE discovers which other PEs are in the VPN
    o Tunnels are set up
  – If the topology changes, the PEs adapt automatically

Border Gateway Protocol (BGP)

• Multi-protocol extensions
  – Associate information related to other protocols with the next-hop information
• Autodiscovery of VPLS members
• Setup and teardown of the pseudo wires

Layer 3 VPN

(Figure: Customer Edge, IP access, Provider Edge, tunnel between the Provider Edges)

• IP VPN
  – A VPN is a private IP network, with its own IP address space
  – So it is not part of the Internet
• Routing relationship between CE and PE
  – OSPF, BGP, etc.
• RFC2547bis
  – BGP for autodiscovery and distribution of routes within the VPN
  – MPLS tunnels between PEs
• Virtual router
  – Virtual routers within PEs
  – Routing protocols between VR/PEs
  – Tunnels between VR/PEs

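The "own IP address space" point of the RFC2547bis model, as an added example that is not from the original slides: a PE keeps one per-VPN forwarding table (a VRF) per customer, so two customers can both use 10.1.0.0/16 without seeing each other's routes, and a packet from one customer's port is only ever looked up in that customer's table. The PE names, attachment circuit names, VPN labels and prefixes are constructed for illustration.

```python
import ipaddress

class VRF:
    """Per-VPN forwarding table on a PE: routes learned via BGP point to an egress PE and a VPN label."""
    def __init__(self, name):
        self.name = name
        self.routes = {}                     # ip_network -> (egress PE, VPN label)

    def add_route(self, prefix, egress_pe, vpn_label):
        self.routes[ipaddress.ip_network(prefix)] = (egress_pe, vpn_label)

    def lookup(self, dst):
        """Longest-prefix match within this VRF only; None means the VPN has no route (packet is dropped)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

class PE:
    def __init__(self):
        self.vrfs = {}                       # VPN name -> VRF
        self.ac_to_vpn = {}                  # attachment circuit (CE-facing port) -> VPN name

    def attach(self, ac, vpn):
        self.vrfs.setdefault(vpn, VRF(vpn))
        self.ac_to_vpn[ac] = vpn

    def forward(self, ac, dst):
        """Packets from port `ac` are looked up only in that port's VRF, never in another customer's."""
        return self.vrfs[self.ac_to_vpn[ac]].lookup(dst)

def demo_pe():
    """Constructed PE: two customers that both use 10.1.0.0/16 at a remote site."""
    pe = PE()
    pe.attach("ac-A", "VPN-A")
    pe.attach("ac-B", "VPN-B")
    pe.vrfs["VPN-A"].add_route("10.1.0.0/16", "PE2", 1001)   # labels and PE names are constructed
    pe.vrfs["VPN-B"].add_route("10.1.0.0/16", "PE3", 2002)
    pe.vrfs["VPN-B"].add_route("10.1.5.0/24", "PE4", 2003)
    return pe
```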
Customer Edge Private Network

• Private network functions realized at the customer site
• Based on a regular IP connectivity service
  – No specific VPN support in the provider network!
• IPsec VPN, SSL VPN, …

Reading Instructions

• “Standards for Virtual Private Networks.” IEEE Communications Magazine, June 2004, Vol. 42, No. 6.
• IETF L2VPN and PWE3 working groups
