Nail Kavak
The phenomenal success of the Internet and the universal adoption of the Internet protocol are driving profound changes in the telecommunications industry. The infrastructure of the Internet is being used as the foundation for a new public IP network. In addition to existing best-effort applications, the emerging IP networks will offer the functionality needed to support a variety of carrier-class and business-quality services, with the advantage of being ubiquitous, easier to access, and of costing less than competing alternatives.

Many service providers are expanding the capacity and geographical coverage of their networks to meet rising customer demand. With virtual private networks, they can improve asset utilization and return on investments by leasing available capacity and providing new services. IP-based virtual private networks provide a means of extending the reach and scalability of legacy frame-relay and ATM networks. End-users gain ubiquitous access to the corporate intranet or extranet for business-to-business applications, IP telephony, or multicast videoconferencing service. Ultimately, Internet VPNs will be the global means of business communication just as the voice network is today.

The author describes various virtual private network models and the details of Ericsson’s MPLS-based IP-VPN offering.

VPN services and architectures

VPN services

A virtual private network (VPN) consists of a set of geographically disparate sites that can communicate securely over a public or shared infrastructure. IP-based VPNs (IP-VPN) enable business customers seamlessly to receive the same security, connectivity and reliability as from any other private network, and can be used to offer the following services:
• intranet—connectivity between corporate sites;
• dial-in access—business employees can access the corporate network remotely;
• extranet—secure connectivity between a community of users or business partners whose access is restricted to the resources defined for that community; and
• Internet access.

VPNs can be built in various ways. Some consist of routers and firewalls that are interconnected to the physical or logical leased line of carriers and service providers. Others might include a combination of application proxy firewall, encryption, intrusion detection, tunneling, and key management. Some VPNs are managed in-house, while others are outsourced to a service provider.

Whether the VPN constitutes remote-access service to an intranet or extranet, a service provider must somehow integrate the VPN services into a common infrastructure.

VPN architectures

Remote access
Remote-access VPNs give end-users access to a corporate intranet or extranet over a shared public infrastructure. Ordinarily, a VPN subscriber or a server in a remote office dials into a network access server (NAS) at the service provider’s point of presence (PoP). After authentication, which is based on the pre-configured user profile, a tunnel is dynamically established to the tunnel server on the customer premises (Figure 1). A tunnel can be
• client-initiated (voluntary)—in which case the tunnel is opened by the client and terminated by the corporation without any active involvement by the service provider; or
• compulsory—in which case the tunnel is created by the service provider’s network access server and terminated either by a service provider tunnel server or by a central customer site server.

Figure 1: Remote access scenario. (Labels in the figure: Telecommuters, ISDN, xDSL, Dial in, LAC (NAS), PoP, L2TP, Tunnel end points, ISP network, PE, P, LNS, CPE, Enterprise 1, Enterprise 2, Enterprise 3.)

The security policy database can reside on the company premises or it can be outsourced to the service provider.

A remote-access VPN allows users to take advantage of low-cost Internet-access services (as opposed to being assessed distance-sensitive bandwidth charges). Although most remote-access services are currently
(Figure labels whose caption did not survive extraction: Mobile network, SGSN, BSC, AXI 540, Router, Central site, Telecommuters, PE, CPE.)

Figure 4: Pipe model: Specified distribution of traffic between each site.
not globally unique (for example, the local addresses defined in RFC 1918, or addresses that rightfully belong to another organization). Addresses are solely guaranteed unique within the scope of a given VPN. An address might, for example, be used in multiple VPNs, on the global Internet, or both. Thus, an address must always be interpreted within the scope of the VPN on which a packet is traveling. The Ericsson IP-VPN solutions support multiple instances of overlapping address space without requiring network address translation. The NAT function is only required when two business customers with overlapping address space communicate with each other or when a business customer who uses private addresses wants to access the global Internet.

Security

IP-VPNs replace private backbones with the shared backbone of a public network provider. Consequently, VPN customers might be concerned about the confidentiality of data passing between VPN sites, worrying that traffic originating from an unauthorized source outside the VPN can enter the VPN (possibly masquerading as a legitimate VPN host). Security violations could result in the exposure or corruption of sensitive corporate data, unauthorized access to computing resources, and denial of service or electronic vandalism. While the utmost security is obtained by implementing IPsec or like technologies within the CPE, customers who use IP-VPNs in place of frame relay or ATM L2 VPN services obtain adequate security via L2 (MPLS or ATM) or L3 tunneling within the service provider network. In this case—provided it is possible to limit the topology with which the data is exposed when under the administrative control of a single service provider—the advantages of operational simplicity outweigh the security risks of breached confidentiality. That is, topology control enhances data confidentiality—the routing-decision processes that include VPN constraints are leveraged as part of the packet-forwarding decision process.

QoS/SLA

Customers who build private leased-line networks can be guaranteed specific bandwidth on each link. Similarly, customers who share public networks, such as frame relay or ATM, receive service provider guarantees of bandwidth through, for example, committed information rates (CIR). Obviously, customers who migrate to a shared IP network must also be given the same kind of assurances.

QoS models

Ericsson’s VPN solution can be based either on a pipe or hose QoS model. The pipe model is analogous to conventional leased-line VPNs in which the customer knows the traffic matrix or how traffic is distributed between VPN sites. The traffic matrix is translated into a set of pipes that meets the customer requirements.

The hose QoS model guarantees performance based on aggregate traffic specifications. In this model, the customer does not necessarily know the traffic matrix. Instead, to simplify the customer’s task of specifying the performance requirements of the VPN, performance characteristics are defined solely for traffic entering into a hose stub link or exiting a hose to any other hose (Figure 5). Apart from being very straightforward, this model allows customers to vary, without changing their contract, the volume of traffic that is sent to any other hose endpoint, provided that the aggregate traffic entering and exiting each of the endpoints does not exceed the capacity of each hose.

The two VPN models put different requirements on
• the engineering and provisioning of resources in the backbone; and
• the description and monitoring of the service level agreement.

Connectivity models

However, regardless of the QoS model used, Ericsson offers two different connectivity models for controlling QoS in IP-VPNs:
• Differentiated services—either the DiffServ code point (DSCP) in the packet (for pre-encapsulated packets, the router uses the DSCP value in the clear-text header) or the MPLS label+CoS is used to map the packet to the behavior aggregate (and corresponding per-hop behavior) with strictly configured scheduling parameters.
• Virtual circuit (VC)—traffic parameters and a QoS service class (delay and throughput sensitivity) are assigned to a label-switched path or ATM VC with dynamic per-hop admission control, preemption priority, and so on. Like the DiffServ connectivity model, the virtual circuit connectivity model supports only a few forwarding classes in the network. Different LSPs that belong to the same forwarding class are mapped to the same buffer or queue. Distinct admission control policies and traffic conditioning apply to each forwarding class.

To properly enforce service differentiation, Ericsson products employ technologies that identify, regulate, and isolate traffic.
• Identification is accomplished by means of packet classification—that is, by matching the components of a packet header against a list of filters. In some circumstances, such as when a customer has stringent security requirements or wants to differentiate service to the stub link, the classification must be performed at the customer site.
• Regulation is accomplished by traffic conditioning—that is, by shaping, dropping, or re-marking packets based on the temporal characteristics of the associated packet stream (identified by a classifier) relative to the traffic profile of the SLA.
• Isolation is achieved by using several queuing or policy-based routing mechanisms that provide dedicated router forwarding resources (buffers, output link bandwidth) or special network paths that isolate enhanced-service traffic from congestion that has been induced by traditional best-effort traffic.

Scalability

Obviously, service providers want to know what impact VPN services will have on
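The pipe and hose admission rules and the identify, regulate, isolate steps described under QoS models and Connectivity models, as an added Python example (not the article's or Ericsson's code). The pipe and hose capacities, the filter list, the SLA token-bucket profiles, the out-of-profile policy and the sample packets are all constructed; the DSCP values for EF, AF11 and best effort are the standard code points.

```python
"""Added example (not from the article or Ericsson): a pipe-versus-hose
admission check and a DiffServ-style identify / regulate / isolate pipeline.
All capacities, filters, rates, policies and sample packets are constructed."""
from collections import deque
from dataclasses import dataclass

# ---- Pipe vs hose admission -----------------------------------------------
# traffic_matrix: {(src_site, dst_site): Mbps} as the customer states it.

def pipe_feasible(traffic_matrix, pipes):
    """Pipe model: every site pair needs its own pipe, and the stated demand
    on that pair must not exceed the pipe's capacity."""
    return all(pair in pipes and demand <= pipes[pair]
               for pair, demand in traffic_matrix.items())

def hose_feasible(traffic_matrix, hoses):
    """Hose model: only the aggregate sent into and received from each
    site's hose is bounded; hoses = {site: (send_cap, recv_cap)} in Mbps.
    The matrix itself may change freely as long as these bounds hold."""
    for site, (send_cap, recv_cap) in hoses.items():
        sent = sum(d for (s, _), d in traffic_matrix.items() if s == site)
        received = sum(d for (_, t), d in traffic_matrix.items() if t == site)
        if sent > send_cap or received > recv_cap:
            return False
    return all(s in hoses and t in hoses for (s, t) in traffic_matrix)

# ---- Identify / regulate / isolate ----------------------------------------
EF, AF11, BE = 46, 10, 0   # standard DSCP code points (EF, AF11, best effort)

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    length: int   # bytes
    t: float      # arrival time in seconds

# Identification: ordered filter list over header fields, first match wins.
FILTERS = [({"proto": "udp", "dport": 5060}, EF),
           ({"proto": "tcp", "dport": 443}, AF11)]

def classify(pkt):
    for match, dscp in FILTERS:
        if all(getattr(pkt, k) == v for k, v in match.items()):
            return dscp
    return BE

class TokenBucket:
    """SLA traffic profile: a sustained rate plus a burst allowance."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate, self.burst = rate_bps / 8.0, burst_bytes   # bytes/s, bytes
        self.tokens, self.last = burst_bytes, 0.0
    def conforms(self, length, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False

def run(packets):
    """Regulation: out-of-profile EF is dropped, out-of-profile AF11 is
    re-marked to BE (constructed policy). Isolation: one queue per class."""
    profiles = {EF: (TokenBucket(64_000, 1000), "drop"),
                AF11: (TokenBucket(800_000, 2000), "remark")}
    queues = {EF: deque(), AF11: deque(), BE: deque()}
    stats = {"dropped": 0, "remarked": 0}
    for pkt in sorted(packets, key=lambda p: p.t):
        dscp = classify(pkt)
        if dscp in profiles and not profiles[dscp][0].conforms(pkt.length, pkt.t):
            if profiles[dscp][1] == "drop":
                stats["dropped"] += 1
                continue
            stats["remarked"] += 1
            dscp = BE
        queues[dscp].append(pkt)
    stats["queued"] = {cls: len(q) for cls, q in queues.items()}
    return stats

# Constructed sample: three voice packets, two HTTPS segments, one web fetch.
SAMPLE = [Packet("udp", 5060, 200, 0.0), Packet("udp", 5060, 900, 0.0),
          Packet("tcp", 443, 1500, 0.0), Packet("tcp", 443, 1500, 0.0),
          Packet("tcp", 80, 1000, 0.0), Packet("udp", 5060, 900, 1.0)]

if __name__ == "__main__":
    print(run(SAMPLE))   # {'dropped': 1, 'remarked': 1, 'queued': {46: 2, 10: 1, 0: 2}}
```

The second EF packet exceeds the burst allowance at t=0 and is dropped, whereas the same-sized packet one second later has earned enough tokens to pass; the second HTTPS segment is not dropped but loses its AF11 marking, which is the re-marking option the Regulation bullet describes. The hose check accepts a traffic matrix that the pipe check rejects as long as each endpoint's aggregate stays within its hose.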
Figure 6: MPLS-BGP/VPN architecture and components. (Labels in the figure: MPLS backbone, PE, P, CPE, VR, Global VR, VPN A1, VPN A2, VPN A3, VPN B1, VPN B2, Internet.)

Figure 8: VPN control plane in action. (Labels in the figure: EBGP, IGP, (Static), iBGP/MP, VR, Internet. Steps shown: translate IPv4 to VPN-unique address; send MP-iBGP update to all; import from BGP; translate VPN-unique address to IPv4; distribute to CE.)
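The VPN-scoped interpretation of addresses described in the addressing section and the control-plane steps listed for Figure 8, as an added Python example (not the article's or Ericsson's code). The PE and VR classes, the route distinguishers, route targets, site names, prefixes and PE loopback addresses are all constructed; the example assumes the BGP/MPLS VPN convention of making a prefix VPN-unique by pairing it with a route distinguisher and of selecting imports by route target.

```python
"""Added example (not from the article or Ericsson): per-VPN routing tables
(virtual routers) on a PE, the Figure 8 control-plane steps done by hand,
and a forwarding lookup scoped to one VPN, so overlapping RFC 1918 space
needs no NAT. Route distinguishers, route targets, site names, prefixes and
PE addresses are constructed; the RD + prefix form of the VPN-unique
address is the BGP/MPLS VPN convention, assumed here."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnRoute:
    """What MP-iBGP carries: the prefix made VPN-unique by a route distinguisher."""
    rd: str            # route distinguisher, e.g. "65000:1" (constructed)
    prefix: str        # IPv4 prefix exactly as the CE announced it
    next_hop: str      # loopback of the PE that learned it
    route_target: str  # extended community that decides which VRs import it


class VirtualRouter:
    """One VR per VPN per PE; its routes mean nothing outside that VPN."""
    def __init__(self, vpn, rd, route_target):
        self.vpn, self.rd, self.rt = vpn, rd, route_target
        self.table = {}     # ip_network -> next hop (local CE name or remote PE loopback)
        self.local = set()  # prefixes learned from this PE's own CE (EBGP, IGP or static)

    def learn_from_ce(self, prefix, ce):
        net = ipaddress.ip_network(prefix)
        self.table[net] = ce
        self.local.add(net)

    def export(self, pe_loopback):
        """Translate IPv4 -> VPN-unique (rd, prefix) for the MP-iBGP update."""
        return [VpnRoute(self.rd, str(p), pe_loopback, self.rt) for p in sorted(self.local)]

    def import_routes(self, updates, own_loopback):
        """Import from BGP by route target, translate back to plain IPv4,
        and return the prefixes that are then distributed to the CE."""
        imported = []
        for r in updates:
            if r.route_target == self.rt and r.next_hop != own_loopback:
                self.table[ipaddress.ip_network(r.prefix)] = r.next_hop
                imported.append(r.prefix)
        return sorted(imported)


class PE:
    def __init__(self, loopback):
        self.loopback = loopback
        self.vrs = {}           # vpn name -> VirtualRouter
        self.global_table = {}  # Internet routes: a separate scope, not a VPN

    def add_vr(self, vr):
        self.vrs[vr.vpn] = vr

    def export_all(self):
        return [r for vr in self.vrs.values() for r in vr.export(self.loopback)]

    def import_all(self, updates):
        return {name: vr.import_routes(updates, self.loopback) for name, vr in self.vrs.items()}

    def lookup(self, vpn, dst):
        """Forwarding decision constrained to the packet's VPN (None = global).
        Longest-prefix match is done only inside that one table."""
        table = self.global_table if vpn is None else self.vrs[vpn].table
        addr = ipaddress.ip_address(dst)
        hits = [p for p in table if addr in p]
        return table[max(hits, key=lambda p: p.prefixlen)] if hits else None


def build_network():
    """Two PEs and two VPNs (A and B) that both use 10.0.0.0/8 space."""
    pe1, pe2 = PE("192.0.2.1"), PE("192.0.2.2")   # documentation addresses
    for pe in (pe1, pe2):
        pe.add_vr(VirtualRouter("A", rd="65000:1", route_target="65000:100"))
        pe.add_vr(VirtualRouter("B", rd="65000:2", route_target="65000:200"))
    pe1.vrs["A"].learn_from_ce("10.1.0.0/16", "CE-A1")
    pe1.vrs["B"].learn_from_ce("10.2.0.0/16", "CE-B1")
    pe2.vrs["A"].learn_from_ce("10.2.0.0/16", "CE-A2")
    pe2.vrs["B"].learn_from_ce("10.1.0.0/16", "CE-B2")   # same prefix as VPN A's site 1
    pe1.global_table[ipaddress.ip_network("198.51.100.0/24")] = "Internet"
    updates = pe1.export_all() + pe2.export_all()       # MP-iBGP update to all PEs
    distributed = {pe.loopback: pe.import_all(updates) for pe in (pe1, pe2)}
    return pe1, pe2, distributed


if __name__ == "__main__":
    pe1, _, distributed = build_network()
    # The same destination resolves differently per VPN and not at all globally.
    print(pe1.lookup("A", "10.1.2.3"), pe1.lookup("B", "10.1.2.3"), pe1.lookup(None, "10.1.2.3"))
    print(distributed)
```

At PE1 the destination 10.1.2.3 is a local site in VPN A, a remote site behind PE2 in VPN B, and unroutable in the global table, which is the article's point that an address is only meaningful within the VPN a packet belongs to. The two MP-iBGP updates for 10.1.0.0/16 never collide because their route distinguishers differ, and each VR accepts only updates carrying its own route target.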