Posted: 09-Apr-2018 | Category: Documents | Uploaded by: pyla-naveen-kumar
8/7/2019 Advanced VPNs
1/29
Advanced VPNs
By,
Pyla Naveen Kumar (M00326029)
Arun Kumar Y (M00325442)
Chirag Rajendran (M00323819)
Tejaswi Jetty (M00332283)
Kodi Venkatesh (M00333216)
MSc Computers and Network Security
Contents
Introduction
What is a VPN
Components of VPN
Types of VPNs
Multicast VPN topics
Conclusion
References
What is a Virtual Private Network (VPN)?
A VPN is:
Network connectivity across a shared infrastructure (such as an ISP).
A private network constructed within a public network infrastructure, such as the global Internet.
It aims to provide the same policies and "performance" as a private network, creating many opportunities for cost savings in operations and infrastructure.
(Source: CISCO White Paper on Multicast VPNs)
VPN Topology: How it works
Operates at layer 2 or 3 of the OSI model:
Layer 2: frame (Ethernet)
Layer 3: packet (IP)
Tunneling
allows senders to encapsulate their data in IP packets that hide the routing and switching infrastructure of the Internet,
to ensure data security against unwanted viewers or hackers.
VPN Components
Protocols
Security
Encryption
Keys
Authentication
Appliances
VPN Components: Protocols
IP Security (IPSec)
Transport mode
Tunnel mode
Point-to-Point Tunneling Protocol (PPTP)
Voluntary tunneling method
Uses PPP (Point-to-Point Protocol)
Layer 2 Tunneling Protocol (L2TP)
Exists at the data link layer of OSI
Composed from PPTP and L2F (Layer 2 Forwarding)
Compulsory tunneling method
Example of encapsulating packets:
VPN Components: Security
Encryption
A technique for scrambling and unscrambling information.
Unscrambled information is called clear-text; scrambled information is called cipher-text.
Keys
A secret code that the encryption algorithm uses to create a unique version of the cipher-text (key lengths such as 8, 16, 56 or 168 bits).
Authentication
Determines whether the sender is the authorized person and whether the data has been redirected or corrupted (system and data authentication).
VPN Components: Appliances
Intrusion detection firewalls
Monitor traffic crossing the network perimeter and protect enterprises from unauthorized access.
A packet-level firewall checks source and destination addresses; an application-level firewall acts as a host computer between the organization's network and the Internet.
Advantages of VPN
Extends geographic connectivity
Boosts employee productivity
Improves Internet security
VPN - Types
PPTP VPN (Dial-up VPN)
A simple method for a VPN is PPTP.
It is a software-based VPN system that uses your existing Internet connection.
By using your existing Internet connection, a secure "tunnel" is created between two points, allowing a remote user to connect to a remote network.
One can set up this type of connection with various types of software or hardware.
Windows Server has PPTP built in, and you can connect to it via the native VPN client within Windows.
Juniper and Cisco also have this ability, but require third-party software to be loaded on remote workstations.
It is sometimes referred to as "dial-up VPN" because when the client software connects it looks like it is dialing up.
PPTP VPN (Dial-up VPN) Topology
Site-to-Site VPN
Site-to-site is much the same as point-to-point except that there is no "dedicated" line in use.
Each site has its own Internet connection, which may not be from the same ISP or even of the same type.
One may have a T1 while the other only has DSL.
Unlike point-to-point, the routers at both ends do all the work: they do all the routing and encryption.
Site-to-site VPNs can work with hardware- or software-based firewall devices.
Site-to-Site VPN Topology
Point to Point VPNs
A traditional VPN can also come as point-to-point. These are also referred to as "leased-line VPNs."
Simply put, two or more networks are connected using a dedicated line from an ISP.
These lines can be packet or circuit switched: for example, T1s, Metro Ethernet, DS3, ATM or something else.
The main strength of using a leased line is the direct point-to-point connection.
It does not go out over the public Internet, so its performance is not degraded by routing problems, latency, and external congestion.
Point to Point VPNs Topology
MPLS VPNs
MPLS is a true "ISP-tuned" VPN. It requires 2 or more sites connected via the same ISP or an "on-net" connection*.
There is a way to configure this using different ISPs or "off-net", but you never get the same performance.
While it does use your existing Internet connection, tweaks are made by your ISP for performance and security.
IP Multicast
IP Multicast is part of the TCP/IP suite of protocols. While IP Unicast uses Class A, B, and C addresses, IP Multicast uses Class D addresses.
Multicast is an efficient paradigm for transmitting the same data to multiple receivers because of its concept of a group address, which allows a group of receivers to listen on a single address.
IP Multicast packets are replicated by routers within the network when more than one sub-network requires a copy of the data. IP Unicast makes the source responsible for creating an individual IP stream for each receiver. Multicast is a robust and scalable solution for group communication because of this distributed replication of data and because only one copy of the packet needs to traverse a link.
For example, suppose a company president sends a presentation to all employees.
With IP Multicast, the bandwidth for one viewer equals the bandwidth for all viewers.
MPLS VPNs Topology
Multicast Routing Protocols
Several routing protocols were designed to work with IP Multicast. These took a "ships in the night" approach, which required a separate routing table for IP Multicast traffic.
Distance Vector Multicast Routing Protocol (DVMRP)
DVMRP was the first multicast routing protocol, and is an example of a source tree routing protocol.
Multicast Open Shortest Path First (MOSPF)
MOSPF attempted to use OSPF for multicast routing. It is also an example of a source tree routing protocol.
Core Based Trees (CBT)
CBTs were designed to use a shared tree to deliver multicast data, but they were never implemented beyond experimental networks.
Multicast Modes
Protocol Independent Multicast (PIM)
PIM does not use a "ships in the night" approach; rather, it is designed to forward IP Multicast traffic using the standard Unicast routing table.
There are two types of PIM protocols: Dense Mode (DM) and Sparse Mode (SM).
PIM Dense Mode (DM)
PIM DM is no longer a widely deployed protocol because PIM SM has proven to be the more efficient multicast mode.
PIM Sparse Mode (SM)
PIM Sparse Mode has been enhanced over the years, evolving from an experimental standard to a draft standard.
It is now the most widely deployed multicast protocol. It initially uses a shared tree, but then allows the last-hop router to join a source tree if it so chooses.
This is an efficient methodology, as it prevents the flooding of data and the associated waste of resources, while forwarding data along the optimal path.
Proposed Multicast VPN Solutions
Multicast Domains
This solution requires the provider to enable IP Multicast within its network.
On each Provider Edge (PE) router, the provider creates a Multicast Tunnel Interface (MTI) and a Multicast VPN routing/forwarding (VRF) instance for each customer.
The MTI encapsulates the customer's Multicast data within the provider's own Multicast packet, with a destination group that is unique to that customer and to which all PEs for that customer belong.
MTI Encapsulation:
Multicast Domain (MD) Using PIM Non-Broadcast Multi-Access (NBMA) Techniques
This solution uses a tunnel interface on the PE. Unlike GRE tunnelling, this is not a point-to-point tunnel.
This tunnel interface tracks the remote PEs and Unicasts the multicast packets to them.
This solution is initially attractive because it keeps multicast state out of the core; however, it requires a large amount of replication by the PE router and creates a great deal of additional Unicast traffic.
Unicast Forwarding of Multicast using NBMA Technique:
Multicast Domain Solution
This method originally had less than optimal performance, because it requires that all PE routers connected to a customer receive all of that customer's Multicast data regardless of the presence of an interested receiver at that location.
When enhancements resolved this characteristic with a new methodology, it became a truly attractive solution.
Default MDT Concept:
Interaction of Customer and Provider Multicast Networks
It is important to remember that the customer's IP Multicast network has no relationship to the provider's multicast network. From the perspective of the provider, the customer's IP Multicast packets are merely data to the provider's distinct IP Multicast network.
It is important to understand that PIM, and in particular PIM-SM, are the only supported multicast protocols for MVPN. Bi-Dir PIM may be supported in the future, when it is deemed stable enough for the core of a provider network.
Customer PIM Adjacencies:
The RPF check on the PE is satisfied when the following conditions are met:
1. The next hop for the source of the CE data is the BGP neighbor, which is the source of the MDT.
2. The source of the MDT is a PIM neighbor.
BGP Requirements
(M)VPN-IPv4 address (12 bytes):
  Route Distinguisher - 8 bytes
    type-field: 2 bytes
    value-field: 6 bytes
    New type for Multicast-VPN: 2
    Its value field (AS format must be used):
      2 bytes ASN
      4 bytes assigned number
  IPv4 address - 4 bytes
Extended community attribute - 8 bytes:
  Type Field: 2 bytes
  Value Field: 6 bytes
  New type: 0x06 (AS format)
  Its Value Field:
    2 bytes ASN
    4 bytes assigned number (MDT Group address)
  OR (currently not supported)
  New type: 0x0106 (Address format)
  Its Value Field:
    4 bytes IPv4 address (MDT Group address)
    2 bytes assigned number
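The two encodings listed above, packed and parsed byte for byte, as an added Python example that is not part of the original deck: the 12-byte (M)VPN-IPv4 address (RD of type 2 in AS format, then the PE's IPv4 address) and the 8-byte MDT extended community of type 0x06 (AS format). The field layout follows the slide; the ASN, assigned number, PE address and group address used for testing are constructed sample values.

```python
import struct
import ipaddress

# Field layout follows the slide's description of the BGP MDT encodings;
# the sample values used with these functions are constructed, not from any real network.
RD_TYPE_MVPN = 2              # "New type for Multicast-VPN: 2" (AS format: 2-byte ASN + 4-byte number)
EXTCOMM_TYPE_MDT_AS = 0x0006  # "New type: 0x06 (AS format)", carrying the MDT group address


def build_mvpn_ipv4_address(asn, assigned_number, pe_address):
    """12-byte (M)VPN-IPv4 address: 8-byte Route Distinguisher + 4-byte PE IPv4 address."""
    if not 0 <= asn <= 0xFFFF or not 0 <= assigned_number <= 0xFFFFFFFF:
        raise ValueError("ASN must fit in 2 bytes and the assigned number in 4 bytes")
    rd = struct.pack("!HHI", RD_TYPE_MVPN, asn, assigned_number)  # type(2) + ASN(2) + number(4)
    return rd + ipaddress.IPv4Address(pe_address).packed


def parse_mvpn_ipv4_address(data):
    """Inverse of build_mvpn_ipv4_address; rejects wrong lengths and unexpected RD types."""
    if len(data) != 12:
        raise ValueError("(M)VPN-IPv4 address must be exactly 12 bytes")
    rd_type, asn, assigned_number = struct.unpack("!HHI", data[:8])
    if rd_type != RD_TYPE_MVPN:
        raise ValueError("unexpected RD type %d (expected %d)" % (rd_type, RD_TYPE_MVPN))
    return {"asn": asn, "assigned_number": assigned_number,
            "pe_address": str(ipaddress.IPv4Address(data[8:]))}


def build_mdt_extended_community(asn, mdt_group):
    """8-byte extended community: type 0x0006 (2), ASN (2), MDT group address (4)."""
    group = ipaddress.IPv4Address(mdt_group)
    if not group.is_multicast:
        # The MDT group must be a Class D address; anything else would never be joined by PEs.
        raise ValueError("MDT group %s is not a Class D (multicast) address" % group)
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("AS format carries a 2-byte ASN")
    return struct.pack("!HH", EXTCOMM_TYPE_MDT_AS, asn) + group.packed


def parse_mdt_extended_community(data):
    """Inverse of build_mdt_extended_community; only the AS-format type 0x0006 is accepted."""
    if len(data) != 8:
        raise ValueError("extended community must be exactly 8 bytes")
    ec_type, asn = struct.unpack("!HH", data[:4])
    if ec_type != EXTCOMM_TYPE_MDT_AS:
        raise ValueError("not an MDT (AS format) extended community: type 0x%04x" % ec_type)
    return {"asn": asn, "mdt_group": str(ipaddress.IPv4Address(data[4:]))}
```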
Transparency enjoyed in VPNs
After a VPN client is installed on a client PC, the user simply needs to log in with a username and password and can then immediately gain access to the remote network.
Transparency in the IT world means nothing but an action that takes place without the knowledge of the user.
For instance, in VPNs the user is not bothered about the PIM modes or the tunneling modes; they just need to know the username and password.
Any Questions?...