How To Build A Virtual Rivate Network

Transcription

1 rovider based Virtual rivate Networks An introduction and an MLS case Lecture slides for S Mika Ilvesmäki The idea is to create a private network via tunneling and/or encryption over the public Internet. Sure, it s a lot cheaper than using your own frame-relay connections, but it works about as well as sticking cotton in your ears in Times Square and pretending nobody else is around. - Wired Magzine on VNs in February Lecturer s note: If, in the final exam, asked about VNs, do not use the above definition. lease! Networking laboratory Contents VN terminology VNs on I layer addressing, routing, security Engineering VNs with Controlled route leaking Tunnels MLS What is a VN? Virtual network resources used are part of a common shared resource rivate privacy of addressing and routing topological isolation security (authentication, encryption, integrity) of the data (seemingly) dedicated use of network resources temporal isolation Network devices that communicate through some arbitrary method 1

2 Virtual rivate Networks A VN is a private network constructed within a public network infrastructure, such as the global internet Equipment and facilities used to build the VN are also in other s use->virtual and addressing is separate from all other networks and data is secured -> private VNs require that the flow of routing data is constrained to constrain the flow of user data Connect geographically dispersed sites -> network VN rivate network where privacy is introduced with some method of virtualization Between two organizations, end-systems within single organization or multiple organizations or applications Across the global Internet Intersite connectivity types Ranging from full-mesh (n(n-1)/2 connections) to hub and spoke type of connectivity reliability problems! Hub Spoke Spoke Why VNs? Omnipresent coverage Cost reduction no separate private networks Security E-Commerce especially B2B Corporate Intranet Intranet ublic Internet Dial-up Access rivate lines Extranet Access 2

3 VN technologies Data Integrity and Confidentiality Controlled route leaking manually or with BG communities (RFC 2858) Tunneling GRE, IinI or MinI VDNs Tunneling -traffic with L2T or T thru dial-up connections Layer 2 VNs with dedicated ATM or FR connections VNs with MLS (and BG in RFC 2547) VNs and routing Virtual private networks require special actions from standard I routing Controlled route leaking (route filtering), NAT manual management, scalability problems, address space mgmnt VNs can also be constructed on layer 2 restricted use of ATM or FR virtual connections x x management problems transferred to layer x x Route Filter to x deny all permit /3/4/5.x x x x x x Addressing rivate address space defined in RFC 1918 (BC) Addresses may be used freely within enterprise networks (10/8 prefix) (172.16/12 prefix) ( /16 prefix) ISs will reject packets with above addresses Need for NAT or application layer gateways for Internet communications Notes on route filtering Route filtering is the most basic way of constructing VNs not recommendable rivacy through obscurity Security means ISs managing customer edges or inserting address filters Requires common routing core VN addresses may not overlap within the routing core 3

4 BG issues RFC 2858 Multiprotocol extensions for BG-4 Network Layer Reachability Identifier RFC 1997 BG communities attribute Mark the NLRI with a community attribute routes within VN can be marked with a single community instead of keeping up with individual routes Tunneling Configure tunnels across the network Customer edge routers will act as tunnel exit points Allows for multiple use of VN/I addresses in different VNs Manual configuration without use of routing protocols Requires connectivity to all customer premises (VN members) n(n-1)/2 connections -> no management scalability x x x x x x x x x Notes on tunneling Allows for overlapping in VN addresses Multiprotocol capable Manual configuration of tunnels Low tolerance on network topology changes Concerns on QoS issues CE routers (tunnel exit points) have to managed by the IS VN management issues Management of traditional VNs is manual Tunnels are setup manually information is manually configured Complexity of VN management results from the integration of I route lookup and forwarding decisions 4

5 MLS for VNs with BG Meeting the (MLS) objective for flexibility in new service introduction MLS separates the route lookup and forwarding somewhere in between layers 2 and 3. MLS basics covered in S Virtual rivate Network Tunnel via core network virtual backbones Separate VN address spaces Advertising of VN networks either by a routing protocol (RFC 2547 BG/MLS VNs) or label distribution protocol Requirements for MLS/VNs Use of VN/I addresses Constrained distribution of routing information BG, LD Multiple forwarding tables Naturally for traffic inside the VN outside the VN At IS edge VN addresses may conflict for traffic between VNs This is where MLS kicks in! Note on BG mechanisms Globally non-unique addresses dealt with VN-I addresses and Route Distinguisher no constraint on connectivity Constrain the distribution of routing info dealt with BG (extended) community - field Constrained distribution of routing information 1. info from customer site (CE) to provider edge (OSF) 2. Export routing info to provider BG (CE->E) Attach BG (extended) community attribute constrained distribution of BG info 3. Distribute with other VN/Es using BG 4. Extract routing info on other Es (opposite to 2.) Route filtering based on BG community attribute 5. info from E to CE (OSF) C 1 E 1 C 2 E 1 E1 E 2 C 1 E 2 C 2 E 3 C 1 E 3 C 2 E 2 C 2 E 4 5

6 Constrained distribution of routing information - notes Distribution of BG info is handled by the IS no involvement from the customer CE maintains routing peering with only the nearest E To add a new site to an existing VN only the connecting E needs to be configured E only maintains routes for the directly connected VNs Multiple Forwarding s To allow per-vn segregation otherwise packets could be traveling from one VN to another OR alternatively careful management of address would be needed C 1 E 1 C 2 E 1 VN C 1 FT -forwarding table VN C 2 FT -another forwarding table E1 E 2 C 1 E 2 C 2 E 3 C 1 E 3 C 2 E 2 C 2 E 4 VN-I addresses BG assumes that I addresses are unique not valid when using private address space (RFC 1918) I address + Route Distinguisher RD=Type+AS number+assigned number AS number = IS AS number Assigned number = VN identifier given byis VN-I addresses are unique Use of VN-I addresses is done only in IS network no customer involvement, conversion done at E VN-I addresses are carried only in routing protocol messages, not in I headers not used for packet forwarding MLS as a forwarding mechanism Bind MLS labels to VN-I addresses at E IS with 200 routers (E and ) with VNs with 100 routes per VN = 10000*100 routes in each router Use two levels of labels (label stacks) 1st level label is from E to E (labels distributed with LD etc.) 2nd level label is from egress E forward (distributed with BG/VN-I routes) IS -routers maintain only200 routes C 1 E 1 C 2 E 1 C 2 E 2 VN label X E1 IG label to E 2 MLS cloud E 2 C 2 E 4 C 1 E 2 C 2 E 3 C 1 E 3 6

7 2-level MLS label stack Bottom label E receives a packet from CE If the packet should be forwarded to the backbone, a label is attached to reach the egress E Top label E starts to send the packet to the backbone E looks into the IG routing table to find the next hop () towards E and assigns a label to this information acket is the carried through the backbone ( routers) and routers are unaware of the VNs Isec, I Security Architecture IETF I Security Working Group Several commercial implementations Authentication header (AH) provides for access control, message integrity, authentication and anti-replay Encapsulated Security ayload (ES) provides for AH services + confidentiality Key Exchange rotocol ISAKM + Oakley/SKEME ISEC tunneling methods Encrypting of the I Datagram (IinI) I gateway address ES Original, but encrypted TC/I preventing traffic analysis Encryption of transport layer data Original I address AH ES Original, but encrypted TC securing the contents of a connection QoS in VNs Manual link provisioning dedicated connection oriented layer 2 links guarantee performance Internet is not connection oriented layer 2 CE or E routers set the DSC-byte traffic classification? Alternative routes Quality of Service in the Internet dealt with in S

8 VNs with or without ISs VNs realized with IS Strategic partnership with IS IS may manage the CE devices Centralized management, outsourced VN mgmnt VNs realized on your own Restricted knowledge on network outside the company Need for VN specialists Flexibility E-1 alveluntarjoajan runkoverkko E-2 Interface Serial0: VN A VN A Target Next Hop Label - VN A VN B Global BG / OSF / RI Update, NH= E-1 E-2 BG / OSF / RI Update, NH= E-1 E-2 alveluntarjoajan runkoverkko alveluntarjoajan runkoverkko 8

9 Global RT: VN-A In-label Next Hop Label 69 VN A O VN A VN C Global E-1 E-2 E-1 E-2 alveluntarjoajan runkoverkko VN-v4 update: RD:1:27:, Next-hop=E-1 SOO=J:kylä, RT=VN-A, Label=(69) VN A Target Next Hop Label E-1 69 E-1 E-2 E-1 E-2 BG / OSF / RI Update, NH=E-2 VN-v4 update: RD:1:27:, Next-hop=E-1 SOO=J:kylä, RT=VN-A, Label=(69) VN-v4 update: RD:1:27:, Next-hop=E-1 SOO=J:kylä, RT=VN-A, Label=(69) 9

10 Interface Serial0.1: VN A VN A Target Next Hop Label E-1 69 VN A VN C Global E-1 E-2 E-1 E-2 69 Global Dest Out-int Label E-1 Serial2 27 In-int/label Out-int Label Serial0/27 Serial1 O E-1 E-2 E-1 E

11 Global In-int/label Next Hop Label In-int/label Out-int Label Serial2/69 VN A O Serial0/27 Serial1 O E-1 E-2 E-1 E VN A Target Next Hop Label - E-1 E-2 E-1 E-2 Ville Helenius,

12 Final words VNs are an existing solution due to the need of Intranets VNs may connect anything from two end devices to two networks with tunnels, routing, MLS and naturally with leased lines Use of VNs adds network management load either in the company or within the IS 12