CPE-based VPNs
Hans De Neve, Alcatel Network Strategy Group
All rights reserved © 2000, Alcatel
Customer Premises Equipment based Virtual Private Networks

Contents
- Global VPN requirements: what sort of connectivity does it provide?
- Deployment View: what does a typical CPE VPN look like?
- Technology View: what are the underlying technologies?
- Network View
- Differentiation and Success Factors: where are the factors today, and what will they be in future?
Global VPN requirements
- Connectivity
  - IP connectivity between geographically dislocated sites using private addressing
  - transparent to the underlying shared infrastructure => tunnelling mechanism
- Security
  - data privacy (e.g. encryption)
  - authentication and integrity
- Scalability
- Management
- ...
Proposed Technology: IPsec
- IP security offers
  - tunnelling (forwarding in the shared Internet is normal IP forwarding)
  - authentication and integrity
  - cryptographic encryption
- IPsec can be used with IKE
  - IKE = Security Association negotiation and Key Exchange Protocol
CPE VPN Deployment View (diagram)
- Headquarters: Corp. server, Finance server, Policy manager, VPN gateway, LAN-based VPN client
- Branch Office: Policy manager, VPN gateway, LAN-based VPN client
- ASP Data center: VPN gateway
- Customer / Business Partner: VPN gateway (Site-Site VPN), LAN-based VPN client
- Dial-up VPN clients: Domestic Sales, International Sales
- Web Surfers
- All sites attach to the Internet over uplink PVCs (128 K, 256 K, 512 K)
CPE VPN Network View (diagram)
- Packet on the shared network: new IP header | IPsec header | IP data (possibly encrypted)
- IPsec connectivity runs end to end between the two CPEs
- Path: CPE - L2 Access Network - L3 Access + Distribution + L3 Edge - Service Provider Network (IP routing / MPLS Traffic Engineering) - L3 Edge + Distribution + L3 Access - L2 Access Network - CPE
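As an added illustration of the packet layout on this slide (not part of the original deck), the following Python builds and verifies a tunnel-mode ESP packet: new outer IPv4 header, ESP header, the whole inner IP packet, ESP trailer and ICV. It uses ESP-NULL encryption (RFC 2410) with HMAC-SHA1-96 integrity (RFC 2404) so it runs with the standard library only; the addresses, SPI and key are constructed sample values.

```python
import hashlib, hmac, socket, struct

ESP_PROTO = 50          # protocol number carried in the new (outer) IP header
NEXT_HEADER_IPV4 = 4    # ESP trailer value: payload is a whole IPv4 packet (tunnel mode)
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404): 160-bit digest truncated to 96 bits

def ipv4_checksum(hdr: bytes) -> int:
    # One's-complement sum over 16-bit words; a header with a correct checksum sums to 0
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def esp_tunnel_encap(inner_pkt, spi, seq, auth_key, outer_src, outer_dst):
    # ESP-NULL (RFC 2410): data stays in clear, so only framing and integrity are shown here.
    # Pad so that Pad Length + Next Header end on a 4-byte boundary (RFC 4303 default padding 1,2,3,...)
    pad_len = (-(len(inner_pkt) + 2)) % 4
    body = (struct.pack("!II", spi, seq) + inner_pkt + bytes(range(1, pad_len + 1))
            + bytes([pad_len, NEXT_HEADER_IPV4]))
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # covers SPI .. Next Header
    esp = body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp

def esp_tunnel_decap(pkt, spi_expected, last_seq, auth_key):
    # Returns (inner_packet, seq); raises ValueError on unknown SPI, replay or bad ICV
    esp = pkt[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != spi_expected:
        raise ValueError("unknown SPI")
    if seq <= last_seq:                       # simplest anti-replay rule: strictly increasing
        raise ValueError("replayed sequence number")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # verify before trusting any trailer field
        raise ValueError("ICV mismatch")
    pad_len = body[-2]
    return body[8:len(body) - 2 - pad_len], seq

# Constructed sample: private-address packet between two sites, tunnelled between public gateways
AUTH_KEY = b"constructed-sample-hmac-key"
INNER = ipv4_header("10.1.0.5", "10.2.0.7", 17, 11) + b"hello-world"
OUTER = esp_tunnel_encap(INNER, 0x1000, 1, AUTH_KEY, "192.0.2.1", "198.51.100.1")
```

A real gateway would replace ESP-NULL with the IKE-negotiated cipher and use a sliding anti-replay window rather than a single last-seen counter.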
CPE VPN Network Topologies: HUB and SPOKE topology (diagram)
- Sites 1 to 4 connected over the Internet; an IPsec tunnel runs from each spoke site to the hub site only
CPE VPN Network Topologies: Full Mesh topology (diagram)
- Sites 1 to 4 connected over the Internet; an IPsec tunnel runs between every pair of sites
CPE VPN - Dial-up VPN Client (diagram)
- The dial-up client runs IP over PPP into the L2 Access Network
- Option 1: the client's PPP session is tunnelled in L2TP across the L2 Access Network, L3 Access + Distribution + L3 Edge and the Service Provider Network to the CPE
- Option 2: IP from the dial-up client is protected with IPsec all the way to the CPE
CPE VPN Gateway Technologies
- IKE Daemons
  - Phase I and Phase II negotiations to generate/update IPsec keys and set up Security Associations (IPsec tunnels)
  - Use of certificates vs. shared secret for authentication
  - Proposal exchange and agreement, exchange of proxy ids
- IPsec Drivers
  - Handling of IP packets based on IP header and proxy ids
  - Encryption using IKE-negotiated keys and encryption algorithm
  - Encapsulation of IP packets using IPsec headers
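An added example, not from the original deck, of the proxy-id handling listed under IPsec Drivers: an ordered policy lookup that decides whether an outbound packet is protected, bypassed or discarded, and the inbound check that a decapsulated packet's inner header actually matches the proxy ids negotiated for the SA it arrived on. The hub-and-spoke addresses, SPIs and policies are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Selector:
    # Proxy ids negotiated in IKE Phase II: the local/remote traffic an SA may carry
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: Optional[int] = None           # None = any IP protocol

    def matches(self, src: str, dst: str, proto: int) -> bool:
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote
                and (self.proto is None or self.proto == proto))

@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                           # "PROTECT" (send over SA spi), "BYPASS", "DISCARD"
    spi: Optional[int] = None

def outbound_lookup(spd, src, dst, proto):
    # Ordered policy search: first matching entry wins; no match means DISCARD
    for entry in spd:
        if entry.selector.matches(src, dst, proto):
            return entry.action, entry.spi
    return "DISCARD", None

def inbound_check(sa_table, spi, inner_src, inner_dst, proto):
    # After decapsulation the inner header must match the SA's proxy ids in the reverse
    # direction (remote -> local), so the call swaps src/dst. Anything else is dropped:
    # a peer on one tunnel must not inject packets claiming another site's addresses.
    sel = sa_table.get(spi)
    return sel is not None and sel.matches(inner_dst, inner_src, proto)

# Constructed hub-and-spoke example: HQ hub 10.1.0.0/24, spokes 10.2.0.0/24 and 10.3.0.0/24
NET = ipaddress.ip_network
TO_SPOKE2 = Selector(NET("10.1.0.0/24"), NET("10.2.0.0/24"))
TO_SPOKE3 = Selector(NET("10.1.0.0/24"), NET("10.3.0.0/24"))
HUB_SPD = [
    Policy(TO_SPOKE2, "PROTECT", spi=0x1000),
    Policy(TO_SPOKE3, "PROTECT", spi=0x1001),
    Policy(Selector(NET("10.1.0.0/24"), NET("0.0.0.0/0")), "BYPASS"),  # plain Internet access
]
HUB_SA = {0x1000: TO_SPOKE2, 0x1001: TO_SPOKE3}   # inbound SAs keyed by SPI
```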
CPE VPN Gateway Differentiation & Success Factors - Today
- Number of concurrent IPsec tunnels supported
  - Maps to the memory and CPU required to maintain state for tunnels
  - Critical for dial-up scenarios and large numbers of branch offices
  - Critical for multi-tenant MAN service networks
- Throughput over the IPsec tunnels
  - Maps to encryption/decryption speeds of the CPU/ASIC
  - Critical for the HUB site or in case of gigabit campus networks
  - Critical for gigabit IP access service networks
- Restoration of tunnels in case of VPN gateway failure
CPE VPN Gateway Differentiation & Success Factors - Future
- Enterprise market as a pure IP overlay VPN solution
  - Number of IPsec tunnels, throughput over IPsec tunnels, recovery
  - Dynamic membership of sites to a VPN for Site-Site VPNs
  - Integration with PKI infrastructure, AAA for VPN Clients
- Carrier/Service Provider market as a vehicle for IPVPN services
  - Integration of configuration with service provisioning solutions
  - Integration with IPVPN service functionality such as Firewall, QoS
  - Integration with data collection for services (assurance + billing)
CPE IPVPN: Vehicle for IPVPN Services (diagram)
- Service provider management: installation team, network team, security team and policy server; billing data and SLA info collected from the network
- New York Headquarters: policy router, Corp. server, Web server; HR: WW users adds/changes; IS Dept: US security policy mgmt., IS enterprise management
- Geneva office: policy router; IS Dept: Europe security policy mgmt.
- Tokyo office: policy router; IS Dept: Asia security policy mgmt.
- The sites interconnect over the Internet through their policy routers