MPLS / VPN Connectivity between VPNs JET 2004/03/15.

Outline
- Security of the MPLS Architecture
- Case Study: SuperNet
- Connectivity between VPNs
- Overlapping Virtual Private Networks
- Multiprotocol BGP in the SuperNet Network
- Conclusions

Security of the MPLS Architecture
- Address Space and Routing Separation
- Hiding of the MPLS Core Structure
- Resistance to Attacks
- Impossibility of Label Spoofing

Address Space and Routing Separation
- Any VPN must be able to use the same address space as any other VPN
- Any VPN must be able to use the same address space as the MPLS core
- Routing between any two VPNs must be independent
- Routing between any VPN and the core must be independent
[Figure: Format of a VPN IPv4 Address]

Hiding of the MPLS Core Structure
- Attacks become more difficult because the customer sees only the addresses of the PE interfaces facing it, comparable to a Layer 2 (Frame Relay or ATM) infrastructure
[Figure: MPLS core with a PE router holding VRF CE1 and VRF CE2, attached to CE 1 and CE 2; labels IP(PE;L0), IP(CE1), IP(CE2), IP(PE;fa0), IP(PE;fa1); the "Visible Address Space" is the CE-facing interfaces]

Resistance to Attacks
The MPLS core can be attacked in two basic ways:
- By attacking the PE routers directly
- By attacking the signaling mechanisms of MPLS (mostly routing)

                  | Has Access | Has No Access
Authorized User   | Normal     | Denial of service
Unauthorized User | Intrusion  | Normal

Impossibility of Label Spoofing
- In Cisco routers, the implementation is such that packets that arrive on a CE interface with a label will be dropped
- There is strict addressing separation within the PE router, and each VPN has its own VRF, so a spoofed packet can only affect the VPN that the spoofed packet originated from

Case Study: SuperNet
[Figure: SuperNet topology with Taipei, Taichung and Kaohsiung POPs; EuroBank and FastFood customer sites (HQ, Finance, IT, Zhongxiao, Ren'ai, Taipei, Kaohsiung, Tainan, Chiayi) attached via CE routers to PE routers, with P and C routers in the core. POP: Point of Presence]

Address Space of EuroBank and FastFood

Company  | Site       | Subnet
EuroBank | Taipei HQ  | /24
         | Zhongxiao  | /24
         | Ren'ai     | /24
         | Finance    | /24
         | IT         | /24
         | Tainan     | /24
FastFood | Kaohsiung HQ | /24
         | Tainan     | /24
         | Chiayi     | /24
         | Taipei     | /24

SuperCom can traditionally solve the overlapping addresses issue in three ways:
- It can persuade the customers to renumber their networks. Most customers would not be willing to do that and would rather find another service provider.
- It can implement the VPN service with IP-over-IP tunnels, where the customer IP addresses are hidden from the service provider routers.
- It can implement a complex network address translation (NAT) scheme.

VPN Routing and Forwarding Tables
- The major obstacle of peer-to-peer VPN implementations is overlapping addresses
- MPLS/VPN technology provides an elegant solution: each VPN has its own routing and forwarding table in the router
- Any customer is provided access only to the set of routes contained within that table
- A PE router in an MPLS/VPN network thus contains a number of per-VPN routing tables and a global routing table that is used to reach other routers in the provider network
- A number of virtual routers are created in a single physical router

Virtual Routers Created in a PE Router
[Figure: the Taipei POP PE router holding an EuroBank virtual router (Taipei HQ, Zhongxiao, Ren'ai sites), a FastFood virtual router (Taipei site) and the global routing table used toward Taichung]

More structures are associated with each virtual router:
- A forwarding table that is derived from the routing table and is based on CEF (Cisco Express Forwarding) technology
- A set of interfaces that use the derived forwarding table
- Rules that control the import and export of routes from and into the VPN routing table. These rules were introduced to support overlapping VPNs
- A set of routing protocols/peers, which inject information into the VPN routing table. This includes static routing
- Router variables associated with the routing protocol that is used to populate the VPN routing table

VRF: VPN routing/forwarding instance
A VRF consists of:
- an IP routing table
- a derived forwarding table
- a set of interfaces that use the forwarding table
- a set of rules and routing protocols that determine what goes into the forwarding table
In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.

Connectivity between VPNs
[Figure: a PE router with CE 1 in Routing Context 1 and CE 2 in Routing Context 2; each VRF combines a routing table, a forwarding table and an ACL; the routing protocol belongs to the control plane (binding layer), the IP packet to the data plane (forwarding layer)]

Overlapping Virtual Private Networks
Imagine that SuperCom wants to extend its service offering with a Voice over IP (VoIP) service with gateways to the public voice network.

IP Addresses of VoIP Gateways in the SuperCom Network

VoIP Gateway Location | VoIP Gateway IP Address
Taipei                |
Kaohsiung             |

VoIP Service
[Figure: SuperNet with Taipei, Taichung and Kaohsiung POPs, the EuroBank and FastFood sites, and the VoIP gateways]
Both EuroBank and FastFood decided to use the service, but only from their central sites; the branch offices have no need for international voice connectivity.

VPN Connectivity Requirements in the SuperNet Network
[Figure: required reachability between the Taipei HQ, Zhongxiao, Ren'ai, Kaohsiung, Taipei, Tainan and Chiayi sites, the Kaohsiung HQ and the VoIP gateways]

VRFs in the PE Routers in the SuperNet Network

PE router | VRF         | Sites in the VRF                      | VRF belongs to VPNs
Taipei    | EuroBank HQ | EuroBank Taipei                       | EuroBank, VoIP
          | EuroBank    | EuroBank Zhongxiao, EuroBank Ren'ai   | EuroBank
          | FastFood    | FastFood Taipei                       | FastFood
          | VoIP        | Taipei VoIP gateway                   | VoIP
Kaohsiung | EuroBank    | EuroBank Kaohsiung                    | EuroBank
          | FastFood HQ | FastFood Kaohsiung                    | FastFood, VoIP
          | FastFood    | FastFood Tainan, FastFood Chiayi      | FastFood
          | VoIP        | Kaohsiung VoIP gateway                | VoIP

Propagation of VPN Routing Information in the Provider Network
Two fundamentally different ways exist for approaching the VPN route exchange between PE routers:
1. The PE routers could run a different routing algorithm for each VPN. This causes scalability problems in service provider networks with a large number of, and faces interesting design challenges when asked to provide support for overlapping VPNs.
2. The PE routers run a single routing protocol to exchange all VPN routes. To support overlapping address spaces of VPN customers, the IP addresses used by the VPN customers must be augmented with additional information to make them unique.

IP subnets advertised by the CE routers to the PE routers are augmented with a 64-bit prefix called a route distinguisher to make them unique.
Why MP-BGP?
- The number of VPN routes in a network can become very large
- This BGP feature supports keeping VPN routing information out of the provider core routers (P routers)
- BGP can carry any information attached to a route as an optional BGP attribute

VoIP Service
[Figure: the first approach, with a separate IGP per VPN (IGP for VoIP, IGP for EuroBank, IGP for FastFood) running between the Taipei, Taichung and Kaohsiung PE routers]

Multiprotocol BGP in the SuperNet Network
[Figure: MP-BGP between the PE routers; OSPF, RIP and static routes toward the Taipei HQ, Zhongxiao, Ren'ai and Kaohsiung sites]
- Step 1: run each routing protocol per VRF
- Step 2: advertise the VRF routes by MP-BGP across the P routers
- Step 3: receive the route information and save it in the VRF
- Step 4: advertise the route information to the CE
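The following is an added example, not part of the original slides, that models the mechanisms of the last three slides: the route distinguisher that makes overlapping CE prefixes unique in MP-BGP, and the per-VRF import/export rules (BGP route-target extended communities in RFC 2547, which the slides describe but do not name) that let the EuroBank and FastFood HQ VRFs also belong to the VoIP VPN. The RDs, route targets and prefixes are constructed sample values, and the central-services policy (HQ VRFs export a client target and import only the gateway target) is an assumed design, not one stated on the slides.

```python
# Added example (not from the slides): RD + route-target model of VPN-IPv4 route
# exchange between the Taipei and Kaohsiung PE routers. All RDs, targets and
# prefixes are constructed sample values.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnRoute:
    rd: str               # route distinguisher (64 bits on the wire)
    prefix: str           # customer IPv4 prefix; may repeat across VPNs
    targets: frozenset    # export route targets carried as extended communities

@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set        # attached to every route this VRF advertises
    import_rt: set        # a route is installed if it carries any of these
    routes: set = field(default_factory=set)   # prefixes learned from the CE

def export_to_mpbgp(vrfs):
    """Sending PE: every VRF prefix becomes a unique VPN-IPv4 route (RD + prefix)."""
    return {VpnRoute(v.rd, p, frozenset(v.export_rt)) for v in vrfs for p in v.routes}

def import_into(vrf, table):
    """Receiving PE: only routes carrying one of the VRF's import targets are
    installed. Returns prefix -> sorted RDs it arrived with (own routes excluded)."""
    learned = {}
    for r in sorted(table, key=lambda r: (r.prefix, r.rd)):
        if r.rd != vrf.rd and r.targets & vrf.import_rt:
            learned.setdefault(r.prefix, []).append(r.rd)
    return learned

def shared_vrf_conflicts(vrf, table):
    """Prefixes reaching one VRF under two different RDs. Between isolated VPNs
    overlap is harmless; inside a shared (VoIP gateway) VRF it is a collision."""
    return {p for p, rds in import_into(vrf, table).items() if len(rds) > 1}

# Taipei PE: EuroBank HQ (EuroBank + VoIP VPNs) and the FastFood Taipei site, both
# numbered 10.1.1.0/24. Kaohsiung PE: EuroBank branch, FastFood HQ, VoIP gateway.
EB_HQ  = Vrf("EuroBank-HQ", "65000:11", {"EB", "VOIP_CLIENT"}, {"EB", "VOIP_GW"}, {"10.1.1.0/24"})
FF_TPE = Vrf("FastFood-Taipei", "65000:21", {"FF"}, {"FF"}, {"10.1.1.0/24"})
EB_KHH = Vrf("EuroBank-Kaohsiung", "65000:12", {"EB"}, {"EB"}, {"10.1.2.0/24"})
FF_HQ  = Vrf("FastFood-HQ", "65000:22", {"FF", "VOIP_CLIENT"}, {"FF", "VOIP_GW"}, {"10.2.2.0/24"})
VOIP   = Vrf("VoIP-gateway", "65000:30", {"VOIP_GW"}, {"VOIP_CLIENT"}, {"192.0.2.0/24"})
TABLE  = export_to_mpbgp([EB_HQ, FF_TPE, EB_KHH, FF_HQ, VOIP])   # the MP-BGP table
```

The two 10.1.1.0/24 prefixes survive as two distinct VPN-IPv4 routes, the VoIP VRF learns both HQ prefixes while neither HQ learns the other's, and `shared_vrf_conflicts` flags the one case overlapping addresses do break: two VoIP customers numbering their HQ identically.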

Conclusion
How can two sites that use the same address space be connected within a VPN?