Using LISP for Secure Hybrid Cloud Extension draft-freitasbellagamba-lisp-hybrid-cloud-use-case-00 Santiago Freitas Patrice Bellagamba Yves Hertoghs IETF.


Using LISP for Secure Hybrid Cloud Extension
draft-freitasbellagamba-lisp-hybrid-cloud-use-case-00
Santiago Freitas, Patrice Bellagamba, Yves Hertoghs
IETF 89, London, UK

A New Use Case for LISP
– It is a use case draft.
– Covers the use of LISP to enable a secure Layer 3-based Hybrid Cloud Extension.
  – Relevant for cloud bursting, workload migration, rapid provisioning of new applications in the cloud, and disaster recovery use cases.
– 67% of enterprises expected to be pursuing a hybrid cloud computing strategy by 2015 (47% the year before).
  – Source: Gartner DC Summit
3/March/2014, draft-freitasbellagamba-lisp-hybrid-cloud-use-case-00, slide 2

A New Use Case for LISP
– LISP, in combination with IPsec or any other encryption mechanism, implemented on a virtualized router deployed in the public cloud and in the enterprise DC.
  – Allows virtual machines (VMs) to be moved to the cloud without changing the VM's IP address, mask or default gateway; the same subnet exists on both sites.
– Running code is available and has been tested on large cloud providers.

Advantages over other proposals
– Does not extend the failure domain.
  – Total isolation of broadcast (Layer 2) domains between Enterprise and Cloud.
  – Allows a routed (Layer 3) connection between sites.
– Natively provides a gateway in the Cloud for optimal routing between servers moved to the Cloud.
  – No hairpinning, saving "InterCloud" bandwidth and latency.
– Works with any standard VM in the Cloud; no need to modify the VM for migration.
– Ingress path optimization from remote sites to the Cloud is easily achievable.

[Diagram: Using LISP for Secure Hybrid Cloud Extension. Components: WAN, Internet, Enterprise Data Center (Hypervisor), Public Cloud Provider (Hypervisor), Branch Office with Internet connection, Branch Office, WAN Acceleration (optional) at both sites. Legend: Virtualized Router with LISP.]
Callouts on the diagram:
– xTR: Default Gateway for servers (VMs); RLOC in the Enterprise address space.
– PxTR: Not the Default Gateway, hence non-intrusive; RLOC in the Enterprise address space.
– MS/MR can be located in the Enterprise or in the Cloud.
– No change to the server's IP address/mask/gateway; Enterprise-owned and -managed IP address in the Cloud. The subnet (not the VLAN) is extended into the cloud.
– Traffic between Enterprise and Cloud should be encrypted, using IPsec or any other mechanism.
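To make the diagram's behaviour concrete, here is an added toy model of the EID-to-RLOC mapping that lets a VM keep its address when it moves: the cloud xTR registers a more-specific /32 for the migrated VM, the map-resolver's longest-prefix match then steers only that VM's traffic across sites, and any cross-site hop is flagged as needing encryption. This is illustration written for this page, not code from the draft or from any vendor product; the RLOCs, EID prefix and the "must encrypt" policy are constructed.

```python
"""Toy LISP mapping model for the hybrid-cloud extension (constructed example)."""
from ipaddress import ip_address, ip_network

class MapServer:
    """Minimal EID-to-RLOC database standing in for the MS/MR on the slides."""
    def __init__(self):
        self.db = {}  # EID prefix -> RLOC

    def register(self, eid_prefix, rloc):
        self.db[ip_network(eid_prefix)] = ip_address(rloc)

    def lookup(self, eid):
        """Longest-prefix match: a /32 registered by the cloud xTR beats the enterprise /24."""
        eid = ip_address(eid)
        matches = [p for p in self.db if eid in p]
        if not matches:
            return None
        return self.db[max(matches, key=lambda p: p.prefixlen)]

# Constructed RLOCs; both sit in the enterprise address space, as the slides require.
ENTERPRISE_RLOC = "10.0.0.1"
CLOUD_RLOC = "10.0.0.2"

def build_mapping_system():
    """Initial state: the enterprise xTR is the gateway for the whole (constructed) subnet."""
    ms = MapServer()
    ms.register("192.0.2.0/24", ENTERPRISE_RLOC)
    return ms

def migrate_vm(ms, vm_ip):
    """The VM keeps its IP/mask/gateway; only the cloud xTR registers a more-specific EID."""
    ms.register(f"{vm_ip}/32", CLOUD_RLOC)

def forward(ms, local_rloc, dst_eid):
    """Forwarding decision at the xTR identified by local_rloc for a packet to dst_eid.

    Returns (action, rloc, needs_encryption). Same-site destinations are routed
    locally with no tunnel; inter-site destinations are LISP-encapsulated towards
    the remote RLOC and, per the slides, that path must be encrypted.
    """
    rloc = ms.lookup(dst_eid)
    if rloc is None:
        return ("drop", None, False)
    if str(rloc) == local_rloc:
        return ("local", str(rloc), False)
    return ("encap", str(rloc), True)
```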

Feedback received on Mailing List
– Concern with the use of pre-established IPsec tunnels.
  – A secure (encrypted) connection between enterprise and cloud is needed; IPsec is used as a transport to encrypt the LISP flow. It is one option; other options will be incorporated into future versions of the draft.
  – How to extend the RLOC space into the cloud should also be considered. IPsec allows NAT; native LISP data-plane and control-plane address translation is to be investigated further.
– The document should be more explicit about what the resulting message stack looks like.
  – Will be covered in version 01.

Areas to be included in version 01
– State more explicitly where the IPsec tunnel is, and incorporate other options for encryption so that the IPsec tunnel becomes optional.
– Discuss how private IPv4 addresses will be handled and where NAT devices will be deployed.
– Performance and scalability considerations.
– Management and automation considerations.
– Document the resulting encapsulation stack.

Ask to the Working Group
– Adopt this draft as one of the use cases for LISP.
– Consider the Secure Hybrid Cloud Extension use case to aid in future evolution of the protocol.