Virtual Private Networks

VPNs
• Definition: A VPN is an emulation of a private
wide area network (WAN) facility using IP
facilities (including the public Internet, or private
IP backbones).
• VPNs can be implemented in many ways:
– CPE based solutions
– Network based solutions
Motivations
• Need private communication networks for
multiple sites => “private WANs”
• Two types of existing private networks:
– dedicated WANs (permanently connected)
– dial network (on-demand connected).
• Running VPNs across the Internet offers a
cost-effective solution.
Internet Support for VPNs
• Customer requirements for VPNs
– Support for data security
– Support for Quality of Service Guarantees
• Need some form of IP tunneling
CPE Vs. Network Based VPNs
• Most current VPN implementations are based on
CPE devices:
– Firewalls
– WAN edge routers
• Network based solution: the VPN is implemented on
the network by the Internet service provider (ISP)
– Some mechanisms leverage tools that are applicable
only to ISPs rather than individual customers running
special CPE devices.
Different VPN types
• Virtual Leased Lines (VLLs)
• Virtual Private Routed Networks (VPRNs)
• Virtual Private LAN Segment (VPLSs)
• Virtual Private Dial Networks (VPDNs)
Virtual Leased Lines (VLLs)
• VLL = IP tunnel forming a point-to-point link to
emulate a physical leased line or dedicated
connection.
VPRNs
• Benefit: Configuration of the CPE router is
simplified. ISP edge router appears to be a
“neighbor” router.
• Forwarding is done at the network layer (Layer 3).
• Each customer side CPE router is connected to an
ISP edge router through one or more stub links
(leased lines, ATM or Frame Relay)
• Each VPRN supports only a single network layer
protocol.
VPRN Generic Requirements
• Unique VPN identifier to refer to a particular VPN
• VPRN membership
– configuration
– dissemination (directory lookup, explicit management
configuration, piggybacking in routing protocols).
• Stub link reachability information
– edge router must learn set of addresses/address prefixes
reachable via each stub link.
– Each CPE router needs to learn the destinations
reachable by each stub link.
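
The three requirements above fit together as one data structure on the ISP edge router, sketched here as an added example that is not part of the original slides. The class, link names and VPN identifiers are hypothetical, and the sample assumes two customers that both number their sites from 10.0.0.0/8; the point is that the ingress stub link selects the forwarding table, so a lookup never crosses VPNs.

```python
import ipaddress

class EdgeRouter:
    """Toy ISP edge router: one forwarding table per VPN identifier."""

    def __init__(self):
        self.membership = {}  # stub link -> VPN identifier (configured)
        self.tables = {}      # VPN identifier -> [(prefix, next hop)]

    def add_stub_link(self, link, vpn_id):
        self.membership[link] = vpn_id
        self.tables.setdefault(vpn_id, [])

    def learn(self, vpn_id, prefix, next_hop):
        # Reachability for a VPN this router is not a member of is rejected.
        if vpn_id not in self.tables:
            raise ValueError(f"edge router is not a member of {vpn_id}")
        self.tables[vpn_id].append((ipaddress.ip_network(prefix), next_hop))

    def forward(self, ingress_link, dst):
        # The ingress stub link, not the packet contents, selects the table.
        vpn_id = self.membership.get(ingress_link)
        if vpn_id is None:
            return None  # link belongs to no VPRN: drop
        addr = ipaddress.ip_address(dst)
        hits = [(n, h) for n, h in self.tables[vpn_id] if addr in n]
        if not hits:
            return None  # no route inside this VPN: drop, never fall through
        return max(hits, key=lambda e: e[0].prefixlen)[1]  # longest prefix


def demo_router():
    # Constructed sample data: customers A and B overlap in 10.0.0.0/8.
    r = EdgeRouter()
    r.add_stub_link("stub-a1", "vpn-A")
    r.add_stub_link("stub-b1", "vpn-B")
    r.learn("vpn-A", "10.1.0.0/16", "stub-a1")
    r.learn("vpn-A", "10.2.0.0/16", "tunnel-A-to-edge2")
    r.learn("vpn-B", "10.3.0.0/16", "stub-b1")
    r.learn("vpn-B", "10.2.0.0/16", "tunnel-B-to-edge3")
    r.learn("vpn-B", "10.2.5.0/24", "tunnel-B-to-edge4")
    return r

if __name__ == "__main__":
    r = demo_router()
    for link, dst in [("stub-a1", "10.2.5.9"), ("stub-b1", "10.2.5.9"),
                      ("stub-b1", "10.1.0.1"), ("stub-x", "10.1.0.1")]:
        print(link, dst, "->", r.forward(link, dst))
```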
VPLS: Requirements & Recommendations
• Very similar to VPRNs
• Unlike VPRNs, CPE nodes can either be bridges
or routers
– nature of CPE (bridge Vs router) impacts nature of
encapsulation, addressing, forwarding and reachability
protocols within the VPLS.
• Advantage: protocol transparency.
• Commonality between VPRNs and VPLSs can be
exploited to reduce complexity.
VPDNs
• Support compulsory tunneling
– a dial or network access server (LAC) extends a PPP
session across a backbone using L2TP to a remote
LNS.
• Other issues:
– Call Routing
– Security mechanism
– Traffic management
– Call multiplexing
– Address management
– Support for large MTUs
Summary
• Further standardization efforts needed in defining
– a generic VPN tunneling protocol
– a globally unique VPN identifier
– a VPN membership information configuration and
dissemination mechanism
• Further study is needed to address
– security issues
– scalability of membership configuration and
dissemination mechanism