JOURNAL OF TELECOMMUNICATIONS, VOLUME 33, ISSUE 2, SEPTEMBER 2016

DMVPN (Dynamic Multipoint VPN): A Solution
for Interconnection of Sites IPv6 over an IPv4
Transport Network
Abdou Karim FAROTA(1) and Mor DIOUM(1)
Abstract - The Dynamic Multipoint VPN (DMVPN) establishes VPN tunnels to remote sites on demand, at the request of the remote site. This reproduces a full mesh of VPNs, which reduces the latency incurred when traffic is hauled up to a concentration site, saves bandwidth and greatly simplifies the deployment of VPN architectures. The DMVPN service relies on Cisco routing know-how and on the IPSec protocol, allowing dynamic configuration of GRE tunnels, IPSec encryption and the NHRP (Next Hop Resolution Protocol), OSPF and EIGRP protocols. This dynamic configuration of VPN tunnels, combined with technologies such as quality of service (QoS) and multicast, optimizes the deployment of latency-sensitive applications such as voice and video. DMVPN also reduces administrative tasks by eliminating the need to reconfigure a central VPN hub to add new peripheral routers or to establish connections between two of these peripheral routers.
Index Terms - DMVPN, IPSec, IPv4/IPv6, tunneling.

1 Introduction

The IPv4 Internet Protocol was designed in the early 1980s, a time when no one could anticipate the exponential growth of the Internet. Indeed, the growth in the number of users and servers on the Internet has been accompanied by a depletion of the available public IPv4 addresses. This exhaustion limits the growth of the Internet. Its successor, IPv6, has features and solutions required by the modern Internet that are not available in IPv4: greater connection integrity, stronger security, and the ability to support a large number of Web-enabled devices.

In this context, certain multi-site businesses are turning to IPv6 in order to simplify their infrastructures, to anticipate the address shortage and also to anticipate the future capabilities of the network. They will need to evolve their networks, their systems and their applications. However, the migration from IPv4 to IPv6, or the adoption of the IPv6 protocol, requires the implementation of an interconnection solution, including the use of tunneling technology to transport IPv6 over IPv4. Indeed, the coexistence of IPv4 systems with new IPv6 networks will certainly last a few years. Among the issues researchers have examined are the problems of interconnection between these systems. It is on this point that we will focus.

The objective of this work is to make a comparative study of tunneling solutions that allow the sites of a company using the IPv6 protocol to remain connected regardless of the operators' migration. Indeed, the use of the new protocol will enable companies to benefit from and protect their investments.

• Abdou Karim Farota, Université Gaston Berger de Saint-Louis
• Mor Dioum, Université Gaston Berger de Saint-Louis

2 Comparative study of tunneling solutions

2.1 6to4 tunneling
An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network. The main difference between automatic 6to4 tunnels and manually configured tunnels is that the tunnel is not point-to-point (Fig. 1) but point-to-multipoint (Fig. 2). In automatic 6to4 tunnels, routers are not configured in pairs because they treat the IPv4 infrastructure as a virtual NBMA link. The IPv4 address embedded in the IPv6 address is used to find the other end of the automatic tunnel.


Fig. 1. Point-to-point tunnel

6to4 tunnels are not fixed; that is to say, they are established on demand. From an operational point of view, this implies that the source of the tunnel does not change, whereas the destination is not fixed. The prefix 2002::/16 was allocated by IANA to this type of address. Any IPv6 address that begins with 2002::/16 is therefore recognized as a 6to4 address, as opposed to a native IPv6 address, which does not use that prefix.
6to4 technology has the following disadvantages:
• the IPv6 router must have a public IP address, preferably a fixed one;
• routing to the IPv6 Internet is asymmetric: outbound traffic follows the route to the anycast address 192.88.99.1, while return traffic follows the route to 2002::/16;
• if the public IPv4 address changes, the IPv6 network that depends on it will have to be renumbered;
• the quality of access depends on the proximity of the 6to4 relays and their state of congestion.
If an Internet router advertises the prefixes 192.88.99.0/24 or 2002::/16 while the 6to4 gateway is not operational, this creates a loss of connectivity for third parties (a black hole); this is corrected by 6rd, which gives control of the gateway to the Internet access provider [1].

2.2 6rd tunnel
IPv6 Rapid Deployment (Fig. 3) is a tunneling mechanism. It allows a service provider to deploy IPv6 quickly, in a lightweight and secure manner, without requiring upgrades of the existing IPv4 network infrastructure. Although there are a number of methods to carry IPv6 over IPv4, 6rd has proved particularly effective because of its mode of operation, which is lightweight, naturally scalable and easy to deploy.
6rd is a system for passing IPv6 packets over an IPv4 network. It is based on the mechanisms put in place for classic 6to4 but differs by the use of a service-provider-specific IPv6 prefix (instead of the global 6to4 prefix 2002::/16).
The main differences between 6rd and 6to4 tunneling are:
• 6rd does not require addresses to carry the 2002::/16 prefix; the prefix can instead be taken from the provider's address block;
• not all 32 bits of the IPv4 destination need to be carried in the IPv6 header: the IPv4 destination is obtained from a combination of bits in the header and information configured on the router. In addition, the IPv4 address is not at a fixed location in the IPv6 header as it is in 6to4.
A company can obtain an IPv6 internetwork by choosing a provider with such an infrastructure. However, the continuity of IPv6 connectivity can be a problem if the company's sites are not in the same 6rd domain (or the sites are managed by different providers) [2].
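As an added example (not from the paper), the following Python computes the IPv6 prefixes that 6to4 and 6rd derive from an IPv4 address and recovers the IPv4 tunnel endpoint from each, which is how the far end of the tunnel is found in the two schemes above; the provider prefix 2001:db8::/32, the IPv4MaskLen values and the sample addresses are constructed.

```python
import ipaddress

# Added example: 6to4 (RFC 3056) and 6rd (RFC 5969) address derivation and the
# reverse lookup a relay/border router performs to find the IPv4 tunnel endpoint.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4: 2002:VVVV:WWWW::/48, where VVVVWWWW is the 32-bit IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    v6 = int(SIX_TO_FOUR.network_address) | (v4 << 80)
    return ipaddress.IPv6Network((v6, 48))


def ipv4_from_six_to_four(ipv6: str) -> str:
    """The endpoint sits at a fixed place (bits 16-47) in every 6to4 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        raise ValueError(f"{ipv6} is a native IPv6 address, not a 6to4 address")
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def sixrd_delegated_prefix(ipv4: str, sixrd_prefix: str, ipv4_mask_len: int) -> ipaddress.IPv6Network:
    """6rd: provider prefix followed by the IPv4 address minus its first IPv4MaskLen
    bits. Those bits are common to the whole 6rd domain and are configured on the
    router instead of being carried in the address."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    suffix_bits = 32 - ipv4_mask_len
    suffix = int(ipaddress.IPv4Address(ipv4)) & ((1 << suffix_bits) - 1)
    plen = net.prefixlen + suffix_bits
    v6 = int(net.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((v6, plen))


def ipv4_from_sixrd(ipv6: str, sixrd_prefix: str, ipv4_mask_len: int, domain_ipv4: str) -> str:
    """Recover the IPv4 endpoint from the bits carried in the address plus the
    domain's common IPv4 prefix (domain_ipv4) known to the router. Unlike 6to4,
    where those bits live depends on the provider prefix length."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is outside the 6rd domain {sixrd_prefix}")
    suffix_bits = 32 - ipv4_mask_len
    shift = 128 - net.prefixlen - suffix_bits
    suffix = (int(addr) >> shift) & ((1 << suffix_bits) - 1)
    common = int(ipaddress.IPv4Address(domain_ipv4)) & (0xFFFFFFFF ^ ((1 << suffix_bits) - 1))
    return str(ipaddress.IPv4Address(common | suffix))
```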

 
Fig. 2. Point-to-multipoint 6to4 tunnel

Fig. 3. 6rd deployment model

2.3 6PE tunnel (MPLS tunnels)

The 6PE technique connects IPv6 islands to each other through an IPv4 MPLS (Multi-Protocol Label Switching) core network. This mechanism takes advantage of MPLS switching, based on a label inserted into each packet, to make the network capable of transporting IPv6 packets without having to modify all the equipment. The core of the MPLS network (P equipment: Provider) remains unchanged. 6PE allows an operator whose core network is based on MPLS technology to route IPv4 traffic to also carry its users' IPv6 traffic, by upgrading only the peripheral part of its network (PE equipment: Provider Edge). IPv6 routing is performed by the edge equipment (PE), which assigns a label to each IPv6 packet [3].
This technique creates an IPv6 VPN (Virtual Private Network) using the Label Switched Paths (LSPs) of an IPv4 MPLS core (Fig. 4), with the advantage of using the already existing MPLS core. It offers the following advantages:
• Security: this virtual private network provides businesses with the highest level of security.
• Quality of service: inter-site links allow resources to be shared according to the user's needs. The MPLS VPN offering makes it possible to use quality of service (QoS) to prioritize certain flows.

2.4 GRE tunnels
GRE (Generic Routing Encapsulation) was developed by Cisco and can encapsulate a wide range of packet types from different protocols in IP packets. A point-to-point tunnel option is used when packets must be passed from one network to another over the Internet or over an unsecured network. With this option a virtual tunnel is created between the two ends (Cisco routers) and packets are sent through the GRE tunnel. It is important to note that packets traveling inside a GRE tunnel are not encrypted: GRE does not encrypt the tunnel, it only wraps packets in a GRE header. If data protection is required, IPSec must be configured to ensure the confidentiality of the data, which turns a GRE tunnel into a secure GRE VPN tunnel [4].
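To make the "GRE does not encrypt" point concrete, here is an added Python example (not the paper's code) that builds the IPv4/GRE/IPv6 framing used by the tunnels in this paper and parses it the way a passive observer on the IPv4 transport path would; the addresses, payload and optional GRE key are constructed samples.

```python
import struct
import ipaddress

# Added example: plain GRE framing and what an on-path observer can read from it.
IPPROTO_GRE = 47
GRE_PROTO_IPV6 = 0x86DD  # GRE protocol type for an IPv6 passenger packet
GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 17) -> bytes:
    """Minimal IPv6 header (version 6, zero traffic class/flow label) plus payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes, key: int = None) -> bytes:
    """GRE (RFC 2784, key extension RFC 2890) inside IPv4: no encryption anywhere."""
    if key is None:
        gre = struct.pack("!HH", 0, GRE_PROTO_IPV6)
    else:
        gre = struct.pack("!HHI", GRE_FLAG_KEY, GRE_PROTO_IPV6, key)
    total_len = 20 + len(gre) + len(inner)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_GRE, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + gre + inner


def observe(frame: bytes):
    """Parse as an on-path observer would. Returns None when the IPv4 payload is
    not GRE (e.g. protocol 50, ESP, once IPsec protects the tunnel); otherwise
    everything readable: outer endpoints, inner IPv6 endpoints and the payload."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_GRE:
        return None
    seen = {"outer_src": str(ipaddress.IPv4Address(frame[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(frame[16:20]))}
    flags, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    # each optional field flagged in the GRE header adds 4 bytes before the payload
    gre_len = 4 + 4 * sum(1 for f in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & f)
    inner = frame[ihl + gre_len:]
    if ptype == GRE_PROTO_IPV6 and inner[0] >> 4 == 6:
        seen.update(inner_src=str(ipaddress.IPv6Address(inner[8:24])),
                    inner_dst=str(ipaddress.IPv6Address(inner[24:40])),
                    payload=inner[40:])  # plaintext, exactly as sent by the branch host
    return seen
```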
DMVPN (Dynamic Multipoint Virtual Private Network) (Fig. 4) is Cisco's response to the growing demand from companies to connect their branches with headquarters, and with each other, while keeping deployment costs low, minimizing configuration complexity and increasing flexibility. DMVPN is actually a set of technologies (IPSec, mGRE and NHRP) which, combined, facilitate the deployment of IPsec VPNs. It is a reliable, secure and scalable solution, allowing flexible establishment and management of IPsec tunnels [5].

 
 
 
 
 
 
 
Fig. 4. Dynamic Multipoint Virtual Private Network (blue
line static hub-to-spoke, black line dynamic hub-to-spoke,
yellow line dynamic spoke-to-spoke)

DMVPN is based on a centralized architecture, with a router playing the role of the hub located at the central site and one or more branch routers (spokes) that each connect to the central site via a static tunnel. There are other architectures involving more than one central router (hub), but they will not be addressed in this project.

2.5 DMVPN proposed solution

DMVPN technology is a solution that does not have these disadvantages. It does not require a complete mesh for all of the company's sites to communicate. The addition of a new site does not require reconfiguration of the existing ones, and it is a solution for the Internet infrastructure. This is what gives DMVPN its scalable character. It is perfectly suited to interconnecting remote sites, ensuring the authentication, integrity and encryption of data independently of the providers that serve them.
The implementation of DMVPN requires a central router, typically at the central site (headquarters), which is used as the NHRP server, the NHS (Next Hop Server). This router must have a fixed public IPv4 address. The routers at the other sites are configured with dynamic public IPv4 addresses (Table 1 and Fig. 5).

 
Table 1: Addressing plan

A permanent tunnel is configured between each router and the central router, using IPv6 addresses. These tunnels will allow the creation of dynamic point-to-point links between all sites. A dynamic routing protocol allows the routers to exchange routing information, which in turn allows IPv6 packets to be routed through a tunnel across the IPv4 cloud. In addition, dynamic tunnels are established only when necessary; that is, they are destroyed after a customizable period of inactivity.

Fig. 5. Tunneling example

Fig. 6. mGRE using NHRP in static and dynamic mapping

The other type of configuration option uses mGRE (Fig. 6) at the hub site and the normal point-to-point GRE configuration on the spokes. There are two main ways this can be configured, but the use of the NHRP protocol is necessary in both. NHRP is used in a similar way to ARP on Ethernet: it offers the option of mapping a tunnel IP address to the logical IP address of a non-broadcast multi-access (NBMA) network, which enables mGRE to define tunnels dynamically without having to explicitly configure a mapping entry for each potential next-hop destination.
There are two ways to configure mGRE on the hub while leaving a normal GRE configuration on the spokes. The first uses static NHRP mapping statements on the hub router, and the second uses dynamic NHRP mapping on the hub router.
Fig. 6 (yellow line) shows an example of the desired configuration using static NHRP mapping statements. The figure also shows certain additional NHRP configuration statements that would be necessary if EIGRP (or any routing protocol requiring multicast) is used.

This configuration is an option, but it would certainly become quite long if there are several branch routers. It does, however, require a very simple branch configuration.

The configuration below is the one generally recommended by Cisco (when using mGRE only at the hub site). It includes the dynamic use of NHRP (Fig. 6, green line) on the hub router. Cisco calls this method hub-to-spoke, because it does not give the spoke routers the possibility of speaking directly to one another. In practice it is possible to establish spoke-to-spoke communication.

3 Results

After the configuration of the routers, the command 'show DMVPN' shows the existence of three tunnels on the headquarters router. We see from the value D of the Attrib parameter (Fig. 7) that the tunnels are dynamic on this router. This is due to the fact that the public IPv4 addresses of the other routers may change at any time, and the headquarters router must be informed of any change so that it can update the NHS (Next Hop Server) information.
With the same command, the other routers each see a static tunnel linking them to the headquarters router (NHS).

Fig. 7. Dynamic tunnel attrib

Fig. 8 shows the continuity of IPv6 connectivity. Each router has learned the LANs of the others through the tunnels, from EIGRP routing information.

The IPsec protocol encrypts the contents of the packet, and only the IPv4 header is visible in the tunnel (Fig. 10).
DMVPN essentially creates a mesh VPN topology with IPsec. This means that each site can connect directly with all other sites, no matter where they are located. DMVPN combined with IPsec security mechanisms offers very high security, thanks to the use of advanced authentication and encryption protocols that protect data from unauthorized access.

DMVPN phase 1 does not allow the creation of a dynamic tunnel between branches. This means that all packets between branches necessarily go through the headquarters router (first part of Fig. 8).
Allowing the EIGRP process to use the IP address of the branch from which a route was received as the next-hop address when advertising that branch's routes allows the creation of dynamic tunnels between branches. A branch thus has the IP address of the other branch with which it wants to communicate, which allows it to create a dynamic tunnel and send packets directly to that branch. This is DMVPN phase 2 (second part of Fig. 8).
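The following Python model, added here and not part of the paper, plays out the NHRP exchange behind the two phases just described and the mGRE/NHRP mapping of section 2.5: spokes register their current public IPv4 (NBMA) address with the hub (NHS), the hub re-advertises a branch prefix either with itself as next hop (phase 1) or with the originating branch preserved (phase 2), and a spoke either hauls traffic through its static hub tunnel or resolves the remote branch and builds a dynamic tunnel that is torn down when idle. Class and method names, the holdtime and idle timeout values, and all addresses are constructed assumptions.

```python
# Added example: a model of NHRP registration/resolution in a DMVPN hub-and-spoke.
class Hub:
    """NHS: holds the NHRP cache of tunnel (IPv6 overlay) -> NBMA (public IPv4) mappings."""

    def __init__(self, tunnel_ip, nbma_ip, holdtime=600):
        self.tunnel_ip, self.nbma_ip, self.holdtime = tunnel_ip, nbma_ip, holdtime
        self.cache = {}  # tunnel_ip -> {"nbma": str, "expires": int, "attrib": "D"}

    def register(self, spoke_tunnel_ip, spoke_nbma_ip, now):
        """NHRP Registration Request from a spoke. Spokes with a dynamic public IPv4
        address refresh this (attrib 'D' in 'show dmvpn'), so an address change
        needs no reconfiguration of the hub."""
        self.cache[spoke_tunnel_ip] = {"nbma": spoke_nbma_ip,
                                       "expires": now + self.holdtime, "attrib": "D"}

    def resolve(self, target_tunnel_ip, now):
        """NHRP Resolution: NBMA address for a tunnel address, None if unknown or expired."""
        entry = self.cache.get(target_tunnel_ip)
        if entry is None or entry["expires"] <= now:
            self.cache.pop(target_tunnel_ip, None)
            return None
        return entry["nbma"]

    def advertise(self, prefix, learned_from, next_hop_self):
        """Re-advertise a branch LAN prefix to the other spokes. With next-hop-self
        (phase 1) the hub names itself as next hop; without it (phase 2, e.g.
        'no ip next-hop-self eigrp' on IOS) the originating spoke's tunnel address
        is preserved, which is what lets the receiving spoke resolve it."""
        return prefix, (self.tunnel_ip if next_hop_self else learned_from)


class Spoke:
    def __init__(self, tunnel_ip, nbma_ip, hub):
        self.tunnel_ip, self.nbma_ip, self.hub = tunnel_ip, nbma_ip, hub
        self.routes = {}   # prefix -> next-hop tunnel address (learned via EIGRP)
        self.dynamic = {}  # remote tunnel address -> {"nbma": str, "last_used": int}

    def register(self, now):
        self.hub.register(self.tunnel_ip, self.nbma_ip, now)

    def learn(self, prefix, next_hop):
        self.routes[prefix] = next_hop

    def forward(self, prefix, now):
        """Return (tunnel kind, NBMA destination) used for traffic to prefix."""
        next_hop = self.routes[prefix]
        if next_hop == self.hub.tunnel_ip:
            return "static", self.hub.nbma_ip  # permanent spoke-to-hub tunnel
        entry = self.dynamic.get(next_hop)
        if entry is None:
            nbma = self.hub.resolve(next_hop, now)
            if nbma is None:
                return "static", self.hub.nbma_ip  # unresolved: fall back to the hub
            entry = self.dynamic[next_hop] = {"nbma": nbma, "last_used": now}
        entry["last_used"] = now
        return "dynamic", entry["nbma"]

    def expire_idle(self, now, idle_timeout=120):
        """Dynamic spoke-to-spoke tunnels are torn down after a configurable idle
        time; returns the number of dynamic tunnels still up."""
        for remote in [r for r, e in self.dynamic.items() if now - e["last_used"] > idle_timeout]:
            del self.dynamic[remote]
        return len(self.dynamic)
```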

 
Fig. 10. The IPsec protocol encrypts the contents of the packet; only the IPv4 header is visible

Fig. 11 shows that the headquarters router sees the branch routers as neighbors, as if it were directly connected to them. In this way, IPv6 connectivity is provided securely between the company's sites.

 
Fig. 8. Dynamic tunnel between branches

The screenshot (Fig. 9) shows that data is visible in the tunnels. Indeed, the tunnel encapsulates the IPv6 packet in a new packet with an IPv4 header, without encrypting the data of the IPv6 packet. It is important to apply IPsec to secure traffic through the tunnel.

 
Fig. 11. The headquarters router sees the branch routers as neighbors

Fig. 9. The tunnel encapsulates the IPv6 packet in a new packet with an IPv4 header, without encrypting the data of the IPv6 packet


4 Conclusion
We have shown that DMVPN technology enables companies to migrate to IPv6 regardless of the migration of their ISP. It is a solution that has many advantages from the economic point of view and in terms of the security and scalability of the business. Moreover, its deployment does not require static public IP addresses at the spokes (branches or secondary sites). This technology is capable of achieving a complete mesh of sites without permanent tunnels. Its major drawback is that it belongs to Cisco, which means it requires routers from this manufacturer. This technology is suitable for businesses regardless of the number of sites they have.
The DMVPN solution reduces administrative tasks by eliminating the need to reconfigure the central router and the existing sites when adding new remote sites.
The tunnel encapsulates the IPv6 packet in a new packet with an IPv4 header, without encrypting the data of the IPv6 packet. It is important to apply IPsec to secure traffic through the tunnel. DMVPN essentially creates a mesh VPN topology with IPsec. This means that each site can connect directly with all other sites, no matter where they are located. DMVPN combined with IPsec security mechanisms offers very high security, thanks to the use of advanced authentication and encryption protocols that protect data from unauthorized access.

References
[1] RFC 3056
[2] RFC 5969
[3] RFC 4798
[4] RFC 2784
[5] http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf (last consulted 09/08/2015)
[6] Sybex, CCNA Routing and Switching Study Guide, October 2013
[7] Pete Loshin, "IPv6 Second Edition: Theory, Protocol, and Practice" (The Morgan Kaufmann Series in Networking), 2nd Edition, 2004
 

 

Abdou Karim FAROTA, PhD in applied physics from the University Gaston Berger of Saint-Louis (2015), engineer specialised in microprocessors and microprocessor systems at the Faculty of Electronics of Wroclaw (Poland) in 1992. He has taught electronics, industrial computing and computer systems design at the University Gaston Berger de Saint-Louis (Senegal) since 2005. He has studied dynamical systems, artificial neurons, network security and atmospheric physics.

Mor DIOUM, Engineer in electronics and telecommunications (DIETEL 2015) at Gaston Berger University of Saint-Louis, has worked at the company IDEAL Solution in Dakar (Senegal). He is preparing a doctoral thesis in telecommunications on the security and reliability of VLAN networks.


Acknowledgments
This work was supported in part by the CEA-MITIC / UFR SAT / UGB.
