
IP VPN Overview
ISSUE 1.0
www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Confidential

Foreword

VPN technology is widely used in today's networks. With the increasingly wide application of the Internet, the Virtual Private Network (VPN) emerged to construct private networks on public networks. "Virtual" here mainly indicates that a VPN is a kind of logical network.


Objectives

- Describe the concept of VPN and the types of VPN
- Describe the protocols that realize IP VPN


Chapter 1 VPN System Overview
Chapter 2 VPN Working Mechanism

VPN Definition

- VPN: Virtual Private Network
- A private network can be established on a public network. "Virtual" here mainly indicates that this network is a kind of logical network.

VPN Definition

[Diagram: a Headquarter site connected to a Branch, a Partner, a Remote office, an Office and employees on business trips through tunnels over the Internet and a leased line.]

VPN Features

- Private: the VPN is used only by VPN users
- Virtual: this network is a kind of logical network
- Specific: the VPN is built especially for specific enterprises or users

VPN Advantages

- Reliable and safe connection
- Flexible application of VPN
- Creating VPNs with service quality guarantees
- Supporting mobile access for roaming (foreign) VPN users
- Greatly improves the utilization of network resources and accordingly increases the profit of the Internet Service Provider (ISP)

Classification of VPN

- IP VPN can be classified according to: Operation Mode, Service Application, Networking Mode, Connection Orientation, Realization Layer
- Classified according to Operation Mode:
  - CPE-based VPN (Customer Premises Equipment based VPN)
  - Network-based VPN (NBIP-VPN)

Classification of VPN

- Based on the Service Application:
  - Access VPN
  - Intranet VPN
  - Extranet VPN

Access VPN

[Diagram: tunnels from ISP POPs to the HQ, originated either by the ISP or by the user.]

- Dial network expansion:
  - Employees on errands
  - Remote small office

Intranet VPN

[Diagram: HQ, Research Institute, Branch and Office sites connected by tunnels across Internet/ISP IP and ATM/FR networks.]

Extranet VPN

[Diagram: HQ, Remote Office, Branch and a Partner site connected by tunnels across Internet/ISP IP and ATM/FR networks.]

Classification of VPN

- Based on the Networking Mode:
  - Virtual Leased Line (VLL)
  - Virtual Private Dial Network (VPDN)
  - Virtual Private LAN Segment (VPLS)
  - Virtual Private Routing Network (VPRN)

Classification of VPN

- Based on the Connection Orientation:
  - Connection-oriented L2VPN
  - Connection-oriented L3VPN

Classification Based on Realization Layer

- Layer 2 VPN
  - L2TP: Layer 2 Tunneling Protocol (RFC 2661)
  - PPTP: Point-to-Point Tunneling Protocol
  - L2F: Layer 2 Forwarding
- Layer 3 VPN
  - GRE: Generic Routing Encapsulation
  - IPSec: IP Security Protocol

Classification Based on Realization Layer

- Application layer: SET, S-MIME, Proxy, SOCKS
- Transport layer: SSL, TLS, SSH, Secure-RPC
- Network layer: IPSec, GRE, MPLS/VPN
- Data-link layer: PPTP, L2F, L2TP

Chapter 1 VPN System Overview
Chapter 2 VPN Working Mechanism

VPN Fundamentals

- Through the PSTN/ISDN network, the user accesses the ISP NAS (Network Access Server).
- After the NAS recognizes that this is a VPN user by checking the user name or access number, it establishes a connection to the user's destination VPN server; this connection is called a tunnel.
- The NAS encapsulates the user data into IP packets and transmits them to the VPN server through this tunnel.
- After receiving an IP packet, the VPN server removes the encapsulation to recover the original data, and vice versa.

Tunnel

- A tunnel is a logical extension of the PSTN/ISDN links, and it operates in the same way as the physical links.
- Tunneling is implemented based on a tunneling protocol.
- Tunneling protocols can be divided into:
  a. Layer 2 tunneling protocols
  b. Layer 3 tunneling protocols

Layer 2 Tunneling Protocols

- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Forwarding (L2F)
- Layer 2 Tunneling Protocol (L2TP)

Layer 3 Tunneling Protocols

- Generic Routing Encapsulation (GRE)
- IP Security (IPSec)
  - ESP (Encapsulating Security Payload)
  - IKE (Internet Key Exchange)

PPTP

- Point-to-Point Tunneling Protocol
- Supported by Microsoft, Ascend, 3COM and other companies, and supported by Windows NT 4.0 and later versions
- This protocol supports tunneling encapsulation of point-to-point PPP in IP networks
- PPTP uses an enhanced Generic Routing Encapsulation (GRE) technology to provide an encapsulation service with flow control and congestion control for the transmitted PPP packets

L2F

- Layer 2 Forwarding
- Supported by many other companies
- Supports tunneling encapsulation for the higher-level link layer, physically separating the dial-up server from the dial-up protocol connection

L2TP

- Layer 2 Tunneling Protocol
- Drafted by IETF, Microsoft and other companies, absorbing the advantages of the above two protocols; it is accepted by most companies and has become a standard RFC
- Provides both dial-up VPN service and dedicated-line VPN service

GRE

- Generic Routing Encapsulation
- Can encapsulate datagrams of some network-layer protocols (e.g. IP and IPX)
- The tunnel is a virtual point-to-point connection and can be regarded as a virtual interface that supports only point-to-point connections in practice

Packet Encapsulation and Decapsulation through GRE

[Diagram: Novell IPX Group1 behind RouterA and Novell IPX Group2 behind RouterB, connected by a GRE tunnel across the Internet.]
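An added Python illustration of the encapsulation RouterA performs and the decapsulation RouterB performs in the diagram above (example code written for this page, not Huawei's or any router's implementation); the tunnel endpoint addresses 192.0.2.1 and 198.51.100.1 and the IPX-style payload are constructed values, and only basic GRE without optional fields is handled.

```python
import ipaddress
import struct

GRE_IP_PROTO = 47         # protocol number of GRE in the outer IPv4 header
ETHERTYPE_IPX = 0x8137    # GRE protocol type for Novell IPX, the passenger protocol in the diagram


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(src: str, dst: str, proto_type: int, payload: bytes, ttl: int = 64) -> bytes:
    """RouterA: prepend a basic GRE header (RFC 2784: 2 bytes flags/version, 2 bytes
    protocol type) and an outer IPv4 header addressed to the far tunnel endpoint."""
    gre = struct.pack("!HH", 0x0000, proto_type)
    total_len = 20 + len(gre) + len(payload)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, GRE_IP_PROTO, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    outer = outer[:10] + struct.pack("!H", ipv4_checksum(outer)) + outer[12:]
    return outer + gre + payload


def gre_decapsulate(packet: bytes) -> tuple:
    """RouterB: validate the outer IPv4 and GRE headers, return (proto_type, passenger packet).
    Raises ValueError instead of forwarding anything that is not well-formed basic GRE."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if packet[9] != GRE_IP_PROTO:
        raise ValueError("outer protocol is not GRE")
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags_ver, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver != 0:   # C/K/S bits or a non-zero version: optional fields not parsed here
        raise ValueError("only basic GRE (version 0, no optional fields) is handled")
    return proto_type, packet[ihl + 4:total_len]


if __name__ == "__main__":
    # Constructed IPX-style datagram from "Novell IPX Group1" (not a real capture)
    inner = b"\xff\xff\x00\x1e\x00\x04" + bytes(24)
    tunnelled = gre_encapsulate("192.0.2.1", "198.51.100.1", ETHERTYPE_IPX, inner)
    print(gre_decapsulate(tunnelled) == (ETHERTYPE_IPX, inner))
```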

GRE's Application: Multi-Protocol Local Network Transmitted through a Single-Protocol Backbone Network

[Diagram: Novell IPX Group 1 and IP Term 1 behind RouterA, Novell IPX Group 2 and IP Term 2 behind RouterB, connected by a tunnel across the Internet.]

GRE's Application: Enlarging the Operation Range of a Network with a Hop-Limited Protocol

[Diagram: two PCs on separate IP networks connected by a tunnel across an intermediate IP network.]

GRE's Application: Connecting Discontinuous Sub-Networks to Establish a VPN

[Diagram: novell group 1 and novell group 2 connected by a tunnel across an IP network.]

MPLS/VPN Overview

- Layer 2 MPLS/VPN: The MPLS network is used to transfer users' layer 2 data transparently. From the perspective of users, MPLS is a layer 2 switching network through which layer 2 connections can be established among different sites.
- Layer 2 MPLS/VPN modes:
  - Martini
  - Kompella
  - CCC
  - VPLS

MPLS/VPN Overview

- Layer 3 MPLS/VPN: In a layer 3 MPLS/VPN network, users are provided with VPN services by service providers in such a way that they are not aware of the public network; users see an independent network resource.
- VPN packet forwarding:
  - Two layers of labels are encapsulated.
  - The external-layer label is used for forwarding packets on the public network.
  - The internal-layer label is used to indicate the destination site of the packets.

MPLS/VPN Security Advantages

- MPLS can identify the data packets of different applications. This capability of MPLS allows QoS to be implemented with simpler methods than those of IP tunnels and VC-based networks.
- MPLS segregates the communication of unrelated users and enhances security.
- An MPLS-based network differentiates data flows from each other to enhance security without setting up tunnels or encrypting the data.
- MPLS VPN meets the requirements of VPN users and reduces the workload of both the network and the users. MPLS VPN can be used to establish any connection with high scalability.
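An added Python illustration of the two-layer label forwarding described in the Layer 3 MPLS/VPN slide and of the user separation claimed in the security slide (example code written for this page, not Huawei's or any device's implementation); the label values, the P router's label table P_LFIB and the site names in PE_VPN_LABELS are constructed.

```python
import struct

# MPLS label stack entry (RFC 3032): 20-bit label | 3-bit TC | 1-bit S (bottom of stack) | 8-bit TTL

def encode_label(label: int, bos: bool, ttl: int = 64, tc: int = 0) -> bytes:
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)

def decode_label(entry: bytes) -> tuple:
    """Returns (label, tc, bos, ttl) for one 4-byte stack entry."""
    (word,) = struct.unpack("!I", entry)
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF

def ingress_pe_push(outer_label: int, vpn_label: int, ip_packet: bytes) -> bytes:
    """Ingress PE: public (external-layer) label on top, VPN (internal-layer) label marked
    bottom of stack, then the customer's unmodified IP packet."""
    return encode_label(outer_label, bos=False) + encode_label(vpn_label, bos=True) + ip_packet

def p_router_forward(frame: bytes, lfib: dict) -> bytes:
    """P router on the public network: swaps only the outer label and never inspects
    the inner label or the customer packet."""
    label, tc, bos, ttl = decode_label(frame[:4])
    if ttl <= 1:
        raise ValueError("TTL expired")
    out_label = lfib[label]          # KeyError means no LSP for this label: the packet is dropped
    return encode_label(out_label, bos, ttl - 1, tc) + frame[4:]

def egress_pe_pop(frame: bytes, vpn_labels: dict) -> tuple:
    """Egress PE: pops the outer label, then the inner label selects the destination site.
    A label this PE never allocated is rejected, which is the forwarding-plane separation
    the slides describe: a packet can only reach the site its inner label was assigned to."""
    _, _, bos, _ = decode_label(frame[:4])
    if bos:
        raise ValueError("expected two labels, found only one")
    vpn_label, _, bos, _ = decode_label(frame[4:8])
    if not bos:
        raise ValueError("inner label is not bottom of stack")
    if vpn_label not in vpn_labels:
        raise ValueError("unknown VPN label %d" % vpn_label)
    return vpn_labels[vpn_label], frame[8:]

# Constructed tables (not from any real device): the P router swaps 1001 -> 2002 on the
# public LSP; the egress PE assigned VPN label 300 to customer A's branch site.
P_LFIB = {1001: 2002}
PE_VPN_LABELS = {300: "customer-A/branch", 301: "customer-B/hq"}
```

The customer packet is carried unchanged and unencrypted behind the labels: the separation comes from the label lookups alone, which is the isolation without tunnels or encryption the security slide refers to, not confidentiality on the public network.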

Summary

- VPN working mechanism
- The VPN technique