IP VPN Overview


VPN technology is widely used in today's networks. Along with the increasingly wide application of the Internet, the Virtual Private Network (VPN) emerged to construct private networks on top of public networks. "Virtual" here mainly indicates that a VPN is a kind of logical network.


Objectives
- Describe the concept of VPN and the types of VPN
- Describe the protocols that realize IP VPN


Chapter 1 VPN System Overview
Chapter 2 VPN Working Mechanism

VPN Definition
- VPN: Virtual Private Network
- A private network can be established on a public network. "Virtual" here mainly indicates that this network is a kind of logical network.

VPN Definition (figure): tunnels across the Internet connect the headquarters with a partner, a remote office, a branch office and employees on business trips; a leased line is shown alongside for comparison.

VPN Features
- Private: the VPN is used only by VPN users.
- Virtual: this network is a kind of logical network.
- Specific: the VPN is built especially for specific enterprises or users.

VPN Advantages
- Reliable and safe connection
- Flexible application of VPN
- Creating VPNs with service quality guarantees
- Supporting the mobile access of foreign VPN users
- Greatly improving the utilization of network resources, and accordingly increasing the profit of the Internet Service Provider (ISP)

Classification of VPN
- IP VPN can be classified according to operation mode, networking mode, service application, connection orientation and realization layer.
- Classified according to operation mode:
  - CPE-based VPN (Customer Premises Equipment based VPN)
  - Network-based VPN (NBIP-VPN)

Classification of VPN
- Based on the service application:
  - Access VPN
  - Intranet VPN
  - Extranet VPN

Access VPN (figure): the tunnel to the HQ is originated either by the ISP, from its POP, or by the user.
- Dial network expansion:
  - Employees on errands
  - Remote small office

Intranet VPN (figure): the HQ, a research institute, a branch and an office are connected by tunnels over the Internet/ISP IP or ATM/FR network.

Extranet VPN (figure): the HQ, a remote office, a branch and a partner are connected by tunnels over the Internet/ISP IP or ATM/FR network.

Classification of VPN
- Based on the networking mode:
  - Virtual Leased Line (VLL)
  - Virtual Private Dial Network (VPDN)
  - Virtual Private LAN Segment (VPLS)
  - Virtual Private Routing Network (VPRN)

Classification of VPN
- Based on the connection orientation:
  - Connection-oriented L2VPN
  - Connection-oriented L3VPN

Classification Based on Realization Layer
- Layer 2 VPN
  - L2TP: Layer 2 Tunneling Protocol (RFC 2661)
  - PPTP: Point-to-Point Tunneling Protocol
  - L2F: Layer 2 Forwarding
- Layer 3 VPN
  - GRE: Generic Routing Encapsulation
  - IPSec: IP Security Protocol

Classification Based on Realization Layer
- Application layer: SET, S/MIME, Proxy, SSH, Secure-RPC
- Transport layer: TLS, SSL, SOCKS
- Network layer: IPSec, MPLS/VPN, GRE
- Data-link layer: L2F, PPTP, L2TP

Chapter 1 VPN System Overview
Chapter 2 VPN Working Mechanism

VPN Fundamentals
- Through the PSTN/ISDN network, the user accesses the ISP's NAS (Network Access Server).
- After the NAS recognizes that this is a VPN user, by checking the user name or the access number, it establishes a connection to the user's destination VPN server; this connection is called a tunnel.
- The NAS encapsulates the user data into IP packets and transmits them to the VPN server through this tunnel.
- After receiving such an IP packet, the VPN server removes the encapsulation to get the original data, and vice versa.

Tunnel
- A tunnel is a logical extension of the users' PSTN/ISDN links; it operates the same way as a physical link.
- Tunneling is implemented by means of a tunneling protocol.
- Tunneling protocols can be divided into:
  a. Layer 2 tunneling protocols
  b. Layer 3 tunneling protocols

Layer 2 Tunneling Protocols
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Forwarding (L2F)
- Layer 2 Tunneling Protocol (L2TP)

Layer 3 Tunneling Protocols
- Generic Routing Encapsulation (GRE)
- IP Security (IPSec)
  - ESP (Encapsulating Security Payload)
  - IKE (Internet Key Exchange)

PPTP
- Point-to-Point Tunneling Protocol
- Supported by Microsoft, 3COM, Ascend and other companies, and supported by Windows NT 4.0 and later versions
- This protocol supports the tunneling encapsulation of point-to-point PPP over an IP network
- PPTP uses an enhanced Generic Routing Encapsulation (GRE) to encapsulate the transmitted PPP packets, providing flow control and congestion control

L2F
- Layer 2 Forwarding
- Supported by many other companies
- Supports tunneling encapsulation for the higher-level link layer, physically separating the dial-up server from the dial-up protocol connection

L2TP
- Layer 2 Tunneling Protocol
- Drafted by the IETF, Microsoft and other companies, absorbing the advantages of the above two protocols; it is accepted by most companies and has become a standard RFC
- Provides both dial-up VPN service and leased line (special line) VPN service

GRE
- Generic Routing Encapsulation
- Can encapsulate the datagrams of several network layer protocols (e.g. IP and IPX)
- The tunnel is a virtual point-to-point connection; in practice it can be regarded as a virtual interface that supports point-to-point connections only

Packet Encapsulation and Decapsulation through GRE (figure): Novell IPX Group 1 and Novell IPX Group 2 exchange packets through a tunnel between RouterA and RouterB across the Internet; RouterA encapsulates and RouterB decapsulates.
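As an added example (not from the original slides), the encapsulation and decapsulation the figure describes, written in Python with constructed addresses and a constructed passenger packet: RouterA wraps an IP or IPX datagram (identified by the GRE Protocol Type) in a GRE header with the optional checksum plus an outer IPv4 delivery header, and RouterB verifies both headers before returning the original datagram. The checksum only detects corruption; GRE itself gives no confidentiality or authentication, which the slides leave to IPSec.

```python
import socket
import struct

# Passenger protocols carried in the GRE Protocol Type field (Ethertype values).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
IPPROTO_GRE = 47          # protocol number of GRE in the outer (delivery) IPv4 header


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the IPv4 header and the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, src: str, dst: str) -> bytes:
    """Tunnel entry (RouterA): prepend a GRE header (C bit set) and an outer IPv4 header."""
    gre = struct.pack("!HHHH", 0x8000, proto, 0, 0)        # C=1, version 0, checksum placeholder
    csum = ones_complement_checksum(gre + payload)          # covers GRE header plus passenger packet
    gre = struct.pack("!HHHH", 0x8000, proto, csum, 0)
    total_len = 20 + len(gre) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, IPPROTO_GRE, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + gre + payload


def gre_decapsulate(packet: bytes):
    """Tunnel exit (RouterB): verify delivery and GRE headers, return (passenger proto, datagram)."""
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_checksum(packet[:ihl]) != 0:        # a valid header sums to zero
        raise ValueError("outer IPv4 header checksum mismatch")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("delivery header does not carry GRE")
    gre = packet[ihl:]
    flags, proto = struct.unpack_from("!HH", gre)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    hdr_len = 4
    if flags & 0x8000:                                     # C bit: checksum and reserved1 present
        hdr_len = 8
        if ones_complement_checksum(gre) != 0:
            raise ValueError("GRE checksum mismatch")
    return proto, gre[hdr_len:]
```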

GRE's Application: a multi-protocol local network transmitted through a single-protocol backbone network (figure: Novell IPX Group 1, Novell IPX Group 2, IP Terminal 1 and IP Terminal 2 communicate through a tunnel between RouterA and RouterB across the Internet).

GRE's Application: enlarging the operating range of a network that runs a hop-limited protocol (figure: a tunnel across intermediate IP networks connects two PCs).

GRE's Application: connecting discontinuous sub-networks to establish a VPN (figure: Novell Group 1 and Novell Group 2 are connected through a tunnel across an IP network).

MPLS/VPN Overview
- Layer 2 MPLS/VPN: the MPLS network transfers the users' layer 2 data transparently. From the users' perspective, MPLS is a layer 2 switching network through which layer 2 connections can be established among different stations.
- Layer 2 MPLS/VPN modes:
  - Martini
  - Kompella
  - CCC
  - VPLS

MPLS/VPN Overview
- Layer 3 MPLS/VPN: in a layer 3 MPLS/VPN network, each user uses an independent network resource; the service provider delivers the VPN service in such a way that users are not aware of the public network.
- VPN packet forwarding:
  - Two layers of labels are encapsulated.
  - The external-layer label is used for forwarding the packet across the public network.
  - The internal-layer label indicates the destination station of the packet.

MPLS/VPN Security Advantages
- MPLS can identify the data packets of different applications.
- MPLS segregates the traffic of unrelated users and thereby enhances security.
- An MPLS-based network differentiates data flows from each other to enhance security without setting up tunnels or encrypting the data.
- MPLS VPN meets the requirements of VPN users and reduces the workload of both the network and the users. MPLS VPN can be used to establish any connection with high scalability. This capability of MPLS allows QoS to be implemented with simpler methods than IP tunnels and VC-based networks.
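As an added example (not from the original slides), a Python model of the two-label forwarding described on the previous two slides, with constructed label values and site names: the ingress PE pushes the internal VPN label beneath the external transport label, a core P router swaps only the external label and never inspects the VPN label or the customer packet, and the egress PE maps the internal label to a customer site through its VRF table.

```python
import struct


def encode_label(label: int, tc: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    """One 32-bit MPLS label stack entry (RFC 3032): 20-bit label, 3-bit TC, S bit, 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_stack(packet: bytes):
    """Return ([(label, tc, ttl), ...], payload), reading entries until the bottom-of-stack bit."""
    entries, offset = [], 0
    while True:
        word, = struct.unpack_from("!I", packet, offset)
        offset += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if word & 0x100:
            return entries, packet[offset:]


def pe_ingress(customer_packet: bytes, transport_label: int, vpn_label: int) -> bytes:
    """Ingress PE: push the internal (VPN) label first, then the external (transport) label on top."""
    return (encode_label(transport_label) +
            encode_label(vpn_label, bottom=True) + customer_packet)


def p_forward(packet: bytes, swap_table: dict) -> bytes:
    """Core (P) router: swap only the external label and decrement its TTL; the VPN label is not read."""
    word, = struct.unpack_from("!I", packet)
    label, ttl = word >> 12, word & 0xFF
    if ttl <= 1:
        raise ValueError("TTL expired")
    if label not in swap_table:
        raise KeyError("no LSP for label %d" % label)
    new_word = (swap_table[label] << 12) | (word & 0xF00) | (ttl - 1)   # keep TC and S bits
    return struct.pack("!I", new_word) + packet[4:]


def pe_egress(packet: bytes, vrf_table: dict):
    """Egress PE: discard the external label and use the internal label to select the destination site."""
    entries, payload = decode_stack(packet)
    vpn_label = entries[-1][0]                 # bottom-of-stack entry is the VPN label
    if vpn_label not in vrf_table:
        raise ValueError("VPN label %d is not allocated to any site" % vpn_label)
    return vrf_table[vpn_label], payload
```

Nothing in this path is encrypted: the separation the slide credits to MPLS rests on the provider core being trusted and on VPN labels never being accepted from outside that core, so traffic that must be protected from the provider still needs IPSec on top.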

Summary
- VPN working mechanism
- The VPN technique