Page 1
Course Number
IPsec to MPLS VPN Integration
Vijay Bollapragada
Page 2
• IPsec VPN Overview
• IPsec and MPLS VPN Integration
• Architecture
• Conclusions
Page 3
[Slide fragments only; surviving text:]
• secure private communications over any IP network
• negotiation, protocols, and formats
• and authentication
• encryption, digital certification, and device authentication
Page 4
IPsec Terminology
IPSec = Internet Protocol Security (RFC 2401): An IETF standardized architecture that defines a set of standards that can be used to secure the Internet Protocol (IPv4 and IPv6).
IKE = Internet Key Exchange (RFC 2409): A hybrid protocol (uses parts of the Oakley and SKEME key exchanges in conjunction with ISAKMP) whose purpose is to provide authenticated keying material for, and secure negotiation of, Security Associations.
SA = Security Associations: A set of policies and keys between two parties used to protect information exchange between them. IKE uses ISAKMP SAs, which must include negotiation of the following attributes: encryption algorithm, hash algorithm, authentication method, and information regarding the Diffie-Hellman group.
ISAKMP = Internet Security Association and Key Management Protocol (RFC 2407): Defines a framework for security association management and cryptographic key establishment for the Internet.
Page 5
Technology Primer
[Diagram: three packet layouts, original IP layer at each end.]
• IPSec Tunnel, ESP Tunnel Mode (RFC 2406): New IP HDR | ESP HDR | [IP HDR | Data] encrypted. Initiated by IPSec (CPE); terminated by customer's corporate gateway/firewall or destination system.
• IPSec Encrypted session, ESP Transport Mode (RFC 2406): IP HDR | ESP HDR | [Data] encrypted. Terminated by a corporate end-system or resource.
• IPSec Authenticated session, AH Protocol (RFC 2402): IP HDR | AH HDR | Data. Terminated by customer's corporate gateway/firewall or destination system.
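The two ESP layouts on this slide differ in what the outer header reveals and what ends up inside the encrypted region. The following added example (not from the original deck) builds both encapsulations per RFC 2406 framing, using NULL encryption (RFC 2410) and no ICV so the bytes stay readable; the addresses, SPIs and the TCP segment are constructed sample values.

```python
import socket
import struct

IPPROTO_IPIP = 4   # Next Header: an inner IPv4 packet follows (tunnel mode)
IPPROTO_ESP = 50

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed for illustration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def esp_encapsulate(spi, seq, plaintext, next_header):
    """RFC 2406 ESP framing with NULL encryption (RFC 2410), no ICV. SPI and
    sequence number are always cleartext; with a real cipher everything after
    them (payload, padding, Pad Length, Next Header) is the encrypted region."""
    pad_len = (-(len(plaintext) + 2)) % 4          # align trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))         # RFC 2406 default padding
    return struct.pack("!II", spi, seq) + plaintext + padding + bytes([pad_len, next_header])

def tunnel_mode(inner_pkt, gw_src, gw_dst, spi, seq):
    """Tunnel mode: the whole original packet becomes ESP payload and a new
    outer IP header addressed between the two gateways is prepended."""
    esp = esp_encapsulate(spi, seq, inner_pkt, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def transport_mode(inner_pkt, spi, seq):
    """Transport mode: the original IP header stays on the wire (protocol and
    length rewritten); only the L4 payload goes inside ESP."""
    ip_hdr, l4 = inner_pkt[:20], inner_pkt[20:]
    esp = esp_encapsulate(spi, seq, l4, ip_hdr[9])   # Next Header = original proto
    new_hdr = (ip_hdr[:2] + struct.pack("!H", 20 + len(esp)) + ip_hdr[4:9]
               + bytes([IPPROTO_ESP]) + ip_hdr[10:])
    return new_hdr + esp

def esp_decapsulate(esp):
    """Reverse esp_encapsulate: return (spi, seq, next_header, payload)."""
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    return spi, seq, next_header, esp[8:len(esp) - 2 - pad_len]

def ip_addrs(pkt):
    """Source/destination of the outermost IPv4 header, as dotted quads."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

# Constructed sample: branch host 10.1.1.5 sends TCP to HQ host 10.2.2.7; the
# CPE and corporate gateway use the constructed addresses 192.0.2.1/198.51.100.1.
SEGMENT = b"constructed TCP segment"
INNER = ipv4_header("10.1.1.5", "10.2.2.7", 6, len(SEGMENT)) + SEGMENT
TUNNEL = tunnel_mode(INNER, "192.0.2.1", "198.51.100.1", spi=0x1000, seq=1)
TRANSPORT = transport_mode(INNER, spi=0x2000, seq=1)
```

Compare `ip_addrs(TUNNEL)` with `ip_addrs(TRANSPORT)`: in tunnel mode an observer on the SP network sees only the two gateways, while transport mode exposes the real end hosts and hides only the L4 payload.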
Page 6
IPSec VPNs
Advantages
• Quickly provision VPN services without SP infrastructure changes (transparent to SP network)
• Very high security for entire data path (including client-to-SP connection)
• Very mobile and can span multiple SP networks
• Hardware encryption accelerators now available to help address performance and scalability issues
Limitations
• Not scalable
• No tunnel sharing (like Layer 2 tunneling), so each concurrent user terminates a separate tunnel on the gateway
• Encryption can severely limit performance of the tunnel termination platform
• IPSec (and all related protocols) expertise needed for provisioning
• Client software must be installed and supported (support desk costs)
• Limited added value and revenue stream potential
• Export restrictions on encryption technology
• Only supports tunneling of IP packets
Page 7
IPSEC TO MPLS SERVICE ARCHITECTURE
[Diagram. Legend: Frame PVC or 802.1Q; IPsec session. Elements: Corporate Intranet, Branch, Remote Users/Telecommuters, FR PVC, MPLS LSP, IPsec Session, Local or Direct Dial ISP, Cable/DSL/ISDN ISP, MPLS, PE, PE.]
• Cisco VPN 5000 Client Software is the tunnel source: Windows 95/98/2000/NT, Mac, Linux, Solaris
• Cisco VPN 5002/5008 terminates IPsec tunnels and maps sessions into FR PVCs
Page 8
IPsec to MPLS
• IOS IPsec site-to-site and client sessions mapped directly into MPLS VPN by co-locating Cisco VPN 5002 or 5008 concentrators with Cisco IOS MPLS PE routers
• Authenticate off-net sites via pre-shared keys and digital certificates
[Bullet fragments only; surviving text:]
• protected GRE tunnels
• traffic (ingress and egress) traveling through IPsec tunnels
Page 9
VPN 5000 CUSTOMER VIRTUAL CONTEXTS (CVC) & VIRTUAL ROUTER (VR) ARCHITECTURE
[Diagram: CISCO VPN 5000 with interfaces 10/100 Ether., DS3, FR PVC, HSSI FR, 10/100 Ether. or FR PVC; virtual routers Cust 1 VR, Cust 2 VR, Cust 3 VR, Cust 4 VR, Main VR; fragment: "its Network."]
• CVC Identifies Routing Features and VPN for Specified Customer
• Main CVC Defines Basic Functions of the System
• Permits Overlapping IP Address Ranges
• Features Configured Per CVC
  - IGP Routing: Static Routes, RIP, RIP 2, OSPF
  - L3/L2 Tunnel Mapping: IPsec, L2TP, GRE, FR PVC, 802.1Q VLAN
  - RADIUS Authentication/Accounting
  - Filter Sets
Page 10
IPSEC to MPLS VPN Architecture
[Diagram: Cust 1/2/3 IPsec Tunnels arrive from the INTERNET at a CISCO VPN5000 (10/100 Ether. or DS3 FR; DS3 FR PVCs) hosting Cust 1 VR, Cust 2 VR, Cust 3 VR and Main VR, connected to a CISCO IOS PE ROUTER with Cust 1 VRF, Cust 2 VRF, Cust 3 VRF on the MPLS Backbone.]
• Customer Virtual Contexts (CVC): Logical Interfaces, Physical Ports, VPN Tunnel Mapping, VPN Termination
• FR PVCs within a single DS3 port. Each CVC, or FR PVC, is viewed as a CE from the PE's perspective. Can run Static, RIPv2 or OSPF.