Telecom:NGN:VPN

Contents 1 Navigation 2 Related categories 3 About this page 4 VPN resources 5 General VPN information 6 PPTP/L2TP VPNs 7 SSL VPN resources 7.1 Commercial SSL-VPN solutions 7.2 SSL-VPN security aspects 7.3 VoIP over VPN tunnels 8 IPSec VPN resources 9 MPLS-VPN 10 Multicast over MPLS-VPN 11 Other VPN technologies 11.1 Hamachi VPN

Navigation

Related categories

About this page

We apologize for the little information we provide, this page is still under construction. Please stay tuned.

VPN resources

The term Virtual Private Network (VPN) encompasses a range of technologies destined to permit the secure transport of information across an insecure network infrastructure (e.g. the Internet). The VPN technologies being seen as an excellent opportunity for enterprises and telecom operators alike to cut network infrastructure cost by resource pooling and centralized management. Indeed, with VPN the enterprises can pase-out their expensive private networks and telecom operators may use more efficiently their infrastructure. The VPN technologies rely all on secure tuneling mechanisms and fall in several categories:

• Point to Point dial-up VPNs, based on Layer-2 tunneling protocols like PPTP or L2TP
• IPSec-tunneling VPNs (based on IPSec ESP encapsulation)
• MPLS VPNs, either BGP-based - based on Virtual Routing and Forwarding (VRF)
• "Martini"-type Layer-2 MPLS-VPNs based on the pseudowire mechanisms
• Virtual Private LAN Service (VPLS) emulating Ethernet LAN multicast/broadcast capability pseodowire-meshing
• SSL VPNs, based on TLS tunneling, particularly attractive for remote-access

General VPN information

• Introduction to VPN Technologies [1]
• Virtual Private Networks: An Overview with Performance Evaluation [2]
• Tom Dunnigan's VPN Page [3]
• IEC VPN Tutorial [4]
• VPN Consortium [5]
• VPN Decision Guide - IPSec or SSL VPN Decision Criteria [6]
• Cisco Introduction to VPN Technologies [7]
• Virtual Private Networking resources [8]
• Nortel's VPN Technology Overview [9]
• VPN resources courtesy of VPNTools

PPTP/L2TP VPNs

• Microsoft Windows PPTP/L2TP VPN [10] and tutorial
• Administrator's Guide to Microsoft L2TP/IPSec VPN Client [11]

SSL VPN resources

• SSL VPN FAQ [12]
• Magic Quadrant for SSL VPN, North America, 3Q05 [13]
• Securing Network Communication with Stunnel, OpenSSH, and OpenVPN [14]
• OpenVPN - Open Source SSL VPN solution (download)
• How to configure OpenVPN [15]
• HOWTO: Setting up a virtual private network with OpenVPN 2 [16]
• Installation sécurisée d’OpenVPN [17] (presentation)
• HOWTO: IPCop-OpenVPN [18]
• OpenVPN primer [19]
• OpenVPN 101: introduction to OpenVPN [20]
• Workshop: A quick and simple private tunnel with OpenVPN [21]
• SSL Explorer - a Browser-Based, Open Source SSL VPN [22]
• SSH tunnel for Windows [23]
• Stunnel -- Universal SSL Wrapper [24]
• Pass-Through Proxying as a Solution to the Off-Campus Web-Access Problem [25]

Commercial SSL-VPN solutions

• Aventail (now SonicWall) SSL-VPN Technical Primer [26]
• SSL VPN Decision Guide for Small to Medium Sized Enterprises [27]
• SonicWALL SSL-VPN Series [28]
• AEP Networks SSL VPN Application Access Technologies [29]
• NetGear SSL VPN Technical Primer [30]
• F5 FirePass SSL-VPN Whitepaper [31] (adopted by SAP)
• Juniper Networks SSL VPN - Secure Access [32]
• Cisco IOS SSL VPN solution [33] and whitepaper
• Nortel IPSEC/SSL VPN Gateway 3050 [34]

SSL-VPN security aspects

The SSL VPN, however convenient it is, represents potentially a security liability ("inside-out attack" threat), by its ability to "pierce" holes in Firewalls. This is especially dangerous for the "client-less" SSL VPN solutions, where a browser loads a simple JNLP (java web-start) applet over the SSL connection.

• Compass Security - Inside-Out (tunneling) Attacks [35]
• E&Y - Inside-Out Attacks - an old concept with new threats [36]
• Bypassing Firewall - Firewall Piercing (Inside-Out Attacks) [37]

VoIP over VPN tunnels

In fact, some SSL-VPN solutions (e.g. Stunnel, OpenVPN and SSL Explorer) have the capability to tunnel not only TCP but UDP as well. Of course, the UDP datagrams would be encapsulated in TCP ans subjected to delays and jitter induced by firewalls and HTTP proxyes. The SSL-VPN tunneling of VoIP works well for such fixed-port protocols like Asterisk's IAX.

• Running VoIP over SSL VPNs [38]
• Test shows VoIP call quality can improve with SSL VPN links [39]
• UDPTunnel - Tunnelling UDP packets over a TCP connection [40]

IPSec VPN resources

• An Illustrated Guide to IPsec [41]
• IPSec VPN Fundamentals [42]
• NIST Guide to IPsec VPNs [43]
• IPSec VPN Advanced Troubleshooting Guide [http://www.icsalabs.com/icsa/docs/html/communities/ipsec/IPsec_Advanced_Toubleshooting_GuideFinal.pdf ]
• Deploying a VPN with PKI part 1 and part 2
• VPN over IPsec primer (from the FreeBSD Handbook) [44]
• Nortel Contivity VPN Switches & IPSec Gateways [45]

MPLS-VPN

• MPLS VPN Architecture Overview [46]
• Pseudo Wire Emulation Edge-to-Edge (PWE3) - [47]
• Layer 2 Virtual Private Networks (L2VPN) - [48]
• Layer 3 Virtual Private Networks (L3VPN) - [49]
• Sprint MPLS VPN Service Level Agreements [50]
• RFC 2547bis: BGP/MPLS VPN Fundamentals (by Chuck Semeria, Juniper's Marketing Engineer)[51]
• MPLS/BGP Virtual Private Networks Overview [52]
• Implementing MPLS VPN in a Provider's (AT&T) IP Backbone [53]
• Troubleshooting MPLS VPN’s - by Netcraftmen's Peter Welcher [54]
• Cisco - MPLS VPN Security in Service Provider Networks [55]
• MFA - MPLS & Frame Relay Alliance Forum - Convergence vision and specifications
• MPLS Ready to Serve the Enterprise - the MFA "Superdemo" Interoperability Architecture [56]
• Multi-Vendor Layer-2 MPLS VPN Interoperability Testing Results [57]
• BGP and MPLS-Based VPNs - a Peter Welcher primer [58]
• MPLS VPNs - Cisco Presentation [59]
• Introduction to Cisco MPLS VPN Technology [60]
• Cisco Advanced MPLS VPNs Primer [61]
• Cisco - Layer 3 MPLS VPN Enterprise Consumer Guide [62]
• Cisco - The Move to MPLS-Based VPNs: Exploring Service Options [63]
• Cisco - GRE Tunnel with VRF Configuration Example : http://www.cisco.com/warp/public/105/grewithvrf.pdf
• Cisco - Configuring a Basic MPLS VPN : http://www.cisco.com/warp/public/105/mpls_vpn_basic.html

Multicast over MPLS-VPN

Multicast is not natively supported by MPLS. However, multicast-enabled applications are being increasingly deployed in enterprise networks and the lack of multicast support in the service-provider MPLS-VPN solutions becomes problematic. Different methods of introducing the multicast support in BGP MPLS-VPN networks have been proposed, all of them based on existing multicast-routing protocols (PIM-SM, PIM-BiDir and SSM):

• Native multicast support, based on PIM-SM Reverse Path Forwarding (RPF), which has a few issues:
  • the service provider has no visibility into how its end customers manage multicast within their enterprises
  • the amount of multicast distribution information (that is [S, G] or [*, G] states) that needs to be maintained in the provider's core
  • the P routers required to support an unbounded amount of state information based on the enterprise customer’s application of multicast.
  • the multicast groups that different customers define may conflict with each-other due to overlapping multicast groups or RFC1918 IP addressing (because the PIM routing tables are global)
• GRE "overlay" encapsulation tunnels, which also have disadvantages:
  • need for full GRE-tunnel mesh among CE routers belonging to each customer
  • unmaintainable and non-scalable due to amount of GRE tunnels to configure
  • waste of bandwidth due to PIM-SM backtracking over the GRE tunnels
• based on the "Multicast in MPLS/BGP VPNs" IETF draft and concept of "Multicast Domains" both patented by Cisco

The above IETF draft lays the principles of scalable multicast support over BGP MPLS-VPN, as implemented in Cisco and Juniper routers:

• A multicast domain is defined as a set of multicast-enabled VRF (mVRF) instances that can send multicast traffic to each other.
• A single multicast domain maps all of a customer’s multicast groups in a particular VPN to a single unique global multicast group in the provider's P-core.
• Core P routers maintain multicast state entries information and labels for the global routing table only and not for the customer-defined groups in each VPN.
• This is how this mechanism is achieved:
  • The PE encapsulates the original customer multicast packets within a provider packet by using GRE:
    • The destination address of the GRE packet is the unique multicast group that the service provider has allocated for that multicast domain.
    • The source address of the GRE packet is the BGP peering address of the originating PE router.
  • The GRE tunnels used are established between PE routers in a multicast configuration and are inherently more efficient than the full-mesh required for GRE overlay.
  • Multiple end customers can attach to a particular PE router, which is then member of many multicast domains, one for each customer mVPN
  • Only native multicast is required in the core network to support multicast domains over GRE tunnels.
  • The CE routers only maintain multicast PIM-SM adjacencies with their PE router neighbors.
  • The P routers no not need to hold state information for individual customer source trees - instead, they can hold as little as a single state entry for each VPN regardless of the number of multicast groups within a customer's VPN. This way the largest amount of state information in a P router is (number of PE routers in the backbone) times (number of VPNs).
  • On PE routers, each VRF has configured an associated multicast VRF (mVRF), containing all the multicast routing information for that VPN.
  • Use specific Ethertypes: 8847 for unicast MPLS and 8848 multicast MPLS packets

Multicast MPLS-VPN references

• Cisco MPLS-VPN multicast support
  • Multicast-VPN —IP Multicast Support for MPLS VPNs - Cisco IOS guide
  • Multicast-VPN IP Multicast Support for MPLS VPNs - another Cisco guide
  • Multicast VPN - a Cisco Press material
  • Deploying MPLS Traffic Engineering - a Networkers 2004 presentation
  • MPLS VPN's - a presentation by Netcraftsmen's Peter Welcher
  • Multicast Support for MPLS VPNs - Configuration Example
• MPLS Multicast Traffic Engineering - an article
• "Overview of IP Multicast in a Multi-Protocol Label Switching (MPLS) Environment" - - RFC 3353
• Support for multicast MPLS on Linux - a primer
• Juniper multicast-MPLS overview

Other VPN technologies

Hamachi VPN

LogMeIn Hamachi is a subscription-base solution for building VPN's over behind-NAT Internet connections. Hamachi is a centrally-managed VPN system, consisting of the server cluster managed by the vendor of the system and the client software, which is installed on end-user computers. Hamachi is using UDP tunneling using a server-assisted NAT-traversal technique, similar to UDP hole punching. More information is available on the Hamachi forums