Download Virtual Private Netorks: An Overview

Luminiţa SCRIPCARIU, Ion BOGDAN
Virtual Private Netorks: An Overview
Luminiţa SCRIPCARIU, Ion BOGDAN
Rezumat. Reţelele virtuale private (VPN) reprezintă o
Abstract. VPN (Virtual Private Network) is a favorite
soluţie de securitate de real succes pentru reţelele de
security solution for communication networks. There-
comunicaţii moderne. Sunt prezentate tipurile de reţele
fore, we present the more used VPN types and
VPN şi tehnicile de definire a acestora cu analiza
techniques. A comparison between them we made.
comparativă a diverselor soluţii. Sunt reliefate, de
We also present some tendencies for network security
aesemenea, tendinţele actuale de cercetare privind
based on VPNs.
soluţiile de securitate bazate pe VPN.
Keywords: network security, VPN, tunneling, real-time
Cuvinte cheie: securitatea reţelelor, VPN, tunelare,
services, QoS.
servicii în timp real, calitatea serviciilor (QoS).
1. Introduction
Nowadays,∗communication networks need more
security. Virtual Private Network (VPN) seems to be
the best solution for distributed network services
offered on a public infrastructure. A VPN is cheaper
and more flexible than a network with dedicated
connections such as permanent circuits over leased
Tunneling creates a dynamic virtual topology. For
example, Layer-2 Tunneling Protocol (L2TP) defines
tunnels over PPP sessions.
2. VPN categories
A. First, we can classify the VPN services
according to the OSI model, on different layers.
lines. This was the first step on private networks.
On the physical layer, Layer 1 Virtual Private
Initially VPNs offered low-cost secure and private
Networks (L1 VPNs) provides services at the edge
connections for two or more sites through an IP-
of the network, at the interfaces between customer
based network. It was an alternative to dedicated
edge (CE) and the provider edge (PE) devices from
fixed-bandwidth leased line on dial-up or ATM
the provider network. This interface works between
networks.
the client site and the provider network in a point-to-
VPNs maintain in the Internet cyberspace logical
point manner and therefore we can talk about point-
tunnels through which the packets travel opaquely,
to-point VPN (PPVPN). L1 VPN forwards packets
independent of their payload or IP-headers. In fact,
based on a port list. L1 services may be described in
the tunneling protocols impose different headers on
the VPN packet at the source site. Only the
destination node discards the tunnel header and
read the content of the datagram.
∗ Department of Telecommunications, Technical University
“Gheorghe Asachi” of Iasi, Romania.
32
terms of connectivity, capacity, availability, quality
and transparency (RFC 4847). Figure 1 presents the
reference model for L1 VPN.
Large capacity backbone networks designed as
L1 VPNs create the opportunity for customers to
offer transparently its own services with different
TELECOMUNICAŢII ● Anul LII, nr. 2/2009
Virtual Private Netorks: An Overview
payloads (e.g. IP, ATM, or TDM). L1 VPN has
services and Virtual Private LAN Service (VPLS) which
many benefits. Customers may be concentrated
emulates LAN services over a Wide Area Network
on higher-layer services while using the resources
(WAN).
provisioned by the L1 virtual private network of the
provider.
VPWS are offered to the customer edge through
provider edge circuits and a packet switched net-
On the data link layer, Layer 2 Virtual Private
work (PSN) tunnel (Fig. 2).
Networks (L2 VPNs) work with physical addresses
VPLS has the reference model given in Figure 3.
(defined on the Media Access Control sub-layer MAC)
For example, customers from different LANs are
(RFC 4664). There are two kinds of L2 VPN: Virtual
included in the same virtual emulated LAN over a
Private Wire Service (VPWS), which offer point-to-point
routed backbone.
Fig. 1. L1 VPN Reference Model.
Fig. 2. VPWS Reference Model.
Fig. 3. VPLS Reference Model.
TELECOMUNICAŢII ● Anul LII, nr. 2/2009
33
Luminiţa SCRIPCARIU, Ion BOGDAN
Another customer edge device may be attached
to the emulated LAN through a bridge module that
Different categories of VPNs may overlap each
other but they all have similar meanings.
learns and ages out MAC addresses in the standard
VPNs created by customers use encrypted traffic.
manner. This is the minimum functionality of the
Initially, customers defined their VPNs and used en-
VPLS PE. Depending on the service, the VPLS PE
cryption to secure communication. These are secure
should support single or multiple connections as full
VPNs or Site-to-Site VPNs.
IEEE bridges or should recognize IEEE 802.1Q
Later, Internet expands and VPNs become a
VLANs tagging. Besides, it can also work with virtual
service. NSP creates and manages Trusted VPNs
connection (VC) identifiers or port information.
and the customer always “trusts” the provider.
Customers can access securely the private network
On the network layer, Layer 3 Virtual Private
Networks (L3 VPN) offer IP-connectivity through a
public backbone. It forwards packets based on the
customer’s internal routing information. Communications between the CE and the PE devices need an
intra-network routing protocol. On the backbone, PE
routers transfer routing information using an external
gateway protocol (EGP).
Two customer sites included in the same L3 VPN
have IP-connectivity over the transport network even
if they are in different physical LANs. CE and PE
devices are routers in a L3 VPN.
If a customer defines many virtual sites on the
same physical site using VLANs, then the PE router
should distinguish between them. In fact, it has
resources from any public location using the remoteaccess VPN.
If a secure VPN runs as part of a trusted VPN,
then a hybrid VPN results [1].
C. A very useful classification of VPNs results
from its nature, soft or hard.
Usually a firewall is used to create and to manage a
VPN. This is a hard VPN and it is a costly solution.
Soft VPNs use software solutions to secure
remote connections with low or no-costs. Many
customers are adepts of Soft VPNs because there
are many free offers for software VPNs.
3. VPN protocols
separate forwarding table for each VLAN. Each
Traditional networks (IP, Frame Relay or ATM)
VLAN can be mapped to a different VPN. A CE
have many disadvantages regarding security. MPLS
router can support multiple virtual sites even if it
solve its problems [2] and L3 VPNs adopted it.
uses MPLS or not. On the same physical interface
Enterprise networks and military communications use
(e.g. Frame Relay or ATM) the customer can set up
MPLS VPN [3].
many logical interfaces to manage different VPNs.
The main framework of VPNs includes two
complementary technologies: MPLS and IPsec.
B. Secondly, other categories of VPNs are Cus-
IPsec offers authentication, encryption/decryption
tomer Edge-based or Provider Edge-based VPNs
and hashing services at the end-points of a network
(CE-VPN and PE-VPN), Outsourced or In-house
tunnel [4].
VPNs, Client-based or Web-based VPNs, Secure,
Trusted or Hybrid VPNs, regarding the network
management made by the customers or by the
network service provider (NSP).
34
MPLS switching works with simple labels attached
to the IP packets.
Usually on a L3 VPN, MPLS (Multiprotocol Label
Switching) transports frames through the service
TELECOMUNICAŢII ● Anul LII, nr. 2/2009
Virtual Private Netorks: An Overview
provider backbone and BGP (Border Gateway Pro-
4. Quality of services
tocol) routes the packets. This is a BGP/MPLS IP VPN
(RFC 2547, RFC 4577).
BGP/MPLS VPN model is scalable, reliable and
well fitted for provisioning of VPN services [5].
The CE and the PE routers communicate using
an IGP (Internal Gateway Protocol) such as OSPF
(Open Shortest Path First). The PE routers communi-
Communication networks offer today multi-layer
services over secure virtual links.
Provisioning VPN services has to ensure the required quality-of-service (QoS) which implies different
parameters: packet loss, delay, jitter and required
bandwidth.
VPN customers demand QoS similar to leased
cate using BGP (Border Gateway Protocol). So,
BGP/OSPF interaction procedures are applied on
line like scenario. The VPN should guaranty the QoS.
Quality of the voice service is reduced by delay,
the PE routers.
Traditional secure VPN needs to install client
jitter and packet loss.
software and different complex tasks. Using Secure
MPLS VPN has low delay and packet loss rate
Socket Layer (SSL) protocol, this aspect was over-
and provides QoS as connection-oriented services
whelmed [6], [7].
do.
SSL and other tunneling protocols such as point to
Bandwidth allocation for VPN services is an im-
point tunneling protocol (PPTP) and layer 2 tunneling
portant issue of traffic engineering. Different models
protocol over Internet protocol security (L2TP/IPSec)
for service provisioning focus on bandwidth efficiency
are described by Joha A.A. et al. [8] as remote
(pipe-model, hose-model) but the hose model solves
access VPN commonly used protocols.
better the ingress and egress bandwidth reservation
Address families are also important if the Internet
[10].
Protocol (IP) version is not the same for all the net-
QoS also depends on the VPN management
work nodes. VPN-IPv4 and VPN-IPv6 use different
system performances. For large and complex net-
identifiers according to the IP address length.
work structure, the management costs become very
A VPN-IPv4 address is a 12-byte sequence,
beginning with an 8-byte "Route Distinguisher (RD)"
large and policy-based network management solutions
must be found and applied.
and ending with a 4-byte IPv4 address (RFC 2547).
A VPN-IPv6 address is a 24-byte sequence,
5. Tendencies in VPN
beginning with the 8-byte "Route Distinguisher (RD)"
and ending with the 16-byte IPv6 address (draft-ietfl3vpn-bgp-ipv6-07.txt).
Some translation has to be made in the routing
table to ensure compatibility. The BGP Multiprotocol
Extensions allow BGP to route packets from multiple
address families.
Signaling is another aspect important for different
services such as voice over IP and trusted VPN can
offer on demand signaling for multimedia network
services [9].
TELECOMUNICAŢII ● Anul LII, nr. 2/2009
Today, an enormous interest exists on secure
wireless networks and mobile services in general, on
secure voice and real-time traffic over packet networks and so on.
VPNs need to support secure communication
between mobile VPN users in foreign networks and
the VPN services should diversify to offer all these
capabilities.
Mobile Virtual Private Network (MVPN), with
mobile users or mobile sites, is a new concept that
35
Luminiţa SCRIPCARIU, Ion BOGDAN
must be improved [11]. IETF developed a SIP-based
[5] Palmieri, F. , VPN scalability over high performance
mobile VPN with enhanced security (SIP - Session
backbones evaluating MPLS VPN against traditional
initiation protocol) [12].
approaches,
Proceedings
of
International
Symposium
on
Managed Dynamic VPN represents a solution to
maximize the VPN performances [13].
Other security protocols based on IPsec for
mobile users authentication, key scheduling or billing
are developed [14].
the
8th
Computers
IEEE
and
Communication, 2003, ISCC 2003, Antalya, Turkey,
Vol. 2, pp. 975 – 981, ISSN: 1530-1346,
ISBN: 0-7695-1961-X
[6] Yang Kuihe, Chu Xin, Implementation of Improved
VPN Based on SSL, 8th International Conference on
Converged data and voice networks and the actual
Electronic Measurement and Instruments, 2007.
increasing volume of traffic create new demands for
ICEMI '07, Xi'an, China, pp. 2-15 – 2-19, ISBN: 978-
VPN designers, including the economic aspect.
1-4244-1136-8
[7] Jingli Zhou Hongtao Xia Xiaofeng Wang Jifeng
6. Conclusions
Yu, A New VPN Solution Based on Asymmetrical SSL
Tunnels, Japan-China Joint Workshop on Frontier of
VPNs represent the best network security solution
Computer Science and Technology, 2006. FCST '06,
for large companies and private communications
Nov. 2006, Fukushima, Japan, pp.71 – 78,
(military, governmental etc.). Depending on the appli-
ISBN: 0-7695-2721-3
cation costs, customers can choose to implement a
[8] Joha, A.A. Ben Shatwan, F. Ashibani, M., Per-
specific type of VPN, using a hardware device or a
formance Evaluation for Remote Access VPN , 8th
software tool. VPN protocols evolve continuously
International Conference on Telecommunications in
and tend to solve specific critical problems of mobile
Modern Satellite, Cable and Broadcasting Services,
networks or multimedia services security.
References
2007, TELSIKS 2007, Serbia, 26-28 Sept. 2007,
pp. 587 – 592, ISBN: 978-1-4244-1467-3
[9] Ravindran, R.S., Changcheng Huang, Thulasiraman, K. , Topology abstraction as VPN service, IEEE
[1] http://www.vpnc.org/vpn-technologies.html, VPN Tech-
International Conference on Communications 2005,
nologies: Definitions and Requirements, VPN Con-
ICC 2005, 16-20 May 2005, Seoul, Korea, Vol. 1,
sortium, July 2008
pp. 105 – 109, Vol. 1, ISBN: 0-7803-8938-7
[2] Jing-bo Xia Ming-hui Li Lu-jun Wan , Research on
[10] Jian Chu, Chin-Tau Lea, New Architecture and
MPLS VPN Networking Application Based on OPNET,
Algorithms for Fast Construction of Hose-Model
International Symposium on Information Science and
VPNs, IEEE/ACM Transactions on Networking, June
Engineering, 2008, ISISE '08, Shanghai , China, Vol. 1,
2008, Volume: 16, Issue: 3, pp: 670 – 679, ISSN:
pp. 404 – 408, ISBN: 978-1-4244-2727-4
1063-6692
[3] Li Ming-hui Xia Jing-bo, Research and Simulation on
[11] Hui Zhang, Yajuan Qin, Hongke Zhang, Jianfeng
VPN Networking Based on MPLS, 4th International
Guan , Study on host and station mobility in BGP/MPLS
Conference on Wireless Communications, Networking
VPN, IET International Conference on Wireless,
and Mobile Computing, 2008. WiCOM '08. Dalian,China,
Mobile and Multimedia Networks, 2006, 6-9 Nov.
Oct. 2008, pp. 1 – 4, ISBN: 978-1-4244-2107-7
2006, Hangzhou, China, pp. 1 – 3, ISSN: 0537-9989,
[4] Chris Metz, The Latest in Virtual Private Networks:
Part I, IEEE INTERNET COMPUTING, JANUARY FEBRUARY 2003, pp. 87 – 91
36
ISBN: 0-86341-644-6
[12] Shun-Chao Huang, Zong-Hua Liu, Jyh-Cheng
Chen, SIP-based mobile VPN for real-time appli-
TELECOMUNICAŢII ● Anul LII, nr. 2/2009
Virtual Private Netorks: An Overview
cations, 2005 IEEE Wireless Communications and
Communications, 2007, ICC '07, Glasgow, GB, 24-28
Networking Conference, 13-17 March 2005, Volume: 4,
June 2007, pp. 211 – 216, ISBN: 1-4244-0353-7
pp. 2318 – 2323, ISSN: 1525-3511, ISBN: 0-7803-
[14] Ntantogian, C., Xenakis, C., A Security Protocol for
8966-2
Mutual Authentication and Mobile VPN Deployment in
[13] Ravindran, R.S. Changcheng Huang Thulasira-
B3G Networks, IEEE 18th International Symposium
man, K., Managed Dynamic VPN Service: Core
on Personal, Indoor and Mobile Radio Communica-
Capacity Sharing Schemes For Improved VPN
tions, 2007. PIMRC 2007. Athens, Greece, 3-7 Sept.
Performance, IEEE International Conference on
2007, pp. 1 – 5, ISBN: 978-1-4244-1144-3
TELECOMUNICAŢII ● Anul LII, nr. 2/2009
37