Overlay, Peer-to-Peer and MPLS VPN
The traditional peer-to-peer model requires strict uniqueness of IP address space. Overlapping addresses, usually the result of private IP addresses being used in customer networks, are one of the major obstacles to successful deployment of peer-to-peer VPN implementations. Three solutions have been proposed to overcome this limitation.
1. The service provider can persuade the customers to renumber their networks. Most customers would not be willing to do that and would rather find another service provider.
2. It can implement the VPN service with IP-over-IP tunnels, where the customer IP addresses are hidden from the service provider routers (Layer 3 overlay model).
3. It can implement a complex network address translation (NAT) scheme that translates customer addresses into a different (but unique) set of addresses at the ingress provider edge (PE) router and translates them back to the customer addresses before the packet is sent from the egress PE router to the CE router. Although such a solution is technically feasible, the administrative overhead is prohibitively large and the scheme is difficult to troubleshoot.
Types of VPN
Overlay VPN
In the overlay VPN model, the service provider network is a collection of point-to-point links or virtual circuits (VCs). Routing within the customer network is transparent to the service provider network, and routing protocols run directly between customer routers. The service provider has no knowledge of the customer routes and is simply responsible for providing point-to-point transport of data between the customer sites.
The figure illustrates the deployment of an overlay VPN. The scenario adopts a hub-and-spoke topology in which the Paris site is the hub and the London and Zurich sites are the spokes. The London site is linked to the Paris site via point-to-point VC #1; likewise, the Zurich site is linked to the Paris site via point-to-point VC #2. In this case the layer-3 routing adjacencies are established between the CE routers at the customer sites, and the service provider is not aware of this routing information at all. From the perspective of the CE routers, the service provider infrastructure appears as point-to-point links between Paris and London and between Paris and Zurich.
These VPNs can be implemented at layer 1 using leased or dial-up lines, at layer 2 using X.25, Frame Relay or ATM virtual circuits, or at layer 3 using IP (GRE) tunnels or IPsec tunnels. The following implementations are used in the overlay model:
1. Layer 1: The service provider establishes layer 1 connectivity between customer sites via ISDN, DS0, T1, E1, SONET or SDH, and the customer is responsible for implementing all higher layers (data link and IP). The customer generally uses PPP or HDLC to establish the connection.
2. Layer 2: This adopts the traditional switched WAN solution. The service provider is responsible for establishing layer 2 VCs between customer sites via X.25, Frame Relay or ATM, and the customer is accountable for the IP layer and above.
3. Layer 3: The VPN is implemented with point-to-point IP-over-IP tunnels. This is referred to as IP tunneling: a destination can be reached transparently without the source having to know the topology. Tunnels also enable the use of private network addressing across a service provider's backbone without the need for NAT (Network Address Translation). Tunnels are either GRE (Generic Routing Encapsulation) or IPsec (IP Security).
· GRE: simpler, with less overhead and, of course, less security. GRE tunnels do not provide true confidentiality (the inner packet, including the customer's private addresses, crosses the provider backbone in the clear), but they can carry traffic that is already encrypted. GRE is capable of carrying IP multicast traffic between two sites.
· IPsec: its deployment is more complex and resource intensive (CPU), but it provides more robust security. IPsec is an IETF (Internet Engineering Task Force) standard and operates at layer 3. Because IPsec encryption works only on IP unicast packets, GRE is used in conjunction with IPsec to overcome this limitation: GRE encapsulates the multicast traffic into unicast packets, which IPsec then protects.
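The layer-3 overlay item and the GRE bullet above both turn on the same mechanism: the provider forwards on the outer IP header and never looks at the customer's inner addresses, which is why two customers can both use 10.1.1.0/24 behind GRE, and also why GRE by itself hides nothing from anyone on the path. The following script is an added example written for this page, not code from the original post; it builds two GRE-over-IPv4 packets with the standard library, forwards them through a constructed provider table keyed only on the outer destination, and decapsulates them at the receiving CE. The addresses, the provider table and the customer payloads are all constructed for the example.

```python
"""Added example (not from the original post): IP-over-IP overlay with GRE.

Builds GRE-encapsulated IPv4 packets for two customers whose inner (private)
addresses overlap, then shows that a provider router forwards on the outer
header only, so the overlapping 10.x addresses never reach its forwarding
decision. It also shows that the inner header is readable in transit, which
is the GRE confidentiality caveat. Standard library only.
"""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type field value for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header, verify its checksum and return the fields plus payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "ttl": pkt[8], "payload": pkt[ihl:]}


def gre_encap(inner: bytes) -> bytes:
    """Base GRE header (RFC 2784): no C/K/S flags, version 0, protocol type IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner


def gre_decap(payload: bytes) -> bytes:
    """Strip the 4-byte base GRE header; optional GRE fields are out of scope here."""
    flags_ver, proto = struct.unpack("!HH", payload[:4])
    if flags_ver != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return payload[4:]


# Constructed provider core forwarding table: public prefixes -> next hop.
PROVIDER_FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "pe-london",
    ipaddress.ip_network("203.0.113.0/24"): "pe-zurich",
    ipaddress.ip_network("192.0.2.0/24"): "pe-paris",
}


def provider_forward(pkt: bytes) -> str:
    """P router: longest-prefix match on the OUTER destination only; payload is never read."""
    dst = ipaddress.ip_address(parse_ipv4(pkt)["dst"])
    matches = [n for n in PROVIDER_FIB if dst in n]
    if not matches:
        raise LookupError("no route to %s" % dst)
    return PROVIDER_FIB[max(matches, key=lambda n: n.prefixlen)]


def ce_receive(pkt: bytes) -> dict:
    """Egress CE: strip outer IPv4 + GRE and return the inner (customer) addresses."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    inner = parse_ipv4(gre_decap(outer["payload"]))
    return {"src": inner["src"], "dst": inner["dst"]}


def demo() -> dict:
    """Two customers with identical private addressing share the same backbone."""
    inner_a = build_ipv4("10.1.1.10", "10.1.1.1", 6, b"customer A payload")
    inner_b = build_ipv4("10.1.1.10", "10.1.1.1", 6, b"customer B payload")
    pkt_a = build_ipv4("192.0.2.1", "198.51.100.1", GRE_PROTO, gre_encap(inner_a))
    pkt_b = build_ipv4("192.0.2.2", "203.0.113.1", GRE_PROTO, gre_encap(inner_b))
    return {
        "a_next_hop": provider_forward(pkt_a),
        "b_next_hop": provider_forward(pkt_b),
        "a_inner": ce_receive(pkt_a),
        "b_inner": ce_receive(pkt_b),
        # GRE gives no confidentiality: the inner packet is readable by anyone on the path.
        "inner_visible_in_transit": parse_ipv4(pkt_a)["payload"][4:] == inner_a,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The provider function is the point of the example: it is the only code a P router would run, and it never touches anything after the outer header, so the identical inner addresses in both packets are irrelevant to it. The final `inner_visible_in_transit` check is the security caveat from the GRE bullet in executable form; putting IPsec in front of the GRE packet is what turns that value to false.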
The overlay VPN model has a few major problems:
1. A high level of configuration overhead.
2. The requirement for a fully meshed deployment of point-to-point links or VCs over the service provider's backbone to attain optimal routing.
3. Customer routes are propagated in the provider core.
4. The provider is responsible for addressing, so private addressing is not an option.
Peer-to-Peer VPN
The peer-to-peer model adopts a simple routing scheme for the customer. Both the provider and the customer network use the same network protocol, and all the customer routes are carried within the core (service provider) network. The PE routers exchange routing information with the CE routers, and layer-3 routing adjacencies are established between the CE and PE routers at each site. Because peer-to-peer routing has been implemented, routing between sites is now optimal: a fully meshed deployment of point-to-point links or VCs over the service provider backbone is no longer required to attain optimal routing. Since there is no overlay mesh to contend with, the addition of new sites is easier, and circuit capacity sizing is not an issue. Because the service provider now participates in customer routing, provider-assigned or public address space needs to be deployed in the customer's network, so private addressing is no longer an option.
Two approaches have been adopted:
1. Shared PE approach: a common PE router carries all customer routes. Routes are separated with BGP communities and route filters (access lists, route maps) on the PE-to-CE interfaces. The complexity of the configuration results in high maintenance cost, CPU utilization and memory requirements.
2. Dedicated PE approach: each customer has a dedicated PE router that carries only its own routes. Customer segregation is achieved through the absence of other customers' routing information on the PE router. The P router contains all customer routes and filters routing updates between different PE routers using Border Gateway Protocol (BGP) communities. Because each customer has a dedicated PE router, this approach is expensive to deploy and hence is not a cost-effective solution.
MPLS IP VPN
MPLS VPN is a true peer-to-peer model that combines the best of both worlds. It unites the customer security and segregation features of the overlay model with the simplified customer routing of the traditional peer-to-peer model. The MPLS VPN architecture is very similar to the dedicated PE router model, except that the dedicated per-customer routers are implemented as virtual routing tables within the PE router. In other words, customer segregation is achieved through the concept of virtual routing and forwarding (VRF), whereby the PE router is subdivided into virtual routers serving different VPNs (or customer sites). This allows overlapping addresses in different customer sites, since each customer is now assigned an independent routing table.
The PE routers hold routing information only for directly connected VPNs. As a result, the size of the PE routing table is significantly reduced: the amount of routing information is proportional to the number of VPNs attached to the PE router. The PE routing table will therefore still grow as the number of directly connected VPNs increases. In addition, the PE routers participate in customer routing, ensuring optimal routing between sites and easy provisioning. Full routing within the service provider backbone is no longer required because Multiprotocol Label Switching (MPLS), not traditional IP routing, is used to forward packets.
Two types of routing tables are used on a PE router: a VPN routing table (VRF) for each attached customer, and the global routing table for the non-VPN (IGP) routes used for routing between the PE and P routers.
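The shared-PE approach (a single table for all customers, separated by filters) and the MPLS VPN approach (one VRF per customer plus a global table) differ precisely in what happens when two customers use the same private prefix. The script below is an added example written for this page, not code from the original post or from any router vendor: it models a PE router with a longest-prefix-match table per VRF and a separate global table, and contrasts it with one shared table. Customer names, prefixes, next hops and the label value are constructed; raising an error on a duplicate prefix is a choice made for this example to make the collision visible, not the behaviour of a real routing process.

```python
"""Added example (not from the original post): per-VRF routing tables on a PE
router versus a single shared table, with overlapping customer prefixes.
Standard library only; all names, prefixes and next hops are constructed."""
import ipaddress
from typing import Dict, Optional


class RoutingTable:
    """A single longest-prefix-match table: one VRF, or the global table."""

    def __init__(self, name: str):
        self.name = name
        self.routes: Dict[ipaddress.IPv4Network, str] = {}

    def add(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix)
        # Example-only policy: refuse a duplicate prefix with a different next hop,
        # so that the shared-table collision below is explicit rather than silent.
        if net in self.routes and self.routes[net] != next_hop:
            raise ValueError("%s: %s already points to %s" % (self.name, net, self.routes[net]))
        self.routes[net] = next_hop

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class PERouter:
    """PE with one VRF per attached VPN plus a global table for the backbone (P/PE routes)."""

    def __init__(self):
        self.global_table = RoutingTable("global")
        self.vrfs: Dict[str, RoutingTable] = {}

    def vrf(self, customer: str) -> RoutingTable:
        return self.vrfs.setdefault(customer, RoutingTable("vrf:" + customer))

    def forward(self, ingress_vrf: Optional[str], dst: str) -> Optional[str]:
        """A packet from a customer interface is looked up only in that interface's
        VRF; a packet arriving from the backbone uses the global table."""
        table = self.global_table if ingress_vrf is None else self.vrf(ingress_vrf)
        return table.lookup(dst)


def shared_pe_single_table() -> str:
    """Shared-PE approach: one table for everyone, so a second 10.1.0.0/16 collides."""
    shared = RoutingTable("shared")
    shared.add("10.1.0.0/16", "ce-customerA-paris")
    try:
        shared.add("10.1.0.0/16", "ce-customerB-zurich")
        return "accepted"
    except ValueError as exc:
        return "collision: %s" % exc


def mpls_vpn_vrfs() -> Dict[str, Optional[str]]:
    """MPLS VPN: the same prefix lives in two VRFs and resolves independently."""
    pe = PERouter()
    pe.vrf("A").add("10.1.0.0/16", "ce-customerA-paris")
    pe.vrf("A").add("10.2.0.0/16", "pe-london via label 17")   # remote site, label-switched
    pe.vrf("B").add("10.1.0.0/16", "ce-customerB-zurich")
    pe.global_table.add("192.0.2.0/24", "p-core")              # PE/P loopbacks (IGP)
    return {
        "A->10.1.1.1": pe.forward("A", "10.1.1.1"),
        "B->10.1.1.1": pe.forward("B", "10.1.1.1"),
        "A->10.2.5.5": pe.forward("A", "10.2.5.5"),
        "B->10.2.5.5": pe.forward("B", "10.2.5.5"),          # B has no such route
        "global->192.0.2.7": pe.forward(None, "192.0.2.7"),
        "global->10.1.1.1": pe.forward(None, "10.1.1.1"),    # customer routes are not global
    }


if __name__ == "__main__":
    print(shared_pe_single_table())
    for key, value in mpls_vpn_vrfs().items():
        print(key, value)
```

Two results are worth reading together: VRF B gets no answer for 10.2.5.5 even though VRF A has a route for it, and the global table gets no answer for any 10.x address. That is the segregation property of the MPLS VPN model stated in the text, implemented as nothing more than "which table does this interface consult".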