Networks Research Group Deployment of an IPv6-Enabled Dynamic VPN Infrastructure.

Networks Research Group

Deployment of an IPv6-Enabled Deployment of an IPv6-Enabled Dynamic VPN InfrastructureDynamic VPN Infrastructure

3 September 2003 Networks Research Group Seminar

2

Current Work

ProjectsProjects PastPast

ANDROIDANDROID RADIOACTIVERADIOACTIVE

PresentPresent 6NET6NET ICBICB

FutureFuture SEINITSEINIT

VPN TechnologiesVPN Technologies Netcelo VPN Netcelo VPN

ManagerManager ISI - X-BoneISI - X-Bone DRDC - DVCDRDC - DVC UMU - PBNMUMU - PBNM Entrust VPN Entrust VPN

ConnectorConnector

6NET VPN Infrastructure Deployment

““To look at the issues surrounding the To look at the issues surrounding the provision of IPv6 dynamic VPN provision of IPv6 dynamic VPN technology and deploy an IPv6-technology and deploy an IPv6-

Enabled VPN Infrastructure”Enabled VPN Infrastructure”

International Collaboration Board (ICB)

““To carry out an experimental To carry out an experimental deployment of an IPv6-Enabled VPN deployment of an IPv6-Enabled VPN

Infrastructure upon which one can Infrastructure upon which one can experiment on the sort of policies that experiment on the sort of policies that

coalition networks require”coalition networks require”


5

Netcelo VPN Management

Deployed During ANDROIDDeployed During ANDROID Single VPN ManagerSingle VPN Manager Full Mesh TopologyFull Mesh Topology Tested with Multicast ConferencingTested with Multicast Conferencing

Active Networking (Funnelweb)Active Networking (Funnelweb) Transcoding Active GatewayTranscoding Active Gateway

Proprietary SystemProprietary System


6

ISI X-Bone

UCL extended X-Bone for IPv6 capability during UCL extended X-Bone for IPv6 capability during RADIOACTIVERADIOACTIVE

Overlay Managers & Resource DaemonsOverlay Managers & Resource Daemons Invitation-Based Set-UpInvitation-Based Set-Up Choice Of TopologyChoice Of Topology Recursive OverlaysRecursive Overlays Demonstrated at DANCE - May 2002Demonstrated at DANCE - May 2002

3 sites - Star Topology3 sites - Star Topology Possibility of sub-optimal topologyPossibility of sub-optimal topology


7

DRDC DVC

““Provides secure/authenticated out-of-band Provides secure/authenticated out-of-band channels to establish, monitor and channels to establish, monitor and dismantle VPNs”dismantle VPNs”

Based On Ideas From X-BoneBased On Ideas From X-Bone Coalition-BasedCoalition-Based Full Mesh TopologyFull Mesh Topology Exchange of Security PoliciesExchange of Security Policies


8

UMU-PKIv6UMU-PKIv6 CA Provides X.509 Certificate Enrollment And CA Provides X.509 Certificate Enrollment And

Lifecycle Management for IPv6Lifecycle Management for IPv6 Supports LDAPv6, OCSP and SCEPSupports LDAPv6, OCSP and SCEP

UMU-PBNMUMU-PBNM Policy Management Tool (PMT)Policy Management Tool (PMT) Policy Decision Point (PDP)Policy Decision Point (PDP) Policy Enforcement Point (PEP)Policy Enforcement Point (PEP) VPN Enforcement Tool (VPN ETool)VPN Enforcement Tool (VPN ETool)

UMU-PBNM

COPS


9

Issues

No clear globally accepted VPN definitionNo clear globally accepted VPN definition Scope of a VPNScope of a VPN Uncertainty in:Uncertainty in:

What is requiredWhat is required How to develop itHow to develop it The Current status of each of the projectsThe Current status of each of the projects

VPN Workshop – July 2003VPN Workshop – July 2003 Aim to discuss and resolve issues of confusionAim to discuss and resolve issues of confusion Aim to encourage collaborationAim to encourage collaboration


10

Building An Ideal System

Each system excels in its particular area of Each system excels in its particular area of focusfocus X-Bone – Overlay Hierarchy, TopologyX-Bone – Overlay Hierarchy, Topology DVC – Distributed, Localised ControlDVC – Distributed, Localised Control UMU-PBNM – Security InfrastructureUMU-PBNM – Security Infrastructure

Want the best of all worldsWant the best of all worlds


11

Ideal System – Existing Features

Localisation and Security of DVCLocalisation and Security of DVC Distributed Nature of DVCDistributed Nature of DVC Platform Independence of DVC/X-BonePlatform Independence of DVC/X-Bone Hierarchic Nature of X-BoneHierarchic Nature of X-Bone Topological Flexibility of X-Bone/UMUTopological Flexibility of X-Bone/UMU Policy Management of UMUPolicy Management of UMU Security Management of UMUSecurity Management of UMU


12

Ideal System – New Features

Dynamic TopologyDynamic Topology (Secure?) Routing over VPN(Secure?) Routing over VPN Multicast CapabilityMulticast Capability QoS ProvisionQoS Provision


13

VPN Workshop – Summary

X-BoneX-Bone Expected to be IPv6-Enabled OctoberExpected to be IPv6-Enabled October Dynamic Overlay RoutingDynamic Overlay Routing Node Re-visitationNode Re-visitation Provides capability for topological definitionProvides capability for topological definition Does not allow addition/deletion of nodes to as Does not allow addition/deletion of nodes to as

existing overlayexisting overlay Combination with other systems looks Combination with other systems looks

promisingpromising


14

VPN Workshop – Summary cont.

DVCDVC Good model for flexible use of policiesGood model for flexible use of policies Agreed to move to IPv6 – target date Agreed to move to IPv6 – target date

NovemberNovember Currently moving toward XML based Currently moving toward XML based

policy definitionpolicy definition Discussing combination with UMUDiscussing combination with UMU


15


UMUUMU Security Management InfrastructureSecurity Management Infrastructure Policy Management InfrastructurePolicy Management Infrastructure VPN definition limited to 6WINDVPN definition limited to 6WIND


16


CiscoCisco Presented various approaches for large Presented various approaches for large

scale VPN deploymentscale VPN deployment Stated IPv6 IPSec solutions not planned Stated IPv6 IPSec solutions not planned

before mid-2004before mid-2004


17

VPN Workshop – Outcome

Updated parties on status of projectsUpdated parties on status of projects Discussions conducted on problems and Discussions conducted on problems and

issuesissues Consensus reached over issues of confusionConsensus reached over issues of confusion All parties agreed on collaborationAll parties agreed on collaboration Plans for hosting a further VPN Workshop Plans for hosting a further VPN Workshop

during Novemberduring November


18

Future Work

Re-evaluate X-Bone With EnhancementsRe-evaluate X-Bone With Enhancements Initial Deployment Potentially X-BoneInitial Deployment Potentially X-Bone

VPN Management SystemVPN Management System Dynamic Tunnel Establishment & ManagementDynamic Tunnel Establishment & Management Dynamic Topology (Bootstrapping)Dynamic Topology (Bootstrapping)

Policy DefinitionPolicy Definition Types of policiesTypes of policies

Networks Research Group

Manish [email protected]

Department of Computer ScienceDepartment of Computer Science

University College LondonUniversity College London

Networks Research Group Deployment of an IPv6-Enabled Dynamic VPN Infrastructure.

Documents

Transcript of Networks Research Group Deployment of an IPv6-Enabled Dynamic VPN Infrastructure.