So Your Customer Wants a VPN
Howard C. Berkowitz, Gett Communications
hcb@clark.net, (703) 998-5819
NANOG 16 -- May 1999 -- Eugene, OR
(Slides dated 5/22/1999 5:55 PM)
Issues
• Understanding Requirements
• Managing Expectations
• Defining your Service
• Deployment Issues
Motivations
Customer Goals
• Saving money
• Saving money
• Saving money
• Saving money
• Saving money
• Saving money
• Saving money
• Saving money
• Saving money
• Saving money
• Enabling workforce distribution
• Building strategic alliances
• Improving operational flexibility
Customer Constraints
• Availability & Performance
• Security
• Compatibility
• Manageability
• Budget
Clue Factor
Common Customer Confusions
• VPN over IP = VPN over Internet
  – "whee! I can replace all my Frame Relay with $20 a month ISP connections!"
• VPN = "selling on the net"
  – Membership must be established before communication
• "The VPN does all my security"
• "I can get controlled QoS over the Internet"
Workforce Distribution
(Figure: the kinds of remote user a VPN has to serve: Telecommuter, Road Warrior, Mobile User, Hotel, Satellite Office User.)
Source: Cisco University VPN Seminar
Special Challenges
• Voice
• Video
• Image retrieval
• Greater involvement with applications
High Speed Last Mile
• V.90, multiple modems (MLPPP)
• ISDN
• xDSL
• Fixed wireless
• Cable
• Fiber to the neighborhood/building
Network Commerce Cost Savings
(Chart: Cost Per Transaction, scale $0.00 to $1.20, by channel: Branch, Telephone, ATM, PC Banking, Internet.)
Source: Department of Commerce, 5/98
Customer Financial Analysis
Cost Components
• Direct one-time costs
  – Access servers
  – Server routers
• Direct recurring costs
  – Dial charges
  – Line charges
  – Vendor support
• Indirect recurring costs
  – WAN Administrator time
  – Security/server administrator time
Direct Cost Comparison
Traditional Dial-Up
  Set-up costs
  – Number of Users: 20
  – Remote Access Server: $3,000
  – One-time installation fee, 10 Phone Lines: $1,000
  Recurring costs
  – Monthly long-distance charges per minute: $0.10
  – Average use per day per user in minutes: 90
Access VPN
  Set-up costs
  – Number of Users: 20
  – Access Router, T1/E1, DSU/CSU, Firewall: $4,600
  – VPN Client Software ($50 per user): $1,000
  – T1/E1 installation: $5,000
  Recurring costs
  – Central Site T1/E1 Intranet Access: $2,500
  – Monthly ISP access ($20 per user): $400
Source: Cisco University VPN Seminar
Payback in Four Months!
• Payback: 4 months
• Annual savings: $30,000
• Capital outlay: $10,600
(Chart: savings by Month, 1 through 12, plotted against the $10.6K Capital Outlay, with the Payback point marked.)
Source: Cisco University VPN Seminar
VPN Outsourcing Options
(Figure: a spectrum running from Increasing Enterprise Network Role to Increasing Service Provider Role, with 90%/10%, 50%/50% and 10%/90% splits of the work between enterprise and SP. The options shown along it:)
• Network Manager buys products from VPN vendors and manages network
• Network Manager provides ongoing application and configuration management and help desk support; Net Manager administers security server
• SP supplies basic Internet access
• SP supplies VPN equipment and adds QoS to bandwidth offering
• SP supplies complete VPN solution, including service, training, and help desk
Source: Infonetics, 1997
Defining VPNs
What is it?
• 3Com white paper
  – "A VPN is a connection that has the appearance and many of the advantages of a dedicated link but occurs over a shared network." VPNs use tunneling
What is it?
• Ascend (3 related architectures)
  – Virtual Private Remote Networking (VPRN) with tunneling for remote LAN access
  – Virtual Private Trunking (VPT) to establish the equivalent of leased lines among major facilities
  – Virtual IP Routing (VIPR) to internetwork branch offices or establish extranets with closed user groups
What is it?
• Cisco
  – Customer connectivity deployed on a shared infrastructure with the same policies as a private network
• Ferguson & Huston
  – "A VPN is a private network constructed within a public network infrastructure, such as the global Internet."
What is it?
• Infonetics
  – "VPNs use public networks to extend the reach of the enterprise network to remote sites, individual remote workers, and business partners."
• V-One
  – "the security technology that will enable companies to leverage the Internet as private enterprise backbone infrastructure."
IETF Work
• No WG yet. BOF last met in Orlando (December)
• Many working drafts at http://www.ietf.org/internet-drafts/xxx
  – draft-gleeson-vpn-framework-01.txt
  – draft-rosen-bgp-mpls-0x.txt
  – draft-berkowitz-vpn-tax-00.txt
  – draft-fox-vpnid-00.txt
Scope and Function
(Figure. Source: VPNet Technologies, http://www.vpn.com/services/vpnsure.htm)
More Formally, a VPN has...
• Core User Capabilities
• Optional user capabilities
• Administrative model
• Mapping methods
• Transmission infrastructure
Core User Capabilities
• User Scope
  – Intranet via provider
  – Extranet via provider
  – Hybrid/bypass
• Set of users and servers
• Security policy
• Availability policy
• Addressing & Naming Model
• VPN ID (which may be null)
Optional User Capabilities
• Security mechanisms
• QoS Mechanisms
• Billing
• Addressing & naming services
• Non-IP support
Operational Model
• Responsibility for premises routers
  – WAN
  – LAN
• Responsibility for user support
• Responsibility for security
• Responsibility for QoS
• Help desk
• Adds and changes
• QoS
  – Engineering
  – Measurement
  – Compliance
• Security
  – Policy
  – Enforcement
  – Response to events
Mapping Functions
• Tunnels
• Virtual circuits
• Real on-demand circuits
• Real dedicated lines
Transmission Infrastructures
• Dial networks
  – local loop alternatives: xDSL, cable, etc
• Frame relay, ATM, other VC services
• Routed IP clouds
• MPLS
• Dedicated lines
• RFC 1149
Core Capabilities
Membership
• Has to be defined by customer
• Endpoint may belong to:
  – More than one VPN
    • Intranet
    • Extranet
  – Public Internet
• Provider has to track multiple VPNs
Security Policy (distinct from plan)
• Who is authorized to use what
  – Time of day, other qualifiers
• Kinds of users
  – Operations, inside, partners, public
• Enforcement policy
  – Something backed by top management
• Good policy is 1-2 pages
A Secure Communication may have:
• Authenticity
  – User/client, server
• Integrity
  – Unitary vs. sequential
  – Non-Repudiation
• Confidentiality
  – Lightweight, middleweight, strong
• Availability
  – Network failures, denial of service attacks
Addressing & Naming Model
• Issues
  – Private vs. public space
  – PI vs PA
  – Multihomed routing
  – Routing registries
  – NAT
    • Application transparency
    • End-to-end assumption
    • Traceability
  – Other addressing & naming manipulation
NHS Architecture
(Figure: a health-service VPN. Clinic sites and a Local Trans. (transcriptionist) reach the Customer Distribution tier through ISP 1 and ISP 2; the Customer Core is built from Frame Relay Core VCs and connects the Data Ctr and Network Mgt. Clinic address space is registered; transcriptionist addresses are arbitrary registered space and may be private or registered.)
Clinic Site
(Figure: the Clinic Network (Switch, PCs, Printer, Voice, Server) sits behind a Router doing NAT and IPsec 3DES, with a Frame interface and a Dial/ISDN interface for ISP Access, plus a separate Management Port.)
Non-IP Services
• Issues
  – Does the ISP really understand these?
  – Transition planning
  – Performance expectations
Trust Models
• End-to-end
• Security gateway
• ISP-centric
Application Models
Access VPN
(Figure: Remote Users connect across the Core to a Central Distribution VPN Service, behind which sit the Central Site Clients and Central Servers.)
VPN Distribution Tier
(Figure: Network Access Servers in the Provider Network feed a VPN Router and an Internet Router, with an Access Control function in the tier.)
Dual VPN access
(Figure: as in the Access VPN figure, with Internet Access offered alongside the Central Distribution VPN Service to Remote Users and Central Site Clients, in front of the Central Servers.)
VPN service organization
(Figure: Ent. 1, Ent. 2, Ent. 3 and Ent. 4 connected through a Service Organization.)
Hybrid VPN
(Figure: Ent. 1, Ent. 2, Ent. 3 and Ent. 4 with a Service Organization; the hybrid variant of the previous figure.)
VPN bypass
(Figure: Ent. 1, Ent. 2, Ent. 3 and Ent. 4 with a Service Organization; the bypass variant of the previous figures.)
Need for Policy Routing
(Figure: Ent. 1, Ent. 2, Ent. 3 and Ent. 4 with a Service Organization, with an X on one path.)
Optional User Capabilities
Security Services
• Components
  – Host
  – Customer firewall
  – Network
  – Service provider firewall
  – Certificate Authority
  – Identification servers
  – Log servers
• Activities
  – User IDs
  – Certificates
  – Key management
  – Attack detection
  – Attack response
Who is Responsible?
• User identification & authorization
  – Password/key management
  – Per-user access lists
• End-to-end encryption
  – Client distribution
  – Key management
• Network security
  – Customer routers/firewalls
  – Provider devices
  – Key management
  – Intrusion detection & response
Encryption Performance Tradeoffs
• Clients
  – IPsec
  – SOCKS/SSL
• Application Servers
  – Software encryption
  – Coprocessor
• Router
  – Software encryption
  – Coprocessor
• Encryption server
• Firewall
• Access server
  – Proxy
  – L2TP + IPsec
• Keys
  – Key size
  – Pregeneration
  – Change frequency
  – Revocation
QoS Deployment
• Prerequisites
  – Policy
  – Means of identifying and marking priority traffic
  – Workload assumptions
• KISS mechanisms
  – Dedicated media
  – VCs with good SLA
• Advanced
  – RSVP
  – WFQ, WRED, etc.
• Bleeding edge
  – Multiprovider QoS
Addressing & Naming Services
• Mechanisms
  – DNS
    • inside & outside?
    • who runs?
  – Dynamic addressing
    • DHCP inside
    • PPP (static inside, NAS pools, AAA server, DHCP proxy)
  – Address management for infrastructure
  – Addressing & Naming Manipulation
    • Caches, load-sharing mechanisms
Non-IP services
• Mechanisms
  – Tunneling
  – Translation
  – Proxies
Operational Responsibilities
Control Points
• Customer router
• ISP router at customer site
• NAS
Help Desks
• Customer-operated single point
• ISP-operated single point
• Separate network & application
Adds, Moves, & Changes
• Models
  – User to ISP
  – Customer admin to ISP
• Coordination between customer and ISP
Mapping Functions & the User
NATs and Proxies
(Figure: the family of address- and session-manipulating devices in a VPN path:)
• Classic NAT
• PAT/NAPT
• Packet Filter
• Frame Filter
• Stateful Packet Filter
• Circuit Proxy
• Application Proxy
• Traffic-Aware Proxy
• Content-Aware Proxy
• Load Sharing NAT
• Load Aware DNS
• Application Caches
• IPsec Tunneling
What has to happen?
(Figure: the same packet before and after NAT, showing the fields a translator touches: Source Address, Dest. Address and IP Checksum in the IP header; Source Port, Dest. Port and Transport Checksum in the transport header; then Transport Data / Application Data. The address and port fields change across the NAT, so both checksums have to be recomputed with them.)
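What the figure above asks of a NAPT device, worked through on a constructed IPv4/TCP packet. This is an added example, not part of Berkowitz's slides: it rewrites the source address and port, recomputes the IP header checksum and the TCP checksum (which covers a pseudo-header containing the addresses), shows what a translator that patches the fields but not the checksums would emit, and goes one step beyond the slide by modelling an end-to-end integrity check that covers the addresses (as IPsec AH does), which NAT necessarily breaks; that is the "end-to-end assumption" issue from the Addressing & Naming Model slide. The addresses, ports, payload and key are constructed sample values.

```python
"""Added example: what a NAPT box must change in an IPv4/TCP packet (constructed data)."""
import hashlib
import hmac
import ipaddress
import struct

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (pads an odd length with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """The TCP checksum covers this pseudo-header, so it depends on the IP addresses."""
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet with correct checksums (sample traffic only)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(_pseudo_header(s, d, len(tcp)) + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_valid(pkt: bytes):
    """(ip_ok, tcp_ok): a correct checksum makes the sum over the covered bytes come out 0."""
    ip, tcp = pkt[:IP_HDR], pkt[IP_HDR:]
    ip_ok = inet_checksum(ip) == 0
    tcp_ok = inet_checksum(_pseudo_header(ip[12:16], ip[16:20], len(tcp)) + tcp) == 0
    return ip_ok, tcp_ok


def napt_outbound(pkt: bytes, public_src: str, public_sport: int, fix_checksums: bool = True) -> bytes:
    """Rewrite the private source address/port to the public ones (the figure's left-to-right step).
    fix_checksums=False shows the packet a translator would emit if it only patched the fields."""
    ip, tcp = bytearray(pkt[:IP_HDR]), bytearray(pkt[IP_HDR:])
    ip[12:16] = ipaddress.IPv4Address(public_src).packed
    tcp[0:2] = struct.pack("!H", public_sport)
    if fix_checksums:
        ip[10:12] = b"\x00\x00"
        ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
        tcp[16:18] = b"\x00\x00"
        pseudo = _pseudo_header(bytes(ip[12:16]), bytes(ip[16:20]), len(tcp))
        tcp[16:18] = struct.pack("!H", inet_checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def end_to_end_tag(pkt: bytes, key: bytes) -> bytes:
    """Model of an end-to-end integrity check that covers the addresses (as IPsec AH does).
    Anything that covers the address fields cannot survive NAT."""
    return hmac.new(key, pkt[12:20] + pkt[IP_HDR + TCP_HDR:], hashlib.sha256).digest()


# Constructed sample: a clinic PC on private space talking to a public web server.
PRIVATE_PKT = build_ipv4_tcp("10.1.1.10", "192.0.2.80", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
DEMO_KEY = b"constructed-demo-key"


def demo() -> dict:
    translated = napt_outbound(PRIVATE_PKT, "198.51.100.1", 61000)
    stale = napt_outbound(PRIVATE_PKT, "198.51.100.1", 61000, fix_checksums=False)
    tag_before = end_to_end_tag(PRIVATE_PKT, DEMO_KEY)
    return {
        "original_valid": checksums_valid(PRIVATE_PKT),
        "translated_valid": checksums_valid(translated),
        "stale_valid": checksums_valid(stale),
        "integrity_survives_nat": hmac.compare_digest(tag_before, end_to_end_tag(translated, DEMO_KEY)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A real translator usually updates the checksums incrementally (RFC 1624) rather than recomputing over the whole packet, and a NAPT box additionally has to keep the port mapping table that lets the reply be translated back; both are omitted here because the point of the figure is which fields change, not how fast.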
Layer 3/4 Tunnels
• IPsec (provides security)
• GRE (carries security or runs over trusted network)
  – PPTP
  – X9.17, etc.
  – Host IPsec with bogus addresses
  – Other encryption
Layer 2 Tunnels
• Proxy remote access service
• Upper layer protocol independent
• Potential for roaming
Basic Tunnel
(Figure: Delivery header | Tunnel header | Layer 2 of payload (present only when tunneling nonroutable protocols) | Payload packet.)
Tunneling Traceroute
(Figure: Customer Router 1 and Customer Router 2 are the endpoints of a Tunnel numbered 10.1.1.1/30 and 10.1.1.2/30. Underneath, the path runs Customer Router 1 to ISP Router 1, ISP Router 2 and ISP Router 3 to Customer Router 2 over /30 links numbered 128.0.1.1/30 and 128.0.1.2/30, 128.0.1.5/30 and 128.0.1.6/30, 128.0.1.9/30 and 128.0.1.10/30, 128.0.1.13/30 and 128.0.1.14/30. A traceroute through the tunnel reports the 10.1.1.x tunnel addresses, not the 128.0.1.x ISP hops.)
Tunneling MTU Issues
(Figure: a Host with MTU=1500 sends a 1500-byte Payload packet to the Ingress Router, all of whose interfaces have MTU=1500. The router adds a Delivery header (+20) and a Tunnel header (+8), so the encapsulated packet is 1528 bytes and no longer fits the egress interface.)
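The arithmetic in the figure above and the choices it leaves the ingress router, as an added example that is not from the slides. It assumes the figure's 20-byte delivery header and 8-byte tunnel header, the optional Layer 2 header from the Basic Tunnel slide (14 bytes for Ethernet, as an illustration), and RFC 1191 behaviour for the DF bit: an oversize packet with DF set is dropped and answered with ICMP "fragmentation needed" carrying the MTU the host should use, while one without DF is fragmented on the outside of the tunnel. The mss_clamp value is the standard workaround a practitioner applies on the tunnel interface.

```python
"""Added example: the ingress router's choices when encapsulation pushes a packet past the MTU."""
from dataclasses import dataclass

DELIVERY_HEADER = 20   # outer IPv4 header added by the ingress router (the figure's +20)
TUNNEL_HEADER = 8      # basic tunnel header, e.g. minimal GRE (the figure's +8); assumption
IPV4_HEADER = 20
TCP_HEADER = 20


@dataclass
class Verdict:
    encapsulated_len: int   # size of the delivery packet the router would have to send
    fits: bool
    action: str             # "forward", "fragment-outer", or "drop+icmp-frag-needed"
    next_hop_mtu: int       # largest inner packet that fits; advertised in the ICMP message


def tunnel_overhead(l2_header: int = 0) -> int:
    """Bytes added per packet; l2_header is non-zero only when a Layer 2 frame is tunnelled."""
    return DELIVERY_HEADER + TUNNEL_HEADER + l2_header


def ingress_decision(payload_len: int, egress_mtu: int = 1500, df: bool = True,
                     l2_header: int = 0) -> Verdict:
    """Model of RFC 1191 behaviour at the tunnel ingress: if the encapsulated packet exceeds
    the egress MTU, a DF-marked packet is dropped with ICMP 'fragmentation needed' (carrying
    the MTU the host should use); otherwise the outer packet is fragmented."""
    overhead = tunnel_overhead(l2_header)
    encapsulated = payload_len + overhead
    inner_max = egress_mtu - overhead
    if encapsulated <= egress_mtu:
        return Verdict(encapsulated, True, "forward", inner_max)
    if df:
        return Verdict(encapsulated, False, "drop+icmp-frag-needed", inner_max)
    return Verdict(encapsulated, False, "fragment-outer", inner_max)


def outer_fragment_lengths(payload_len: int, egress_mtu: int = 1500, l2_header: int = 0):
    """Sizes of the delivery-packet fragments when the outer packet is fragmented.
    Each fragment repeats the delivery header; fragment data is a multiple of 8 bytes.
    The egress router then has to reassemble before it can even see the tunnel header."""
    data = TUNNEL_HEADER + l2_header + payload_len
    per_fragment = (egress_mtu - DELIVERY_HEADER) // 8 * 8
    lengths = []
    while data > 0:
        chunk = min(per_fragment, data)
        lengths.append(DELIVERY_HEADER + chunk)
        data -= chunk
    return lengths


def mss_clamp(egress_mtu: int = 1500, l2_header: int = 0) -> int:
    """TCP MSS to advertise so that full-size segments fit without fragmentation or ICMP."""
    return egress_mtu - tunnel_overhead(l2_header) - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    print(ingress_decision(1500))          # the figure's case: 1528 bytes, does not fit
    print(outer_fragment_lengths(1500))    # what happens instead if DF is clear
    print(mss_clamp())                     # MSS that keeps TCP under the limit
```

The failure mode to plan for is the "drop+icmp-frag-needed" branch when a firewall somewhere discards the ICMP message: hosts sending DF-marked packets then see connections that open but hang on the first full-size segment. Clamping the MSS at the ingress router removes the dependence on ICMP for TCP; non-TCP traffic still needs either a working path MTU discovery or outer fragmentation, with the reassembly cost the function above makes visible.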
Secure Paths
Figure: Secure Paths. Trusted provider: multiplexed, routed, or encrypted. Untrusted provider: encrypted.
IPsec scope
Figure: IPsec scope. End-to-end (host to host), gateway-to-gateway, and host-to-gateway.
IPsec packets
Figure: IPsec packets. IPsec processing adds an AH/ESP header to the payload, in tunnel mode or in transport mode.
Combined Tunnels -- ISP security
Figure: User and Server exchange PPP over an L2TP tunnel; IPsec protects the L2TP tunnel.
Combined Tunnels -- user security
Figure: User and Server run IPsec + PPP; the L2TP tunnel carries the already-protected traffic.
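The three header-stacking slides (Basic Tunnel, IPsec packets, and the two Combined Tunnels variants) differ mainly in which headers end up readable on the wire. The model below is an added example, not code from the talk: it represents a packet as a list of header layers, applies the slide's encapsulations, and reports what an on-path observer can still read. Header sizes are nominal assumptions (ESP trailer and ICV are ignored), only ESP is modelled because AH authenticates without encrypting, and the reading of the two Combined Tunnels slides (ISP security: IPsec protects the L2TP leg between the ISP's endpoints; user security: IPsec runs end to end inside PPP) is the editor's interpretation of the diagrams.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    size: int                # header length in bytes; nominal values, assumed
    encrypted: bool = False  # True when the layer sits inside an ESP-protected region


# Nominal header sizes (assumptions; ESP trailer and ICV are ignored).
IP_HDR, ESP_HDR, UDP_L2TP_HDR, PPP_HDR, GRE_HDR = 20, 8, 16, 4, 4


def ip(label):
    return Layer("IP(%s)" % label, IP_HDR)


def tunnel(packet, delivery, tunnel_hdr, l2=None):
    """Slide 'Basic Tunnel': delivery header, tunnel header, the payload's
    own layer-2 header only when tunneling a nonroutable protocol, then
    the payload packet."""
    stack = [delivery, tunnel_hdr]
    if l2 is not None:
        stack.append(l2)
    return stack + list(packet)


def esp(packet, keep_clear):
    """Insert an ESP header after the first keep_clear layers and mark
    everything behind it encrypted. ESP's own header (SPI, sequence
    number) stays readable."""
    protected = [Layer(l.name, l.size, True) for l in packet[keep_clear:]]
    return list(packet[:keep_clear]) + [Layer("ESP", ESP_HDR)] + protected


def ipsec_transport(packet):
    """Transport mode: original IP header kept, everything after it protected."""
    return esp(packet, keep_clear=1)


def ipsec_tunnel(packet, gw_a, gw_b):
    """Tunnel mode: the whole original packet protected behind a new
    gateway-to-gateway delivery header."""
    return [ip("%s->%s" % (gw_a, gw_b))] + esp(packet, keep_clear=0)


def l2tp(packet, lac, lns):
    """PPP frame carried in L2TP/UDP between the ISP's L2TP endpoints."""
    return tunnel(packet, ip("%s->%s" % (lac, lns)),
                  Layer("UDP/L2TP", UDP_L2TP_HDR), l2=Layer("PPP", PPP_HDR))


def combined_isp_security(user_pkt, lac, lns):
    """'Combined Tunnels -- ISP security' as read here: the ISP protects
    the L2TP leg with IPsec between its own endpoints."""
    return ipsec_transport(l2tp(user_pkt, lac, lns))


def combined_user_security(user_pkt, lac, lns):
    """'Combined Tunnels -- user security' as read here: user and server
    run IPsec end to end inside PPP; the ISP only carries it."""
    return l2tp(ipsec_transport(user_pkt), lac, lns)


def cleartext(stack):
    """Layer names an observer on the path can read."""
    return [l.name for l in stack if not l.encrypted]


def total_size(stack):
    return sum(l.size for l in stack)


def user_addresses_exposed(stack, user_label):
    """True if the user's own IP header is readable on the wire."""
    return any(l.name == "IP(%s)" % user_label and not l.encrypted for l in stack)


if __name__ == "__main__":
    pkt = [ip("user->server"), Layer("payload", 1000)]   # constructed sample packet
    for title, stack in [
        ("GRE tunnel", tunnel(pkt, ip("rtr1->rtr3"), Layer("GRE", GRE_HDR))),
        ("IPsec transport", ipsec_transport(pkt)),
        ("IPsec tunnel", ipsec_tunnel(pkt, "gwA", "gwB")),
        ("L2TP + ISP IPsec", combined_isp_security(pkt, "lac", "lns")),
        ("L2TP + user IPsec", combined_user_security(pkt, "lac", "lns")),
    ]:
        print("%-18s %5d bytes  clear: %s" % (title, total_size(stack), cleartext(stack)))
```

The output makes the trust question concrete: transport mode leaves the user's source and destination addresses readable, tunnel mode shows only the gateways, the ISP-security variant hides the user's addresses from the ISP's backbone but the ISP's L2TP endpoints decrypt and see everything, and the user-security variant exposes the L2TP, PPP and user IP headers to the ISP while keeping the payload opaque to it. Which variant is right depends on whether the customer trusts the provider, which is exactly the "Trust?" criterion on the slides that follow.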
Transmission Infrastructure Constraints
Basic Criteria
• Adequate bandwidth?
  – Dedicated
  – On-Demand
• Trust?
Additional Criteria
• Fault tolerance
• Quality of Service
  – Service contract (ATM)
  – Dedicated facility
  – Traffic engineered routing
    • RSVP
    • Emerging QOSR
Routed Infrastructure
• Convergence
• Policy/special considerations
• Inter-provider coordination
Conclusions
• VPNs are a valuable approach to design
  – Even if we aren't quite sure what they are
• Challenges for ISPs
  – Understanding customer
    • requirements
    • perceptions and beliefs
  – Managing expectations & responsibilities
  – Use deployable technologies