Cloud Computing

www.Fastcloud.org

VPNs: Secure Communications through the Internet

In Cloud Computing, applications, servers, storage, and other resources related to data centers are made available to end users via the public Internet and/or a private intranet. Users simply plug into the "cloud" much as they would into an internal data center providing the same functions. The economics, scalability, and flexibility of the cloud are gaining major traction with both large and small customers.

Due to the cloud's reliance on the Internet, one of the biggest challenges facing IT managers is delivering the necessary level of privacy and security while using the public Internet. This article will discuss the IP VPN and how this solution enables network security as data traverses the Internet.

IP VPN Overview

In the network manager's toolbox is a critical tool for networking securely across the Internet: the VPN. A virtual private network (VPN) is a computer network implemented as an additional software layer (overlay) on top of an existing larger network, for the purpose of creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the Internet. The links between nodes of a virtual private network are formed over logical connections or virtual circuits between hosts of the larger network. The link-layer protocols of the virtual network are said to be "tunneled" through the underlying transport network.

One common application of VPNs is to secure communications through the public Internet. A VPN does not need to have explicit security features such as authentication or traffic encryption. VPNs can also be used to separate the traffic of different user communities over an underlying network with strong security features, or to provide access to a network via customized or private routing mechanisms.

Additional layers of security, such as encryption and authentication, can be applied, but this depends on an enterprise's needs.

Generally, a VPN has a network topology more complex than a point-to-point connection. VPNs are also used to mask the IP address of individual computers within the Internet, for instance in order to surf the World Wide Web anonymously.

MPLS

Multi-Protocol Label Switching (MPLS) has been a huge success with the major service providers due to its ability to provide the guaranteed QoS, flexibility, and VPNs needed to support both large and small enterprises. The latest application of MPLS is implementing provider-provisioned Virtual Private Networking (VPN). Using MPLS to implement VPNs is a viable alternative to using a pure layer-2 solution, a pure layer-3 solution, or any of the tunneling methods commonly used for implementing VPNs.

When deciding on implementing an IP/MPLS-based VPN, the service provider has two choices:

·        A layer-3 approach, commonly referred to as MPLS Layer-3 VPN (RFC 2547bis)

·        A layer-2 approach, commonly referred to as MPLS Layer-2 VPN (RFC 4762)

Evaluating the merits of a given approach should be based on, but not necessarily restricted to, the following aspects of the approach:

·        Type of traffic supported

·        VPN connectivity scenarios that could be offered to the customer using this approach

·        Scalability

·        Deployment complexity

·        Service provisioning complexity

·        Complexity of management and troubleshooting

·        Deployment cost

·        Management and maintenance costs

It cannot be claimed that one approach is better than the other, since each approach attacks the problem from a different angle. Hence, what might be the best choice for a given customer does not necessarily have to be the best choice for another. But first, a brief overview of each VPN approach is useful.

MPLS Layer-3 VPNs

The layer-3 approach to creating MPLS-based VPNs offers a routed solution to the problem. The de facto standard for implementing such VPNs is described in RFC 2547bis. The approach is also referred to as BGP/MPLS VPNs.

The approach relies on taking customer IP datagrams from a given site, looking up the destination IP address of the datagram in a forwarding table, then sending that datagram to its destination across the provider's network using an LSP (label-switched path).

In order for the service provider routers to acquire reachability information about a given customer's networks, the provider edge (PE) routers exchange routes with the customer edge (CE) routers. Hence, the BGP/MPLS VPN approach follows the peer-to-peer model of VPNs. These routes are propagated to other PE routers carrying the same VPN(s) via BGP. However, they are never shared with the provider's core (P) routers, since the PEs use LSPs to forward packets from one PE to the other; P routers do not need to know about the customer's networks in order to perform their label switching functions. A PE router receiving routes of a given VPN site from another PE propagates the routes to the CE router of the connected site belonging to that same VPN, so that the CE will also learn about the networks in the remote site.
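As an added example, not from the original article, the following Python model walks through the route distribution just described: each customer's prefixes enter a VRF on the PE, PEs exchange VPN routes tagged with a route distinguisher (RD) and route targets (RTs) as RFC 2547bis specifies, and a small audit function flags any VRF that has received another customer's routes through a misconfigured import RT. PE names, RD/RT values and prefixes are constructed, and P routers are left out since they carry no customer routes.

```python
"""Toy model of RFC 2547bis route distribution (PE-CE into a VRF, PE-PE via BGP with RD:prefix
and route targets) plus an audit that no VRF holds another customer's routes. Added example."""
from dataclasses import dataclass, field

@dataclass
class Vrf:
    rd: str                 # route distinguisher: keeps overlapping customer prefixes distinct in BGP
    export_rt: frozenset    # route targets attached to routes advertised out of this VRF
    import_rt: frozenset    # route targets this VRF accepts from other PEs
    routes: dict = field(default_factory=dict)  # prefix -> (originating PE, RTs it carried)

class PE:
    def __init__(self, name):
        self.name, self.vrfs = name, {}

    def learn_from_ce(self, vrf, prefix):
        """PE-CE exchange: a customer prefix lands only in that customer's VRF."""
        v = self.vrfs[vrf]
        v.routes[prefix] = (self.name, v.export_rt)

    def bgp_export(self):
        """VPN-IPv4 advertisements (RD:prefix, prefix, RTs, origin PE) for locally learned routes."""
        return [(f"{v.rd}:{p}", p, v.export_rt, self.name)
                for v in self.vrfs.values() for p, (o, _) in v.routes.items() if o == self.name]

    def bgp_import(self, adverts):
        """Install remote routes in every VRF whose import RTs match; P routers play no part."""
        for _nlri, prefix, rts, origin in adverts:
            for v in self.vrfs.values():
                if origin != self.name and v.import_rt & rts:
                    v.routes[prefix] = (origin, rts)

def find_leaks(pe, allowed):
    """Audit: (vrf, prefix) pairs whose RTs fall outside the VPN that VRF is meant to serve."""
    return [(n, p) for n, v in pe.vrfs.items()
            for p, (_, rts) in v.routes.items() if not rts & allowed[n]]

def build(pe1_b_import=frozenset({"65000:2"})):
    """Customers A and B on PE1/PE2; both reuse 10.1.1.0/24 at their PE1 site (constructed).
    Passing an import set that also contains "65000:1" for B models a misconfigured VRF."""
    pe1, pe2 = PE("PE1"), PE("PE2")
    rt_a, rt_b = frozenset({"65000:1"}), frozenset({"65000:2"})
    pe1.vrfs["A"], pe2.vrfs["A"] = Vrf("65000:1", rt_a, rt_a), Vrf("65000:1", rt_a, rt_a)
    pe1.vrfs["B"], pe2.vrfs["B"] = Vrf("65000:2", rt_b, pe1_b_import), Vrf("65000:2", rt_b, rt_b)
    pe1.learn_from_ce("A", "10.1.1.0/24"); pe2.learn_from_ce("A", "10.1.2.0/24")
    pe1.learn_from_ce("B", "10.1.1.0/24"); pe2.learn_from_ce("B", "192.168.5.0/24")
    adverts = pe1.bgp_export() + pe2.bgp_export()  # the BGP exchange between the PEs
    for pe in (pe1, pe2):
        pe.bgp_import(adverts)
    return pe1, pe2, sorted(a[0] for a in adverts)
```

With the correct configuration the two customers' identical 10.1.1.0/24 prefixes stay apart because the RD makes them distinct BGP routes and the RTs steer each into its own VRF; the audit returns a leak only when VRF B is given customer A's import RT.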

MPLS Layer-2 VPNs

The layer-2 approach is the newer approach to implementing MPLS-based VPNs, and it offers a layer-2 switched solution. The layer-2 approach provides complete separation between the provider's network and the customer's network, i.e., there is no route exchange between the PE devices and the CE devices. Hence, the approach follows the overlay model of VPNs.

The separation between the provider's network and the customer's networks provides simplicity. MPLS layer-2 VPNs provide emulated services capable of carrying customer layer-2 frames from one site to the other. This is done in a manner that is totally transparent to the CE devices. Handling customer layer-2 frames allows the service provider to offer a service that is independent of the layer-3 protocols in use by the customers, i.e., the provider would be able to carry IPv4, IPv6, IPX, DECnet, OSI, etc.

The layer-2 approach addresses two connectivity problems:

·        Providing point-to-point connectivity

·        Providing multi-point connectivity

Which Way to Go: The Layer-3 or the Layer-2 Way

Comparing both approaches described above, it is clear that the layer-3 approach offers transport of IP traffic only. On the other hand, the layer-2 approach allows transporting any customer layer-3 protocol packets: IPv4, IPv6, IPX, OSI, etc. Many enterprise customers still use protocols other than IP in their IT infrastructure; hence, a layer-2 service is less restrictive for them. Also, with IPv6 on the horizon, some organizations are already experimenting with IPv6, and in the near future many will be migrating to it. To continue providing connectivity for those organizations using a layer-3 solution would require some enhancement to the current standard, such as creating a VPN-IPv6 address family, and might require some upgrades to the provider's routers. A layer-2 solution could continue to serve those organizations even when the provider network has not yet been upgraded to use IPv6 internally.

Possible Connectivity Scenarios

Several connectivity scenarios for customer sites could be implemented using either approach. Both approaches could be used to implement the following connectivity scenarios:

1.       Point-to-Point

2.       Hub and Spoke

3.       Partial Mesh

4.       Full Mesh

5.       Overlapping VPNs

The layer-3 approach performs well at implementing scenarios 1, 4, and 5 in a manner that is transparent to the CE devices. However, the layer-3 approach could get a bit more complicated when implementing scenarios 2 and 3.

The layer-2 approach performs well at implementing scenarios 1, 2, 3, and 4. It is worth noting that when implementing scenarios 2 and 3, it is more straightforward to build the topology using VCs as in the layer-2 approach than to build the topology by controlling BGP routes as in the layer-3 approach. Scenario 5 is also possible using the layer-2 approach; however, it requires some involvement from the CE device at the site where the overlap occurs: the CE device would have to control which routes get advertised in which VPN, i.e., it is not as transparent as in the layer-3 approach.


Costs

Comparing deployment costs, it is more likely that a layer-3 solution would cost slightly more than a layer-2 solution, due to the fact that the layer-3 approach relies on more sophisticated routers capable of handling multiple Virtual Routing and Forwarding (VRF) tables.

Management and maintenance costs of a given solution are directly related to the complexity of that solution. A layer-3 solution is more likely to cost more due to its higher complexity. The complexity of the solution demands a certain level of technical know-how, and this translates into more man-hours required to accomplish any task related to the solution.

Side-by-side Comparison

Major Features           | IP-VPN                                                             | VPLS
-------------------------|--------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------
Bridging or routing      | Routing                                                            | Bridging: from the customer's perspective it looks as if all sites are connected to a single switched VLAN
Single or multi-protocol | Limited to IP only                                                 | Multi-protocol (examples: SNA, NetBIOS, AppleTalk)
Outsource                | Customers relinquish control of routing                            | Customers maintain control of routing
Coordination             | IP addressing for each site on the VPN must be coordinated with SP | SP not involved with routing and addressing
Leverage Expertise       | Leverages expertise of SP                                          | Leverages expertise of internal IT staff
Access to MPLS           | TDM, FR, ATM, Ethernet                                             | Ethernet
Standard                 | Mature standard                                                    | Standard
Retail Price             |                                                                    | Estimate of 20% less than IP-VPN

Summary

Due to the cloud's reliance on the Internet, one of the biggest challenges facing CIOs and IT managers is delivering the necessary level of privacy and security using the public Internet. This article discusses IP VPNs and how these solutions enable the cloud to achieve its security as data traverses the Internet.

Currently, there are two main approaches to implementing IP/MPLS-based VPNs:

·        The layer-3 approach, commonly referred to as MPLS Layer-3 VPN (RFC 2547bis)

·        The layer-2 approach, commonly referred to as MPLS Layer-2 VPN (RFC 4762)

The layer-3 approach offers an IP-only, routed solution which is capable of supporting multiple VPN topologies by leveraging the advanced route distribution control capabilities of BGP.

The layer-2 approach is the newer approach. It offers a layer-2 switched solution (Virtual Private LAN Service) for transporting customer layer-2 frames, which makes it independent of the layer-3 protocol in use by the customer. It is also capable of supporting multiple VPN topologies through the use of virtual circuits (VCs).

A wise choice of approach would consider the strengths and weaknesses of each, in addition to the current and future requirements of the service to be implemented, the existing infrastructure, and the costs involved.