IPSec VPN Design [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

IPSec VPN Design [Electronic resources] - نسخه متنی

Vijay Bollapragada

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

 

 

Sitemap

 

 

Table of Contents

 

Copyright

 

About the Authors

 

About the Technical Editors

 

Acknowledgments

 

This Book Is Safari Enabled

 

Icons Used in This Book

 

Command Syntax Conventions

 

Introduction

 

Chapter 1. Introduction to VPNs

 

Motivations for Deploying a VPN

 

VPN Technologies

 

Summary

 

Chapter 2. IPSec Overview

 

Encryption Terminology

 

IPSec Security Protocols

 

Key Management and Security Associations

 

Summary

 

Chapter 3. Enhanced IPSec Features

 

IKE Keepalives

 

Dead Peer Detection

 

Idle Timeout

 

Reverse Route Injection

 

Stateful Failover

 

IPSec and Fragmentation

 

GRE and IPSec

 

IPSec and NAT

 

Summary

 

Chapter 4. IPSec Authentication and Authorization Models

 

Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)

 

Mode-Configuration (MODECFG)

 

Easy VPN (EzVPN)

 

Digital Certificates for IPSec VPNs

 

Summary

 

Chapter 5. IPSec VPN Architectures

 

IPSec VPN Connection Models

 

Hub-and-Spoke Architecture

 

Full-Mesh Architectures

 

Summary

 

Chapter 6. Designing Fault-Tolerant IPSec VPNs

 

Link Fault Tolerance

 

IPSec Peer Redundancy Using SLB

 

Intra-Chassis IPSec VPN Services Redundancy

 

Summary

 

Chapter 7. Auto-Configuration Architectures for Site-to-Site IPSec VPNs

 

IPSec Tunnel Endpoint Discovery

 

Dynamic Multipoint VPN

 

Summary

 

Chapter 8. IPSec and Application Interoperability

 

QoS-Enabled IPSec VPNs

 

VoIP Application Requirements for IPSec VPN Networks

 

IPSec VPN Architectural Considerations for VoIP

 

Multicast over IPSec VPNs

 

Summary

 

Chapter 9. Network-Based IPSec VPNs

 

Fundamentals of Network-Based VPNs

 

The Network-Based IPSec Solution: IOS Features

 

Operation of Network-Based IPSec VPNs

 

Network-Based VPN Deployment Scenarios

 

Summary

 

 
توضیحات
افزودن یادداشت جدید







Fundamentals of Network-Based VPNs


In a customer edge (CE) VPN or CE-based VPN that uses IPSec, all VPN configuration, encapsulation, and decapsulation is performed by the CEs. The provider network that provides connectivity to the CEs is simply providing a transport service to the CEs and is oblivious of the VPN configuration. In a network or provider edgebased VPN, all VPN configuration, encapsulation, and decapsulation is performed at the provider edge (PE); the CEs in this case are oblivious of the VPN configuration. Figure 9-1 shows a popular PE-based VPN defined in RFC 2547 using Multiprotocol Label Switching (MPLS).


Figure 9-1. PE-based MPLS VPN Using RFC 2547


[View full size image]

All the tunneling of CE-CE traffic in the MPLS VPN shown in Figure 9-1 is performed by the PE routers at the edge of the service provider network. MPLS VPNs have several advantages over the traditional overlay CE-based IPSec VPNs. Some salient advantages of PE-based VPNs over CE-based VPNs are as follows:

Increased scalability To connect N sites of an IPSec VPN for any-to-any connectivity, each CE will need (N-1) tunnels to every other CE. This means that every CE has to be able to deal with this scalability requirement, thereby increasing the cost of the CEs at sites where such a large CE may not be required. In contrast, the same any-to-any connectivity can be established between CEs of an MPLS VPN with a single connection from a CE to the PE. Also, the encapsulation and decapsulation is performed by the PE routers, thereby reducing the cost of the CE by not requiring expensive hardware encryption at the CE.

Greatly simplified configuration Every time a new site is added to a CE-based IPSec VPN, the configuration has to be changed in (N-1) sites for any-to-any connectivity. In an MPLS-VPN, only the configuration of the PE and the attached CE is changed; none of the remote CEs or remote PEs is affected. In other words, configuration complexity of MPLS-based VPNs is O(1) compared to O(n) for IPSec-based VPNs. This means that it is operationally easier and more economical for a service provider to provision an MPLS-based VPN.


Chapter 7, "Auto-Configuration Architectures for Site-to-Site IPSec VPNs") reduces configuration complexity, negating this advantage for MPLS VPN. But DMVPN also requires a dynamic routing protocol such as OSPF in the overlay tunnels, which has limitations as the number of sites of the VPN grows very large.

One of the primary limitations of MPLS VPN architecture is the requirement for each CE to have physical connectivity at Layer 2 to its corresponding PE. Now, imagine a service provider that is offering an MPLS VPN service to its customers. In this scenario, assume that one customer has five sites that need to be connected over the VPN and that the service provider has a point of presence (POP) in only four of the five locationswhich means only four of the sites can be part of the VPN. The following list presents the options available for the service provider to connect the fifth site to the VPN:

Option 1 The service provider can extend its backbone network and build a new POP in the new location. Although the most obvious solution, this option is usually not cost effective for the service provider and in some cases is simply not viable.

Option 2 The service provider may backhaul the customer's traffic across other providers using leased lines. This option is the next obvious option, but is also cost prohibitive, has long installation lead times, and may be subject to frequent outages.

Option 3 Connect the fifth site to the VPN via IPSec tunnels over the public Internet to every other site. However, there are several disadvantages of this option:

- Each site of this VPN now requires a CE that is IPSec-capable.

- IPSec requires (public) reachability to each CE endpoint. If the IPSec tunnels to each site have to traverse the Internet, all the CEs at the sites need IP reachability over the Internet, which might not be possible.

- Every site is exposed to the Internet and may require more security protection mechanisms.

Option 4 Build an IPSec tunnel from the remote CE to the service provider PE and map the IPSec tunnel into the appropriate MPLS VPN at the PE. This option is called the Network Based IPSec VPN solution, which is the subject of this chapter. Figure 9-2 illustrates this option. This would be a secure and cost-effective option.



Figure 9-2. Network-Based IPSec VPN


[View full size image]

There are several advantages of the Network Based IPSec VPN architecture:

The PE and CE need only IP connectivity; no dedicated Layer 2 connection is required.

Connectivity to the four original sites is retained via the MPLS VPN and no additional configuration is needed on the sites to connect the fifth site to the VPN.

Optimal routing from site to site is possible without a full-mesh configuration.

Secure connectivity for the new "off net" site. This is important because traffic from this site routinely transits the public Internet.


The rest of this chapter is dedicated to this architecture and presents the configuration and design of network-based VPNs.


/ 61