
MPLS cisco QOS VPN full ipsec mpls vpn


DOCUMENT INFORMATION

IPsec to MPLS VPN Integration
Vijay Bollapragada
© 2001, Cisco Systems, Inc

Agenda
• IPsec VPN Overview
• IPsec and MPLS VPN Integration
• Architecture
• Conclusions

IPsec
Open standards for ensuring secure private communications over any IP network: negotiation, protocols, and formats
• Network layer encryption and authentication
• Data protected with network encryption, digital certification, and device authentication
RFCs 1825-1829

IPsec Terminology
IPSec = Internet Protocol Security (RFC 2401): An IETF standardized architecture that defines a set of standards that can be used to secure the Internet Protocol (IPv4 and IPv6)
IKE = Internet Key Exchange (RFC 2409): A hybrid protocol (uses parts of the Oakley and SKEME key exchanges in conjunction with ISAKMP) whose purpose is to provide authenticated keying material for, and secure negotiation of, Security Associations
SA = Security Association: A set of policies and keys between two parties used to protect the information exchange between them. IKE uses ISAKMP SAs, which must include negotiation of the following attributes: encryption algorithm, hash algorithm, authentication method, and Diffie-Hellman group
ISAKMP = Internet Security Association and Key Management Protocol (RFC 2407): Defines a framework for security association management and cryptographic key establishment for the Internet

IPSec Technology Primer (packet layout diagrams; a session is initiated by IPSec on the CPE)
AH Protocol (RFC 2402): original IP layer [IP HDR | Data] becomes the IPSec authenticated session [IP HDR | AH HDR | Data]; terminated by the customer's corporate gateway/firewall or destination system
ESP Transport Mode (RFC 2406): original IP layer [IP HDR | Data] becomes the IPSec encrypted session [IP HDR | ESP HDR | Data (encrypted)]; terminated by a corporate end-system or resource
ESP Tunnel Mode (RFC 2406): original IP layer [IP HDR | Data] becomes the IPSec tunnel [New IP HDR | ESP HDR | IP HDR | Data (encrypted)]; terminated by the customer's corporate gateway/firewall or destination system

IPsec VPNs
Advantages
• Quickly provision VPN services without SP infrastructure changes (transparent to SP network)
• Very high security for entire data path (including client-to-SP connection)
• Very mobile and can span multiple SP networks
• Hardware encryption accelerators now available to help address performance and scalability issues
Limitations
• Not scalable
• No tunnel sharing (like Layer tunneling), so each concurrent user terminates a separate tunnel on the gateway
• Encryption can severely limit performance of the tunnel termination platform
• IPSec (and all related protocols) expertise needed for provisioning
• Client software must be installed and supported (support desk costs)
• Limited added value and revenue stream potential
• Export restrictions on encryption technology
• Only supports tunneling of IP packets

IPSEC TO MPLS SERVICE ARCHITECTURE (network diagram)
Branch Office Access and Remote Users/Telecommuters reach the Corporate Intranet over Local or Direct Dial ISP, Cable/DSL/ISDN ISP and the Internet, terminating on PE routers at the MPLS edge (Frame PVC or 802.1Q). Legend:
• Cisco VPN 5000 Client Software is the tunnel source (Windows 95/98/2000/NT, Mac, Linux, Solaris): IPsec session
• Cisco VPN 5002/5008 terminates IPsec tunnels and maps sessions into FR PVCs: FR PVC, MPLS LSP

IPsec to MPLS
• IOS IPsec site-to-site and client sessions mapped directly into MPLS VPN by co-locating Cisco VPN 5002 or 5008 concentrators with Cisco IOS MPLS PE routers
• Authenticate off-net sites via pre-shared keys and digital certificates
• Authenticate remote users via AAA and digital certificates
• CVPN5000 to support dynamic routing updates over IPsec protected GRE tunnels
• For QoS, maintain packet classification (ToS byte/DSCP) on all traffic (ingress and egress) traveling through IPsec tunnels

VPN 5000 CUSTOMER VIRTUAL CONTEXTS (CVC) & VIRTUAL ROUTER (VR) ARCHITECTURE
• Each CVC has a VR which only knows about its network
• CVC identifies routing features and VPN for the specified customer
• Main CVC defines basic functions of the system
• Permits overlapping IP address ranges
• Features configured per CVC:
- IGP routing: static routes, RIP, RIP 2, OSPF
- L3/L2 tunnel mapping: IPsec, L2TP, GRE, FR PVC, 802.1Q VLAN
- RADIUS authentication/accounting
- Filter sets
(Diagram: Cisco VPN 5000 with a Main VR and several Cust VRs, attached over HSSI FR, DS3 FR PVC, and 10/100 Ether or FR PVC)

IPSEC to MPLS VPN Architecture (diagram)
• Cisco VPN 5000 (VPN termination): customer IPsec tunnels from the Internet terminate in Customer Virtual Contexts (CVC), which are logical interfaces, each with its own Cust VR alongside the Main VR
• Cisco IOS PE router (VPN tunnel mapping): each Cust VR maps to a Cust VRF over FR PVCs within a single DS3 port (10/100 Ether or DS3 FR) into the MPLS backbone
• Each CVC, or FR PVC, is viewed as a CE from the PE's perspective
• Can run Static, RIPv2 or OSPF

Posted: 18/10/2019, 15:37
