ip vpn overview

HUAWEI TECHNOLOGIES CO., LTD.

www.huawei.com

Huawei Confidential

Security Level:

英文标题 :40-47pt

副标题 :26-30pt

字体颜色 : 反白内部使用字体 :

FrutigerNext LT Medium

外部使用字体 : Arial

中文标题 :35-47pt

字体 : 黑体副标题 :24-28pt

字体颜色 : 反白字体 : 细黑体

IP VPN Overview

ISSUE 1.0

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Foreword

VPN this technology has widely used in today

network. Along with the increasingly wide

application of the Internet, Virtual Private Network

(VPN) emerged to construct private networks on

public networks. “Virtual” here mainly indicates

that VPN is a kind of logical networks.


Objectives

Describe the concept of VPN and the types

of VPN

Describe the protocols realized the IP VPN


Chapter 1 VPN System OverviewChapter 1 VPN System Overview

Chapter 2 VPN Working MechanismChapter 2 VPN Working Mechanism


VPN Definition

VPN—Virtual Private Network Private network can be established on public network. "Virtual" here mainly indicates: this network is a kind

of logical network.　　


Internet

VPN Definition

Employees inbusiness trips

Tunnel

Leased line

Office

Headquarter

Branch

Partner

Remote office


VPN Features

Private ： VPN is only be used by VPN users Virtual ： this network is a kind of logical network. Specific: VPN is especially for specific enterprises or us

ers.


VPN Advantages

Reliable and safe connection

Flexible application of VPN

Creating VPN with service quality guarantee

Supporting the mobile access of foreign VPN users

Greatly improve utility of network resources, increase profit of the Internet Service Provider (ISP) accordingly.


Classification of VPN

IP VPN can be classified according to Operation Mode

,Service Application, Networking Mode, Realization Layer

,Connection Orientation Classified According to Operation Mod

VPNCPE-based VPN (Customer Premises Equipment based VPN) Network-based VPN (NBIP-VPN)



Based on the Service applications ： Access VPN Intranet VPN Extranet VPN


Access VPN

Dial network expansion: Employees on errands Remote small office

POP

POP

Originated by user

POP

Originated by ISP

HQ

Tunnel


Intranet VPN

Internet/ ISP IPATM/FR

Tunnel

HQ

Research Institute

Office

Branch


Extranet VPN

Internet/ ISP IPATM/FR

Branch

Partner

HQ

Remote Office



Based on networking Mode ： Virtual Leased Line (VLL) Virtual Private Dial Network (VPDN) Virtual Private LAN Segment (VPLS) Virtual Private Routing Network (VPRN)



Based on Connection Orientation ： Connection-oriented L2VPN Connection-oriented L3VPN


Classification Based on Realization Layer

Layer 2 VPN L2TP: Layer 2 Tunnel Protocol (RFC 2661) PPTP: Point To Point Tunnel Protocol L2F: Layer 2 Forwarding

Layer 3 VPN GRE : General Routing Encapsulation IPSEC : IP Security Protocol


S-MIME, Proxy,SET, Secure-PRC, SOCKSApplication layer

Transport layer

Network layer

Data-link layer

SSL, TLS, SSH

IPSec, GRE, MPLS/VPN

PPTP, L2F, L2TP

Classification Based on Realization Layer


Chapter 1 VPN System Overview

Chapter 2 VPN Working MechanismChapter 2 VPN Working Mechanism


VPN Fundaments

Through PSTN/ISDN network, the user accesses the ISP

NAS (Network Access Server) server. After NAS server

recognizes that this is a VPN user by checking user name

or access number, it establishes a connection to the

user’s destination VPN server, which is called tunnel. NAS will encapsulate the user data into IP packet and

transmit it to the VPN server through this tunnel. VPN server will remove the encapsulation to get the

original data after receiving this IP packet, and vice versa.


Tunnel

A tunnel is a logical extension for their PSTN/ISDN links

and the operation is the same as the physical links. Tunneling can be implemented based on a tunneling

protocol. Tunneling protocols can be divided into :

a. Layer 2 tunneling protocol

b. Layer 3 tunneling protocol.


Layer 2 Tunneling Protocol

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Forwarding (L2F)

Layer 2 Tunneling Protocol (L2TP)


Layer 3 Tunneling Protocol

Generic Routing Encapsulation RE (GRE ) IP Security (IPSec) ESP (Encapsulating Security Payload) IKE (Internet Key Exchange)


PPTP

Point-to-Point Tunneling Protocol Supported by Microsoft, Ascend, 3COM and other companies

and supported by Windows NT 4.0 and upper versions This protocol supports tunneling encapsulation of point-to-

point PPP in IP network PPTP uses an enhanced Generic Routing Encapsulation

(GRE) technology to provide encapsulation service of flow

control and congestion control for transmitted PPP packet.


L2F

Layer 2 Forwarding Supported by many other companies Supports the tunneling encapsulation for the

higher-level link layer, physically separating the

dial-up server and dial-up protocol connection.


L2TP

Layer 2 Tunneling Protocol Drafted by IETF, Microsoft and other companies and absorbing

the advantages of above two protocols, it is accepted by most

companies and has become the standard RFC Provides both dial-up VPN service and special line VPN service


GRE

Generic Routing Encapsulation Can encapsulate the datagram of some network layer

protocols (e.g. IP and IPX) The tunnel is a virtual point-to-point connection and can be

regarded as virtual interface only supporting point-to-point

connection in actual situation


Tunnel

InternetNovell IPXGroup1

Novell IPXGroup2

RouterA RouterB

Packet Encapsulation and Decapsulation through GRE


GRE’S Application

Novell IPXGroup 1

Novell IPXGroup 2

Tunnel

Internet

IPTerm 1

IPTerm 2

RouterA RouterB

Multi-Protocol Local Network Being Transmitted through Single-Protocol Backbone Network


GRE’S Application

Enlarge Operation Range of the Network with Hop-Limited Protocol

IP Network

IP Network

IP Network

PC PC

Tunnel


GRE’S Application

Connecting Some Discontinuous Sub-Networks to Establish VPN

Tunnel

group2

novellIP Network

group 1

novell


Layer 2 MPLS/VPNThe MPLS network is used to transfer layer 2 data for users transparently. From the perspective of users, MPLS is a layer 2 switching network, through which the layer 2 connection can be established among different stations.

Layer 2 MPLS/VPN modes Martini Kompella CCC VPLS

MPLS/VPN Overview


Layer 3 MPLS/VPNIn the layer 3 MPLS/VPN network, users are provided with VPN services by service providers in such a way that they are not aware of public networks. Users are using an independent network resource.

VPN packet forwarding Two layers of labels are encapsulated. The external-layer label is used for the forwarding of packets on public netw

orks. The internal-layer label is used to indicate the destination station of packets.

MPLS/VPN Overview


MPLS can identify the data packets of different applications. This capability of MPLS ensures the implementation of QoS with simpler methods than that of IP tunnels and VC-based networks.

MPLS segregates the communication signals of irrelevant users and enhances the security.

MPLS-based network differentiates data flows from each other to enhance the security without setting tunnels or encrypting the data.

MPLS VPN meets the requirements of VPN users and reduces the workloads of both the network and users. MPLS VPN can be used to establish any connection with high scalability.

MPLS/VPN Security Advantages


VPN working mechanism

The VPN techniqueSummerySummery

Summery

ip vpn overview

Documents