LISP Locator / Identifier Separation Protocol Basic Principles, Multihoming and High Availability Aspects Use Cases for Mission Critical Communication

Posted on 09-Sep-2019

Page 1: LISP TU-Wien v3-0 2014-05-12 · LISP Locator / Identifier Separation Protocol Basic Principles, Multihoming and High Availability Aspects Use Cases for Mission Critical Communication

LISP

Locator / Identifier Separation Protocol Basic Principles, Multihoming and High Availability Aspects

Use Cases for Mission Critical Communication

Page 2

Agenda

•  LISP Introduction
•  LISP & Mission Critical Communication
•  LISP Multihoming
   –  Multihoming Default Load Balancing
   –  Multihoming Failure Scenario
   –  Multihoming Active/Backup
•  LISP Use Cases
   –  Disaster Recovery
   –  Deployable Systems
   –  Base VPNs
   –  Encrypted VPNs
   –  Mobility VMmove
   –  Mobility Geo Redundancy
   –  Mobility Roaming Devices
   –  LISP Mobile Node (LISPmob)
   –  LISP Mobile Site
•  Summary

© 2014, D.I. M. Lindner, B. Gronau 2 LISP Mission Critical Communication v3.0

Page 3

Today's World: Provider Assigned IP Addresses

Principle: The global IP address is assigned by the IP service provider and represents topology information about the location in the Internet.

Principle: Global IP addresses are moved to the access border router. Local IP addresses still represent topology information within a customer network, but do not represent topology information within Internet routing.

Source: CiscoLive2012 presentation: “BRKRST-3045”

Page 4

LISP

•  Locator / Identifier Separation Protocol
•  Open Standard
   –  Currently experimental RFCs and IETF drafts only
      •  RFCs 6830 - 6836
   –  Driven mainly by Cisco
•  Network based solution
   –  Already available in Cisco IOS and NX-OS
•  Originally driven
   –  By routing scalability issues
      •  In case of multihoming to Internet service providers (ISPs), PI (provider independent) addressing and PA (provider assigned) addressing consume BGP table space

Page 5

Routing Scalability / Multihoming 1

[Figure] Source: CiscoLive2013 presentation: “BRKRST-3045”

Page 6

BGP Core Routing Table Size (IPv4)

[Figure] Source: http://en.wikipedia.org/wiki/Border_Gateway_Protocol

Page 7

Routing Scalability / Multihoming 2

[Figure] Source: CiscoLive2013 presentation: “BRKRST-3045”

Page 8

LISP Base Ideas

–  Separation of identity and location of an IP device / IP service
   •  Remark: an IP address covers both. A change of location means a change of IP address and hence a change of identity.
–  LISP mapping system
   •  Consists of mapping server(s) and resolver(s)
–  LISP border routers
   •  Separate the EID (endsystem identifier) address domain from the RLOC (routing locator) address domain
–  Dynamic unidirectional encapsulation
   •  Performed by LISP border routers
–  Dynamic, demand-based caching
   •  Triggered by data traffic between LISP sites

Page 9

Routing Scalability / Multihoming 3

[Figure] Source: CiscoLive2013 presentation: “BRKRST-3045”

Page 10

LISP Mapping System Analogy

[Figure] Source: CiscoLive2013 presentation: “BRKRST-3045”

Page 11

LISP Basic Elements

[Figure] LISP Mapping System (Mapping Server / Mapping Resolver: MS/MR-1 and MS/MR-2 at 172.99.1.1 and 172.99.2.1) reachable over the IP WAN (e.g. ISPs), which forms the RLOC address space (e.g. Internet addresses). EID address space LISP Site-1 (10.1.0.0/16) with LISP border routers (xTRs) at RLOCs 172.16.1.1 and 172.17.1.1; EID address space LISP Site-2 (10.2.0.0/16) with xTRs at RLOCs 172.16.2.1 and 172.17.2.1.

ITR … Ingress Tunnel Router (performing LISP encapsulation)
ETR … Egress Tunnel Router (performing LISP decapsulation)
xTR … ITR plus ETR
RLOC … Routing Locator
EID … Endsystem Identifier

Page 12

LISP Map-Registration

[Figure] Site registration with the LISP MS/MR (172.99.1.1) at times t1 to t4: each ETR registers its site's EID prefix with its own RLOC; the Site-1 ETRs register 10.1.0.0/16 with RLOCs 172.16.1.1 and 172.17.1.1, the Site-2 ETR registers 10.2.0.0/16 with RLOC 172.16.2.1, and the MS/MR acknowledges with a Map-Notify. Map-Registration is a LISP control message (well-known UDP port 4342) sent over the IP WAN (ISPs), the RLOC address space.

Mapping database on the MS/MR after registration:

EID           RLOC
10.1.0.0/16   172.16.1.1
10.1.0.0/16   172.17.1.1
10.2.0.0/16   172.16.2.1

Page 13

LISP Map-Request

[Figure] tx … means time x. At t0 host 10.1.1.1 in Site-1 sends an IP datagram to 10.2.2.2 in Site-2. The ITR (172.16.1.1) has no map-cache entry for 10.2.2.2 and sends a Map-Request for 10.2.0.0 that travels via the MS/MR (172.99.1.1) to the registered ETR of 10.2.0.0/16 (t1 to t3); the ETR (172.16.2.1) answers the ITR with a Map-Reply 10.2.0.0 -> 172.16.2.1 (t4). At t5 the ITR installs the mapping in its map-cache. Map-Request and Map-Reply are LISP control messages (well-known UDP port 4342).

Mapping database on the MS/MR (site registration):

EID           RLOC
10.1.0.0/16   172.16.1.1
10.1.0.0/16   172.17.1.1
10.2.0.0/16   172.16.2.1

Mapping-Cache / ITR (t5):

EID           RLOC         TTL
10.2.0.0/16   172.16.2.1   20 h

Mapping Database ETR (172.16.2.1):

EID           RLOC
10.2.0.0/16   172.16.2.1

Page 14

LISP Dynamic Encapsulation

[Figure] LISP dynamic unidirectional tunnel from the ITR (172.16.1.1) to the ETR (172.16.2.1) across the IP WAN (ISPs): at t6 the IP datagram 10.1.1.1 -> 10.2.2.2 arrives at the ITR; using its map-cache entry the ITR encapsulates it (t7) in a LISP data message (well-known UDP port 4341) with the outer header 172.16.1.1 -> 172.16.2.1, carrying the inner header 10.1.1.1 -> 10.2.2.2 plus the IP payload; the ETR decapsulates and delivers 10.1.1.1 -> 10.2.2.2 (t8).

Mapping-Cache / ITR:

EID           RLOC         TTL
10.2.0.0/16   172.16.2.1   20 h
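The map-cache lookup, the Map-Request on a miss (pages 12 and 13) and the encapsulation on this page, as an added Python simulation that is not code from the slides or from any LISP implementation. It uses the slides' addresses; the MapResolver stands in for the MS/MR plus the answering ETR, the Record TTL of 20 h is the slide's value, and the 8-byte LISP data header is reduced to zero bytes.

```python
import ipaddress
import time

LISP_DATA_PORT = 4341     # LISP data message (encapsulated user traffic)
LISP_CONTROL_PORT = 4342  # LISP control messages (Map-Request / Map-Reply)

# Constructed mapping database with the two EID prefixes of the example sites
# (a single RLOC per prefix, as drawn on pages 12 to 14).
MAPPING_DATABASE = {
    ipaddress.ip_network("10.1.0.0/16"): ipaddress.ip_address("172.16.1.1"),
    ipaddress.ip_network("10.2.0.0/16"): ipaddress.ip_address("172.16.2.1"),
}


class MapResolver:
    """Stand-in for the MS/MR and the registered ETR that answers a Map-Request."""

    def __init__(self, database):
        self.database = database
        self.requests = []  # every Map-Request seen, so cache hits and misses are observable

    def map_request(self, eid):
        self.requests.append(str(eid))
        best = None
        for prefix, rloc in self.database.items():  # longest-prefix match on the EID
            if eid in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, rloc)
        if best is None:
            return None  # negative Map-Reply: no LISP site has registered this EID
        prefix, rloc = best
        return {"eid_prefix": prefix, "rloc": rloc, "ttl_s": 20 * 3600}  # Record TTL 20 h


class ITR:
    """Ingress tunnel router: map-cache plus dynamic encapsulation."""

    def __init__(self, own_rloc, resolver, clock=time.monotonic):
        self.rloc = str(ipaddress.ip_address(own_rloc))
        self.resolver = resolver
        self.clock = clock     # injectable so that TTL expiry can be simulated
        self.map_cache = {}    # eid_prefix -> (rloc, expiry time)

    def lookup(self, dst_eid):
        now = self.clock()
        for prefix, (rloc, expiry) in list(self.map_cache.items()):
            if dst_eid in prefix:
                if expiry > now:
                    return rloc            # cache hit
                del self.map_cache[prefix]  # TTL expired: resolve again
        reply = self.resolver.map_request(dst_eid)  # cache miss
        if reply is None:
            return None
        self.map_cache[reply["eid_prefix"]] = (reply["rloc"], now + reply["ttl_s"])
        return reply["rloc"]

    def encapsulate(self, inner_src, inner_dst, payload):
        rloc = self.lookup(ipaddress.ip_address(inner_dst))
        if rloc is None:
            return None  # no mapping: forwarded natively or dropped, never tunnelled
        # Outer IP header: own RLOC -> destination RLOC with UDP destination port 4341,
        # then the (here zeroed) 8-byte LISP header and the unchanged inner datagram.
        return {"outer_src": self.rloc, "outer_dst": str(rloc), "udp_dst": LISP_DATA_PORT,
                "lisp_header": bytes(8), "inner": (inner_src, inner_dst, payload)}


class ETR:
    """Egress tunnel router: accepts data messages addressed to its own RLOC."""

    def __init__(self, own_rloc):
        self.rloc = str(ipaddress.ip_address(own_rloc))

    def decapsulate(self, packet):
        if packet["udp_dst"] != LISP_DATA_PORT or packet["outer_dst"] != self.rloc:
            return None  # not a LISP data message for this ETR
        return packet["inner"]


def demo(clock=time.monotonic):
    """Two packets from 10.1.1.1 to Site-2: the first one triggers a Map-Request,
    the second one is served from the map-cache (same /16)."""
    resolver = MapResolver(MAPPING_DATABASE)
    itr, etr = ITR("172.16.1.1", resolver, clock), ETR("172.16.2.1")
    first = itr.encapsulate("10.1.1.1", "10.2.2.2", b"constructed payload")
    second = itr.encapsulate("10.1.1.1", "10.2.2.3", b"second packet")
    return first, second, len(resolver.requests), etr.decapsulate(first)


if __name__ == "__main__":
    first, second, requests, inner = demo()
    print(first["outer_src"], "->", first["outer_dst"], "carries", inner, "; Map-Requests:", requests)
```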

Page 15

LISP Encapsulation (Data Message)

[Figure] Source: CiscoLive2013 presentation: “TECIPM-3191”

Page 16

LISP Address Family Agnostic

[Figure] Slide taken from CiscoLive2013 presentation: “TECIPM-3191”

Page 17

Example: IPv4 RLOC & IPv6 EID

[Figure] Four IPv6 LISP sites (EID address spaces FD00:0:1:1::/64, FD00:0:2:2::/64, FD00:0:3:3::/64 and FD00:0:4:4::/64) attached to an IPv4 RLOC address space with two providers, ISP-1 (RLOCs 172.16.x.1) and ISP-2 (RLOCs 172.17.x.1); MS-MR-1 and MS-MR-2 at 172.99.1.1 and 172.100.2.1.

Mapping databases (MS-MR-1 / MS-MR-2):

EID                RLOC
FD00:0:1:1::/64    172.16.1.1
FD00:0:1:1::/64    172.17.1.1
FD00:0:2:2::/64    172.16.2.1
FD00:0:2:2::/64    172.17.2.1
FD00:0:3:3::/64    172.16.3.1
FD00:0:3:3::/64    172.17.3.1
FD00:0:4:4::/64    172.16.4.1
FD00:0:4:4::/64    172.17.4.1

Page 18

LISP Map-Registration (Control Message)

For details see RFC 6830 (source)

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Type=3 |P|            Reserved               |M| Record Count  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Nonce . . .                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         . . . Nonce                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |            Key ID             |  Authentication Data Length   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       ~                     Authentication Data                       ~
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   |                          Record TTL                           |
   |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   R   | Locator Count | EID mask-len  | ACT |A|      Reserved         |
   e   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   c   | Rsvd  |  Map-Version Number   |        EID-Prefix-AFI         |
   o   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   r   |                          EID-Prefix                           |
   d   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  /|    Priority   |    Weight     |  M Priority   |   M Weight    |
   | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | o |        Unused Flags     |L|p|R|           Loc-AFI             |
   | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  \|                             Locator                           |
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Page 19

LISP Map-Notify (Control Message)

For details see RFC 6830 (source)

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Type=4 |              Reserved                 | Record Count  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Nonce . . .                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         . . . Nonce                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |            Key ID             |  Authentication Data Length   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       ~                     Authentication Data                       ~
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   |                          Record TTL                           |
   |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   R   | Locator Count | EID mask-len  | ACT |A|      Reserved         |
   e   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   c   | Rsvd  |  Map-Version Number   |        EID-Prefix-AFI         |
   o   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   r   |                          EID-Prefix                           |
   d   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  /|    Priority   |    Weight     |  M Priority   |   M Weight    |
   | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | o |        Unused Flags     |L|p|R|           Loc-AFI             |
   | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  \|                             Locator                           |
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Page 20

LISP Map-Request (Control Message)

For details see RFC 6830 (source)

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Type=1 |A|M|P|S|p|s|    Reserved     |   IRC   | Record Count  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Nonce . . .                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         . . . Nonce                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Source-EID-AFI        |   Source EID Address  ...     |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         ITR-RLOC-AFI 1        |    ITR-RLOC Address 1  ...    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                              ...                              |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         ITR-RLOC-AFI n        |    ITR-RLOC Address n  ...    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     / |   Reserved    | EID mask-len  |        EID-Prefix-AFI         |
   Rec +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     \ |                       EID-Prefix  ...                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                   Map-Reply Record  ...                       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Page 21

LISP Map-Reply (Control Message)

For details see RFC 6830 (source)

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Type=2 |P|E|S|          Reserved               | Record Count  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         Nonce . . .                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                         . . . Nonce                           |
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   |                          Record TTL                           |
   |   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   R   | Locator Count | EID mask-len  | ACT |A|      Reserved         |
   e   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   c   | Rsvd  |  Map-Version Number   |        EID-Prefix-AFI         |
   o   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   r   |                          EID-Prefix                           |
   d   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  /|    Priority   |    Weight     |  M Priority   |   M Weight    |
   | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | o |        Unused Flags     |L|p|R|           Loc-AFI             |
   | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  \|                             Locator                           |
   +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
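The Map-Register layout on page 18, with the Record and Locator blocks shared by the Map-Notify and Map-Reply formats on pages 19 and 21, as an added Python encoder and Map-Server-side verifier; this is not code from the slides or from any LISP implementation. Assumed for the demo: IPv4 EIDs and RLOCs only, Key ID 1 (HMAC-SHA-1-96 in RFC 6830) carrying the full 20-byte HMAC-SHA-1 digest, and a constructed shared key between the site's ETRs and the Map-Server.

```python
import hashlib
import hmac
import ipaddress
import struct

AFI_IPV4 = 1
MAP_REGISTER = 3       # Type field of a Map-Register (RFC 6830, section 6.1.6)
KEY_ID = 1             # Key ID 1 = HMAC-SHA-1-96 in RFC 6830
MAC_LEN = 20           # demo assumption: the full 20-byte HMAC-SHA-1 digest is carried
HEADER = "!IQHH"       # first 32-bit word, 64-bit Nonce, Key ID, Authentication Data Length
RECORD = "!IBBHHH4s"   # Record TTL, Locator Count, EID mask-len, ACT/A/Rsvd, Rsvd/Map-Version, AFI, IPv4 EID-Prefix
LOCATOR = "!BBBBHH4s"  # Priority, Weight, M Priority, M Weight, Unused Flags/L/p/R, Loc-AFI, IPv4 Locator


def encode_record(eid_prefix, locators, ttl=1440, map_version=0):
    """One EID-to-RLOC record as drawn on the slide, IPv4 only."""
    net = ipaddress.ip_network(eid_prefix)
    act, authoritative = 0, 1  # ACT=0 (no action), A=1 (authoritative)
    out = struct.pack(RECORD, ttl, len(locators), net.prefixlen,
                      (act << 13) | (authoritative << 12), map_version & 0x0FFF,
                      AFI_IPV4, net.network_address.packed)
    for rloc, priority, weight in locators:
        flags = (1 << 2) | (0 << 1) | 1  # L=1 local locator, p=0 not probed, R=1 reachable
        out += struct.pack(LOCATOR, priority, weight, 255, 0, flags, AFI_IPV4,
                           ipaddress.ip_address(rloc).packed)
    return out


def build_map_register(key, nonce, records, want_notify=True):
    """ETR side: serialise the Map-Register and fill in the HMAC, which RFC 6830
    computes over the whole message with the Authentication Data field zeroed."""
    p_flag, m_flag = 0, int(want_notify)  # M=1 asks the Map-Server for a Map-Notify
    first_word = (MAP_REGISTER << 28) | (p_flag << 27) | (m_flag << 8) | len(records)
    body = b"".join(encode_record(eid, locs) for eid, locs in records)
    header = struct.pack(HEADER, first_word, nonce, KEY_ID, MAC_LEN)
    mac = hmac.new(key, header + bytes(MAC_LEN) + body, hashlib.sha1).digest()
    return header + mac + body


def verify_map_register(key, msg):
    """Map-Server side: authenticate before accepting any EID-to-RLOC mapping.
    Returns the parsed records, or None when the message must be rejected."""
    hdr_len = struct.calcsize(HEADER)
    if len(msg) < hdr_len:
        return None
    first_word, nonce, key_id, auth_len = struct.unpack(HEADER, msg[:hdr_len])
    if first_word >> 28 != MAP_REGISTER or key_id != KEY_ID or auth_len != MAC_LEN:
        return None
    if len(msg) < hdr_len + auth_len:
        return None
    received = msg[hdr_len:hdr_len + auth_len]
    zeroed = msg[:hdr_len] + bytes(auth_len) + msg[hdr_len + auth_len:]
    expected = hmac.new(key, zeroed, hashlib.sha1).digest()
    if not hmac.compare_digest(received, expected):
        return None  # wrong key, forged or corrupted registration
    records, pos = [], hdr_len + auth_len
    rec_len, loc_len = struct.calcsize(RECORD), struct.calcsize(LOCATOR)
    for _ in range(first_word & 0xFF):  # Record Count
        if len(msg) < pos + rec_len:
            return None
        ttl, loc_count, mask_len, _act, _ver, afi, prefix = struct.unpack(RECORD, msg[pos:pos + rec_len])
        pos += rec_len
        if afi != AFI_IPV4:
            return None  # IPv6 EIDs are out of scope for this demo
        locators = []
        for _ in range(loc_count):
            if len(msg) < pos + loc_len:
                return None
            prio, weight, _mp, _mw, flags, lafi, loc = struct.unpack(LOCATOR, msg[pos:pos + loc_len])
            pos += loc_len
            if lafi != AFI_IPV4:
                return None
            locators.append((str(ipaddress.ip_address(loc)), prio, weight, bool(flags & 1)))
        records.append({"eid": str(ipaddress.ip_network((prefix, mask_len))), "ttl": ttl,
                        "nonce": nonce, "locators": locators})
    return records


if __name__ == "__main__":
    key = b"constructed-site-key"  # shared secret between the site's ETRs and the MS (constructed)
    msg = build_map_register(key, 0x1122334455667788,
                             [("10.1.0.0/16", [("172.16.1.1", 1, 50), ("172.17.1.1", 1, 50)])])
    print(verify_map_register(key, msg))
    print(verify_map_register(b"wrong-key", msg))  # None: registration rejected
```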

Page 22

Interoperation – Proxy ITR (1)

[Figure] LISP Site-1 (EID address space 10.1.0.0/16, xTRs 172.16.1.1 / 172.17.1.1) and LISP Site-2 (EID address space 10.2.0.0/16, xTRs 172.16.2.1 / 172.17.2.1) attached to the IP WAN RLOC address space; LISP MS-1/MR-1 and MS-2/MR-2 at 172.16.99.1 and 172.17.99.1. A non-LISP site (172.16.55.0/24, in RLOC address space) sits behind router 172.16.5.1. The Proxy ITR (PITR, 172.16.88.88) acts as OSPF ASBR and injects an RLOC routing message at t0: 10.1.0.0/16 is reachable via 172.16.88.88, 10.2.0.0/16 is reachable via 172.16.88.88.

Mapping Database MS/MR:

EID           RLOC
10.1.0.0/16   172.16.1.1
10.1.0.0/16   172.17.1.1
10.2.0.0/16   172.16.2.1
10.2.0.0/16   172.17.2.1

Page 23

Interoperation – Proxy ITR (2)

[Figure, same topology and mapping database as page 22] At t1 host 172.16.55.91 in the non-LISP site sends a packet 172.16.55.91 -> 10.1.1.1; it is routed to the PITR (172.16.88.88), which performs Map-Request / Map-Reply with the mapping system (t2 to t4) and then forwards the packet as a LISP data message to an xTR of Site-1 (t5); after decapsulation the packet 172.16.55.91 -> 10.1.1.1 reaches the destination (t6).

Page 24

Interoperation – Proxy ETR (1)

[Figure, same topology as page 22, plus a Proxy ETR (PETR) at 172.16.99.99] The return traffic 10.1.1.1 -> 172.16.55.91 carries an EID source address, which the provider edge (PE) would discard in its uRPF check, so the xTRs of Site-1 and Site-2 are configured with "use PETR = 172.16.99.99": at t7/t8 the xTR encapsulates 10.1.1.1 -> 172.16.55.91 towards the PETR, which decapsulates it and forwards 10.1.1.1 -> 172.16.55.91 natively to the non-LISP site (t9, t10).

Page 25

Interoperation – Proxy ETR (2)

[Figure, same topology as page 24] With the PITR (172.16.88.88, OSPF ASBR injecting the RLOC routing message "10.1.0.0/16 is reachable via 172.16.88.88") and the PETR (172.16.99.99, "use PETR = 172.16.99.99" on the xTRs) combined, the LISP host and the non-LISP host communicate in both directions: 10.1.1.1 <-> 172.16.55.91.

Page 26

LISP Results:

•  Healing routing scalability for the Internet
   –  Original intention
•  Easier multihoming
   –  Incoming traffic engineering without complex BGP configurations
•  But LISP allows a lot of other use cases
   –  Enterprise usage
      •  Gives control back from the service provider to the customer
   –  Mobility
   –  Virtualization
   –  Seamless communication
   –  No requirement for an overall implementation on day one
      •  Usage of PITR / PETR
      •  No changes for end systems and service providers

Page 27

LISP Results (cont.):

•  Interesting topics:
   –  Replacing Mobile IPv4/IPv6 with LISP mobility
      •  VM mobility (VM move across IP subnets instead of L2 subnet extension)
      •  Georedundancy
   –  Replacing MPLS/VPNs with LISP VPNs
      •  Separation of networks using the same infrastructure
   –  Easier transition to IPv6
      •  LISP is address family agnostic
   –  Combination of GETVPN and LISP
      •  Group-key encrypted IPsec technology
      •  Encrypted VPNs

Page 28

LISP Results (cont.):

•  Interesting topics:
   –  Virtualization
      •  Note: cloud computing is a combination of mobility, multi-tenancy and segmentation/virtualization
   –  LISP mobile node (www.lispmob.org)
      •  Open-source implementation of a mobile node for Linux and Android
   –  OpenLISP
      •  Open-source implementation for FreeBSD

Page 29

Agenda (section divider, same agenda as page 2)

Page 30

LISP & Mission Critical Communication (1)

•  LISP elements of interest
   –  Multihoming = Redundancy
      •  Important element of safety critical design
      •  Convergence time should be very low (second range) to achieve high availability
      •  Focus: fast automatic recovery from single points of failure
   –  Multihoming to different ISPs
      •  Without interaction with the ISPs' routing (e.g. BGP)
      •  Ease of LISP configuration for inbound traffic engineering
      •  Two-provider strategy for transportation of parallel flows
   –  Minimal design in focus
      •  Two MSs/MRs often sufficient (no LISP-ALT, LISP-DDT)
      •  No Internet routing scalability issues
      •  Only few map-cache entries

Page 31

LISP & Mission Critical Communication (2)

•  LISP elements of interest (cont.)
   –  Mobility
      •  Seamless communication for mission critical traffic (e.g. voice)
      •  Only short interruption
   –  Mobile Node (LISPmob)
      •  Seamless communication for mission critical traffic (e.g. voice)
      •  Even no interruption is possible (smooth switchover)
      •  “Make before break”
   –  Address Family Agnostic
      •  IPv6 EIDs tunneled over IPv4 service provider infrastructure
      •  Pure IPv6 or IPv4 solution over whatever infrastructure
      •  No dual-stack issues

Page 32

LISP & Mission Critical Communication (3)

•  LISP elements of interest (cont.)
   –  Natural VPN behavior
      •  Separation from the IP service provider infrastructure and from any other customers of this service provider
      •  Customer controlled VPN versus IP service provider controlled MPLS-VPN
   –  Security
      •  Scalability of GETVPN (group-key, stateless) together with the scalability of “stateless” LISP tunneling
      •  Note 1: compare it with traditional point-to-point IPsec (stateful, site-to-site IPsec VPN) combined with static and not scalable GRE tunneling
      •  Note 2: compare the ease of configuration of LISP and GETVPN with DMVPN

Page 33

LISP & Mission Critical Communication (4)

•  LISP elements of interest (cont.)
   –  Ease of deployment
      •  EID sites with distributed applications fulfilling a mission can be preconfigured
         –  IP addressing, DNS, ACLs, firewalling etc.
         –  Prepared and fully tested before actual operation takes place
      •  Only LISP routers and Mapping Servers / Mapping Resolvers need IP addresses out of the range of the IP provider infrastructure in case of a mission
      •  No NAT issues need to be considered in such a case -> good for applications
      •  Motto: “Just get the necessary IP addresses (for LISP RLOCs and MSs/MRs) from the service provider”
         –  No coordination of EID addresses with ISP addresses
         –  No coordination of EID routing with ISP routing

Page 34

Agenda (section divider, same agenda as page 2)

Page 35

Multihoming Basic & High Availability

[Figure] EID LISP Site-1 (10.1.0.0/16) with xTR1 (172.16.1.1) and xTR2 (172.17.1.1); EID LISP Site-2 (10.2.0.0/16) with xTR3 and xTR4 (172.16.2.1, 172.17.2.1); the IP WAN is the RLOC address space; MS-MR-1 and MS-MR-2 at 172.99.1.1 and 172.99.2.1.

Site Registration MS-MR-1 and MS-MR-2 (identical):

EID           RLOC
10.1.0.0/16   172.16.1.1
10.1.0.0/16   172.17.1.1
10.2.0.0/16   172.16.2.1
10.2.0.0/16   172.17.2.1

Mapping-Cache ITR1/2:

EID           RLOC         TTL
10.2.0.0/16   172.16.2.1   1h
10.2.0.0/16   172.17.2.1   1h

Mapping-Cache ITR3/4:

EID           RLOC         TTL
10.1.0.0/16   172.16.1.1   1h
10.1.0.0/16   172.17.1.1   1h

Mapping Database ETR1/2:

EID           RLOC
10.1.0.0/16   172.16.1.1
10.1.0.0/16   172.17.1.1

Mapping Database ETR3/4:

EID           RLOC
10.2.0.0/16   172.16.2.1
10.2.0.0/16   172.17.2.1

Page 36

Sessions: Multihoming Default Hash Behavior

[Figure] Site-1 (10.1.0.0/16) hosts C1 and S1 use xTR1 (172.16.1.1) / xTR2 (172.17.1.1) as default gateway (Def-GW); Site-2 (10.2.0.0/16) hosts C2 and S2 use xTR3 / xTR4 (172.16.2.1, 172.17.2.1) as Def-GW. Each ITR's CEF-FIB hashes a session onto one of the two RLOCs of the remote site found in its map-cache:

Mapping-Cache ITR1:

EID           RLOC         Session
10.2.0.0/16   172.16.2.1   <- C1-C2
10.2.0.0/16   172.17.2.1   <- C1-S2

Mapping-Cache ITR2:

EID           RLOC         Session
10.2.0.0/16   172.16.2.1   <- S1-C1
10.2.0.0/16   172.17.2.1   <- S1-S2

Mapping-Cache ITR3:

EID           RLOC         Session
10.1.0.0/16   172.16.1.1   <- C2-S1
10.1.0.0/16   172.17.1.1   <- C2-C1

Mapping-Cache ITR4:

EID           RLOC         Session
10.1.0.0/16   172.16.1.1   <- S2-S1
10.1.0.0/16   172.17.1.1   <- S2-C1

Session flow is asymmetrical !!!

Page 37

Path-Diversity

[Figure] Four EID LISP sites (Site-1 10.1.0.0/16, Site-2 10.2.0.0/16, Site-3 10.3.0.0/16, Site-4 10.4.0.0/16), each with one WAN link to ISP-1 and one WAN link to ISP-2: ISP-1 RLOC space 172.16.0.0/16 (xTRs 172.16.1.1, 172.16.2.1, 172.16.3.1, 172.16.4.1), ISP-2 RLOC space 172.17.0.0/16 (xTRs 172.17.1.1, 172.17.2.1, 172.17.3.1, 172.17.4.1); MS-MR-1 and MS-MR-2 at 172.16.99.1 and 172.17.99.1.

Page 38

Path-Diversity: Failure

[Figure, same topology as page 37 with a failure of one of the paths]

Page 39

Agenda (section divider, same agenda as page 2)

Page 40

HSRP Topology LISP Site-1

[Figure] EID LISP Site-1 (10.1.0.0/16) with xTR1 (10.1.0.251, RLOC 172.16.1.1) and xTR2 (10.1.0.252, RLOC 172.17.1.1) towards the IP WAN; the HSRP protocol runs between the two xTRs on the site LAN.

HSRP Group 1: Virtual Router VR1 10.1.0.253, xTR-1 Active, xTR-2 Standby, Preemption, Track Line on fa0/8
HSRP Group 2: Virtual Router VR2 10.1.0.254, xTR-2 Active, xTR-1 Standby, Preemption, Track Line on fa0/8

Hosts use Default-Gateway 10.1.0.253 or Default-Gateway 10.1.0.254.

HSRP … Hot Standby Router Protocol

Page 41

Multihoming Failure 1

[Figure, same topology and map-caches as page 36] xTR2 (172.17.1.1) fails at t0; the HSRP standby xTR1 (172.16.1.1) takes over the virtual router address (t1, t2).

HSRP in xTR1 switches to active after the HSRP timeout (deadtime). This could be in the sub-second range with HSRPv2.

Page 42: Multihoming Failure 2

Figure (diagram not reproduced): same topology as page 41; xTR2 is down and xTR1 is now the only active default gateway of Site-1 (t3). Black holes: packets for Site-1 still sent to RLOC 172.17.1.1.

Mapping-Cache ITR1
  EID          RLOC        Session
  10.2.0.0/16  172.16.2.1  <- C1-C2, S1-C2
  10.2.0.0/16  172.17.2.1  <- C1-S2, S1-S2

Mapping-Cache ITR3
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- C2-S1
  10.1.0.0/16  172.17.1.1  <- C2-C1

Mapping-Cache ITR4
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- S2-S1
  10.1.0.0/16  172.17.1.1  <- S2-C1

Outgoing traffic of EID LISP Site-1 now takes xTR1 (t3).

Incoming traffic is black-holed towards xTR2 as long as the map caches in ITR3 and ITR4 are not updated.

Page 43: Multihoming Failure 3

Figure (diagram not reproduced): same topology as page 41. xTR1 sends a LISP local probe towards xTR2 (t4); timeline markers t4 to t7.

Mapping Database ITR1
  EID          RLOC
  10.1.0.0/16  172.16.1.1
  10.1.0.0/16  172.17.1.1

Mapping-Cache ITR1
  EID          RLOC        Session
  10.2.0.0/16  172.16.2.1  <- C1-C2, S1-C2
  10.2.0.0/16  172.17.2.1  <- C1-S2, S1-S2

Mapping-Cache ITR3  (data packets of C1-C2, S1-C2 now carry Locator-Bits: xTR2 -> dead)
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- C2-S1
  10.1.0.0/16  172.17.1.1  <- C2-C1

Mapping-Cache ITR4
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- S2-S1
  10.1.0.0/16  172.17.1.1  <- S2-C1

xTR1 uses LISP local probes to verify the reachability of xTR2 (t4). After xTR1 has recognized that xTR2 is no longer reachable (timeout > 5 seconds) and has cleared the entry in its mapping database (t5), LSB (Locator Status Bits) reports can be sent in LISP data packets (t6). xTR3 now knows that the RLOC of xTR2 is down (t7). Because there is no data traffic from xTR1 to xTR4, no LSB reports inform xTR4 about this.

Page 44: Multihoming Failure 4

Figure (diagram not reproduced): same topology as page 41; timeline marker t8.

Mapping Database ITR1
  EID          RLOC
  10.1.0.0/16  172.16.1.1

Mapping-Cache ITR1
  EID          RLOC        Session
  10.2.0.0/16  172.16.2.1  <- C1-C2, S1-C2
  10.2.0.0/16  172.17.2.1  <- C1-S2, S1-S2

Mapping-Cache ITR3  (Locator-Bits received on C1-C2, S1-C2: xTR2 -> dead)
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- C2-S1, C2-C1

Mapping-Cache ITR4
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- S2-S1
  10.1.0.0/16  172.17.1.1  <- S2-C1

Outgoing traffic of EID LISP Site-2 via xTR3 now converges to the remaining RLOC of Site-1 (t8). (The Map-Request probing of xTR1 for 10.1.0.0 done by xTR3 is omitted to keep the picture simple.)

Some incoming traffic is still black-holed towards xTR2 as long as the map cache in ITR4 is not updated.

Page 45: Multihoming Failure 5

Figure (diagram not reproduced): same topology as page 41. xTR4 sends a LISP remote probe towards xTR2 (t9); timeline markers t9 to t11.

Mapping Database ITR1
  EID          RLOC
  10.1.0.0/16  172.16.1.1

Mapping-Cache ITR1
  EID          RLOC        Session
  10.2.0.0/16  172.16.2.1  <- C1-C2, S1-C2
  10.2.0.0/16  172.17.2.1  <- C1-S2, S1-S2

Mapping-Cache ITR3  (Locator-Bits received on C1-C2, S1-C2: xTR2 -> dead)
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- C2-S1, C2-C1

Mapping-Cache ITR4
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- S2-S1
  10.1.0.0/16  172.17.1.1  <- S2-C1

xTR4 uses LISP remote probes to verify the reachability of xTR2 (t9). After xTR4 has recognized that xTR2 is no longer reachable (timeout interval up to 60 seconds, t10), outgoing traffic of EID LISP Site-2 via xTR4 converges to the remaining RLOC of Site-1 (t11), see next slide.

Page 46: Multihoming Failure 6

Figure (diagram not reproduced): same topology as page 41; timeline markers t11 and t12.

Mapping Database ITR1
  EID          RLOC
  10.1.0.0/16  172.16.1.1

Mapping-Cache ITR1
  EID          RLOC        Session
  10.2.0.0/16  172.16.2.1  <- C1-C2, S1-C2
  10.2.0.0/16  172.17.2.1  <- C1-S2, S1-S2

Mapping-Cache ITR3  (Locator-Bits received on C1-C2, S1-C2: xTR2 -> dead)
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- C2-S1, C2-C1

Mapping-Cache ITR4
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- S2-S1, S2-C1

Failure repaired after 10-60 seconds!

Page 47: Multihoming Failure 7

Figure (diagram not reproduced): same topology as page 41; timeline marker t12.

Mapping Database ITR1
  EID          RLOC
  10.1.0.0/16  172.16.1.1

Mapping-Cache ITR1
  EID          RLOC        Session
  10.2.0.0/16  172.16.2.1  <- C1-C2, S1-C2
  10.2.0.0/16  172.17.2.1  <- C1-S2, S1-S2

Mapping-Cache ITR3  (Locator-Bits received on C1-C2, S1-C2: xTR2 -> dead)
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- C2-S1, C2-C1

Mapping-Cache ITR4  (Locator-Bits received on C1-S2, S1-S2: xTR2 -> dead)
  EID          RLOC        Session
  10.1.0.0/16  172.16.1.1  <- S2-S1, S2-C1

Final scenario: session flow in both directions.


Page 49: Multihoming Advanced & High Availability

Figure (diagram not reproduced): Site-1 (10.1.0.0/24; xTR1 with RLOC 172.16.1.1, xTR2 with RLOC 172.17.1.1) and Site-2 (10.2.0.0/24; xTR3 and xTR4 with RLOCs 172.16.2.1 and 172.17.2.1) over the IP WAN (RLOC address space); MS/MR at 172.99.1.1. Host groups EID1-L and EID1-U at Site-1, EID2-L and EID2-U at Site-2.

Site Registration MS-MR-Part1
  EID            RLOC        Prio
  10.1.0.0/25    172.16.1.1  1
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.16.1.1  2
  10.1.0.128/25  172.17.1.1  1

Site Registration MS-MR-Part2
  EID            RLOC        Prio
  10.2.0.0/25    172.16.2.1  1
  10.2.0.0/25    172.17.2.1  2
  10.2.0.128/25  172.16.2.1  2
  10.2.0.128/25  172.17.2.1  1

Mapping Database ETR1
  EID            RLOC        Prio
  10.1.0.0/25    172.16.1.1  1
  10.1.0.128/25  172.17.1.1  2

Mapping Database ETR2
  EID            RLOC        Prio
  10.1.0.0/25    172.16.1.1  2
  10.1.0.128/25  172.17.1.1  1

Mapping Database ETR3
  EID            RLOC        Prio
  10.2.0.0/25    172.16.2.1  1
  10.2.0.128/25  172.17.2.1  2

Mapping Database ETR4
  EID            RLOC        Prio
  10.2.0.0/25    172.16.2.1  2
  10.2.0.128/25  172.17.2.1  1

The EID address space is split into two ranges: Lower (L, 10.x.0.0/25) and Upper (U, 10.x.0.128/25). The ETRs use priority 1 and 2 to signal the preferred (active) RLOC and the backup RLOC.

Page 50: Sessions: Multihoming Symmetrical Behavior

Figure (diagram not reproduced): same topology as page 49. xTR1 is Def-GW for EID1-L, xTR2 for EID1-U, xTR3 for EID2-L and xTR4 for EID2-U. Sessions: EID1-L <-> EID2-L, EID1-U <-> EID2-U, EID1-L <-> EID2-U, EID1-U <-> EID2-L.

Mapping-Cache ITR1
  EID            RLOC        PRIO  Session
  10.2.0.0/25    172.16.2.1  1     EID1-L -> EID2-L
  10.2.0.0/25    172.17.2.1  2
  10.2.0.128/25  172.17.2.1  1     EID1-L -> EID2-U
  10.2.0.128/25  172.16.2.1  2

Mapping-Cache ITR2
  EID            RLOC        PRIO  Session
  10.2.0.0/25    172.16.2.1  1     EID1-U -> EID2-L
  10.2.0.0/25    172.17.2.1  2
  10.2.0.128/25  172.17.2.1  1     EID1-U -> EID2-U
  10.2.0.128/25  172.16.2.1  2

Mapping-Cache ITR3
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-L -> EID1-L
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.17.1.1  1     EID2-L -> EID1-U
  10.1.0.128/25  172.16.1.1  2

Mapping-Cache ITR4
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-U -> EID1-L
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.17.1.1  1     EID2-U -> EID1-U
  10.1.0.128/25  172.16.1.1  2

Session flow is symmetrical!

Page 51: Multihoming Symmetrical Behavior – ISP 1 and 2

Figure (diagram not reproduced): same topology as page 49, with the two RLOCs of each site in different providers (ISP 1: 172.16.x.1, ISP 2: 172.17.x.1). xTR1 is Def-GW for EID1-L (A systems), xTR2 for EID1-U (B systems), xTR3 for EID2-L (A systems), xTR4 for EID2-U (B systems). Sessions: EID1-L <-> EID2-L and EID1-U <-> EID2-U.

Mapping-Cache ITR1
  EID            RLOC        PRIO  Session
  10.2.0.0/25    172.16.2.1  1     EID1-L -> EID2-L
  10.2.0.0/25    172.17.2.1  2
  10.2.0.128/25  172.17.2.1  1
  10.2.0.128/25  172.16.2.1  2

Mapping-Cache ITR2
  EID            RLOC        PRIO  Session
  10.2.0.0/25    172.16.2.1  1
  10.2.0.0/25    172.17.2.1  2
  10.2.0.128/25  172.17.2.1  1     EID1-U -> EID2-U
  10.2.0.128/25  172.16.2.1  2

Mapping-Cache ITR3
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-L -> EID1-L
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.17.1.1  1
  10.1.0.128/25  172.16.1.1  2

Mapping-Cache ITR4
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.17.1.1  1     EID2-U -> EID1-U
  10.1.0.128/25  172.16.1.1  2

Page 52: Multihoming Failure 1

Figure (diagram not reproduced): same topology as page 50 (Def-GW for EID1-L, EID1-U, EID2-L, EID2-U; sessions EID1-U <-> EID2-L, EID1-L <-> EID2-U, EID1-U <-> EID2-U, EID1-L <-> EID2-L). xTR2 fails; timeline markers t0 to t2.

Mapping-Cache ITR1
  EID            RLOC        PRIO  Session
  10.2.0.0/25    172.16.2.1  1     EID1-L -> EID2-L
  10.2.0.0/25    172.17.2.1  2
  10.2.0.128/25  172.17.2.1  1     EID1-L -> EID2-U
  10.2.0.128/25  172.16.2.1  2

Mapping-Cache ITR3
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-L -> EID1-L
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.17.1.1  1     EID2-L -> EID1-U
  10.1.0.128/25  172.16.1.1  2

Mapping-Cache ITR4
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-U -> EID1-L
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.17.1.1  1     EID2-U -> EID1-U
  10.1.0.128/25  172.16.1.1  2

HSRP in xTR1 switches to active after the HSRP timeout (dead time). This can be in the sub-second range with HSRPv2.

Page 53: Multihoming Failure 2

Figure (diagram not reproduced): same topology as page 52. xTR1 is now Def-GW for EID1-L and EID1-U and sends Locator-Bits "xTR2 -> dead" towards xTR3 and xTR4 (t3).

Mapping-Cache ITR1
  EID            RLOC        PRIO  Session
  10.2.0.0/25    172.16.2.1  1     EID1-L -> EID2-L, EID1-U -> EID2-L
  10.2.0.128/25  172.17.2.1  1     EID1-L -> EID2-U, EID1-U -> EID2-U

Mapping-Cache ITR3
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-L -> EID1-L
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.17.1.1  1     EID2-L -> EID1-U
  10.1.0.128/25  172.16.1.1  2

Mapping-Cache ITR4
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-U -> EID1-L
  10.1.0.0/25    172.17.1.1  2
  10.1.0.128/25  172.17.1.1  1     EID2-U -> EID1-U
  10.1.0.128/25  172.16.1.1  2

HSRP triggers, via the Embedded Event Manager (EEM), the setting of "Locator Down" in the LSB reports (t3) without waiting for the timeout of the LISP local probe.

Page 54: Multihoming Failure 3

Figure (diagram not reproduced): same topology as page 52. Locator-Bits "xTR2 -> dead" keep arriving at xTR3 and xTR4 with every data packet from xTR1 (t4).

Mapping-Cache ITR1
  EID            RLOC        PRIO  Session
  10.2.0.0/25    172.16.2.1  1     EID1-L -> EID2-L, EID1-U -> EID2-L
  10.2.0.128/25  172.17.2.1  1     EID1-L -> EID2-U, EID1-U -> EID2-U

Mapping-Cache ITR3
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-L -> EID1-L
  10.1.0.128/25  172.17.1.1  1     EID2-L -> EID1-U
  10.1.0.128/25  172.16.1.1  2     EID2-L -> EID1-U

Mapping-Cache ITR4
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-U -> EID1-L
  10.1.0.128/25  172.17.1.1  1     EID2-U -> EID1-U
  10.1.0.128/25  172.16.1.1  2     EID2-U -> EID1-U

Receiving a continuous series of LSB reports with "Locator-Down" triggers the switchover to the backup RLOC (Prio 2) after 5-20 reports received in sequence (t4), without waiting for the timeout of the LISP remote probes.

Empirical measurement: pings with 200 ms dead time -> switchover after 4-5 pings -> about 1 second; pings with 50 ms dead time -> switchover after 15-20 pings -> about 1 second.

Page 55: Multihoming Failure 4

Figure (diagram not reproduced): same topology as page 52; all four sessions (EID1-U <-> EID2-L, EID1-L <-> EID2-U, EID1-U <-> EID2-U, EID1-L <-> EID2-L) now run via xTR1.

Mapping-Cache ITR1
  EID            RLOC        PRIO  Session
  10.2.0.0/25    172.16.2.1  1     EID1-L -> EID2-L, EID1-U -> EID2-L
  10.2.0.128/25  172.17.2.1  1     EID1-L -> EID2-U, EID1-U -> EID2-U

Mapping-Cache ITR3
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-L -> EID1-L
  10.1.0.128/25  172.16.1.1  2     EID2-L -> EID1-U

Mapping-Cache ITR4
  EID            RLOC        PRIO  Session
  10.1.0.0/25    172.16.1.1  1     EID2-U -> EID1-L
  10.1.0.128/25  172.16.1.1  2     EID2-U -> EID1-U

Failure repaired after 2-4 seconds!
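The convergence mechanics of both failure scenarios (equal-priority RLOCs on pages 41-47, active/backup RLOCs with priority 1 and 2 on pages 49-55) can be modelled compactly. The Python model below is an added example, not code from these slides or from any router implementation: an ITR mapping cache with priority and weight per RLOC, consumption of the Locator Status Bits (LSB) carried in received data packets, a constructed threshold of consecutive "locator down" reports before the switchover (the slides measured 5 to 20), and the RLOC-probe timeout as the slow path for an ITR that receives no data packets and therefore no LSB. Class and function names, the threshold value and the flow hash are assumptions.

```python
"""ITR mapping-cache failover model for dual-homed LISP sites.
Added example (not code from the slides or any router): RLOC selection by
priority/weight, Locator Status Bits (LSB) from received data packets, the
"N consecutive locator-down reports" switchover threshold, and the RLOC-probe
timeout as slow path. Threshold, flow hash and names are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Locator:
    rloc: str
    priority: int           # 1 = preferred/active, 2 = backup (as on the slides)
    weight: int = 100       # share among locators of equal priority
    reachable: bool = True
    down_reports: int = 0   # consecutive LSB reports saying "locator down"


class MapCache:
    """Mapping cache of one ITR: EID prefix -> list of Locator records."""

    def __init__(self, lsb_down_threshold=5):
        self.entries = {}
        self.lsb_down_threshold = lsb_down_threshold

    def install(self, prefix, locators):
        self.entries[ipaddress.ip_network(prefix)] = list(locators)

    def lookup(self, eid):
        """Longest-prefix match; None means a Map-Request would be needed."""
        addr = ipaddress.ip_address(eid)
        hits = [n for n in self.entries if addr in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    def select_rloc(self, eid, flow_hash=0):
        """Lowest priority value among reachable locators; the flow hash spreads
        traffic over equal-priority locators in proportion to their weight."""
        usable = [l for l in self.entries.get(self.lookup(eid), []) if l.reachable]
        if not usable:
            return None
        best = min(l.priority for l in usable)
        cands = [l for l in usable if l.priority == best]
        point = flow_hash % sum(l.weight for l in cands)
        for loc in cands:
            if point < loc.weight:
                return loc.rloc
            point -= loc.weight

    def apply_lsb(self, prefix, lsb):
        """Consume the LSB (rloc -> up?) of one received data packet. A locator is
        dead after lsb_down_threshold consecutive 'down' reports; 'up' resets."""
        dead = []
        for loc in self.entries[ipaddress.ip_network(prefix)]:
            if lsb.get(loc.rloc, True):
                loc.down_reports = 0
                continue
            loc.down_reports += 1
            if loc.reachable and loc.down_reports >= self.lsb_down_threshold:
                loc.reachable = False
                dead.append(loc.rloc)
        return dead

    def probe_timeout(self, prefix, rloc):
        """RLOC-probe timeout: the only signal for an ITR that receives no data
        packets (hence no LSB) from the far site."""
        for loc in self.entries[ipaddress.ip_network(prefix)]:
            if loc.rloc == rloc:
                loc.reachable = False


def active_backup_scenario(threshold=5):
    """Pages 49-55: EID1-U (10.1.0.128/25) prefers xTR2 (172.17.1.1). xTR2 dies,
    Site-1's remaining ETR marks it down in the LSB of every data packet it
    sends, and ITR3 switches the flow to the Prio 2 RLOC after the threshold."""
    itr3 = MapCache(lsb_down_threshold=threshold)
    itr3.install("10.1.0.0/25", [Locator("172.16.1.1", 1), Locator("172.17.1.1", 2)])
    itr3.install("10.1.0.128/25", [Locator("172.17.1.1", 1), Locator("172.16.1.1", 2)])
    lsb_from_site1 = {"172.16.1.1": True, "172.17.1.1": False}  # after local probe failed
    path = []
    for _ in range(threshold + 1):                 # one data packet per report
        itr3.apply_lsb("10.1.0.128/25", lsb_from_site1)
        path.append(itr3.select_rloc("10.1.0.200"))
    return path


def no_traffic_scenario():
    """Pages 43-45: ITR4 receives no data from Site-1, so no LSB; it keeps using
    the dead RLOC until its own RLOC probe times out (up to 60 s on the slides)."""
    itr4 = MapCache()
    itr4.install("10.1.0.0/16", [Locator("172.16.1.1", 1), Locator("172.17.1.1", 1)])
    before = itr4.select_rloc("10.1.0.10", flow_hash=150)   # hashes onto 172.17.1.1
    itr4.probe_timeout("10.1.0.0/16", "172.17.1.1")
    after = itr4.select_rloc("10.1.0.10", flow_hash=150)
    return before, after
```

`active_backup_scenario()` returns the RLOC chosen for each successive data packet: the first four still go to the dead Prio 1 RLOC, the fifth report crosses the threshold and every packet from then on uses the Prio 2 RLOC. `no_traffic_scenario()` shows the slow path: without LSB the stale selection survives until the probe timeout, which is exactly why the slides' EEM-triggered LSB (page 53) shortens repair from 10-60 seconds to 2-4 seconds.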


Page 57: Disaster Recovery (Before) 1

Figure (diagram not reproduced): EID Address Space LISP Site-1 (10.1.0.0/16; RLOCs 172.16.1.1, 172.17.1.1) and LISP Site-2 (10.2.0.0/16; RLOCs 172.16.2.1, 172.17.2.1); LISP Site-3A Data Center (10.3.0.0/16; RLOCs 172.16.3.1, 172.17.3.1); LISP Site-3B Backup Datacenter (the same EID space 10.3.0.0/16; RLOCs 172.16.4.1, 172.17.4.1; interfaces not activated); LISP Site-4 Datacenter Sync / NOC (10.4.0.0/16; RLOC 172.16.5.1); LISP MS-1/MR-1 and LISP MS-2/MR-2 (172.16.99.1, 172.17.99.1). All sites attach to the RLOC address space of the IP WAN (ISPs).

Site Registration MS-MR-1 (identical in MS-MR-2)
  EID          RLOC
  10.3.0.0/16  172.16.3.1
  10.3.0.0/16  172.17.3.1

Mapping-Cache ITRs Site-1 (identical in ITRs Site-2)
  EID          RLOC        TTL
  10.3.0.0/16  172.16.3.1  1h
  10.3.0.0/16  172.17.3.1  1h

Page 58: Disaster Recovery (After) 2

Figure (diagram not reproduced): same topology as page 57. Timeline markers t0 to t4: the interfaces of the backup datacenter (Site-3B) are activated (t1) by the NOC script; Site-3B sends Map-Register for 10.3.0.0 to MS-MR-1 and MS-MR-2; the map caches are cleared (t4) by the NOC script.

Site Registration MS-MR-1 (identical in MS-MR-2)
  EID          RLOC
  10.3.0.0/16  172.16.4.1
  10.3.0.0/16  172.17.4.1

Mapping-Cache ITRs Site-1
  EID          RLOC        TTL
  10.3.0.0/16  172.16.4.1  1h
  10.3.0.0/16  172.17.3.1  1h

Mapping-Cache ITRs Site-2
  EID          RLOC        TTL
  10.3.0.0/16  172.16.4.1  1h
  10.3.0.0/16  172.17.4.1  1h

Interfaces activated (t1) by NOC script.
Map cache cleared (t4) by NOC script.


Page 60: Deployable Systems - Mission 1

Figure (diagram not reproduced): EID Address Space LISP Site Hospital (10.1.0.0/16), LISP Site Fire Control (10.2.0.0/16), LISP Site Government (10.3.0.0/16) and LISP Site Police (10.4.0.0/16), attached to the IP WAN (ISPs used for mission 1); RLOC address space 172.16.29.x and 172.17.44.x; LISP MS-1/MR-1 and MS-2/MR-2 at 172.16.29.99 and 172.17.44.99.

Site Registration MS/MR Part 1
  EID          RLOC
  10.1.0.0/16  172.16.29.19
  10.1.0.0/16  172.17.44.12
  10.2.0.0/16  172.16.29.11
  10.2.0.0/16  172.17.44.28

Site Registration MS/MR Part 2
  EID          RLOC
  10.3.0.0/16  172.16.29.44
  10.3.0.0/16  172.17.44.31
  10.4.0.0/16  172.16.29.12
  10.4.0.0/16  172.17.44.29

Page 61: Deployable Systems - Mission 2

Figure (diagram not reproduced): the same four sites (LISP Site Police 10.4.0.0/16, Fire Control 10.2.0.0/16, Government 10.3.0.0/16, Hospital 10.1.0.0/16) now attached to the IP WAN (ISPs used for mission 2) with a new RLOC address space: 199.54.29.11, 199.54.29.12, 199.54.29.13, 199.54.29.14 and 201.33.44.11, 201.33.44.12, 201.33.44.13, 201.33.44.14; LISP MS-1/MR-1 and MS-2/MR-2.

Site Registration MS/MR Part 1
  EID          RLOC
  10.2.0.0/16  199.54.29.13
  10.2.0.0/16  201.33.44.13
  10.1.0.0/16  199.54.29.12

Site Registration MS/MR Part 2
  EID          RLOC
  10.4.0.0/16  199.54.29.11
  10.4.0.0/16  201.33.44.31
  10.3.0.0/16  201.33.44.12

EID addresses and applications are kept untouched; only the RLOCs have to be changed.


Page 63: Base VPN 1

Figure (diagram not reproduced): four LISP sites (EID Address Space LISP Site-1 10.1.0.0/16, Site-2 10.2.0.0/16, Site-3 10.3.0.0/16, Site-4 10.4.0.0/16; RLOCs 172.16.x.1 and 172.17.x.1), LISP MS-1/MR-1 and MS-2/MR-2 (172.16.99.1, 172.17.99.1) and a Non-LISP Site (RLOC address space 172.16.55.0/24, CE behind an ISP PE with uRPF check), all attached to the IP WAN (ISPs). EID addresses are not routed in the WAN!

Site Registration MS/MR Part 1
  EID          RLOC
  10.1.0.0/16  172.16.1.1
  10.1.0.0/16  172.17.1.1
  10.2.0.0/16  172.16.2.1
  10.2.0.0/16  172.17.2.1

Site Registration MS/MR Part 2
  EID          RLOC
  10.3.0.0/16  172.16.3.1
  10.3.0.0/16  172.17.3.1
  10.4.0.0/16  172.16.4.1
  10.4.0.0/16  172.17.4.1

Packet-level firewall with ACLs that permit lisp.control and lisp.data messages only when they come from allowed RLOCs and from the MS/MR.

uRPF Check … Unicast Reverse Path Forwarding check against IP source address spoofing, done by the ISP PEs
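To make the two checks named on this slide concrete (the packet-level firewall that permits lisp.control and lisp.data only from allowed RLOCs and the MS/MR, and the uRPF check against source spoofing at the ISP PE), here is an added Python model; it is not configuration from the slides and not any vendor's ACL syntax. It uses the slides' RLOC and MS/MR addresses and the standard LISP UDP ports (4341 for lisp.data, 4342 for lisp.control); the interface names, the uRPF table and the sample packets are constructed.

```python
"""Edge filtering in the RLOC address space (model of the "Base VPN 1" slide).

Added example, not configuration from the slides or any vendor ACL. Two checks:
  1. strict uRPF: the source address must be routed via the interface the
     packet arrived on (what the ISP PE does against source spoofing);
  2. packet-level firewall in front of the xTR: lisp.control (UDP 4342) only
     from the MS/MR or allowed RLOCs, lisp.data (UDP 4341) only from allowed
     RLOCs, everything else (including anything aimed at EID space) dropped.
Addresses are the slides'; interface names, uRPF table and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

LISP_DATA = 4341      # lisp.data encapsulation port
LISP_CONTROL = 4342   # lisp.control (Map-Request/-Reply/-Register, ...)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str


class LispEdgeFilter:
    def __init__(self, site_rlocs, allowed_rlocs, map_servers, urpf_table):
        ip = ipaddress.ip_address
        self.site_rlocs = {ip(a) for a in site_rlocs}
        self.allowed = {ip(a) for a in allowed_rlocs}
        self.ms_mr = {ip(a) for a in map_servers}
        # strict uRPF: interface -> prefixes routed towards that interface
        self.urpf = {ifc: [ipaddress.ip_network(p) for p in pfx]
                     for ifc, pfx in urpf_table.items()}

    def urpf_ok(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        return any(src in p for p in self.urpf.get(pkt.in_iface, []))

    def decide(self, pkt):
        if not self.urpf_ok(pkt):
            return "drop: uRPF"
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if dst not in self.site_rlocs:
            return "drop: not a site RLOC"      # EID space is not routed here
        if pkt.proto != "udp":
            return "drop: protocol"
        if pkt.dport == LISP_CONTROL and src in (self.ms_mr | self.allowed):
            return "permit: lisp.control"
        if pkt.dport == LISP_DATA and src in self.allowed:
            return "permit: lisp.data"
        return "drop: policy"


def site1_filter():
    """Filter in front of LISP Site-1 (xTRs 172.16.1.1 / 172.17.1.1)."""
    return LispEdgeFilter(
        site_rlocs=["172.16.1.1", "172.17.1.1"],
        allowed_rlocs=["172.16.2.1", "172.17.2.1", "172.16.3.1", "172.17.3.1",
                       "172.16.4.1", "172.17.4.1"],
        map_servers=["172.16.99.1", "172.17.99.1"],
        urpf_table={"isp1": ["172.16.0.0/16"], "isp2": ["172.17.0.0/16"]},
    )


# Constructed sample packets, one per rule outcome.
SAMPLES = [
    Packet("172.16.2.1", "172.16.1.1", "udp", LISP_DATA, "isp1"),      # Site-2 data
    Packet("172.16.99.1", "172.16.1.1", "udp", LISP_CONTROL, "isp1"),  # Map-Reply from MS/MR
    Packet("172.16.55.7", "172.16.1.1", "udp", LISP_DATA, "isp1"),     # non-LISP site
    Packet("172.16.2.1", "172.17.1.1", "udp", LISP_DATA, "isp2"),      # spoofed source
    Packet("172.16.55.7", "10.1.0.5", "tcp", 22, "isp1"),              # aimed at EID space
    Packet("172.16.2.1", "172.16.1.1", "udp", 53, "isp1"),             # allowed RLOC, wrong port
]


def run_samples():
    f = site1_filter()
    return [f.decide(p) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print(f"{pkt.src:>14} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport:<5} {pkt.in_iface}: {verdict}")
```

The order of the checks matters: uRPF runs first because a spoofed source would otherwise pass the RLOC allow-list, and the destination check rejects anything addressed to EID space before any port logic, which is the practical meaning of "EID address not routed" on the slide.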

Page 64: Base VPN 2

Figure (diagram not reproduced): EID Address Space LISP Site-1 (10.1.0.0/16) VPN RED, LISP Site-2 (10.2.0.0/16) VPN GREEN, LISP Site-3 (10.3.0.0/16) VPN GREEN and LISP Site-4 (10.4.0.0/16) VPN RED; RLOCs 172.16.x.1 and 172.17.x.1; LISP MS-1/MR-1 and MS-2/MR-2 (172.16.99.1, 172.17.99.1) on the IP WAN (ISPs). Each VPN uses its own MS/MR.

Site Registration MS-1/MR-1 (RED)
  EID          RLOC
  10.1.0.0/16  172.16.1.1
  10.1.0.0/16  172.17.1.1
  10.4.0.0/16  172.16.4.1
  10.4.0.0/16  172.17.4.1

Site Registration MS-2/MR-2 (GREEN)
  EID          RLOC
  10.3.0.0/16  172.16.3.1
  10.3.0.0/16  172.17.3.1
  10.2.0.0/16  172.16.2.1
  10.2.0.0/16  172.17.2.1

Page 65: Base VPN 3

Figure (diagram not reproduced): LISP Site-1 holds EID Address Space VRF RED 10.1.0.0/16 and VRF GREEN 10.4.0.0/16; LISP Site-4 holds VRF RED 10.4.0.0/16 and VRF GREEN 10.1.0.0/16; LISP Site-2 holds VPN GREEN 10.2.0.0/16. The same RLOCs (172.16.1.1, 172.17.1.1, 172.16.2.1, 172.17.2.1, 172.16.4.1, 172.17.4.1) carry RED and GREEN traffic (RED/GREEN on the xTRs); LISP MS-1/MR-1 and MS-2/MR-2 (172.16.99.1, 172.17.99.1) on the IP WAN (ISPs).

Site Registration MS/MR Part 1
  EID          RLOC        VRF - IID
  10.1.0.0/16  172.16.1.1  Site-1 RED
  10.1.0.0/16  172.17.1.1  Site-1 RED
  10.4.0.0/16  172.16.4.1  Site-4 RED
  10.4.0.0/16  172.17.4.1  Site-4 RED

Site Registration MS/MR Part 2
  EID          RLOC        VRF - IID
  10.4.0.0/16  172.16.1.1  Site-1 GREEN
  10.4.0.0/16  172.17.1.1  Site-1 GREEN
  10.1.0.0/16  172.16.4.1  Site-4 GREEN
  10.1.0.0/16  172.17.4.1  Site-4 GREEN
  10.2.0.0/16  172.16.2.1  Site-2 GREEN
  10.2.0.0/16  172.17.2.1  Site-2 GREEN

IID … LISP Instance ID


Page 67: LISP/GETVPN Variant 1

Figure (diagram not reproduced): EID Address Space LISP Site-1: VRF Green 10.1.0.0/16, Default 172.31.31.2/32 and Default 172.31.31.3/32 (the lp0 loopback EIDs of its two xTRs, RLOCs 172.16.1.1 and 172.17.1.1); EID Address Space LISP Site-2: VRF Green 10.4.0.0/16, Default 172.31.31.4/32 and Default 172.31.31.5/32 (RLOCs 172.16.2.1 and 172.17.2.1); GETVPN EID Key-Server with EID 172.31.31.1 behind RLOC 172.16.100.1 (EID Address Space LISP Site KS); LISP MS/MR at 172.16.99.1; all on the IP WAN (ISPs). Every xTR is a GETVPN GM (group member) on its EID lp0 address.

Site Registration MS/MR Part 1 (LISP sites VRF Green EIDs)
  EID          RLOC
  10.1.0.0/16  172.16.1.1
  10.1.0.0/16  172.17.1.1
  10.4.0.0/16  172.16.2.1
  10.4.0.0/16  172.17.2.1

Site Registration MS/MR Part 2 (LISP sites Default EIDs)
  EID             RLOC
  172.31.31.1/32  172.16.100.1
  172.31.31.2/32  172.16.1.1
  172.31.31.3/32  172.17.1.1
  172.31.31.4/32  172.16.2.1
  172.31.31.5/32  172.17.2.1

GETVPN crypto map on interface LISP0.GREEN.
All LISP routers are GETVPN group members on their EID default lp0 interface address.

VRF Green communication endpoint IP addresses are not encrypted, and lisp.control messages are not secured by GETVPN!

Page 68: LISP/GETVPN Variant 2

Figure (diagram not reproduced): EID Address Space LISP Site-1 (10.1.0.0/16), Site-4 (10.4.0.0/16), Site-3 (10.3.0.0/16) and Site-2 (10.2.0.0/16) with RLOCs 172.16.x.1 and 172.17.x.1; LISP MS/MR; GETVPN RLOC KS (key server) at 172.16.100.1 and 172.167.100.1; all on the IP WAN (ISPs). Every xTR and the MS/MR is a GETVPN GM RLOC (group member on its RLOC).

GETVPN crypto map on the RLOC interface!
lisp.data (and therefore the EID communication endpoint IP addresses) and all lisp.control messages are encrypted!
All LISP routers and the MS/MR are GETVPN group members on their RLOC interface address.

Page 69: Are EID IP Host Addresses Encrypted Or Not?

Source: CiscoLive2013 presentation: "TECIPM-3191"

Figure (packet format diagrams not reproduced): the EID IP host addresses are shown in light green. In Variant 2 (GETVPN on the RLOC interface) they lie inside the encrypted part of the packet; in Variant 1 (GETVPN on the LISP0.GREEN interface) they do not.

Page 70: LISP-SEC – Is it 100% Secure?

Source: CiscoLive2013 presentation: "TECIPM-3191"

Figure (diagram not reproduced). With LISP combined with GETVPN Variant 2, LISP-SEC may not be necessary anymore!

Page 71: LISP/GETVPN Variant 3 (GETVPN on both the RLOC and the EID side)

Diagram: LISP Site-1 and LISP Site-2 (VRF Green) and a key-server site over the IP WAN; LISP MS/MR 172.16.99.1 in the RLOC address space. Two GETVPN groups run at the same time:

GETVPN RLOC: integrity protection of lisp.data / lisp.control messages
  GMs on their RLOC addresses, key server 172.16.100.1, GETVPN RLOC crypto map on interface RLOC
GETVPN EID: encryption of GREEN traffic
  GMs on their lp0 loopbacks, key server at EID 172.31.31.2 (LISP Site KS), GETVPN EID crypto map on interface LISP0.GREEN

Site           EID address space                                            RLOCs                    GM EID (lp0)
LISP Site-1    VRF Green 10.1.0.0/16; default VRF 172.31.31.1/32, 172.31.31.3/32   172.16.1.1, 172.17.1.1   172.31.31.1, 172.31.31.3
LISP Site KS   default VRF 172.31.31.2/32 (GETVPN EID key server)              (not shown)              172.31.31.2
LISP Site-2    VRF Green 10.4.0.0/16; default VRF 172.31.31.4/32, 172.31.31.5/32   172.16.2.1, 172.17.2.1   172.31.31.4, 172.31.31.5
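The three placements above, as an added example that is not part of the original deck: it builds a real RFC 6830 LISP data packet (outer IPv4, UDP 4341, 8-byte LISP header with Instance-ID, inner IPv4), applies GETVPN's IP-header preservation at the point where each variant's crypto map sits, and then parses the bytes the way a passive observer on the RLOC WAN would. The ESP body is an opaque placeholder, not real encryption; the addresses follow the slide topology, and the assignment of Instance-ID 1 to VRF GREEN is an assumption of the example.

```python
"""Added example (not from the slides): which addresses stay readable on the
RLOC WAN for LISP/GETVPN Variant 1 (crypto map on LISP0), Variant 2 (crypto
map on the RLOC interface) and Variant 3 (both).

GETVPN keeps the IP header of the packet the crypto map sees ("IP header
preservation") and turns everything behind it into ESP (protocol 50).  The
ESP body below is an opaque placeholder, not real encryption: the point is
header exposure, not the cipher."""
import struct
from ipaddress import IPv4Address

LISP_PORT = 4341
PROTO_UDP, PROTO_ESP = 17, 50
LISP_N, LISP_I = 0x80, 0x08          # LISP header flags: nonce present, instance-ID present


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) ->  bytes:
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                                proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    hdr[10:12] = struct.pack("!H", ~s & 0xFFFF)
    return bytes(hdr)


def lisp_encap(inner: bytes, src_rloc: str, dst_rloc: str, instance_id: int,
               nonce: int = 0xABCDEF) -> bytes:
    """RFC 6830 data-plane encapsulation; instance_id (24 bit) selects the VRF."""
    lisp_hdr = struct.pack("!B3sI", LISP_N | LISP_I, nonce.to_bytes(3, "big"),
                           (instance_id << 8) | 0x01)        # low byte: locator status bits
    udp = struct.pack("!HHHH", LISP_PORT, LISP_PORT, 8 + len(lisp_hdr) + len(inner), 0)
    body = udp + lisp_hdr + inner
    return ipv4_header(src_rloc, dst_rloc, PROTO_UDP, len(body)) + body


def getvpn_protect(pkt: bytes, spi: int = 0x1000) -> bytes:
    """Header preservation: same src/dst, ESP instead of the original L4 payload."""
    esp = struct.pack("!II", spi, 1) + b"\x00" * len(pkt[20:])   # placeholder ciphertext
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def wan_visible(pkt: bytes) -> dict:
    """Everything a passive observer on the RLOC WAN can parse out of the packet."""
    seen = {"rloc": (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))),
            "eid": None, "instance_id": None, "eid_payload": None}
    if pkt[9] != PROTO_UDP or struct.unpack("!H", pkt[22:24])[0] != LISP_PORT:
        return seen                         # ESP right behind the RLOC header: nothing more
    lisp_hdr, inner = pkt[28:36], pkt[36:]
    if lisp_hdr[0] & LISP_I:
        seen["instance_id"] = struct.unpack("!I", lisp_hdr[4:8])[0] >> 8
    seen["eid"] = (str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20])))
    seen["eid_payload"] = "ESP" if inner[9] == PROTO_ESP else "clear"
    return seen


def variant(n: int) -> dict:
    """Build one EID packet (10.1.1.1 -> 10.2.1.1, VRF GREEN assumed to be IID 1) and
    apply the crypto map(s) of Variant n where the slides put them."""
    inner = ipv4_header("10.1.1.1", "10.2.1.1", PROTO_UDP, 12) + b"\x00" * 12  # constructed payload
    if n in (1, 3):                         # crypto map on LISP0.GREEN: before encapsulation
        inner = getvpn_protect(inner)
    pkt = lisp_encap(inner, "172.16.1.1", "172.16.2.1", instance_id=1)
    if n in (2, 3):                         # crypto map on the RLOC interface: after encapsulation
        pkt = getvpn_protect(pkt)
    return wan_visible(pkt)
```

Variant 1 leaves both EID addresses and the Instance-ID (the VRF membership of the flow) readable to anyone on the WAN path; Variants 2 and 3 expose the RLOCs only. Running `wan_visible` over bytes captured on the WAN side of an xTR is the quick check that a crypto map really sits where the design says it does.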

Page 72: LISP/GETVPN Variant 1 (EID) plus VRF

Diagram: LISP Site-1 and LISP Site-2 each carry two VRFs, RED and GREEN, with overlapping EID space (10.1.0.0/16 at Site-1 and 10.2.0.0/16 at Site-2 in each VRF). Every VRF has its own LISP MS/MR in the RLOC address space and its own GETVPN group, whose key server is reachable through that VRF's EID space at a key-server site; the GMs are per-VRF loopbacks of the xTRs (lp0 for RED, lp1 for GREEN). RLOCs: Site-1 172.16.1.1 / 172.17.1.1, Site-2 172.16.2.1 / 172.17.2.1.

VRF     LISP MS/MR    GETVPN KS (EID address, site, site RLOC)        GM EID addresses
RED     172.16.99.1   172.31.31.2 at LISP Site-KS RED, 172.16.100.1    lp0: 172.31.31.1 (Site-1), 172.31.31.3 (Site-2)
GREEN   172.17.99.1   172.32.32.2 at LISP Site-KS GREEN, 172.17.100.1  lp1: 172.32.32.1 (Site-1), 172.32.32.3 (Site-2)

Page 73: LISP/GETVPN Variant 2 (RLOC) plus VRF plus SEC-GW

Diagram: the same two-VRF topology (RED and GREEN at Site-1 and Site-2 with the overlapping EID prefixes 10.1.0.0/16 and 10.2.0.0/16; LISP MS/MR 172.16.99.1; GETVPN RLOC KS 172.16.100.1; RLOCs 172.16.1.1 / 172.17.1.1 and 172.16.2.1 / 172.17.2.1). All xTRs are GETVPN GMs on their RLOC address.

Base protection: lisp.data and lisp.control messages are encrypted by GETVPN on the RLOC interface !!!

Special protection !!! for a TOP Secret zone behind a security gateway (SEC-GW) at each site:
  Site 1: SEC-GW with EID 10.1.1.1 protects the zone 77.77.0.0/16
  Site 2: SEC-GW with EID 10.2.1.1 protects the zone 88.88.0.0/16
  Static IPsec tunnel between the SEC-GWs, e.g. ASA site-to-site VPN or SINA box: zone traffic 77.77.1.1 -> 88.88.1.1 is IPsec-encrypted, travels as 10.1.1.1 -> 10.2.1.1 (reverse 10.2.1.1 -> 10.1.1.1) in EID space, and is then LISP-encapsulated and GETVPN-protected on the RLOC side like any other EID traffic. The zone addresses are therefore hidden twice, once by the SEC-GW tunnel and once by GETVPN.

Page 74: LISP/GETVPN Variant 2 (RLOC) plus VRF plus Cisco AnyConnect

Diagram: as on the previous slide (two VRFs per site, LISP MS/MR 172.16.99.1, GETVPN RLOC KS 172.16.100.1, all xTRs GMs on their RLOC address).

Base protection: lisp.data and lisp.control messages are encrypted by GETVPN on the RLOC interface !!!

Special protection !!! for a single user instead of a fixed zone:
  Site 1: VPN concentrator, e.g. ASA, with EID 10.1.1.1, inner address 88.88.1.1, address range 88.88.0.0/16 behind it
  Site 2: IP host with AnyConnect client software, EID 10.2.1.1, inner address 88.88.2.1
  Dynamic IPsec tunnel, e.g. ASA client-to-site VPN: IPsec 88.88.2.1 -> 88.88.1.1 travels as 10.2.1.1 -> 10.1.1.1 (reverse 10.1.1.1 -> 10.2.1.1) in EID space, LISP-encapsulated and GETVPN-protected on the RLOC side.


Page 76: LISP VM Mobility Start Scenario

Topology: three LISP sites over an IP WAN; LISP MS/MR at 172.16.99.1 in the RLOC address space.

Site           EID prefix     xTR RLOCs                  Default gateway (HSRP Grp 1)
LISP Site-1    10.1.0.0/16    172.16.1.1, 172.17.1.1     VR 10.1.0.3, vMAC 00-00-0C-9F-F0-01
LISP Site-2    10.2.0.0/16    172.16.2.1, 172.17.2.1     VR 10.2.0.3, vMAC 00-00-0C-9F-F0-01
LISP Remote    10.25.0.0/16   172.16.25.1, 172.17.25.1

Site Registration (MS/MR part)
EID            RLOC
10.1.0.0/16    172.16.1.1
(...)          (...)
10.25.0.0/16   172.17.25.1

Mapping Database ETRs Site 1
EID            RLOC
10.1.0.0/16    172.16.1.1
10.1.0.0/16    172.17.1.1

Mapping Database ETRs Site 2
EID            RLOC
10.2.0.0/16    172.16.2.1
10.2.0.0/16    172.17.2.1

Mapping Database ETRs Site Remote
EID            RLOC
10.25.0.0/16   172.16.25.1
10.25.0.0/16   172.17.25.1

Hosts:
- VM-WEB-SRV (Site-1): 10.1.15.15/32, MAC 01-02-03-04-05-06, default gateway 10.1.0.3, ARP cache 10.1.0.3 -> 00-00-0C-9F-F0-01
- IP Host Client Site-1: 10.1.0.20/32, MAC 07-08-09-10-11-12, default gateway 10.1.0.3, ARP cache 10.1.0.3 -> 00-00-0C-9F-F0-01 and 10.1.15.15 -> 01-02-03-04-05-06
- IP Host Client Site-2: 10.2.0.10/32, MAC 11-12-13-14-15-16, default gateway 10.2.0.3, ARP cache 10.2.0.3 -> 00-00-0C-9F-F0-01
- IP Host Client Remote: 10.25.0.25/32

Page 77: Packet Flow before VM Move

Same topology (LISP MS/MR 172.16.99.1). Caches after the first packets have flowed between the sites:

Mapping Cache ITR Site Remote
EID            RLOC
10.1.0.0/16    172.16.1.1

Mapping Cache ITRs Site 1
EID            RLOC
10.25.0.0/16   172.16.25.1
10.2.0.0/16    172.17.2.1

Mapping Cache ITRs Site 2
EID            RLOC
10.1.0.0/16    172.16.1.1

Hosts: VM-WEB-SRV (on ESXi-Site1) 10.1.15.15/32 with default gateway 10.1.0.3; IP Host Client Site-1 10.1.0.20/32 with default gateway 10.1.0.3; IP Host Client Site-2 10.2.0.10/32 with default gateway 10.2.0.3; IP Host Client Remote 10.25.0.25/32.

IP Host Client Site-1 and VM-WEB-SRV are on the same subnet and use direct delivery, without any default gateway.

Page 78: LISP Mobility VM Move 1

VM-WEB-SRV is moved from ESXi-Site1 to ESXi-Site2 and keeps everything: IP address 10.1.15.15/32, MAC 01-02-03-04-05-06, default gateway 10.1.0.3 and its ARP entry 10.1.0.3 -> 00-00-0C-9F-F0-01 (HSRP Grp 1 uses the same vMAC at both sites).

Sequence:
t1, t2     VM move
t3         Detection of the moved host by the Site-2 xTRs
t4         Map Notify Peer (between the two Site-2 xTRs)
t5         Site-2 ETRs register 10.1.15.15/32 at the MS/MR
t7, t8     MS/MR sends Map Notify to Site 1
t9         Site-1 xTRs install the /32 as Null route and cache its new location
t10, t11   Map Notify Peer (between the two Site-1 xTRs)

Mapping Database ETRs Site 2 (after t5)
EID             RLOC
10.2.0.0/16     172.16.2.1
10.2.0.0/16     172.17.2.1
10.1.15.15/32   172.16.2.1
10.1.15.15/32   172.17.2.1

Site Registration (MS/MR part, after t5)
EID             RLOC
10.1.0.0/16     172.16.1.1
(...)           (...)
10.25.0.0/16    172.17.25.1
10.1.15.15/32   172.16.2.1
10.1.15.15/32   172.17.2.1

Routing Table xTRs Site 1 (after t9)
Net             NextHop
10.1.0.0/16     local
10.1.15.15/32   Null

Mapping Cache ITRs Site 1 (after t9)
EID             RLOC
10.25.0.0/16    172.16.25.1
10.25.0.0/16    172.17.25.1
10.1.15.15/32   172.16.2.1
10.1.15.15/32   172.17.2.1

Page 79: LISP Mobility VM Move 2

Sequence (continued):
t12        Mapping Cache ITRs Site 1 still lists 10.25.0.0/16 -> 172.16.25.1 / 172.17.25.1 for the remote site
t14..t17   SMR: Solicited Map Request, sent to the ITRs that already hold a mapping cache entry for 10.1.0.0/16. Such ITRs are recognised 1. from the own mapping cache (it records to whom packets were sent) and 2. data driven (packets keep arriving for destination 10.1.15.15). The solicited ITR sends a Map Request to the MS/MR and receives a Map Reply with the /32 mapping.

Mapping Cache ITR Site Remote (after t17)
EID             RLOC
10.1.0.0/16     172.16.1.1
(...)           (...)
10.2.0.0/16     172.17.2.1
10.1.15.15/32   172.16.2.1
10.1.15.15/32   172.17.2.1

VM-WEB-SRV (now at Site-2): 10.1.15.15/32, MAC 01-02-03-04-05-06, default gateway 10.1.0.3, ARP cache 10.1.0.3 -> 00-00-0C-9F-F0-01

Page 80: LISP Mobility Remote Traffic Redirection

Mapping Cache ITR Site Remote
EID             RLOC
10.1.0.0/16     172.16.1.1
10.1.0.0/16     172.17.1.1
(...)           (...)
10.1.15.15/32   172.16.2.1
10.1.15.15/32   172.17.2.1
-> Traffic from IP Host Client Remote (10.25.0.25/32) to 10.1.15.15 is now encapsulated to Site 2 (longest prefix match on the /32); the rest of 10.1.0.0/16 still goes to Site 1.

Mapping Cache ITRs Site 2
EID             RLOC
10.25.0.0/16    172.16.25.1

Still open: IP Host Client Site-1 (10.1.0.20/32, default gateway 10.1.0.3) has the ARP entry 10.1.15.15 -> 01-02-03-04-05-06 and believes that VM-WEB-SRV is still on the local network 10.1.0.0 (??? VM-WEB-SRV old location).

IP Host Client Site-2: 10.2.0.10/32, MAC 11-12-13-14-15-16, default gateway 10.2.0.3

Page 81: LISP Mobility Traffic Redirection Old Site

LISP Site 1 ITRs know that 10.1.15.15 has moved and use gratuitous ARP and proxy ARP to redirect traffic from 10.1.0.20 destined to 10.1.15.15 to their own Ethernet interfaces (HSRP MAC address):
- Gratuitous ARP refreshes the ARP cache of the local PCs for IP 10.1.15.15 to 00-00-0C-9F-F0-01.
- Proxy ARP answers any ARP request for IP 10.1.15.15 with 00-00-0C-9F-F0-01 on behalf of the moved VM-WEB-SRV.

Deployment check: the xTR deliberately does what ARP spoofing does. Hosts with a static ARP entry for 10.1.15.15, or switches running dynamic ARP inspection without the xTR ports marked as trusted, will not follow the redirect.

IP Host Client Site-1: 10.1.0.20/32, default gateway 10.1.0.3, ARP cache now 10.1.15.15 -> 00-00-0C-9F-F0-01

Mapping Cache ITRs Site 1
EID             RLOC
10.1.15.15/32   172.17.2.1

Mapping Cache ITRs Site 2
EID             RLOC
10.1.0.0/16     172.16.1.1

IP Host Client Site-2: 10.2.0.10/32, MAC 11-12-13-14-15-16, default gateway 10.2.0.3
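The control-plane sequence of the VM-move slides (and, with 10.3.3.21/32 instead of 10.1.15.15/32, the identical sequence of the geo-redundancy and roaming-device slides that follow), as an added example that is not part of the original deck. It models only the tables the slides show: detection of the host at the new site, the /32 registration, the Map-Notify to the old site, the Null route there, the Solicited-Map-Request to ITRs that still cache the old mapping (both cache-based and data-driven), and the Map-Request/Map-Reply refresh. Message encodings, TTLs and the Map-Notify-Peer exchange between the two xTRs of one site are left out; the two xTRs of a site are collapsed into one.

```python
"""Added example, not part of the deck: a small model of the LISP host-mobility
control plane as drawn on the VM-move slides.  Tables are the ones on the
slides (Site Registration, Mapping Database, Mapping Cache, Routing Table)."""
from ipaddress import ip_address, ip_network


def lpm(table, eid):
    """Longest-prefix match: the most specific key of `table` covering `eid`, or None."""
    hits = [p for p in table if ip_address(eid) in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None


class MapServerResolver:
    """MS/MR: site registrations plus Map-Request handling."""
    def __init__(self):
        self.registrations = {}          # prefix -> (site name, RLOC list)
        self.sites = {}                  # site name -> Site

    def register(self, site, prefix, rlocs):
        cover = lpm(self.registrations, str(prefix.network_address))
        owner = self.registrations[cover][0] if cover is not None else None
        self.registrations[prefix] = (site.name, list(rlocs))
        if owner is not None and owner != site.name:     # EID moved: Map-Notify the old site
            self.sites[owner].on_map_notify(prefix, rlocs)

    def map_request(self, eid):
        """Map-Reply: the most specific registered prefix and its RLOCs."""
        p = lpm(self.registrations, eid)
        return p, self.registrations[p][1]

    def site_of(self, rloc):
        return next(s for s in self.sites.values() if rloc in s.rlocs)


class Site:
    """One LISP site; both xTRs collapsed into one database, cache and RIB."""
    def __init__(self, name, prefix, rlocs, ms):
        self.name, self.rlocs, self.ms = name, list(rlocs), ms
        self.database = {ip_network(prefix): list(rlocs)}   # Mapping Database (ETR side)
        self.map_cache = {}                                  # Mapping Cache (ITR side)
        self.rib = {ip_network(prefix): "local"}             # Routing Table of the xTRs
        self.peers_sent_to = set()                           # sites we have encapsulated to
        ms.sites[name] = self
        ms.register(self, ip_network(prefix), rlocs)

    def forward(self, dst_eid):
        """ITR decision for a packet from a local host: ("local", None) or ("lisp", rlocs)."""
        if self.rib.get(lpm(self.rib, dst_eid)) == "local":
            return "local", None
        p = lpm(self.map_cache, dst_eid)
        if p is None:                                        # cache miss: Map-Request
            p, rlocs = self.ms.map_request(dst_eid)
            self.map_cache[p] = list(rlocs)
        rlocs = self.map_cache[p]
        dst_site = self.ms.site_of(rlocs[0])
        self.peers_sent_to.add(dst_site.name)
        dst_site.receive(self, dst_eid)
        return "lisp", rlocs

    def receive(self, from_site, dst_eid):
        """ETR side: a packet for dst_eid arrived from from_site's ITR."""
        if self.rib.get(lpm(self.rib, dst_eid)) == "null":  # host moved away: data-driven SMR
            from_site.on_smr(dst_eid)

    def detect_host(self, eid):
        """A host with a /32 EID shows up on the local LAN (t3 on the slides)."""
        p = ip_network(eid + "/32")
        self.database[p] = list(self.rlocs)
        self.rib[p] = "local"
        self.ms.register(self, p, self.rlocs)                # Map-Register (t5)

    def on_map_notify(self, prefix, new_rlocs):
        """Old site learns that the /32 now lives elsewhere (t7..t9)."""
        self.database.pop(prefix, None)
        self.rib[prefix] = "null"                            # 10.1.15.15/32 -> Null
        self.map_cache[prefix] = list(new_rlocs)
        for peer in self.peers_sent_to:                      # cache-based SMR recipients
            self.ms.sites[peer].on_smr(str(prefix.network_address))

    def on_smr(self, eid):
        """Solicited Map-Request: re-resolve the EID and refresh the cache (t14..t17)."""
        p, rlocs = self.ms.map_request(eid)
        self.map_cache[p] = list(rlocs)


def run_vm_move(old_site_knows_remote: bool) -> dict:
    """Replay slides 76-81.  If the Site-1 ITR has already talked to the Remote
    site, the SMR is cache-based and the first packet after the move already goes
    to Site-2; otherwise the first packet still lands at Site-1, whose Null route
    triggers the data-driven SMR, and only the second one reaches Site-2."""
    ms = MapServerResolver()
    site1 = Site("Site-1", "10.1.0.0/16", ["172.16.1.1", "172.17.1.1"], ms)
    site2 = Site("Site-2", "10.2.0.0/16", ["172.16.2.1", "172.17.2.1"], ms)
    remote = Site("Remote", "10.25.0.0/16", ["172.16.25.1", "172.17.25.1"], ms)
    r = {"before": remote.forward("10.1.15.15")[1]}     # 10.25.0.25 -> VM-WEB-SRV at Site-1
    if old_site_knows_remote:
        site1.forward("10.25.0.25")                        # 10.1.0.20 -> remote client
    site2.detect_host("10.1.15.15")                        # VM-WEB-SRV appears at Site-2
    r["first_after"] = remote.forward("10.1.15.15")[1]
    r["second_after"] = remote.forward("10.1.15.15")[1]
    r["site1_rib"] = site1.rib[ip_network("10.1.15.15/32")]
    r["site1_to_vm"] = site1.forward("10.1.15.15")         # 10.1.0.20 -> moved VM
    r["site1_to_other"] = site1.forward("10.1.0.20")       # untouched local host
    r["remote_to_other"] = remote.forward("10.1.0.20")[1]  # rest of 10.1.0.0/16 unchanged
    return r
```

The data-driven path is the one to watch operationally: until the SMR has been answered, an ITR that never heard a Map-Notify keeps sending to the old site, and the old site's Null route is what turns that stale packet into a trigger instead of a black hole.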


Page 83: LISP Mobility Geo-Redundancy 1

Same three-site topology over the IP WAN: LISP Site-1 10.1.0.0/16 (RLOCs 172.16.1.1 / 172.17.1.1, VR 10.1.0.3), LISP Site-2 10.2.0.0/16 (172.16.2.1 / 172.17.2.1, VR 10.2.0.3), LISP Remote 10.25.0.0/16 (172.16.25.1 / 172.17.25.1), HSRP Grp 1 at both sites, LISP MS/MR 172.16.99.1.

SQL-SRV at Site 1 owns a secondary IP address 10.3.3.21/32 that belongs to no site prefix: MAC 01-02-03-04-05-06, default gateway 10.3.3.21 (the host itself, so it resolves every remote destination by ARP), ARP cache for remote IP addresses -> 00-00-0C-9F-F0-01 (the xTRs answer with the HSRP MAC).

Site Registration (MS/MR part)
EID            RLOC
10.1.0.0/16    172.16.1.1
10.3.3.21/32   172.16.1.1
10.3.3.21/32   172.17.1.1
10.25.0.0/16   172.17.25.1

Mapping Database ETRs Site 1
EID            RLOC
10.1.0.0/16    172.16.1.1
10.1.0.0/16    172.17.1.1
10.3.3.21/32   172.16.1.1
10.3.3.21/32   172.17.1.1

Mapping Database ETRs Site 2
EID            RLOC
10.2.0.0/16    172.16.2.1
10.2.0.0/16    172.17.2.1

Page 84: LISP Mobility Geo-Redundancy 2

Traffic towards SQL-SRV (secondary IP 10.3.3.21/32, default gateway 10.3.3.21, currently at Site 1) before the move:

Mapping Cache ITR Site Remote
EID            RLOC
10.3.3.21/32   172.16.1.1

Mapping Cache ITRs Site 1
EID            RLOC
10.25.0.0/16   172.16.25.1
10.2.0.0/16    172.17.2.1

Mapping Cache ITRs Site 2
EID            RLOC
10.3.3.21/32   172.17.1.1

Hosts: IP Host Client Site-1 10.1.0.20/32 (default gateway 10.1.0.3), IP Host Client Site-2 10.2.0.10/32 (default gateway 10.2.0.3).

Page 85: LISP Mobility Geo-Redundancy 3

t1        SRV-Move: the secondary IP address 10.3.3.21 is deactivated on the SQL-SRV at Site 1 and activated on its partner at Site 2. Note: the negotiation of roles between the servers happens outside of LISP. The Site-2 instance presents the same MAC 01-02-03-04-05-06, default gateway 10.3.3.21 and ARP cache for remote IP addresses -> 00-00-0C-9F-F0-01.
t2, t3    Detection by the Site-2 xTRs
t4        Map Notify Peer (Site-2 xTRs)
t5        Site-2 ETRs register 10.3.3.21/32 at the MS/MR
t7, t8    MS/MR sends Map Notify to Site 1
t9        Site-1 ITRs cache the new location

Mapping Database ETRs Site 2 (after t5)
EID            RLOC
10.2.0.0/16    172.16.2.1
10.2.0.0/16    172.17.2.1
10.3.3.21/32   172.16.2.1
10.3.3.21/32   172.17.2.1

Site Registration (MS/MR part, after t5)
EID            RLOC
10.1.0.0/16    172.16.1.1
(...)          (...)
10.25.0.0/16   172.17.25.1
10.3.3.21/32   172.16.2.1
10.3.3.21/32   172.17.2.1

Mapping Cache ITRs Site 1 (after t9)
EID            RLOC
10.25.0.0/16   172.16.25.1
10.25.0.0/16   172.17.25.1
10.3.3.21/32   172.16.2.1
10.3.3.21/32   172.17.2.1

Mapping Database ETRs Site 1
EID            RLOC
10.1.0.0/16    172.16.1.1
10.1.0.0/16    172.17.1.1
10.3.3.21/32   172.16.1.1
10.3.3.21/32   172.17.1.1

Page 86: LISP Mobility Geo-Redundancy 4

t10        Map Notify Peer (Site-1 xTRs)
t12..t15   Map Request / Map Reply: the Remote ITR re-resolves 10.3.3.21 at the MS/MR and receives the Site-2 RLOCs (same SMR mechanism as for the VM move)

Mapping Cache ITR Site Remote (after t15)
EID            RLOC
10.3.3.21/32   172.16.2.1
10.3.3.21/32   172.17.2.1

SQL-SRV (now at Site 2): secondary IP 10.3.3.21/32, MAC 01-02-03-04-05-06, default gateway 10.3.3.21, ARP cache for remote IP addresses -> 00-00-0C-9F-F0-01

Page 87: LISP Mobility Geo-Redundancy 5

Final state: the SQL-SRV old location at Site 1 no longer holds the secondary IP; 10.3.3.21/32 (MAC 01-02-03-04-05-06, default gateway 10.3.3.21, ARP cache for remote IP addresses -> 00-00-0C-9F-F0-01) is served at Site 2.

Mapping Cache ITR Site Remote
EID            RLOC
10.1.0.0/16    172.16.1.1
10.1.0.0/16    172.17.1.1
(...)          (...)
10.3.3.21/32   172.16.2.1
10.3.3.21/32   172.17.2.1

Mapping Cache ITRs Site 2
EID            RLOC
10.25.0.0/16   172.16.25.1
10.1.0.0/16    172.16.1.1

Mapping Cache ITRs Site 1
EID            RLOC
10.3.3.21/32   172.16.2.1


Page 89: LISP Mobility For Roaming Devices

Topology over the IP WAN: LISP Site-1 10.1.0.0/16 (RLOCs 172.16.1.1 / 172.17.1.1, VR 10.1.0.3), LISP Site-2 10.2.0.0/16 (172.16.2.1 / 172.17.2.1, VR 10.2.0.3), LISP Site-3 10.25.0.0/16 (172.16.25.1 / 172.17.25.1, VR 10.25.0.3), HSRP Grp 1 at every site, LISP MS/MR 172.16.99.1.

Roaming devices carry a /32 EID from a prefix that belongs to no site and use their own address as default gateway, so the xTRs of whichever site they attach to detect and register them (the same mechanism as for the geo-redundant SQL-SRV):
  Roaming-Device 1 at Site-1: 10.3.3.21/32, MAC 01-02-03-04-05-06, default gateway 10.3.3.21
  Roaming-Device 2 at Site-3: 10.3.3.22/32, MAC 01-02-03-04-05-06, default gateway 10.3.3.22
Other hosts: IP Host Client Site-1 10.1.0.20/32 (default gateway 10.1.0.3), IP Host Client Site-2 10.2.0.10/32 (default gateway 10.2.0.3)

Site Registration (MS/MR part)
EID            RLOC
10.1.0.0/16    172.16.1.1
10.3.3.21/32   172.16.1.1
10.3.3.21/32   172.17.1.1
10.25.0.0/16   172.17.25.1
10.3.3.22/32   172.17.25.1

Mapping Database ETRs Site 1
EID            RLOC
10.1.0.0/16    172.16.1.1
10.1.0.0/16    172.17.1.1
10.3.3.21/32   172.16.1.1
10.3.3.21/32   172.17.1.1

Mapping Database ETRs Site 2
EID            RLOC
10.2.0.0/16    172.16.2.1
10.2.0.0/16    172.17.2.1

Mapping Database ETRs Site 3
EID            RLOC
10.25.0.0/16   172.16.25.1
10.25.0.0/16   172.17.25.1
10.3.3.22/32   172.17.25.1


Page 91: LISP Mobile Node 1

Topology: EID LISP Site-1 10.1.0.0/16 behind xTR1 / xTR2 (RLOCs 172.16.2.1 / 172.17.2.1); MS-MR 172.99.2.1; EID Mobile Node-X 10.3.3.21/32, an Android tablet / smartphone running LISP Mobile Node (LISPmob) with two uplinks, ISP1 LTE (RLOC 172.17.1.1) and ISP2 UMTS (RLOC 172.18.1.1).

Mapping Database EID Mobile Node-X
EID            RLOC         PRIO   Interface
10.3.3.21/32   172.17.1.1   2      LTE  down
10.3.3.21/32   172.18.1.1   3      UMTS up

Mapping Database ETR1/2
EID            RLOC
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1

Site Registration MS-MR
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.21/32   172.18.1.1   3

Mapping-Cache ITR1/2
EID            RLOC         TTL
10.3.3.21/32   172.18.1.1   1h

Page 92: LISP Mobile Node 2

ISP1 LTE (RLOC 172.17.1.1) comes up. The mobile node registers it with the better priority and the Site-1 ITRs switch to it: move without break to LTE.

Mapping Database EID Mobile Node-X
EID            RLOC         PRIO   Interface
10.3.3.21/32   172.17.1.1   2      LTE  up
10.3.3.21/32   172.18.1.1   3      UMTS up

Site Registration MS-MR
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.21/32   172.18.1.1   3
10.3.3.21/32   172.17.1.1   2

Mapping-Cache ITR1/2
EID            RLOC         TTL
10.3.3.21/32   172.17.1.1   1h

Page 93: LISP Mobile Node 3

ISP3 WLAN/VDSL (RLOC 172.19.1.1) comes up with priority 1: move without break to VDSL.

Mapping Database EID Mobile Node-X
EID            RLOC         PRIO   Interface
10.3.3.21/32   172.17.1.1   2      LTE  up
10.3.3.21/32   172.18.1.1   3      UMTS up
10.3.3.21/32   172.19.1.1   1      WLAN/VDSL up

Site Registration MS-MR
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.21/32   172.18.1.1   3
10.3.3.21/32   172.17.1.1   2
10.3.3.21/32   172.19.1.1   1

Mapping-Cache ITR1/2
EID            RLOC         TTL
10.3.3.21/32   172.19.1.1   1h

Page 94: LISP Mobile Node 4

Solicited move back to LTE without a break: e.g. an EEM (Embedded Event Manager) script detects that the WLAN signal strength is below a threshold and changes the priority of the WLAN/VDSL RLOC to 4; after re-registration the Site-1 ITRs prefer LTE (priority 2) again.

Mapping Database EID Mobile Node-X
EID            RLOC         PRIO   Interface
10.3.3.21/32   172.17.1.1   2      LTE  up
10.3.3.21/32   172.18.1.1   3      UMTS up
10.3.3.21/32   172.19.1.1   4      WLAN/VDSL up

Site Registration MS-MR
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.21/32   172.18.1.1   3
10.3.3.21/32   172.17.1.1   2
10.3.3.21/32   172.19.1.1   4

Mapping-Cache ITR1/2
EID            RLOC         TTL
10.3.3.21/32   172.17.1.1   1h

Page 95: LISP Mobile Node 5: LISPmob & GETVPN

Base protection with GETVPN Variant 2: xTR1, xTR2, the MS-MR and the mobile node itself are GETVPN group members on their RLOC addresses; GETVPN RLOC key server 172.16.100.1. Mapping tables as on slide 93 (WLAN/VDSL 172.19.1.1 at priority 1 in use):

Mapping Database EID Mobile Node-X
EID            RLOC         PRIO   Interface
10.3.3.21/32   172.17.1.1   2      LTE  up
10.3.3.21/32   172.18.1.1   3      UMTS up
10.3.3.21/32   172.19.1.1   1      WLAN/VDSL up

Site Registration MS-MR
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.21/32   172.18.1.1   3
10.3.3.21/32   172.17.1.1   2
10.3.3.21/32   172.19.1.1   1

Mapping-Cache ITR1/2
EID            RLOC         TTL
10.3.3.21/32   172.19.1.1   1h

Page 96: LISP Mobile Node 6: LISPmob & GETVPN & AnyConnect

Advanced protection with AnyConnect on top of the GETVPN base protection (all GMs on their RLOC addresses, GETVPN RLOC KS 172.16.100.1):
  Mobile node: Android tablet / smartphone as IP host with AnyConnect client software, EID 10.3.3.21, inner VPN address 88.88.2.1
  Site: VPN concentrator, e.g. ASA, with EID 10.2.1.1, inner address 88.88.1.1, address range 88.88.0.0/16 behind it
  Dynamic IPsec tunnel, e.g. ASA client-to-site VPN: IPsec 88.88.2.1 -> 88.88.1.1 travels as 10.3.3.21 -> 10.2.1.1 (reverse 10.2.1.1 -> 10.3.3.21) in EID space and follows the mobile node over whichever RLOC it is currently registered with.

Site Registration MS-MR (unchanged)
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.21/32   172.18.1.1   3
10.3.3.21/32   172.17.1.1   2
10.3.3.21/32   172.19.1.1   1


Page 98: Mobility in Public Safety 1

Same setup as for the LISP Mobile Node, but the mobile endpoint is a whole site: a police car with a LISP router in front of EID Mobile Site-X 10.3.3.0/28. EID LISP Site-1 10.1.0.0/16 behind xTR1 / xTR2 (RLOCs 172.16.2.1 / 172.17.2.1); MS-MR 172.99.2.1; uplinks ISP1 LTE (RLOC 172.17.1.1) and ISP2 UMTS (RLOC 172.18.1.1).

Mapping Database EID Mobile Site-X
EID            RLOC         PRIO   Interface
10.3.3.0/28    172.17.1.1   2      LTE  down
10.3.3.0/28    172.18.1.1   3      UMTS up

Mapping Database ETR1/2
EID            RLOC
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1

Site Registration MS-MR
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.0/28    172.18.1.1   3

Mapping-Cache ITR1/2
EID            RLOC         TTL
10.3.3.0/28    172.18.1.1   1h

Page 99: Mobility in Public Safety 2

ISP1 LTE (RLOC 172.17.1.1) comes up: move without break to LTE for the whole police-car site.

Mapping Database EID Mobile Site-X
EID            RLOC         PRIO   Interface
10.3.3.0/28    172.17.1.1   2      LTE  up
10.3.3.0/28    172.18.1.1   3      UMTS up

Site Registration MS-MR
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.0/28    172.18.1.1   3
10.3.3.0/28    172.17.1.1   2

Mapping-Cache ITR1/2
EID            RLOC         TTL
10.3.3.0/28    172.17.1.1   1h

Page 100: Mobility in Aeronautics 1

Airplane with a LISP router in front of EID Mobile Site-X 10.3.3.0/28, communicating with Application 1 and Application 2 in the ANSP area (EID LISP Site-1 10.1.0.0/16 behind xTR1 / xTR2, RLOCs 172.16.2.1 / 172.17.2.1; MS-MR 172.99.2.1). Uplinks: Radio Data Link 1 (RLOC 172.18.1.1) and Radio Data Link 2 (RLOC 172.17.1.1), both configured with priority 1.

Mapping Database EID Mobile Site-X
EID            RLOC         PRIO   Interface
10.3.3.0/28    172.17.1.1   1      Radio Link 2 down
10.3.3.0/28    172.18.1.1   1      Radio Link 1 up

Mapping Database ETR1/2
EID            RLOC
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1

Site Registration MS-MR
EID            RLOC         PRIO
10.1.0.0/16    172.16.2.1
10.1.0.0/16    172.17.2.1
10.3.3.0/28    172.18.1.1   1

Mapping-Cache ITR1/2
EID            RLOC         TTL
10.3.3.0/28    172.18.1.1   1h

Page 101

Mobility in Aeronautics 2

Diagram as on the previous slide; the airplane now has three links: Radio
Data Link 1 (172.18.1.1), Radio Data Link 2 (172.17.1.1) and ISP3 –
WLAN/VDSL (172.19.1.1, listed as SAT Link in the table); the ANSP area
runs Application 1, 2 and 3.

Mapping Database (MS-MR)
  EID           RLOC         PRIO
  10.1.0.0/16   172.16.2.1
  10.1.0.0/16   172.17.2.1
  10.3.3.0/28   172.18.1.1   1
  10.3.3.0/28   172.17.1.1   1
  10.3.3.0/28   172.19.1.1   1

Mapping Database EID Mobile Site-X
  EID           RLOC         PRIO   Interface
  10.3.3.0/28   172.17.1.1   1      Radio Link 2   down
  10.3.3.0/28   172.18.1.1   1      Radio Link 1   up
  10.3.3.0/28   172.19.1.1   1      SAT Link       up

Mapping-Cache ITR1/2
  EID           RLOC         TTL
  10.3.3.0/28   172.18.1.1   1h
  10.3.3.0/28   172.17.1.1   1h

Load balancing of incoming traffic across the locators registered with equal PRIO 1; outgoing traffic engineering by the airplane's xTR based on application type.

Page 102

Mobility in Aeronautics 3

Diagram as before: Radio Data Link 1 (172.18.1.1), Radio Data Link 2
(172.17.1.1), third link 172.19.1.1; ANSP area with Application 1 and 2.

Mapping Database (MS-MR)
  EID           RLOC         PRIO
  10.1.0.0/16   172.16.2.1
  10.1.0.0/16   172.17.2.1
  10.3.3.0/28   172.18.1.1   1
  10.3.3.0/28   172.17.1.1   2

Mapping Database EID Mobile Site-X
  EID           RLOC         PRIO   Interface
  10.3.3.0/28   172.17.1.1   2      Radio Link 2   up
  10.3.3.0/28   172.18.1.1   1      Radio Link 1   up

Mapping-Cache ITR1/2
  EID           RLOC         TTL
  10.3.3.0/28   172.18.1.1   1h

Solicited move without break to radio link 1 again: e.g. EEM (Cisco Embedded Event Manager) on the airplane's router detects that the signal strength of radio data link 2 has dropped below a threshold and changes that locator's PRIO to 2. After re-registration only radio link 1 (PRIO 1) remains in the ITRs' cache, while link 2 stays registered as backup.

Page 103

Mobility in Aeronautics 3 (continued): the same mapping tables as on the preceding slide, with the third link labelled ISP3 – SAT 172.19.1.1.
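The mobility scenarios of the preceding slides (police car moving from UMTS to LTE, airplane balancing two radio links and then demoting one via EEM), worked through as an added Python example. This is not code from the lecture or from Cisco: it models the Map-Server database, the mobile xTR's Map-Register and an ITR map-cache with TTL using the locator semantics of RFC 6830 (lowest PRIO value preferred, 255 unusable, weights split traffic among equal PRIO). EIDs, RLOCs and priorities are the slides'; the per-flow hash, the simplified Solicit-Map-Request (SMR) handling, the 40 constructed sample flows and the PRIO 1 given to the fixed site's RLOCs are this example's own assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

UNUSABLE = 255  # RFC 6830: a locator with priority 255 must never be used


@dataclass(frozen=True)
class Locator:
    rloc: str
    priority: int      # lower value = preferred
    weight: int = 100  # traffic share among locators of equal priority


class MappingDatabase:
    """Map-Server view: EID-prefix -> locator set registered by the site's xTR."""
    def __init__(self):
        self.entries = {}

    def register(self, eid_prefix, locators):
        self.entries[ipaddress.ip_network(eid_prefix)] = tuple(locators)

    def lookup(self, eid):
        addr = ipaddress.ip_address(eid)
        matches = [p for p in self.entries if addr in p]
        if not matches:
            return None, ()
        best = max(matches, key=lambda p: p.prefixlen)  # longest prefix match
        return best, self.entries[best]


class MobileXTR:
    """Mobile site's xTR (police car, airplane): registers only links that are up."""
    def __init__(self, eid_prefix, links):
        self.eid_prefix, self.links = eid_prefix, links  # links: name -> rloc/priority/up

    def register(self, mapdb, itrs=()):
        locs = [Locator(l["rloc"], l["priority"]) for l in self.links.values() if l["up"]]
        mapdb.register(self.eid_prefix, locs)  # Map-Register to the MS-MR
        for itr in itrs:  # Solicit-Map-Request (RFC 6830 6.6.2) to ITRs that cache us
            itr.receive_smr(self.eid_prefix)
        return locs


class ITR:
    """Ingress tunnel router with a map-cache whose entries live for `ttl` seconds."""
    def __init__(self, mapdb):
        self.mapdb, self.cache = mapdb, {}  # cache: prefix -> (locators, expiry)

    def receive_smr(self, eid_prefix):
        self.cache.pop(ipaddress.ip_network(eid_prefix), None)  # force a fresh lookup

    def resolve(self, eid, now, ttl=3600):
        addr = ipaddress.ip_address(eid)
        for prefix, (locs, expiry) in self.cache.items():
            if addr in prefix and now < expiry:
                return locs  # cache hit; stale until TTL expiry or an SMR
        prefix, locs = self.mapdb.lookup(eid)  # Map-Request / Map-Reply
        if prefix is not None:
            self.cache[prefix] = (locs, now + ttl)
        return locs

    def select_rloc(self, src, dst, now):
        usable = [l for l in self.resolve(dst, now) if l.priority != UNUSABLE]
        if not usable:
            return None  # no locator: packet is dropped or forwarded natively
        best = min(l.priority for l in usable)
        cands = [l for l in usable if l.priority == best]
        # Per-flow hash (assumption): a flow sticks to one locator, flows spread by weight
        h = int(hashlib.sha256(f"{src}-{dst}".encode()).hexdigest(), 16)
        point = h % sum(l.weight for l in cands)
        for l in cands:
            if point < l.weight:
                return l.rloc
            point -= l.weight


def public_safety_scenario():
    """Slides 98-99: car on UMTS (PRIO 3); LTE comes up with PRIO 2 and takes over."""
    mapdb = MappingDatabase()
    mapdb.register("10.1.0.0/16", [Locator("172.16.2.1", 1), Locator("172.17.2.1", 1)])
    car = MobileXTR("10.3.3.0/28", {"UMTS": {"rloc": "172.18.1.1", "priority": 3, "up": True},
                                    "LTE": {"rloc": "172.17.1.1", "priority": 2, "up": False}})
    itr = ITR(mapdb)
    car.register(mapdb)
    before = itr.select_rloc("10.1.5.5", "10.3.3.7", now=0)  # only UMTS registered
    car.links["LTE"]["up"] = True
    car.register(mapdb)  # re-registered without SMR ...
    stale = itr.select_rloc("10.1.5.5", "10.3.3.7", now=10)  # ... so the ITR still uses UMTS
    car.register(mapdb, itrs=[itr])  # SMR invalidates the ITR's cache entry
    after = itr.select_rloc("10.1.5.5", "10.3.3.7", now=20)  # move without break to LTE
    return before, stale, after


def aeronautics_scenario():
    """Slides 101-102: two links at PRIO 1 share the load; EEM demotes link 2 to PRIO 2."""
    mapdb = MappingDatabase()
    plane = MobileXTR("10.3.3.0/28", {"Radio1": {"rloc": "172.18.1.1", "priority": 1, "up": True},
                                      "Radio2": {"rloc": "172.17.1.1", "priority": 1, "up": True}})
    itr = ITR(mapdb)
    plane.register(mapdb, itrs=[itr])
    flows = [(f"10.1.0.{i}", "10.3.3.2") for i in range(1, 41)]  # constructed sample flows
    balanced = {itr.select_rloc(s, d, now=0) for s, d in flows}
    plane.links["Radio2"]["priority"] = 2  # EEM: link 2 signal strength below threshold
    plane.register(mapdb, itrs=[itr])  # solicited move: all flows return to link 1
    moved = {itr.select_rloc(s, d, now=1) for s, d in flows}
    return balanced, moved
```

`public_safety_scenario()` returns `('172.18.1.1', '172.18.1.1', '172.17.1.1')`: the middle value shows why "move without break" needs more than a new Map-Register, since an ITR keeps encapsulating to the old locator until its 1h cache entry expires or an SMR makes it re-query the mapping system. `aeronautics_scenario()` returns both radio links in the first set and only 172.18.1.1 in the second, i.e. load balancing at equal PRIO and the EEM-triggered solicited move.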

Page 104

Agenda
•  LISP Introduction
•  LISP & Mission Critical Communication
•  LISP Multihoming
   –  Multihoming Default Load Balancing
   –  Multihoming Failure Scenario
   –  Multihoming Active/Backup
•  LISP Use Cases
   –  Disaster Recovery
   –  Deployable Systems
   –  Base VPNs
   –  Encrypted VPNs
   –  Mobility VMmove
   –  Mobility Geo Redundancy
   –  Mobility Roaming Devices
   –  LISP Mobile Node (LISPmob)
   –  LISP Mobile Site
•  Summary

Page 105

Summary 1

–  Multihoming
   •  Redundancy
   •  Fast automatic recovery from single points of failure
   •  Focus on fast convergence
   •  High availability
–  Multihoming and LISP mobility
   •  Constraint-based routing (QoS, application type) to different service providers / data links
   •  Seamless communication without interruption
   •  "Move before break"
–  Mobility
   •  Identity (the EID) remains the same while the locator changes
   •  New operation models: traditionally clients dial in and pull information; with a stable identity the centers can push information to the mobile sites

Page 106

Summary 2

–  LISP and GETVPN
   •  Base protection in the transport system
   •  Integrity of messages
   •  Optional encryption
   (LISP encapsulation itself carries no integrity or confidentiality protection; GETVPN adds both to the data plane. The mapping system needs protecting as well: Map-Register messages are authenticated with a key shared between the xTR and the Map-Server, otherwise any xTR could register, and so hijack, an EID prefix.)
–  Service provider independence
   •  Separation of addressing and routing
   •  Address family agnostic: IPv6 over IPv4, …
–  Simplicity of configuration
   •  Fast deployment
   •  Fast return to operation after a disaster
   •  Needs fewer skills for operation and maintenance