
VPN and DSL WAN Design



Presentation Transcript


  1. VPN and DSL WAN Design

  2. Chapter Topics
  • DSL Technologies
  • VPNs

  3. DSL Technologies

  4. DSL Technologies
  • When used with VPN technologies, DSL can provide WAN connectivity for remote offices at a lower cost than dedicated services.
  • DSL increases connectivity options for fixed remote access and extranet offices and users
  • DSL connection is “always on”
  • Charges are typically a fixed monthly fee
  • In some major markets, private DSL access is available
    • permanent virtual circuits (PVCs) extend the enterprise network to the DSL access device

  5. DSL Technologies
  • DSL is favorably priced based on cost for equivalent bandwidth when compared to dial-up access
  • Provides price advantages over leased lines and packet network services
  • Disadvantages of DSL include
    • spotty availability due to distance and infrastructure quality
    • lack of guaranteed transport bandwidth through the intermediate public networks
    • security issues within the Internet
    • cable modems offer comparable service for remote access at a similar cost

  6. DSL Types
  • DSL is a physical layer technology
  • Marketplace has many variations
  • Forms of DSL include the following:
    • ADSL
    • SDSL
    • IDSL
    • High-bit-rate DSL (HDSL)
    • VDSL
  • Two leading schemes are SDSL and ADSL

  7. Basic DSL Architecture

  8. ADSL – Asymmetric DSL
  • Targeted for residential customers
  • Defined by the American National Standards Institute (ANSI) T1.413 standard
  • Provides asymmetric speed with a downlink speed (from the central office to the customer) faster than the uplink speed

  9. ADSL
  • Downstream rates range from 256 kbps to 8 Mbps
  • Upstream rates range from 16 kbps to 800 kbps
  • ADSL transmissions work at distances up to 18,000 ft (5488 m) over a single copper twisted pair

  10. ADSL
  • ADSL G.lite is a variant specification that reduces the device requirements of ADSL
    • eliminates the requirement for special wiring installation services
    • provides rates up to 1.5 Mbps
  • Another variant is Rate Adaptive ADSL (RADSL)
    • Allows the DSL modem to adapt its speed based on the quality and length of the line

  11. ADSL Sample Services
  • Some examples of services are
    • 384 kbps download/128 kbps uplink
    • 768 kbps download/128 kbps uplink
    • 786 kbps download/256 kbps uplink
    • 1.5 Mbps download/128 kbps uplink
    • 1.5 Mbps download/384 kbps uplink
    • 6 Mbps download/384 kbps uplink

  12. HDSL – High Bit-rate DSL
  • Provides 1.544 Mbps of bandwidth but uses two twisted-pair lines (4 wires)
  • Range is limited to 12,000 ft (3658.5 m)
  • Signal repeaters can extend the service
  • Used primarily for digital-loop carrier systems, interexchange points of presence (POPs), and private data networks
  • HDSL-2 is a two-wire version that provides the same speeds, or double the speed with four wires

  13. SDSL – Symmetric DSL
  • Provides equal bandwidth for both the uplink and downlink lines
  • Targeted to business customers to replace their more expensive T1 circuits
  • Uses a single twisted-pair line
  • Operating range limited to 22,000 ft

  14. SDSL – Symmetric DSL
  • Often marketed as business DSL
  • Speeds up to 2.3 Mbps
  • Service examples are
    • 144 kbps symmetric
    • 192 kbps symmetric
    • 384 kbps symmetric
    • 768 kbps symmetric
    • 1.1 Mbps symmetric
    • 1.5 Mbps symmetric

  15. IDSL – ISDN DSL
  • Developed to provide DSL service to locations using existing ISDN facilities
  • Redirects ISDN traffic to a DSLAM
  • Maintains all the electrical capabilities of ISDN
  • CPE is still any ISDN Basic Rate Interface (BRI) bridge/router
  • Provides a flat rate for the ISDN-type service versus the per-call rate of ISDN
  • Provides the same data capabilities over longer local loop facilities
  • IDSL is cheaper than ISDN

  16. VDSL – Very High Rate DSL
  • Asymmetric DSL services at speeds much greater than ADSL
  • Uses a single pair to provide up to 52 Mbps downlink speeds and up to 16 Mbps uplink speeds
  • Only selected areas offer VDSL
  • Limited to 4000 ft from the central office

  17. LRE over VDSL
  • Provides Ethernet services over existing Category 1/2/3 twisted-pair wiring
  • Speeds from 5 to 15 Mbps (full duplex)
  • Distances up to 5000 ft

  18. DSL Specifications

  19. VPNs

  20. Foundation
  • VPNs create private tunnels across the Internet
  • Create these tunnels from a single host to a VPN concentrator
  • Create site-to-site tunnels between offices

  21. VPN Tunnels
  • You can use several different technologies to create VPN tunnels:
    • GRE
    • Point-to-Point Tunneling Protocol (PPTP)
    • Microsoft Point-to-Point Encryption (MPPE)
    • VPDN
    • IPSec
    • MPLS

  22. GRE
  • Cisco tunneling protocol that encapsulates entire packets into new IP headers
    • creates a virtual point-to-point link between two Cisco routers
    • new header has the source and destination addresses of the tunnel end points
    • virtual link crosses an IP network
  • described in RFC 1701
  • created to tunnel IP and other packet types
  • Encapsulated packet types can be IP packets or non-IP packets, such as Novell IPX or AppleTalk packets
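  The encapsulation on this slide, worked through as an added example (code written for this page; it is not Cisco's implementation and not code from the slides): the functions build and parse the RFC 1701 GRE header with its optional checksum, key and sequence-number fields, then wrap the result in an outer IPv4 header whose protocol number is 47 and whose addresses are the tunnel endpoints. The Protocol Type values for IPv4, IPX and AppleTalk are the standard Ethertypes; the sample payload, addresses, key and sequence number are constructed. The routing field is deliberately rejected rather than parsed. Note for defenders: the parser returns the inner packet byte-for-byte, because GRE adds framing only, not encryption or authentication, so anything that needs confidentiality across the Internet is carried inside IPSec, which the later slides cover.

```python
import struct

# GRE flag bits in the first 16-bit word of the header (RFC 1701)
GRE_C = 0x8000            # checksum present
GRE_R = 0x4000            # routing present (not handled by this example)
GRE_K = 0x2000            # key present
GRE_S = 0x1000            # sequence number present
GRE_VERSION_MASK = 0x0007  # low three bits: version, must be 0 for RFC 1701 GRE

# Protocol Type values (Ethertypes) for the payload kinds the slide mentions
ETH_P_IPV4 = 0x0800
ETH_P_IPX = 0x8137
ETH_P_ATALK = 0x809B
IPPROTO_GRE = 47


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both the GRE and the IPv4 header checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner: bytes, proto_type: int, key=None, seq=None, checksum=False) -> bytes:
    """Prefix an inner packet with a GRE header; optional fields appear in the order C, K, S."""
    flags = 0
    optional = b""
    if key is not None:
        flags |= GRE_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        optional += struct.pack("!I", seq)
    if checksum:
        flags |= GRE_C
        head = struct.pack("!HH", flags, proto_type)
        # The checksum covers the GRE header (checksum field zeroed) plus the payload
        csum = ones_complement_checksum(head + b"\x00\x00\x00\x00" + optional + inner)
        return head + struct.pack("!HH", csum, 0) + optional + inner
    return struct.pack("!HH", flags, proto_type) + optional + inner


def gre_decapsulate(gre: bytes):
    """Parse a GRE header; returns (proto_type, key, seq, inner_packet)."""
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    if flags & GRE_R:
        raise ValueError("GRE routing field not supported")
    offset = 4
    if flags & GRE_C:
        # A correct checksum makes the sum over the whole header+payload come out as zero
        if ones_complement_checksum(gre) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    key = seq = None
    if flags & GRE_K:
        key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:
        seq = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    return proto_type, key, seq, gre[offset:]


def gre_is_valid(gre: bytes) -> bool:
    """True if the GRE header parses and its checksum (when present) verifies."""
    try:
        gre_decapsulate(gre)
        return True
    except (ValueError, struct.error):
        return False


def tunnel_packet(outer_src: bytes, outer_dst: bytes, gre: bytes, ttl: int = 64) -> bytes:
    """Outer IPv4 header (protocol 47) carrying the tunnel endpoints as source and destination."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0x4000, ttl, IPPROTO_GRE, 0,
                      outer_src, outer_dst)
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + gre


if __name__ == "__main__":
    inner = b"constructed inner IPX datagram"   # constructed sample payload, not a real IPX packet
    gre = gre_encapsulate(inner, ETH_P_IPX, key=0x1234, seq=1, checksum=True)
    pkt = tunnel_packet(b"\xc0\xa8\x01\x01", b"\xc0\xa8\x02\x01", gre)  # constructed endpoints
    print(gre_decapsulate(pkt[20:]))
```

  Running the block prints the decapsulated tuple, with the "inner IPX datagram" bytes unchanged: a capture anywhere between the two tunnel endpoints shows the same thing.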

  23. PPTP
  • Described in RFC 2637
  • Network protocol developed by a vendor consortium
  • Allows for transfers of data from client PCs to enterprise servers using tunneled PPP through an IP network
  • Client software is deployed in Windows 95, ME, NT, 2000, and XP
  • Cisco added support for PPTP to Cisco IOS routers, PIX Firewalls, and VPN concentrators

  24. MPPE
  • Microsoft protocol
  • Part of Microsoft’s PPTP client VPN solution
  • Converts PPP packets into an encrypted form
  • Used for creating VPNs over dial-up networks
  • Most Cisco access platforms support MPPE

  25. VPDN
  • A VPDN is a network that extends remote access to a private network using a shared infrastructure
  • Cisco protocol
  • Allows a private dial-in service to span across several remote-access servers (RAS)

  26. VPDN
  • Use Layer 2 tunnel technologies to extend the network connection from a remote user across an Internet service provider (ISP) network to a private network
  • Layer 2 technologies include
    • Layer 2 Forwarding Protocol (L2F)
    • Layer 2 Tunnel Protocol (L2TP)
    • PPTP

  27. VPDN
  • No need to connect to central office through the PSTN
  • VPDN users connect to the local ISP
  • ISP forwards the PPP session to a tunnel server
  • Forwarding calls through the Internet will save money

  28. VPDN Tunnel

  29. IPSec
  • Provides a set of security services at the IP layer
  • Defined in RFC 2401
  • Architecture that both IPv4 and IPv6 can use
  • IPSec is a set of protocols, key management, and algorithms for authentication and encryption

  30. IPSec
  • Two central protocols for IPSec are
    • IP AH
      • provides data-connection integrity and data-origin authentication for connectionless IP communications
      • can use AH alone or with ESP
      • described in RFC 2402
    • ESP
      • provides data confidentiality, data-origin authentication, and limited traffic-flow confidentiality
      • described in RFC 2406

  31. IPSec - IKE
  • uses the Internet Key Exchange (IKE) protocol for the automatic exchange of keys to form security associations (SA) between two systems
  • IKE is not used if the SAs are configured manually
  • eliminates the need to manually specify all of the IPSec SA parameters of both peers and allows encryption keys to change during IPSec sessions
  • IKE is described in RFC 2409

  32. IPSec Algorithms
  • ESP protocol uses encryption algorithms such as DES and 3DES for bulk encryption and for data confidentiality during IKE key exchange

  33. IPSec Connection Steps
  • IPSec operation follows five steps:
    • Step 1: Process initiation
      • Specification of the type of traffic to be encrypted
    • Step 2: IKE Phase 1
      • Authenticates the IPSec peers and sets up a secure channel between the peers to enable IKE exchanges
    • Step 3: IKE Phase 2
      • negotiates the IPSec SA
    • Step 4: Data transfer
    • Step 5: Tunnel termination
      • Tunnel is terminated if the IPSec SAs are deleted or their lifetimes expire

  34. AH
  • Provides connectionless integrity (data integrity) for packet headers and data payload, and authentication
  • Does not provide confidentiality
  • Authentication comes from applying a one-way hash function to the packet to create a message digest

  35. AH Hash

  36. AH - Hash
  • Not all the IP header fields are used to hash the IP header
    • fields that change in transit are not part of the hash process
      • Time-To-Live

  37. ESP
  • Provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service and limited traffic-flow confidentiality, as negotiated by the end points when they establish an SA
  • Packet authentication is provided by an optional field
  • Authentication is performed after encryption
  • Encryption through 56-bit DES and 3DES

  38. ESP Tunnel Mode
  • Provides protection of the IP header fields only in tunnel mode
  • original IP header and payload are encrypted

  39. ESP Transport Mode
  • Only the IP data is encrypted
  • ESP inserts an IPSec header between the original IP header and the encrypted data

  40. DES and 3DES
  • DES is an older U.S. Government-approved standard widely used for encryption
  • Uses a 56-bit key to scramble and unscramble messages
  • Exported DES uses a 40-bit version
  • DES breaks data into 64-bit blocks and then processes it with a 56-bit shared secret key

  41. DES and 3DES
  • Latest DES standard uses a 3-by-56 bit key
    • a 168-bit key called Triple DES
    • input is encrypted three times
    • data is broken into 64-bit blocks
    • 3DES then processes each block three times, each time with an independent key

  42. DES and 3DES
  • Two IPSec peers must first exchange their shared secret key
  • Can encrypt and decrypt the message or generate and verify a message authentication code
  • After the two IPSec peers obtain their shared keys, they can use DES or 3DES for data encryption

  43. HMACs
  • Both AH and ESP use HMACs to ensure data integrity and authentication
  • HMACs use hash functions and private keys to perform message authentication
  • IPSec specifies the use of HMAC-MD5 and HMAC-SHA-1 for IKE and IPSec

  44. MD5
  • A hash algorithm used to authenticate packet data
  • Uses a 128-bit key to perform a hash function to produce a 128-bit authentication value of the input data
  • Message digest serves as a signature of the data
  • Signature is inserted into the AH or ESP headers
  • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet

  45. SHA-1
  • A hash algorithm used to authenticate packet data
  • Uses a 160-bit secret key to produce a 160-bit authentication value of the input data
  • Signature is inserted into the AH or ESP headers
  • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet
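  The AH integrity check described on slides 34, 36 and 43 to 45, worked through as an added example (code written for this page, not an IPSec implementation and not code from the slides): the sender computes an HMAC over the packet, zeroing the mutable IPv4 fields first, and the receiver recomputes it and compares. The example assumes the RFC 2402 AH header layout, the RFC 2402 list of mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) and the 96-bit truncation of HMAC-MD5 and HMAC-SHA-1 specified in RFC 2403 and RFC 2404; the key, addresses and payload are constructed, and the IPv4 header checksum is left at zero since it is excluded from the hash anyway. The two simulated events, a router decrementing TTL and someone rewriting the destination address, show what AH tolerates and what it catches. The comparison uses a constant-time compare, which is the detail a receiver implementation most often gets wrong.

```python
import hmac
import struct

IPPROTO_AH = 51
IPPROTO_UDP = 17
ICV_LEN = 12            # HMAC-MD5-96 / HMAC-SHA-1-96: MAC truncated to 96 bits (RFC 2403 / RFC 2404)
IP_FMT = "!BBHHHBBH4s4s"  # version/IHL, TOS, length, id, flags/frag, TTL, proto, checksum, src, dst


def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int = 64, proto: int = IPPROTO_AH) -> bytes:
    # Checksum left at 0: it is a mutable field and never enters the ICV calculation
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def immutable_view(ip_hdr: bytes) -> bytes:
    """Copy of the IPv4 header with the mutable fields zeroed (RFC 2402 Appendix A)."""
    vihl, _tos, tlen, ident, _flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr[:20])
    return struct.pack(IP_FMT, vihl, 0, tlen, ident, 0, 0, proto, 0, src, dst)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes, algo: str = "sha1") -> bytes:
    """ICV over the immutable IP header, the AH header with the ICV field zeroed, and the payload."""
    data = immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, algo).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, spi: int, seq: int, payload: bytes,
                    next_header: int = IPPROTO_UDP, ttl: int = 64, algo: str = "sha1") -> bytes:
    ah_len = 12 + ICV_LEN                       # 24 bytes: fixed part + ICV
    ip_hdr = ipv4_header(src, dst, 20 + ah_len + len(payload), ttl=ttl)
    # AH Payload Len field = header length in 32-bit words minus 2 (RFC 2402)
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_fixed, payload, algo)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah_packet(key: bytes, packet: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute the ICV and compare it in constant time to the one received."""
    ip_hdr, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = compute_icv(key, ip_hdr, ah_fixed, payload, algo)
    return hmac.compare_digest(expected, icv)


def forward_hop(packet: bytes) -> bytes:
    """Simulate a router on the path: TTL decremented, a mutable field, so the ICV must still verify."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


def rewrite_destination(packet: bytes, new_dst: bytes) -> bytes:
    """Simulate modification of an immutable field (destination address) in transit."""
    return packet[:16] + new_dst + packet[20:]


if __name__ == "__main__":
    key = b"constructed-shared-key"                       # constructed, from a manual SA or IKE
    src, dst = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"     # constructed peer addresses
    pkt = build_ah_packet(key, src, dst, spi=0x100, seq=1, payload=b"hello")
    print("as sent:        ", verify_ah_packet(key, pkt))
    print("after one hop:  ", verify_ah_packet(key, forward_hop(pkt)))
    print("dst rewritten:  ", verify_ah_packet(key, rewrite_destination(pkt, b"\x0a\x00\x00\x03")))
    print("payload in clear:", pkt[44:])
```

  The last line of the demo is the point of slide 34: the payload survives verification unchanged but also travels unencrypted, which is why confidentiality needs ESP.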

  46. Diffie-Hellman
  • A key-agreement algorithm used by two end devices to agree on a shared secret key
  • IKE uses Diffie-Hellman for key exchange during IKE Phase 1
  • secret keys are then used by encryption algorithms

  47. Diffie-Hellman: How it Works
  • Each Diffie-Hellman peer generates a public and private key pair
    • public key is calculated from the private key
    • private key is kept secret
  • public keys are exchanged between the peers
  • peer then computes the same shared secret number by combining the other’s public key and its own private key
  • shared secret number is converted into a shared secret key
  • shared secret key is never exchanged

  48. WAN Design Using IPSec Tunnels
  • Enterprises can reduce their WAN costs by replacing traditional circuits (FR/ATM/dedicated circuits) with site-to-site VPN tunnels over the Internet
  • Point-to-point IPSec tunnels replace the permanent circuits
  • Access to the Internet can come from dial-up, cable-modem, or DSL technologies

  49. WAN Design Using IPSec Tunnels

  50. MPLS
  • A transport service that can provide VPNs
  • An advantage of using MPLS for VPN service is the ability to offer service guarantees
  • Guarantees are not currently possible when using the Internet to transport VPNs
