vpn and dsl wan design n.
Skip this Video
Loading SlideShow in 5 Seconds..
VPN and DSL WAN Design PowerPoint Presentation
Download Presentation
VPN and DSL WAN Design

VPN and DSL WAN Design

172 Views Download Presentation
Download Presentation

VPN and DSL WAN Design

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. VPN and DSL WAN Design

  2. Chapter Topics • DSL Technologies • VPNs

  3. DSL Technologies

  4. DSL Technologies • When used with VPN technologies, DSL can provide WAN connectivity for remote offices at a lower cost than dedicated services. • DSL increases connectivity options for fixed remote access and extranet offices and users • DSL connection is “always on” • Charges are typically a fixed monthly fee • In some major markets, private DSL access is available • permanent virtual circuits (PVCs) extend the enterprise network to the DSL access device

  5. DSL Technologies • DSL is favorably priced based on cost for equivalent bandwidth when compared to dial-up access • Provides price advantages over leased lines and packet network services • Disadvantages of DSL include • spotty availability due to distance and infrastructure quality • lack of guaranteed transport bandwidth through the intermediate public networks • security issues within the Internet • cable modems offer comparable service for remote access at a similar cost

  6. DSL Types • DSL is a physical layer technology • Marketplace has many variations • Forms of DSL include the following: • ADSL • SDSL • IDSL • High-bit-rate DSL (HDSL) • VDSL • Two leading schemes are SDSL and ADSL

  7. Basic DSL Architecture

  8. ADSL – Asymmetric DSL • Targeted for residential customers • Defined by the American National Standards Institute (ANSI) T1.413 standard • Provides asymmetric speed with a downlink speed (from the central office to the customer) faster than the uplink speed

  9. ADSL • Downstream rates range from 256 kbps to 8 Mbps • Upstream rates range from 16 kbps to 800 kbps • ADSL transmissions work at distances up to 18,000 ft (5488 m) over a single copper twisted pair

  10. ADSL ADSL G.lite is a variant specification that reduces the device requirements of ADSL • eliminates the requirement for special wiring installation services • provides rates up to 1.5 Mbps • Another variant is Rate Adaptive ADSL (RADSL) • Allows the DSL modem to adapt its speed based on the quality and length of the line

  11. ADSL Sample Services • Some examples of services are • 384 kbps download/128 kbps uplink • 768 kbps download/ 128 kbps uplink • 786 kbps download/ 256 kbps uplink • 1.5 Mbps download/128 kbps uplink • 1.5 Mbps download/384 kbps uplink • 6 Mbps download/384 Kbps uplink

  12. HDSL – High Bit-rate DSL • Provides 1.544 Mbps of bandwidth but uses two twisted-pair lines (4 wires) • Range is limited to 12,000 ft (3658.5 m) • Signal repeaters can extend the service • Used primarily for digital-loop carrier systems, interexchange points of presence (POPs), and private data networks • HDSL-2 is a two-wire version that provides the same speeds or double the speed with four wires

  13. SDSL – Symmetric DSL • Provides equal bandwidth for both the uplink and downlink lines • Targeted to business customers to replace their more expensive T1 circuits • Uses a single twisted-pair line • Operating range limited to 22,000 ft

  14. SDSL – Symmetric DSL • Often marketed as business DSL • Speeds up to 2.3 Mbps • Service examples are • 144 kbps symmetric • 192 kbps symmetric • 384 kbps symmetric • 768 kbps symmetric • 1.1 Mbps symmetric • 1.5 Mbps symmetric

  15. IDSL – ISDN DSL • Developed to provide DSL service to locations using existing ISDN facilities • Redirects ISDN traffic to a DSLAM • Maintains all the electrical capabilities of ISDN • CPE is still any ISDN Basic Rate Interface (BRI) bridge/router • Provides a flat rate for the ISDN type service versus the per-call rate of ISDN. • Provide the same data capabilities over longer local loop facilities • IDSL is cheaper than ISDN

  16. VDSL – Very High Rate DSL • Asymmetric DSL services at speeds much greater than ADSL • Uses a single pair to provide up to 52 Mbps downlink speeds and up to 16 Mbps uplink speeds • Only selected areas offer VDSL • Limited to 4000 ft from the central office

  17. LRE over VDSL • Provides Ethernet services over existing Category 1/2/3 twisted-pair wiring • Speeds from 5 to 15 Mbps (full duplex) • Distances up to 5000 ft.

  18. DSL Specifications

  19. VPNs

  20. Foundation • VPNs create private tunnels across the Internet • Create these tunnels from a single host to a VPN concentrator • Create site-to-site tunnels between offices

  21. VPN Tunnels • You can use several different technologies to create VPN tunnels: • GRE • Point-to-Point Tunneling Protocol (PPTP) • Microsoft Point-to-Point Encryption (MPPE) • VPDN • IPSec • MPLS

  22. GRE • Cisco tunneling protocol that encapsulates entire packets into new IP headers • creates a virtual point-to-point link between two Cisco routers • new header has the source and destination addresses of the tunnel end points • virtual link crosses an IP network • described in RFC 1701 • created to tunnel IP and other packet types • Encapsulated packets types can be IPpackets or non-IP packets, such as Novell IPX or AppleTalk packets

  23. PPTP • Described in RFC 2637 • Network protocol developed by a vendor consortium • Allows for transfers of data from client PCs to enterprise servers using tunneled PPP through an IP network • Client software is deployed in Windows 95, ME, NT, 2000, and XP • Cisco added support for PPTP to Cisco IOS routers, PIX Firewalls, and VPN concentrators

  24. MPPE • Microsoft protocol • Part of Microsoft’s PPTP client VPN solution • Converts PPP packets into an encrypted form • Used for creating VPNs over dial-up networks • Most Cisco access platforms support MPPE

  25. VPDN • A VPDN is a network that extends remote access to a private network using a shared infrastructure • Cisco protocol • Allows a private dial-in service to span across several remote-access servers (RAS)

  26. VPDN • Use Layer 2 tunnel technologies to extend the network connection from a remote user across an Internet service provider (ISP) network to a private network • Layer 2 technologies include • Layer 2 Forwarding Protocol (L2F) • Layer 2 Tunnel Protocol (L2TP) • PPTP

  27. VPDN • No need to connect to central office through the PSTN • VPDN users connect to the local ISP • ISP forwards the PPP session to a tunnel server • Forwarding calls through the Internet will save money

  28. VPDN Tunnel

  29. IPSec • Provides a set of security services at the IP layer • Defined in RFC 2401 • Architecture IPv4 & IPv6 can use • IPSec is a set of protocols, key management, and algorithms for authentication and encryption.

  30. IPSec • Two central protocols for IPSec are • IP AH • provides data-connection integrity and data-origin authentication for connectionless IP communications • can use AH alone or with ESP • described in RFC 2402 • ESP • provides data confidentiality, data-origin authentication, and limited traffic-flow confidentiality • described in RFC 2406

  31. IPSec - IKE • uses the Internet Key Exchange (IKE) protocol for the automatic exchange of keys to form security associations (SA) between two systems • IKE is not used if the SAs are configured manually • eliminates the need to manually specify all of the IPSec SA parameters of both peers and allows encryption keys to change during IPSec sessions • IKE is described in RFC 2409

  32. IPSec Algorithms • ESP protocol uses encryption algorithms such as DES and 3DES for bulk encryption and for data confidentiality during IKE key exchange

  33. IPSec Connection Steps • IPSec operation follows five steps: • Step 1: Process initiation • Specification of the type of traffic to be encrypted • Step 2: IKE Phase 1 • Authenticates the IPSec peers and sets up a secure channel between the peers to enable IKE exchanges • Step 3: IKE Phase 2 • negotiates the IPSec SA • Step 4: Data transfer • Step 5: Tunnel termination • Tunnel is terminated if the IPSec SA are deleted or their lifetimes expire

  34. AH • Provides connectionless integrity (data integrity) for packet headers and data payload and authentication • Does not provide confidentiality • Authentication comes from applying a one-way hash function to the packet to create a message digest

  35. AH Hash

  36. AH - Hash • Hot all the IP header fields are used to hash the IP header • fields that change are not part of the hash process • Time-To-Live

  37. ESP • Provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service and limited traffic-flow confidentiality as negotiated by the end points when they establish a SA • Packet authentication is provided by an optional field • Authentication is performed after encryption • Encryption through 56-bit DES and 3DES.

  38. ESP Tunnel Mode • Provides protection of the IP header fields only in tunnel mode • original IP header and payload are encrypted

  39. ESP Transport Mode • Only the IP data is encrypted • ESP inserts an IPSec header between the original IP header and the encrypted data

  40. DES and 3DES • DES is an older U.S. Government-approved standard widely used for encryption • Uses a 56-bit key to scramble and unscramble messages • Exported DES uses a 40-bit bit version • DES breaks data into 64-bit blocks and then processes it with a 56-bit shared secret key

  41. DES and 3DES • Latest DES standard uses a 3-by-56 bit key • a 168-bit key called Triple DES • input is encrypted three times • data is broken into 64-bit blocks • 3DES then processes each block three times, each time with an independent key

  42. DES and 3DES • Two IPSec peers must first exchange their shared secret key • Can encrypt and decrypt the message or generate and verify a message authentication code • After the two IPSec peers obtain their shared keys, they can use DES or 3DES for data encryption

  43. HMACs • Both AH and ESP use HMACs to ensure data integrity and authentication • HMACs use hash functions and private keys to perform message authentication • IPSec specifies the use of HMAC-MD5 and HMAC-SHA-1 for IKE and IPSec.

  44. MD5 • A hash algorithm used to authenticate packet data • Uses a 128-bit key to perform a hash function to produce a 128-bit authentication value of the input data • Message digest serves as a signature of the data • Signature is inserted into the AH or ESP headers • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet

  45. SHA-1 • A hash algorithm used to authenticate packet data • Uses a 160-bit secret key to produce a 160-bit authentication value of the input data • Signature is inserted into the AH or ESP headers • Receiving IPSec peer computes the authentication value of the received packet and compares it to the value stored in the received packet

  46. Diffie-Hellman • A key-agreement algorithm used by two end devices to agree on a shared secret key • IKE uses Diffie-Hellman for key exchange during IKE Phase 1 • secret keys are then used by encryption algorithms

  47. Diffie-Hellman: How it Works • Each Diffie-Hellman peer generates a public and private key pair • public key is calculated from the private key • private key is kept secret • public keys are exchanged between the peers • peer then computes the same shared secret number by combining the other’s public key and its own private key • shared secret number is converted into a shared secret key • shared secret key is never exchanged

  48. WAN Design Using IPSec Tunnels • Enterprises can reduce their WAN costs by replacing traditional circuits (FR/ATM/Dedicated Cirucits) with site-to-site VPN tunnels over the Internet • Point-to-point IPSec tunnels replace the permanent circuits • Access to the Internet can come from dial-up, cable-modem, or DSL technologies

  49. Wan Design Using IPSec Tunnels

  50. MPLS • A transport service that can provide VPNs • An advantage of using MPLS for VPN service is the ability to offer service guarantees • Guarantees are not currently possible when using the Internet to transport VPNs