
Cisco press IPSEC VPN design 2nd edition apr 2005 ISBN 1587051117


IPSec VPN Design
By Vijay Bollapragada, Mohamed Khalid, Scott Wainner

Publisher: Cisco Press
Pub Date: April 07, 2005
ISBN: 1-58705-111-7
Pages: 384

Master IPSec-based Virtual Private Networks with guidance from the Cisco Systems® VPN Solutions group
- Understand how IPSec VPNs are designed, built, and administered
- Improve VPN performance through enabling of modern VPN services such as performance, scalability, QoS, packet processing, multicast, and security




- Integrate IPSec VPNs with MPLS, Frame Relay, and ATM technologies

As the number of remote branches and work-from-home employees grows throughout corporate America, VPNs are becoming essential to both enterprise networks and service providers. IPSec is one of the more popular technologies for deploying IP-based VPNs. IPSec VPN Design provides a solid understanding of the design and architectural issues of IPSec VPNs. Some books cover IPSec protocols, but they do not address overall design issues. This book fills that void.

IPSec VPN Design consists of three main sections. The first section provides a comprehensive introduction to the IPSec protocol, including IPSec Peer Models. This section also includes an introduction to site-to-site, network-based, and remote access VPNs. The second section is dedicated to an analysis of IPSec VPN architecture and proper design methodologies. Peer relationships and fault tolerance models and architectures are examined in detail. Part three addresses enabling VPN services, such as performance, scalability, packet processing, QoS, multicast, and security. This book also covers the integration of IPSec VPNs with other Layer 3 (MPLS VPN) and Layer 2 (Frame Relay, ATM) technologies, and discusses management, provisioning, and troubleshooting techniques. Case studies highlight design, implementation, and management advice to be applied in both service provider and enterprise environments.




Table of Contents

Copyright
About the Authors
About the Technical Editors
Acknowledgments
This Book Is Safari Enabled
Icons Used in This Book
Command Syntax Conventions
Introduction
Chapter 1. Introduction to VPNs
  Motivations for Deploying a VPN
  VPN Technologies
  Summary
Chapter 2. IPSec Overview
  Encryption Terminology
  IPSec Security Protocols
  Key Management and Security Associations
  Summary
Chapter 3. Enhanced IPSec Features
  IKE Keepalives
  Dead Peer Detection
  Idle Timeout
  Reverse Route Injection
  Stateful Failover
  IPSec and Fragmentation
  GRE and IPSec
  IPSec and NAT
  Summary
Chapter 4. IPSec Authentication and Authorization Models
  Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG)
  Mode-Configuration (MODECFG)
  Easy VPN (EzVPN)
  Digital Certificates for IPSec VPNs
  Summary
Chapter 5. IPSec VPN Architectures
  IPSec VPN Connection Models
  Hub-and-Spoke Architecture
  Full-Mesh Architectures
  Summary
Chapter 6. Designing Fault-Tolerant IPSec VPNs
  Link Fault Tolerance
  IPSec Peer Redundancy Using SLB
  Intra-Chassis IPSec VPN Services Redundancy
  Summary
Chapter 7. Auto-Configuration Architectures for Site-to-Site IPSec VPNs
  IPSec Tunnel Endpoint Discovery
  Dynamic Multipoint VPN
  Summary
Chapter 8. IPSec and Application Interoperability
  QoS-Enabled IPSec VPNs
  VoIP Application Requirements for IPSec VPN Networks
  IPSec VPN Architectural Considerations for VoIP
  Multicast over IPSec VPNs
  Summary
Chapter 9. Network-Based IPSec VPNs
  Fundamentals of Network-Based VPNs
  The Network-Based IPSec Solution: IOS Features
  Operation of Network-Based IPSec VPNs
  Network-Based VPN Deployment Scenarios
  Summary
Index



Copyright

IPSec VPN Design
Vijay Bollapragada, Mohamed Khalid, Scott Wainner

Copyright © 2005 Cisco Systems, Inc.
Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing April 2005
Library of Congress Cataloging-in-Publication Number: 2002106378
ISBN: 1-58705-111-7

Warning and Disclaimer

This book is designed to provide information about IPSec VPN design. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419,
For sales outside the U.S., please contact International Sales at

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at
Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

Publisher: John Wait
Editor-in-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Production Manager: Patrick Kanouse
Development Editor: Grant Munroe
Project Editor: Sheila Schroeder
Copy Editor: Michelle Grandin
Technical Editors: Anthony Kwan, Suresh Subbarao, Michael Sullenberger
Team Coordinator: Tammi Barnett
Cover Designer: Louisa Adair
Composition: Mark Shirar
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www.europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Printed in the USA

Dedications

Vijay Bollapragada: To my best friend and wife, Leena, for her love and encouragement and for allowing me to take precious family time away to write this book. To my two lovely children, Amita and Abhishek, to my parents for instilling the right values in me, and all my wonderful friends.
Thanks to my coauthors, Mo and Scott, for bearing with me during the trials and tribulations of book writing and teaching me things along the way. And thanks to the awesome folks I work with at Cisco that constantly keep me challenged and remind me that there is something new to learn every day.

Mohamed Khalid: First and foremost, I would like to acknowledge my parents; their dedication, sacrifice, and encouragement have been instrumental in all my achievements and success. Thanks to my wife Farhath, who gave me the time and constant encouragement to finish the book.
Thanks to Scott Wainner, Haseeb, and Sunil who provided valuable technical insights. Last but not least, I am deeply grateful to my friend and co-author, Vijay Bollapragada, who cajoled, encouraged, and assisted me in completing this book.

Scott Wainner: I would like to acknowledge my wife, Jill, for her love, patience, and encouragement. There are never enough hours in the day, so I thank her for caring for our family. I'd also like to thank my children Craig, Brett, Natalie, and Caroline for their patience and inspiration in exploring life's possibilities.
Special thanks go to my father and late mother Tom and Zenith for being an inspiration and guiding force in my life. To my colleagues, Vijay and Mo, you guys rock and it's been an honor working with you all these years. And finally, I'd like to acknowledge my God for granting me the gifts to fulfill this dream.


About the Authors

Vijay Bollapragada, CCIE No. 1606, is a director in the Network Systems Integration and Test Engineering group at Cisco Systems, where he works on the architecture, design, and validation of complex network solutions. An expert in router architecture and IP Routing, Vijay is a co-author of another Cisco Press publication titled Inside Cisco IOS Software Architecture. Vijay is also an adjunct professor in the Electrical Engineering department at Duke University.

Mohamed Khalid, CCIE No. 2435, is a technical leader working with IP VPN solutions at Cisco Systems. He works extensively with service providers across the globe and their associated Cisco account teams to determine technical and engineering requirements for various IP VPN architectures.

Scott Wainner is a Distinguished Systems Engineer in the U.S. Service Provider Sales Organization at Cisco Systems, where he focuses on VPN architecture and solution development. In this capacity, he works directly with customers in a consulting role by providing guidance on IP VPN architectures while interpreting customer requirements and driving internal development initiatives within Cisco Systems. Scott has more than 18 years of experience in the networking industry in various roles including network operations, network installation/provisioning, engineering, and product engineering. Most recently, he has focused his efforts on L2VPN and L3VPN service models using MPLS VPN, Pseudowire Emulation, and IPSec/SSL to provide VPN services to both enterprises and service providers. He holds a B.S. in Electrical Engineering from the United States Air Force Academy and an M.S. in Electronics and Computer Engineering from George Mason University in Fairfax, Virginia. Scott is currently an active member of the IEEE and the IETF.


About the Technical Editors

Anthony Kwan is the director and executive project manager of infrastructure for HTA; CCNP, CCDP, MCSE, Master ASE, MCNE, CCIE (written). He has ten years of experience in the internetworking industry. He designed and built a number of secured enterprise data centers with an upward budget of $120 million. He also directed a number of consulting firms in building a Network Infrastructure and Technology consulting practice. He is a frequent contributor to Cisco Press and other publications specializing in networking technology. He can be reached at

Suresh Subbarao has worked in the networking area for the last 10 years. He is currently a network engineer at Cisco Systems focusing on security services for Service Providers with a special emphasis on IPSec VPNs.

Michael Sullenberger received a bachelor of science degree in mathematics from Harvey Mudd College in 1981. He started working with computer networks at the Stanford Linear Accelerator Center (SLAC) in 1981 as a Fortran programmer and as a user of the BITnet network, an early worldwide 9600 baud network. At SLAC Michael also managed DEC VMS computers and gained knowledge of the DECnet and LAT protocol. He was also part of the introduction of Ethernet and FDDI networks to SLAC. In 1988 Michael moved to the networking group, where he assisted in transforming a large bridged, primarily DECnet, network to a routed multi-protocol, primarily TCP/IP, network. In 1994, he left SLAC to work for a small company, TGV, that wrote TCP/IP stacks and applications for OpenVMS and Windows systems. At TGV he worked in technical support where he learned the details of TCP/IP from the IP layer through the Application layer. TGV was bought by Cisco in 1996, and Michael moved into the Routing Protocols group, where he enhanced his knowledge of TCP/IP by adding information on the link-layer and IP routing protocols. In 1998, Michael moved to the Escalation Team at Cisco, where he continues to expand his TCP/IP knowledge in areas such as NAT, HSRP, GRE and IPsec Encryption. In 2000, he started a project, as the principal architect, that became the Cisco Dynamic Multipoint VPN (DMVPN) solution for scaling IPsec VPN networks. In 2004, the DMVPN solution won the Cisco Pioneer Award. Michael continues to this day working on enhancing DMVPN as well as designing and troubleshooting DMVPN and IPsec networks. Also starting in 2000 Michael has been a speaker each year at the Cisco Networkers Conferences in the area of site-to-site IPsec and DMVPN networks.


Acknowledgments

This book would have not been possible without the help of many people whose many comments and suggestions improved the end result. First, we would like to thank the technical reviewers for the book, who include Anthony Kwan, Mike Sullenberger, and Suresh Subbarao. Their knowledge of the subject, attention to detail, and suggestions were invaluable. We would like to thank Brett Bartow of Cisco Press for constantly keeping the pressure on and pulling all of this together. Without his help, this project would have never seen the light of day. We would also like to thank Grant Munroe and Chris Cleveland from Cisco Press for their attention to detail and editorial comments that improved the quality of the book tremendously. We would also like to thank the IPSec development team at Cisco; they are the ones that write and perfect the code that makes all the features discussed in this book possible.


This Book Is Safari Enabled

The Safari® Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.
Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.
To gain 45-day Safari Enabled access to this book:
- Go to
- Complete the brief registration form
- Enter the coupon code Z8HY-WQDH-PUGS-B2HS-GRCF
If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail


Icons Used in This Book

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italics indicate arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets [ ] indicate optional elements.
- Braces { } indicate a required choice.
- Braces within brackets [{ }] indicate a required choice within an optional element.


Introduction

VPNs are becoming more important for both enterprises and service providers. IPSec specifically is one of the more popular technologies for deploying IP-based VPNs. There are many books in the market that go into technical details of IPSec protocols and cover product-level configuration, but they do not address overall design issues for deploying IPSec VPNs.

The Goals of This Book

The objective of this book is to provide you with a good understanding of design and architectural issues of IPSec VPNs. This book will also give you guidance on enabling value-added services and integrating IPSec VPNs with other Layer 3 (MPLS VPN) technologies.

Who Should Read This Book

The primary audience for this book is network engineers involved in design, deployment, and troubleshooting of IPSec VPNs. The assumption in this book is that you have a good understanding of basic IP routing, although IPSec knowledge is not a prerequisite.

How This Book Is Organized

The book is divided into three general parts. Part I covers the general architecture of IPSec, including its protocols and Cisco IOS IPSec implementation details. Part II, beginning with Chapter 5, examines the IPSec VPN design principles covering hub-and-spoke, full-mesh, and fault-tolerant designs. Part II also covers dynamic configuration models used to simplify IPSec VPN designs, and presents a case study. Part III, beginning with Chapter 8, covers design issues in adding services to an IPSec VPN such as voice, multicast, and integrating IPSec VPNs with MPLS VPNs. The book is organized as follows:

Part I, "Introduction and Concepts"
- Chapter 1, "Introduction to VPNs": Provides an introduction to VPN concepts and covers a brief introduction to various VPN technologies.
- Chapter 2, "IPSec Overview": Gives an overview of IPSec protocols and describes differences between transport mode and tunnel mode. Cisco IOS IPSec packet processing is also explained in this chapter.
- Chapter 3, "Enhanced IPSec Features": Introduces advanced IPSec features that improve IPSec VPN scalability and fault tolerance, such as dead peer detection and control plane keepalives. This chapter also explains the challenges of IPSec interoperating with Network Address Translation (NAT) and Path Maximum Transmission Unit detection (PMTUD) and how to overcome these challenges.
- Chapter 4, "IPSec Authentication and Authorization Models": Explores IPSec features that are primarily called upon for the remote access users such as Extended Authentication (XAUTH) and Mode Configuration (MODE-CFG). It also explains the Cisco EzVPN connection model and digital certificate concepts.

Part II, "Design and Deployment"
- Chapter 5, "IPSec VPN Architectures": Covers various IPSec connection models such as native IPSec, GRE, and remote access. Deployment architectures for each of the connection models are explored with pros and cons for each architecture.
- Chapter 6, "Designing Fault-Tolerant IPSec VPNs": Discusses how to introduce fault tolerance into VPN architectures and describes the caveats with the various fault-tolerance methods.
- Chapter 7, "Auto-Configuration Architectures for Site-to-Site IPSec VPNs": Covers mechanisms to alleviate the configuration complexity of a large-scale IPSec VPN; Tunnel Endpoint Discovery (TED) and Dynamic Multipoint VPNs (DMVPN) are the two mechanisms discussed in depth.

Part III, "Service Enhancements"
- Chapter 8, "IPSec and Application Interoperability": Examines the issues with IPSec VPNs in the context of the running applications such as voice and multicast over the VPN.
- Chapter 9, "Network-Based IPSec VPNs": Concludes by introducing the concept of network-based VPNs.


Chapter 1. Introduction to VPNs

Virtual private networks, commonly referred to as VPNs, are not an entirely new concept in networking. As the name suggests, a VPN can be defined as a private network service delivered over a public network infrastructure. A telephone call between two parties is the simplest example of a virtual private connection over a public telephone network. Two important characteristics of a VPN are that it is virtual and private.
There are many types of VPNs, such as Frame Relay and ATM, and entire books can and have been written about each of these VPN technologies. The focus of this book is on a VPN technology known as IPSec.

Motivations for Deploying a VPN

This chapter introduces some of the VPN technologies and helps to explain the motivations for deploying a VPN. The primary reason for deploying a VPN is cost savings. Corporations with offices all over the world often need to interconnect them in order to conduct everyday business. For these connections, they can either use dedicated leased lines that run between the offices or have each site connect locally to a public network, such as the Internet, and form a VPN over the public network.
Figure 1-1 shows an international corporation that connects to each site using leased lines. Each connection is point-to-point and requires a dedicated leased line to connect it to another site. If each site needs to be connected to every other site (a situation also known as any-to-any or full-mesh connectivity), n-1 leased lines would be required at each site, where n is the number of sites. Leased lines are typically priced based on the distance between the sites and bandwidth offered. Cross-country and intercontinental links are typically very expensive, making full-mesh connectivity with leased lines very expensive.

Figure 1-1. Connecting Sites of a Corporation over Leased Lines

Figure 1-2 shows an alternate method of connecting the same sites of the corporation, this time over a public network such as the Internet. In this model, each site is connected to the public network at its closest point, possibly via a leased line, but all connections between sites are virtual connections. The cloud in the figure represents a virtual connection between the sites, as opposed to a physical dedicated connection between sites in the leased-line model.

Figure 1-2. Connecting Sites of a Corporation over a Public Network

Note
A public network can be defined as a network with an infrastructure shared by many users of that network. Bear in mind that the word "public" does not mean that the network is available free to anyone. Many service providers have large ATM and Frame Relay public networks, and the Internet is probably the most ubiquitous public network of them all.

