Mobile VPN (Mobility Support Technology for VPN Nodes)
최 훈 (Chungnam National University), 이영석 (ETRI)
[email protected], [email protected]
2004.6.25
Contents
- VPN
- MPLS VPN standardization trends
  - L2 MPLS VPNs
  - L3 MPLS VPNs
  - MPLS VPN over IPv6
- Mobile MPLS VPN over IPv4
  - Mobile IPv4
  - Movement to another site within the same VPN
  - Movement to a site in a different VPN
- Mobile MPLS VPN over IPv6
  - Mobile IPv6
  - Mobile VPN
VPN
- Classification of VPNs provided over IP networks
  - CPE (Customer Premise Equipment) VPN
  - PPVPN (Provider Provisioned VPN)
    - Network Based VPN

  VPN Layer | CPE-VPN                                   | PPVPN
  ----------+-------------------------------------------+--------------------------------------------
  Layer 3   | IPsec (IP security)                       | BGP/MPLS VPN (RFC2547bis)
            |                                           | Virtual Router VPN
  Layer 2   | L2TP (Layer 2 Tunneling Protocol)         | L2 MPLS based VPN
            | PPTP (Point to Point Tunneling Protocol)  | VPLS (Virtual Private LAN Service)
MPLS VPN Standardization Trends
- MPLS VPNs
  - Network based IP VPN using LSPs
  - Layer 2 VPN (L2VPN) Working Group: L2 MPLS VPN
    - Martini draft, LDP based
    - Kompella draft, BGP based
  - Layer 3 VPN (L3VPN) Working Group: L3 MPLS VPN
    - E. Rosen, "BGP/MPLS VPNs," IETF, RFC2547, March 1999.
Layer 2 MPLS VPNs
- IETF standardization trends
  - Internet Drafts
    - An Architecture for L2VPNs: Luca Martini, draft-ietf-ppvpn-l2vpn-00.txt, July 2001.
    - Transport of Layer 2 Frames over MPLS: Luca Martini, draft-martini-l2circuit-trans-mpls-13.txt, Dec. 2003.
    - Encapsulation Methods for Transport of Layer 2 Frames Over IP and MPLS Networks: Luca Martini, draft-martini-l2circuit-encap-mpls-06.txt, Nov. 2003.
    - MPLS-based Layer 2 VPNs: Kireeti Kompella, draft-kompella-ppvpn-l2vpn-00.txt, June 2001.
    - Layer 2 VPNs Over Tunnels: Kireeti Kompella, draft-kompella-ppvpn-l2vpn-03.txt, April 2003.
Layer 3 MPLS VPNs (1)
- IETF standardization trends
  - Internet Drafts
    - ISIS as the PE/CE Protocol in BGP/MPLS VPNs: Sheng Cheng, draft-sheng-isis-bgp-mpls-vpn-00.txt, April 2003.
    - Hierarchy of Provider Edge Device in BGP/MPLS VPN: Li Bin, draft-libin-hierarchy-pe-bgp-mpls-vpn-02.txt, May 2003.
    - BGP/MPLS IP VPNs: Eric Rosen, draft-ietf-l3vpn-rfc2547bis-01.txt, September 2003.
    - Layer-3 VPN Import/Export Verification: Michael Behringer, draft-behringer-mpls-vpn-auth-03.txt, November 2003.
    - Using BGP as an Auto-Discovery Mechanism for Layer-3 and Layer-2 VPNs: Hamid Ould-Brahim, draft-ietf-l3vpn-bgpvpn-auto-04.txt, May 2004.
    - Applicability Statement for BGP/MPLS IP VPNs: Eric Rosen, draft-ietf-l3vpn-as2547-05.txt, May 2004.
Layer 3 MPLS VPNs (2)
- RFC2547bis
  - BGP/MPLS VPN
- Virtual Routers
Layer 3 MPLS VPNs (3)
- RFC2547bis
  - Use separate VRFs in the PE with a single BGP instance to distribute VPN routing information for the entire network
Layer 3 MPLS VPNs (4)
- RFC2547bis, also known as BGP/MPLS VPNs
  - Multiprotocol BGP (MP-BGP) is used to distribute network reachability information between PE devices
  - BGP policies are used to constrain the distribution of reachability information to the relevant devices
  - The PE maintains multiple VRFs, one per VPN
  - LDP/RSVP is used to set up LSP tunnels
  - MP-BGP is used to distribute the inner label that identifies the VPN
Layer 3 MPLS VPNs (5)
- Virtual Routers
  - Separate router instances in the PE for each VPN
Layer 3 MPLS VPNs (5)
- RFC2547
  (Figure: packet forwarding at a PE. The PE holds a FIB table per VPN plus next hop label information; an IP packet arriving from the customer side leaves carrying a VPN label and a next hop label.)
  1. VPN identification
  2. VPN label binding
  3. Select the FIB of that VPN
  4. Next hop label selection
  5. Next hop label binding and transmission
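The five forwarding steps above, as an added toy PE ingress path (example code, not from the slides or any router implementation): the ingress interface selects the VRF, a longest-prefix match in that VRF's FIB yields the MP-BGP VPN label and BGP next hop, and the LDP/RSVP binding for that next hop supplies the outer label. Interface names, prefixes and label values are constructed sample data; the two VPNs deliberately share the 10.1.0.0/16 address space to show that isolation comes from VRF selection, not from the address.

```python
import ipaddress

# Step 1 input: the ingress (CE-facing) interface identifies the VPN (constructed).
INTERFACE_TO_VRF = {"ge-0/0/1": "VPN-A", "ge-0/0/2": "VPN-B"}

# One FIB per VRF: prefix -> (BGP next hop = egress PE, VPN/inner label
# learned via MP-BGP). Overlapping prefixes across VPNs are intentional.
VRF_FIB = {
    "VPN-A": {"10.1.0.0/16": ("PE2", 100001), "10.1.2.0/24": ("PE2", 100005)},
    "VPN-B": {"10.1.0.0/16": ("PE3", 100002)},
}

# LDP/RSVP next hop label bindings toward each egress PE (constructed).
NEXT_HOP_LABEL = {"PE2": 3001, "PE3": 3002}


def forward(ingress_if: str, dst_ip: str):
    """Return (next_hop, [outer_label, inner_label]) or None when there is no route."""
    vrf = INTERFACE_TO_VRF.get(ingress_if)           # 1. VPN identification
    if vrf is None:
        return None                                  # unknown interface: drop
    fib = VRF_FIB[vrf]                               # 3. select that VPN's FIB
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, (next_hop, vpn_label) in fib.items():   # longest-prefix match
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, vpn_label)
    if best is None:
        return None                                  # no route in this VRF
    _, next_hop, vpn_label = best                    # 2. VPN label binding
    outer = NEXT_HOP_LABEL[next_hop]                 # 4. next hop label selection
    return next_hop, [outer, vpn_label]              # 5. push label stack, forward
```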
Layer 3 MPLS VPNs (6)
- RFC2547 (figure only)
MPLS VPN over IPv6
- BGP/MPLS VPN over IPv6
  - Jeremy Clercq, draft-ietf-ppvpn-bgp-ipv6-vpn-03.txt, Nov. 2002.
  - BGP/MPLS VPN extension for IPv6 VPN over an IPv4 infrastructure
- IPv6 PE (6PE)
  - Uses IPv6 provider edge routers (dual stack) over MPLS/IPv4
  - IPv6 reachability is exchanged among 6PEs via iBGP (MP-BGP)
  - IPv6 packets are transported from 6PE to 6PE inside MPLS
Mobile MPLS VPN over IPv4
Mobile IPv4
- Registration
  (Figure: entities MN, FA, HA and CN. The MN moves, then 1. Registration Request, 2. Registration Request, 3. Registration Reply, 4. Registration Reply; data between the CN and the MN is shown passing through the HA and FA.)
Mobile IPv4
- Route Optimization
  (Figure: entities MN, FA, HA and CN. A Binding Update is sent, after which data flows between the CN and the MN via the FA.)
Mobile VPN
- BGP/MPLS VPN with Mobility Support
  - RFC2547-based L3 MPLS VPN
  - Mobile IPv4 protocol suite
    - RFC3344, Route Optimization Protocol
  - Mobility entities
    - Home Agent (HA)
    - Foreign Agent (FA)
    - Introduces the concept of a "Correspondent Agent (CA)"
      - Runs on the PE router of the site to which the Correspondent Node (CN) belongs
      - The HA sends Binding Update messages to the CA
      - The CA manages the MN's mobility information on behalf of the CN
- The CN operates transparently with respect to the Mobile IPv4 protocol (it needs no Mobile IP support of its own)
Movement to another site within the same VPN: example (figure only)
Movement to another site within the same VPN
- Mobile Node's Movement Detection
  - Compared with Mobile IPv4: a 'VPN Information' extension is added to the ICMP Agent Advertisement message
    - Contains information on the VPN site the MN has moved into
  - Type: 20
    Length: 6 bytes (excluding the Type and Length fields)
    VPN ID: VPN identifier of the Mobility Agent
    VPN Address Prefix: network prefix of the VPN site
Movement to another site within the same VPN
- MN's Registration
  - Compared with Mobile IPv4: a 'VPN Information' extension is added to the 'Registration Request' message
    - Carries the MN's home VPN site information and the information of the VPN site the MN moved into
  - Type: 55 (Registration Request VPN Information extension), 56 (Registration Reply VPN Information extension)
    Length: 14 bytes
    Source VPN ID: VPN identifier of the mobile node's home network
    Destination VPN ID: VPN identifier from the Agent Advertisement (AA) the mobile node received after moving
    VPN Address Prefix: VPN address prefix of the mobile node's home network
Movement to another site within the same VPN
- MN's Authentication (1)
  - Mobile IPv4 authentication mechanism
    - Authentication Extension between MN and HA: mandatory
    - Authentication Extension between MN and FA, and between FA and HA: optional
  - Type: 32 (Mobile-Home) / 33 (Mobile-Foreign) / 34 (Foreign-Home)
    Length: 4 + number of bytes in the Authenticator
    SPI: Security Parameter Index between the two nodes
    Authenticator: variable-length value used for authentication
Movement to another site within the same VPN
- MN's Authentication (2)
  - Mobile IPv4 authentication mechanism
    - SPI (Security Parameter Index)
      - Defines the authentication algorithm used to compute the Authenticator value and the shared key used with it
    - Mobile IP's default authentication algorithm
      - Keyed-MD5 in "Prefix + Suffix" mode
    - Authenticator
      - Computed, using the SPI, over the UDP payload of the Registration Request or Registration Reply message, including the Type and Length of the extension
Movement to another site within the same VPN
- MN's Authentication (3)
  - Using the Mobile IPv4 authentication mechanism inside an MPLS VPN
    - Within the same VPN, authentication is possible using a Security Association (SA)
      - This scheme applies a static SA
        - The Authentication Extension is built using the SPI of a pre-configured SA
      - If no SA exists between MN-HA, MN-FA or FA-HA
        - A dynamic SA can be assigned using IKE or a similar mechanism
        - Negotiating the SA while Mobile IPv4 is operating causes serious overhead
    - Using the pre-configured SA, the MN, FA and HA construct the Authentication Extension
      - MN-HA Authentication
      - MN-FA Authentication
      - FA-HA Authentication
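The extension formats (Type 55 VPN Information, Type 32 Mobile-Home Authentication) and the static-SA authentication described on these slides, as an added example (not the authors' code): it appends both extensions to a Registration Request, computes the authenticator with keyed-MD5 in prefix+suffix mode over the UDP payload plus the extension's Type, Length and SPI, and verifies it by looking the SPI up in a pre-configured SA table. The SA table, key, fixed-part fields and the opaque 14-byte VPN Information body are constructed sample values; the 24-byte Registration Request fixed part follows RFC3344.

```python
import hashlib
import hmac
import struct

# Static SA table of the scheme above: SPI -> pre-shared key (constructed).
STATIC_SA = {0x00001234: b"constructed-mn-ha-shared-key"}
MN_HA_AUTH = 32       # Mobile-Home Authentication Extension
VPN_INFO_REQ = 55     # Registration Request VPN Information extension
FIXED_LEN = 24        # Registration Request fixed part (RFC3344)

# Constructed sample fixed part: type 1, flags 0, lifetime 1800, home
# address, HA address, care-of address, 64-bit identification.
SAMPLE_FIXED = struct.pack("!BBH4s4s4sQ", 1, 0, 1800, bytes([10, 0, 0, 5]),
                           bytes([10, 0, 0, 1]), bytes([10, 1, 0, 77]),
                           0x1122334455667788)
SAMPLE_VPN_INFO = b"constructedVPN"   # 14 opaque bytes: src/dst VPN ID, prefix


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """Keyed-MD5 in prefix+suffix mode: MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()


def build_request(fixed: bytes, vpn_info: bytes, spi: int) -> bytes:
    """Append the Type 55 extension, then the Type 32 extension with its authenticator."""
    assert len(vpn_info) == 14, "Type 55 Length is 14 bytes per the slides"
    ext = struct.pack("!BB", VPN_INFO_REQ, len(vpn_info)) + vpn_info
    # Length = 4 (SPI) + 16 (MD5 digest); the authenticator covers the UDP
    # payload so far plus this extension's Type, Length and SPI.
    head = struct.pack("!BBI", MN_HA_AUTH, 4 + 16, spi)
    return fixed + ext + head + keyed_md5(STATIC_SA[spi], fixed + ext + head)


def verify_request(msg: bytes) -> bool:
    """Walk the extension chain; True only if the MN-HA authenticator checks out."""
    pos = FIXED_LEN
    while pos + 2 <= len(msg):
        ext_type, ext_len = msg[pos], msg[pos + 1]
        if ext_type == MN_HA_AUTH:
            if ext_len != 20 or pos + 2 + ext_len > len(msg):
                return False                     # malformed or truncated
            spi = struct.unpack("!I", msg[pos + 2:pos + 6])[0]
            key = STATIC_SA.get(spi)
            if key is None:
                return False                     # no pre-configured SA for this SPI
            expected = keyed_md5(key, msg[:pos + 6])
            return hmac.compare_digest(expected, msg[pos + 6:pos + 22])
        pos += 2 + ext_len
    return False                                 # MN-HA extension is mandatory
```

Any change to the VPN Information body, the SPI or the message length after the authenticator was computed makes verification fail, which is what ties the VPN site information to the MN-HA security association.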
Movement to another site within the same VPN
- Home Agent's Data Structure
  - Compared with Mobile IPv4: VPN information is added to the HA's "Mobility Binding"
    - Extracted from the mobile node's Registration message
    - Source VPN (Home VPN) identifier, destination VPN (Foreign VPN) identifier
    - "VPN Mobility Binding" example (figure only)
Movement to another site within the same VPN
- Foreign Agent's Data Structure
  - Compared with Mobile IPv4: VPN information is added to the FA's "Visitor List"
    - Extracted from the mobile node's Registration message
    - Source VPN identifier, mobile node home address, HA address, Care-of Address, interface identifier
    - "VPN Visitor List" example (figure only)
Movement to another site within the same VPN
- Route Optimization
  - Triangle routing problem (see the figure on p. 17)
  - Compared with Mobile IPv4: a Correspondent Agent (CA) is added
    - The HA sends a 'Binding Update' to the CA on behalf of the mobile node
  - The CN operates transparently with respect to the Mobile IPv4 protocol
Movement to another site within the same VPN
- Packet Routing after Route Optimization (figure only)
Movement to another site within the same VPN
- Correspondent Agent's Data Structure
  - Compared with Mobile IPv4: the CA plays the role of the Correspondent Node, and VPN information is added to the CA's "Binding Cache"
    - Extracted from the HA's 'Binding Update' message
    - MN home address, Care-of Address, destination VPN identifier
    - "VPN Binding Cache" example (figure only)
Movement to another site within the same VPN
- Smooth Handover (figure only)
Movement to a site in a different VPN
- Solving the authentication problem between different VPNs
  - Within the same VPN an SA exists or can be negotiated, so mutual authentication among the MN, FA and HA is possible
  - If we assume an SA also exists or can be negotiated between different VPNs, the MN's mobility can be supported
    - The Authentication Extension can be used
      - MN-HA, MN-FA, FA-HA
Movement to a site in a different VPN
- Resolving possible private address collisions between the MN and the other VPN
  - A Care-of Address (COA) cannot be used: the same address may already be in use, so there is a risk of address collision
  - Use a co-located COA, assigned via DHCP
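The CA's "VPN Binding Cache" (home address, Care-of Address, destination VPN identifier) and the private-address collision concern above, as an added example (not the authors' code): cache entries are keyed by (VPN identifier, home address) rather than by address alone, so two mobile nodes with the same private home address in different VPNs cannot be confused, and a lookup for a CN packet returns the co-located COA only while the binding's lifetime is unexpired. VPN identifiers, addresses and lifetimes are constructed sample values, and the Binding Update from the HA is assumed to have been authenticated before reaching the CA.

```python
from dataclasses import dataclass
import time


@dataclass
class VpnBinding:
    home_addr: str       # MN home address (may be a private address, e.g. 10.x)
    care_of_addr: str    # current co-located Care-of Address obtained via DHCP
    dst_vpn_id: int      # identifier of the VPN site the MN moved into
    expires: float       # absolute time at which the binding lapses


class CorrespondentAgent:
    """Toy CA holding a VPN Binding Cache on the CN's PE router."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so lifetime expiry can be tested
        self._cache: dict[tuple[int, str], VpnBinding] = {}

    def binding_update(self, home_vpn_id, home_addr, coa, dst_vpn_id, lifetime):
        """Install a binding learned from the HA's (already authenticated) Binding Update."""
        self._cache[(home_vpn_id, home_addr)] = VpnBinding(
            home_addr, coa, dst_vpn_id, self._clock() + lifetime)

    def next_hop(self, src_vpn_id, dst_addr):
        """Route-optimized next hop for a CN packet from VPN src_vpn_id to dst_addr.

        Returns ("coa", care_of_addr, dst_vpn_id) while a live binding exists,
        otherwise ("home", dst_addr): the packet goes the normal way via the HA.
        """
        key = (src_vpn_id, dst_addr)
        b = self._cache.get(key)
        if b is None or b.expires <= self._clock():
            self._cache.pop(key, None)           # drop an expired binding
            return ("home", dst_addr)
        return ("coa", b.care_of_addr, b.dst_vpn_id)
```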
Mobile MPLS VPN over IPv6
Mobile IPv6
- Registration
  (Figure: entities Mobile Node, HA and Correspondent Node. The MN moves and exchanges a Binding Update (BU) / Binding Acknowledgement (BA) with the HA, protected by IPsec ESP; data between the CN and the MN passes through the HA.)
Mobile IPv6
- RR Protocol
  (Figure: entities Mobile Node, HA and Correspondent Node. The Home Test Init (HoTI) and Home Test (HoT) messages travel between the MN and the CN via the HA; the Care-of Test Init (CoTI) and Care-of Test (CoT) messages travel directly between the MN and the CN.)
Mobile IPv6
- Route Optimization
  (Figure: entities Mobile Node and Correspondent Node. BU/BA are exchanged directly and data then flows directly between the CN and the MN.)
Mobile VPN
- BGP/MPLS VPN with Mobility Support over IPv6
  - Mobile IPv6 protocol
    - RR (Return Routability) protocol
    - Route Optimization protocol
  - Mobility entity
    - Home Agent (HA)
Mobile MPLS VPN over IPv6
- Comparison with Mobile IPv6
  (Figure: entities HA, CN and MN; after the MN's movement, BU/BA are exchanged.)
Mobile MPLS VPN over IPv6
- Comparison with Mobile IPv6
  (Figure: entities HA, CN and MN; after the MN's movement, IP packets are carried with MPLS labels between the entities.)
Conclusions
- Compatibility with Mobile IPv4/IPv6
- Mobility support
  - Intra-mobility within the same VPN domain
  - Inter-mobility between different VPN domains
- Suggestion
  - New mobility entity: Correspondent Agent (IPv4)
- Applicability
  - IPv4/IPv6
  - IPsec VPN domain