INTRODUCTION TO IP-BASED VIRTUAL PRIVATE NETWORKS

[Figure 3: Example of two connectionless VPNs. The figure shows network routers A, B, C and D, each with its forwarding table (incoming destination address prefix to outgoing port), and enterprise nodes with address prefixes A.1, A.2, B.1, B.5, C.3, C.4, D.2 and D.3 attached to those routers by access lines.]

to forward user traffic. Instead, a routing protocol distributes topology information such that each node can
make an independent, yet coordinated, decision about the
next hop on which to forward packets that have a partic-
ular destination address prefix in the header. Unlike label
switching, the addresses in packet headers must be unique
throughout a set of interconnected networks, such as the
Internet. Therefore, in a simple connectionless network every node's forwarding table must hold an entry for every reachable destination; the next hops differ from node to node, but the set of destinations is the same everywhere. Because each address must be unique, the forwarding table could become quite large. The Internet scales to large sizes by carefully administering address assignments so that contiguous addresses share a common prefix and forwarding tables need only match on the high-order prefix bits of the address.
In a connectionless network, a VPN is a different type of logical overlay, one built on a shared IP network. The shared IP network may be the public Internet or a network that supports IP routing protocols implemented specifically for use by enterprise customers. A secure IP VPN utilizes the concept of an encrypted tunnel implemented at the enterprise equipment connected to the IP network. A tunnel may exist at the link layer or the network layer as an association between two endpoints attached to a public network, which is what makes it virtual. Encryption scrambles information such that only the intended receiver can decode it, thereby achieving privacy (confidentiality); on its own it neither authenticates the endpoints nor protects packets against modification, so a secure tunnel pairs it with authentication and integrity protection.
Because an IP network is connectionless, the packets be-
tween enterprise nodes may take different paths, depend-
ing on such conditions as link failures or the configuration
of routing parameters. IP routing protocols synchronize
the forwarding tables in all the nodes whenever the state
of the network changes. This fundamental difference in
paradigms is what has allowed the Internet to scale the
way it has in response to the tremendous demand that
arose in the latter half of the 1990s.
Figure 3 illustrates a connectionless IP-based VPN for
two enterprises. The enterprise nodes are shaded boxes,
each with an IP address that has a prefix (e.g., A.1 and B.5)
associated with a triangle indicating the network router to
which the access line attaches (e.g., A and B). For example, the gray-shaded enterprise node has an address prefix A.2
connected to the network router with address prefix A.
The figure illustrates the forwarding tables next to each
network router. Each table contains an entry labeled “In”
for the incoming packet address prefix, which is used to
look up the next-hop outgoing port. For example, at router
A, a packet received with destination address prefix B is
sent out on port 1. Note how these tables contain only
the address prefix and the next-hop link number, and not
the enterprise node address prefixes. Therefore, the enter-
prise equipment at the edge of the network implements
the IP VPN functions. This architecture has a number of
fundamental advantages. First, configuration changes to
the enterprise VPN do not require changes in the core
Internet. Second, because the Internet is a global pub-
lic network, a tunneled enterprise VPN can be implem-
ented across multiple Internet service provider (ISP) net-
works.
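As an added example (not from the original chapter), the following Python model reproduces the arrangement of Figure 3 and the forwarding discussion above: the four core forwarding tables hold only the router prefixes A to D and are consulted with a longest-prefix match, while all knowledge of the enterprise VPN sits in a tunnel table at the CE. The port-to-neighbour links, the private 10.x subnets, the VPN membership and the function names are assumptions for illustration; the payload is carried opaquely, and a real secure tunnel would encrypt and authenticate it.

```python
"""Connectionless core forwarding with a CE-terminated tunnel, after Figure 3.

Added example, not from the original chapter. Prefixes are the figure's
symbolic ones ("A", "A.2", "B.5"). The port-to-neighbour links, the private
enterprise subnets and the VPN membership are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Provider (core) forwarding tables, destination prefix -> outgoing port,
# as drawn in Figure 3. Only the four router prefixes appear here.
CORE_TABLES = {
    "A": {"B": 1, "C": 1, "D": 2},
    "B": {"A": 1, "C": 2, "D": 2},
    "C": {"A": 1, "B": 2, "D": 1},
    "D": {"A": 2, "B": 2, "C": 1},
}

# Assumed physical links (router, port) -> neighbour: a ring A-B-C-D-A,
# chosen so that every table above is consistent with it.
LINKS = {
    ("A", 1): "B", ("A", 2): "D",
    ("B", 1): "A", ("B", 2): "C",
    ("C", 1): "D", ("C", 2): "B",
    ("D", 1): "C", ("D", 2): "A",
}

# CE tunnel table of one enterprise (assumed): private subnet -> public
# address of the CE that serves it. This is the only place VPN knowledge lives.
TUNNEL_TABLE = {
    "10.1": "A.2",   # site behind the CE attached to router A
    "10.2": "B.5",   # site behind the CE attached to router B
    "10.3": "D.3",   # site behind the CE attached to router D
}


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes                      # opaque to the network; a real tunnel encrypts it
    inner: Optional["Packet"] = None    # set on an encapsulated (outer) packet


def longest_prefix_match(table, dst):
    """Look up dst in table, matching whole dotted labels; the longest prefix wins."""
    labels = dst.split(".")
    best = None
    for prefix, value in table.items():
        p = prefix.split(".")
        if labels[: len(p)] == p and (best is None or len(p) > len(best[0])):
            best = (p, value)
    if best is None:
        raise KeyError(f"no route to {dst}")
    return best[1]


def ce_encapsulate(pkt, local_ce):
    """CE function: wrap a private packet in an outer header between CE addresses."""
    remote_ce = longest_prefix_match(TUNNEL_TABLE, pkt.dst)
    return Packet(src=local_ce, dst=remote_ce, payload=pkt.payload, inner=pkt)


def core_forward(outer):
    """Forward hop by hop through the core using only the provider tables.

    Returns the routers traversed. The core never reads outer.inner: it only
    matches the outer destination against the A/B/C/D prefixes.
    """
    router = outer.src.split(".")[0]    # ingress router of the sending CE
    egress = outer.dst.split(".")[0]    # router holding the remote CE's access line
    path = [router]
    while router != egress:
        port = longest_prefix_match(CORE_TABLES[router], outer.dst)
        router = LINKS[(router, port)]
        path.append(router)
    return path                         # the egress delivers on its access line


def ce_decapsulate(outer, local_ce):
    """Remote CE function: strip the outer header and hand the inner packet on."""
    if outer.dst != local_ce:
        raise ValueError("outer destination is not this CE")
    return outer.inner


def send_private(src_private, dst_private, payload):
    """End to end: CE encapsulates, core forwards, remote CE decapsulates."""
    local_ce = longest_prefix_match(TUNNEL_TABLE, src_private)
    outer = ce_encapsulate(Packet(src_private, dst_private, payload), local_ce)
    path = core_forward(outer)
    inner = ce_decapsulate(outer, outer.dst)
    return path, inner


if __name__ == "__main__":
    path, inner = send_private("10.1.7", "10.2.9", b"hello")
    print("core path:", " -> ".join(path), "| delivered:", inner.src, "->", inner.dst)
    # Adding a site changes only the CE tunnel table; CORE_TABLES is untouched.
    TUNNEL_TABLE["10.4"] = "C.3"
    print("new site path:", " -> ".join(send_private("10.1.7", "10.4.1", b"x")[0]))
```

Running the block shows a packet from the site behind A.2 to the site behind B.5 crossing the core as A then B, exactly as the table at router A in Figure 3 dictates, and that registering a new site touches only the CE tunnel table while the core tables never change, which is the first advantage listed above. The core's indifference to the inner packet is also what the next section calls a CE-based VPN.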
Now we look at a categorization of logical VPN types
and the terminology used to describe them.

A Taxonomy of IP-Based Virtual Private Networks
The taxonomy of VPN types is primarily determined by
whether the tunnels that provide the service terminate on
CE or PE devices (Carugi et al., 2002; Callon et al., 2002).
Figure 4 illustrates the case where the tunnels terminate
on the CE. A CE-based VPN is one in which knowledge of
the service aspects of the customer network is limited to
CE devices. Customer sites are interconnected via tunnels
or hierarchical tunnels, as defined in the glossary. The service
provider network is unaware of the existence of the
VPN because it operates exclusively on the outer (tunnel) headers of the
encapsulated packets; it still sees the tunnel endpoints and traffic volumes,
but not, when the tunnel is encrypted, the customer addressing or payload inside.
Specifically, a CE-based L2 VPN is a
link layer (i.e., L2) service provided by CE equipment at
the customer sites, for example Ethernet. In a similar
manner, a CE-based L3 VPN is a network layer (i.e., L3)
service provided by CE devices at customer sites, for example IP.