DOCSLIB.ORG

Customizable Virtual Private Network Service with Qos L

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Customizable Virtual Private Network Service with Qos L Computer Networks 36 )2001) 137±151 www.elsevier.com/locate/comnet Customizable virtual private network service with QoS L. Keng Lim, Jun Gao, T.S. Eugene Ng, Prashant R. Chandra, Peter Steenkiste *, Hui Zhang Computer Science Department, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213, USA Abstract In this paper, we propose and implement Virtual Network Service )VNS), a value-added network service for de- ploying virtual private networks )VPNs) in a managed wide-area IP network. The key feature of VNS is its capability of providing a customer with a VPNthat is customizable with management capabilities and performance properties comparable to a dedicated physical network. In addition, VNS ensures con®dentiality of data and principals through the use of IPSEC. The main technique underlying VNS is the virtualization of routers in both control and data planes. Virtualization of the control plane enables customizable routing and signaling per VPN. On the data plane, packet forwarding and link bandwidth are virtualized. Virtualization of the forwarding mechanism on the data plane enables forwarding of trac according to each VPN's topology and policies. Virtualization of the link bandwidth enables each VPNto have guaranteed quality of service )QoS) and customized resource management policies. We have developed a VNS prototype for deployment on the CAIRN network. The VNS prototype implements several resource management mechanisms including packet scheduling, signaling and runtime monitoring. A graphical user interface enables service providers to manage, con®gure and deploy VPNs remotely. Ó 2001 Elsevier Science B.V. All rights reserved. Keywords: Virtual private networks; Network quality of service; Programmable networks 1. Introduction network infrastructure amongst multiple VPNs. The ubiquity of the Internet makes it an ideal in- The Internet is gradually evolving into an in- frastructure for providing the VPNservice. Fig. 1 frastructure for network-based services. Virtual illustrates the situation where two dierent VPN private network )VPN) service will be one of the topologies are created on top of the same under- important Internet services. A VPNservice allows lying shared network infrastructure. a customer to build a virtual wide-area network on Various forms of private networking services top of a shared wide-area network infrastructure, have been available to enterprises for years. Ini- such as the Internet, without setting up any dedi- tially, private networks were built using dedicated cated physical connections. There is strong eco- leased lines, but the cost of building a large private nomic incentive for the VPNservice because of the network using dedicated hardware is prohibitive to opportunity to share a common expensive physical all but the largest corporations. Then, with the introduction of low-cost, packet-switched virtual circuit-based services such as Frame Relay and X.25, virtual private networking became possible. * Corresponding author. Tel.: +1-412-268-3261; fax: +1-412- 268-5576. Unfortunately, the availability and functionality E-mail address: [email protected] )P. Steenkiste). of these services is very limited. For an Internet- 1389-1286/01/$ - see front matter Ó 2001 Elsevier Science B.V. All rights reserved. PII: S 1 3 8 9 - 1 2 8 6 ) 0 1 ) 0 0 173-6 138 L.K. Lim et al. / Computer Networks 36 .2001) 137±151 In this paper, we propose and implement Virtual Network Service )VNS), a value-added network service for deploying VPNs in a man- aged wide-area IP network. VNS is built on top of the IP layer to ensure interoperability across various layer 2 technologies )e.g., ATM, MPLS). A VPNis constructed from virtual links. A vir- tual link is a link abstraction connecting any two physical nodes that are in the VPN's topology. Communication over the VPNis secure, and each virtual link is allocated a guaranteed bandwidth. Moreover, unused bandwidth is shared statistically between VPNs for additional performance gains. Fig. 1. Two VPNs built on top of one shared physical network The key advantage of VNS is that it deploys in VNS. VANESA is a graphical VPN management tool. The VPNcontroller is responsible for carrying out commands from VPNs that have a level of performance and degrees VANESA. of freedom in management that are comparable to physical private networks. For instance, instead of being restricted to only site-to-site virtual links, a based VPNservice to be a viable alternative, it customer has full control of the VPNtopology, must have properties comparable to that of a and how the VPNtopology maps onto the un- dedicated physical network. The service must derlying network. This has two advantages. First, provide mechanisms to enforce quality of service the topology can be engineered such that appli- )QoS) and con®dentiality of data must be guar- cations that are sensitive to the network topology anteed as the data travels over the common in- )such as multicast applications) can achieve the frastructure. In addition, the service must oer best performance. Second, by carefully choosing each VPNwith the autonomy to customize re- the topology, statistical sharing of bandwidth source management. within the VPNcan be optimized. In addition to Most Internet-based commercial VPNsolutions customizing the topology, each VPNcan also se- today construct virtual links using either site-to- lect its own control protocols. For example, it can site IP tunnels or site-to-site MPLS paths. The use a customized routing protocol that supports con®guration of the VPNtopology is therefore load balancing, policy-based routing or QoS highly restricted. The services supported are often routing. VNS also provides guaranteed QoS on limited to best-eort site-to-site connectivity and each virtual link in a VPN. Moreover, because link secure communication between sites. If QoS is bandwidth is virtualized using hierarchical packet oered, it is usually provided by over-provisioning scheduling, each VPNcan even have its own sig- network resources so that QoS service-level naling protocol )e.g., RSVP) to customize resource agreements are unlikely to be violated. Recently, sharing policies in the VPNor to provide per-¯ow some eorts such as in [5,12] use QoS strategies QoS to real-time applications. that require VPNtrac to be regulated at ingress The main technique underlying VNS is the vir- nodes. The downside is that the opportunity for tualization of the control and data planes in rou- statistical sharing of unused resources is reduced. ters. Virtualization of the control plane enables Another important limitation of these approaches each VPNto have the autonomy to execute cus- is the lack of customizability. For example, a tom routing and signaling protocols while sharing customer cannot control the routing of VPNtrac a common physical infrastructure. Our approach for load balancing or QoS routing, nor can a to provisioning customizable control planes le- customer specify resource management policies in verages a programmable router architecture that the VPN. provides an open programmable interface [29]. L.K. Lim et al. / Computer Networks 36 .2001) 137±151 139 In the data plane, packet forwarding and link 1. VANESA: VANESA is a Java-based centralized bandwidth are virtualized per VPN. Virtualization graphical user interface for con®guring and of the forwarding mechanism enables isolation managing VPNs. Fig. 2 is a screen capture of and routing of trac according to virtual topolo- VANESA. The idea here is similar to the con- gies. Virtualization of the link bandwidth provides cept of a software toolkit for deploying virtual each VPNwith virtual links of guaranteed capac- networks as described in [13] by Ferrari and ity, and the autonomy to specify its own band- Delgrossi. VANESA provides a simple interface width sharing policy. Earlier work in VPNservices for the network administrator to con®gure VPN such as in [7,15,24,31] did not consider statistical properties such as the virtual topology, band- sharing of under-utilized resources. In this work, width requirements of virtual links, parameters the additional performance bene®t of statistical for security con®guration and VPN membership multiplexing is achieved without compromising information. Members of a VPNare described any bandwidth guarantees by using the fair service by the member end hosts' IP addresses and/or curve )H-FSC) [27] hierarchical packet scheduler. the member subnets' network pre®xes. In addi- Architecturally, VNS is based on the Darwin [8] tion, VANESA can also be used to specify cus- router design, which is programmable and capable tom routing and signaling protocols that are to of virtualizing the link bandwidth. The Beagle [9] be deployed within a VPN. signaling protocol is used for resource allocation 2. VPN controller: The VPNcontroller is a pro- and control plane customization. In order to virtu- cess that runs on a host or router that has direct alize routing and forwarding, we extend the Darwin access to the network where VNS is deployed. router design to allow each VPNto have its own The job of the VPNcontroller is to act as a routing protocol and forwarding table. Secure proxy for control messages between VANESA communication is achieved through IPSEC [18]. and routers in the WANwhere VNSis de- The virtual network system administrator )VA- ployed. This enables VANESA to be executed NESA), a Java-based VPN management tool, pro- remotely from anywhere in the Internet. Fur- vides a user interface that hides the complexity of thermore, the complexity of the signaling re- the signaling from the user. VNS is targeted towards quired to set up the VPNis handled by the deployment on the CAIRNresearch network [1]. VPNcontroller and decoupled from the user in- The rest of this paper is organized as follows. In terface. This setup is depicted in Fig. 1. Section 2, we examine the overall system design of 3. Virtualizable VNS routers: VNS routers are VNS. In Section 3, we explain the key concept of Darwin-based routers built on commodity PC virtualization by describing the mechanisms used hardware running a variant of FreeBSD Unix.
Load more

Recommended publications
  • Cryptography
    Pattern Recognition and Applications Lab CRYPTOGRAPHY Giorgio Giacinto [email protected] University of Cagliari, Italy Spring Semester 2019-2020 Department of Electrical and Electronic Engineering Cryptography and Security • Used to hide the content of a message • Goals – Confidentiality – Authenticity – Integrity • The text is modified by an encryption function – An interceptor should not be able to understand all or part of the message content http://pralab.diee.unica.it 2 Encryption/Decryption Process Key Key (Optional) (Optional) Original Plaintext Encryption Ciphertext Decryption Plaintext http://pralab.diee.unica.it 3 Keys and Locks http://pralab.diee.unica.it 4 Keys L F A Y B D E T C A R C S E E T Y H G S O U S U D H R D F C E I D B T E M E P Q X N R C I D S F T U A E T C A U R M F N P E C J N A C R D B E M K C I O P F B E W U X I Y M C R E P F N O G I D C N T M http://pralab.diee.unica.it 5 Keys L F A Y B D E T C A R C S E E T Y H G S O U S U D H R D F C E I D B T E M E P Q X N R C I D S F T U A E T C A U R M F N P E C J N A C R D B E M K C I O P F B E W U X I Y M C R E P F N O G I D C N T M http://pralab.diee.unica.it 6 Steganography - = http://pralab.diee.unica.it https://towardsdatascience.com/steganography-hiding-an-image-inside-another-77ca66b2acb1 7 Definitions • Cryptography algorithm C = E(K,M) A function E with two inputs – a message M – a key K that outputs – the encrypted message C The algorithm is based on a shared secret between the sender and the receiver K The Encryption Key http://pralab.diee.unica.it 8 Symmetric
    [Show full text]
  • N2N: a Layer Two Peer-To-Peer VPN
    N2N: A Layer Two Peer-to-Peer VPN Luca Deri1, Richard Andrews2 ntop.org, Pisa, Italy1 Symstream Technologies, Melbourne, Australia2 {deri, andrews}@ntop.org Abstract. The Internet was originally designed as a flat data network delivering a multitude of protocols and services between equal peers. Currently, after an explosive growth fostered by enormous and heterogeneous economic interests, it has become a constrained network severely enforcing client-server communication where addressing plans, packet routing, security policies and users’ reachability are almost entirely managed and limited by access providers. From the user’s perspective, the Internet is not an open transport system, but rather a telephony-like communication medium for content consumption. This paper describes the design and implementation of a new type of peer-to- peer virtual private network that can allow users to overcome some of these limitations. N2N users can create and manage their own secure and geographically distributed overlay network without the need for central administration, typical of most virtual private network systems. Keywords: Virtual private network, peer-to-peer, network overlay. 1. Motivation and Scope of Work Irony pervades many pages of history, and computing history is no exception. Once personal computing had won the market battle against mainframe-based computing, the commercial evolution of the Internet in the nineties stepped the computing world back to a substantially rigid client-server scheme. While it is true that the today’s Internet serves as a good transport system for supplying a plethora of data interchange services, virtually all of them are delivered by a client-server model, whether they are centralised or distributed, pay-per-use or virtually free [1].
    [Show full text]
  • Security & Savings with Virtual Private Networks
    Everybody’s connecting. Security & Savings with Virtual Private Networks In today’s New Economy, small businesses that might have dealt with just local or regional concerns now have to consider global markets and logistics. Many companies even have facilities spread across the country or throughout the world. At the same time security concerns of their network from hackers, Denial-of-Service (DoS) attacks and sending data over the Internet have become more widespread. Whether companies have a local, national, or global presence, they all need one thing: a way to maintain fast, secure, and reliable communications wherever their offices and workers are located. Until recently, such communications were only available by using leased telephone lines to maintain a Wide Area Network (WAN). Leased lines enabled companies to expand their private network beyond their immediate geographic area. Moreover, a WAN provided advantages over a public network like the Internet when it came to reliability, performance, and security. Unfortunately, leased lines are expensive to maintain, with costs rising as the distance between the offices increases. As the popularity of the Internet grew, businesses turned to it as a cost-effective way to extend their networks. The continuing popularity with the Internet has led to the evolution of Virtual Private Networks (VPNs). A VPN is a connection that allows private data to be sent securely over a shared or public network, such as the Internet. In fact, one of the driving forces behind VPNs is the Internet and its global presence. With VPNs, communication links between users and sites can be achieved quickly, inexpensively, and safely across the world.
    [Show full text]
  • The Internet in Transition: the State of the Transition to Ipv6 in Today's
    Please cite this paper as: OECD (2014-04-03), “The Internet in Transition: The State of the Transition to IPv6 in Today's Internet and Measures to Support the Continued Use of IPv4”, OECD Digital Economy Papers, No. 234, OECD Publishing, Paris. http://dx.doi.org/10.1787/5jz5sq5d7cq2-en OECD Digital Economy Papers No. 234 The Internet in Transition: The State of the Transition to IPv6 in Today's Internet and Measures to Support the Continued Use of IPv4 OECD FOREWORD This report was presented to the OECD Working Party on Communication, Infrastructures and Services Policy (CISP) in June 2013. The Committee for Information, Computer and Communications Policy (ICCP) approved this report in December 2013 and recommended that it be made available to the general public. It was prepared by Geoff Huston, Chief Scientist at the Asia Pacific Network Information Centre (APNIC). The report is published on the responsibility of the Secretary-General of the OECD. Note to Delegations: This document is also available on OLIS under reference code: DSTI/ICCP/CISP(2012)8/FINAL © OECD 2014 THE INTERNET IN TRANSITION: THE STATE OF THE TRANSITION TO IPV6 IN TODAY'S INTERNET AND MEASURES TO SUPPORT THE CONTINUED USE OF IPV4 TABLE OF CONTENTS FOREWORD ................................................................................................................................................... 2 THE INTERNET IN TRANSITION: THE STATE OF THE TRANSITION TO IPV6 IN TODAY'S INTERNET AND MEASURES TO SUPPORT THE CONTINUED USE OF IPV4 .......................... 4
    [Show full text]
  • Analysis of Recent Attacks on Ssl/Tls Protocols A
    ANALYSIS OF RECENT ATTACKS ON SSL/TLS PROTOCOLS A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF MIDDLE EAST TECHNICAL UNIVERSITY BY DUYGU OZDEN¨ IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CRYPTOGRAPHY SEPTEMBER 2016 Approval of the thesis: ANALYSIS OF RECENT ATTACKS ON SSL/TLS PROTOCOLS submitted by DUYGU OZDEN¨ in partial fulfillment of the requirements for the de- gree of Master of Science in Department of Cryptography, Middle East Technical University by, Prof. Dr. Bulent¨ Karasozen¨ Director, Graduate School of Applied Mathematics Prof. Dr. Ferruh Ozbudak¨ Head of Department, Cryptography Assoc. Prof. Dr. Murat Cenk Supervisor, Cryptography, METU Examining Committee Members: Assoc. Prof. Dr. Murat Cenk Cryptography, METU Assoc. Prof. Dr. Ali Doganaksoy˘ Mathematics, METU Asst. Prof. Dr. Fatih Sulak Mathematics, ATILIM UNIVERSITY Date: I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work. Name, Last Name: DUYGU OZDEN¨ Signature : v vi ABSTRACT ANALYSIS OF RECENT ATTACKS ON SSL/TLS PROTOCOLS Ozden,¨ Duygu M.S., Department of Cryptography Supervisor : Assoc. Prof. Dr. Murat Cenk September 2016, 46 pages Transport Layer Security(TLS) and its predecessor Secure Socket Layer(SSL) are two important cryptographic, certificate based protocols that satisfy secure communication in a network channel. They are widely used in many areas such as online banking systems, online shopping, e-mailing, military systems or governmental systems.
    [Show full text]
  • Cryptographic Control Standard, Version
    Nuclear Regulatory Commission Office of the Chief Information Officer Computer Security Standard Office Instruction: OCIO-CS-STD-2009 Office Instruction Title: Cryptographic Control Standard Revision Number: 2.0 Issuance: Date of last signature below Effective Date: October 1, 2017 Primary Contacts: Kathy Lyons-Burke, Senior Level Advisor for Information Security Responsible Organization: OCIO Summary of Changes: OCIO-CS-STD-2009, “Cryptographic Control Standard,” provides the minimum security requirements that must be applied to the Nuclear Regulatory Commission (NRC) systems which utilize cryptographic algorithms, protocols, and cryptographic modules to provide secure communication services. This update is based on the latest versions of the National Institute of Standards and Technology (NIST) Guidance and Federal Information Processing Standards (FIPS) publications, Committee on National Security System (CNSS) issuances, and National Security Agency (NSA) requirements. Training: Upon request ADAMS Accession No.: ML17024A095 Approvals Primary Office Owner Office of the Chief Information Officer Signature Date Enterprise Security Kathy Lyons-Burke 09/26/17 Architecture Working Group Chair CIO David Nelson /RA/ 09/26/17 CISO Jonathan Feibus 09/26/17 OCIO-CS-STD-2009 Page i TABLE OF CONTENTS 1 PURPOSE ............................................................................................................................. 1 2 INTRODUCTION ..................................................................................................................
    [Show full text]
  • Empirical Analysis of the Effects and the Mitigation of Ipv4 Address Exhaustion
    TECHNISCHE UNIVERSITÄT BERLIN FAKULTÄT FÜR ELEKTROTECHNIK UND INFORMATIK LEHRSTUHL FÜR INTELLIGENTE NETZE UND MANAGEMENT VERTEILTER SYSTEME Empirical Analysis of the Effects and the Mitigation of IPv4 Address Exhaustion vorgelegt von M.Sc. Philipp Richter geboren in Berlin von der Fakultät IV – Elektrotechnik und Informatik der Technischen Universität Berlin zur Erlangung des akademischen Grades DOKTOR DER NATURWISSENSCHAFTEN -DR. RER. NAT.- genehmigte Dissertation Promotionsausschuss: Vorsitzender: Prof. Dr.-Ing. Sebastian Möller, Technische Universität Berlin Gutachterin: Prof. Anja Feldmann, Ph.D., Technische Universität Berlin Gutachter: Prof. Vern Paxson, Ph.D., University of California, Berkeley Gutachter: Prof. Steve Uhlig, Ph.D., Queen Mary University of London Tag der wissenschaftlichen Aussprache: 2. August 2017 Berlin 2017 Abstract IP addresses are essential resources for communication over the Internet. In IP version 4, an address is represented by 32 bits in the IPv4 header; hence there is a finite pool of roughly 4B addresses available. The Internet now faces a fundamental resource scarcity problem: The exhaustion of the available IPv4 address space. In 2011, the Internet Assigned Numbers Authority (IANA) depleted its pool of available IPv4 addresses. IPv4 scarcity is now reality. In the subsequent years, IPv4 address scarcity has started to put substantial economic pressure on the networks that form the Internet. The pools of available IPv4 addresses are mostly depleted and today network operators have to find new ways to satisfy their ongoing demand for IPv4 addresses. Mitigating IPv4 scarcity is not optional, but mandatory: Networks facing address shortage have to take action in order to be able to accommodate additional subscribers and customers. Thus, if not confronted, IPv4 scarcity has the potential to hinder further growth of the Internet.
    [Show full text]
  • Fireware Configuration Example
    Configuration Example Use a Branch Office VPN for Failover From a Private Network Link Example configuration files created with — WSM v11.10.1 Revised — 7/22/2015 Use Case In this configuration example, an organization has networks at two sites and uses a private network link to send traffic between the two networks. To make their network configuration more fault-tolerant, they want to set up a secondary route between the networks to use as a backup if the private network link fails, but they do not want to spend money on a second private network connection. To solve this problem, they can use a branch office VPN with dynamic routing. This configuration example provides a model of how you could set up your network to automatically fail over to a branch office VPN if a primary private network connection between two sites becomes unavailable. To use the branch office VPN connection for automatic failover, you must enable dynamic routing on the Firebox at each site. You can use any supported dynamic routing protocol (RIP v1, RIP v2, OSPF, or BGP v4). This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment. Solution Overview A routing protocol is the method routers use to communicate with each other and share information about the status of network routing tables. On the Firebox, static routes are persistent and do not change, even if the link to the next hop goes down. When you enable dynamic routing, the Firebox automatically updates the routing table based on the status of the connection.
    [Show full text]
  • New Techniques to Enhance the Capabilities of the Socks Network Security Protocol
    NEW TECHNIQUES TO ENHANCE THE CAPABILITIES OF THE SOCKS NETWORK SECURITY PROTOCOL Mukund Sundararajan and Mohammad S. Obaidat Computer Science Department, Monmouth University, West Long Branch, NJ, U.S.A. Keywords: Security protocols for computer networks, SOCKS, telecommunications, multicast, UDP tunneling. Abstract: SOCKS is an industry standard network security protocol used in private networks to allow secure traversal of application layer traffic through the boundaries of the network. Standardized by IETF in Request for Comments (RFC) 1928 (Leech et al., 1996) as SOCKS Version 5, this protocol has found widespread use in various security frameworks to allow a variety of application layer protocols to securely traverse a firewall. This paper is the result of research performed on the usability of the protocol in application domains such as multicast. We discuss some of the shortcomings of the SOCKS protocol and provide a framework and the methods for enhancing the capabilities of the protocol in areas such as multicast and advanced TCP and UDP capabilities not addressed by the current standard of the protocol. The methods proposed are being implemented in a reference implementation by the authors. 1 INTRODUCTION Operating in a client server mode, application nodes or computers within a SOCKS protected In today’s global and geographically dispersed network are ‘socksified’ by a socks client library that organizational world, network security is a key provides a transparent abstraction layer between the concern to organizations and individuals. With application and the kernel socket library and hides advances in technology, most of today’s the implementation details of the socks protocol from organizations have their key resources and data the application.
    [Show full text]
  • Guidelines for the Secure Deployment of Ipv6
    Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Sheila Frankel Richard Graveman John Pearce Mark Rooks NIST Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Sheila Frankel Richard Graveman John Pearce Mark Rooks C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 December 2010 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Dr. Patrick D. Gallagher, Director GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6 Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-119 Natl. Inst. Stand. Technol. Spec. Publ. 800-119, 188 pages (Dec. 2010) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.
    [Show full text]
  • Deploy CGN to Retain Ipv4 Addressing While Transitioning to Ipv6
    White Paper Deploy CGN to Retain IPv4 Addressing While Transitioning to IPv6 The IANA ran out of IPv4 addresses to allocate in February 2011, and the Regional Internet Registries (RIR) will have assigned most of their addresses by the end of 2011. The world is faced with the fundamental problem of IPv4 address space exhaustion. There is a huge demand for IP addresses resulting from the explosive growth of mobile devices, including smartphones, portable gaming consoles, tablets, laptops and netbooks, and machine-to- machine modules. Figure 1 shows the expected growth in mobile phones alone. The number of mobile subscribers is expected to be 4.5 billion by 2014. Figure 1. Expected Mobile Phone Growth (in Millions) (Source: IDC) Preserve IPv4 Addressing with CGN Service providers are looking for ways to extend the use of the IPv4 addresses they have during their transition to IPv6. IPv4 addresses are still valid and ubiquitous, and not everyone is using IPv6 yet, so the two addressing schemes will coexist for a long time. Although new IPv4 addresses are not available, there is a short-term alternative that ensures your business continuity. That alternative is Carrier Grade NAT (CGN), a solution that service providers can employ today to extend their use of IPv4 addresses. The extension is achieved in two ways: IPv4 addresses are extended because they are translated from many private addresses to one public address. The extension is also a time extension–-service providers can continue using IPv4-only networks for a while. Cisco’s approach to help customers as they transition to IPv6 is to “Preserve, Prepare and Prosper.” CGN helps customers “Preserve” the present mode of operation.
    [Show full text]
  • What Is a Virtual Private Network?
    C H A P T E R 1 What Is a Virtual Private Network? A virtual private network (VPN) allows the provisioning of private network services for an organization or organizations over a public or shared infrastructure such as the Internet or service provider backbone network. The shared service provider backbone network is known as the VPN backbone and is used to transport traffic for multiple VPNs, as well as possibly non-VPN traffic. VPNs provisioned using technologies such as Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits (VC) have been available for a long time, but over the past few years IP and IP/Multiprotocol Label Switching (MPLS)-based VPNs have become more and more popular. This book focuses on describing the deployment of IP- and IP/MPLS-based VPNs. The large number of terms used to categorize and describe the functionality of VPNs has led to a great deal of confusion about what exactly VPNs are and what they can do. The sections that follow cover VPN devices, protocols, technologies, as well as VPN categories and models. VPN Devices Before describing the various VPN technologies and models, it is useful to first describe the various customer and provider network devices that are relevant to the discussion. Devices in the customer network fall into one of two categories: • Customer (C) devices—C devices are simply devices such as routers and switches located within the customer network. These devices do not have direct connectivity to the service provider network. C devices are not aware of the VPN. • Customer Edge (CE) devices—CE devices, as the name suggests, are located at the edge of the customer network and connect to the provider network (via Provider Edge [PE] devices).
    [Show full text]