Customizable Virtual Private Network Service with QoS


Computer Networks 36 (2001) 137-151
www.elsevier.com/locate/comnet

Customizable virtual private network service with QoS

L. Keng Lim, Jun Gao, T.S. Eugene Ng, Prashant R. Chandra, Peter Steenkiste *, Hui Zhang
Computer Science Department, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213, USA

* Corresponding author. Tel.: +1-412-268-3261; fax: +1-412-268-5576. E-mail address: [email protected] (P. Steenkiste).

1389-1286/01/$ - see front matter © 2001 Elsevier Science B.V. All rights reserved. PII: S1389-1286(01)00173-6

Abstract

In this paper, we propose and implement Virtual Network Service (VNS), a value-added network service for deploying virtual private networks (VPNs) in a managed wide-area IP network. The key feature of VNS is its capability of providing a customer with a VPN that is customizable with management capabilities and performance properties comparable to a dedicated physical network. In addition, VNS ensures confidentiality of data and principals through the use of IPSEC. The main technique underlying VNS is the virtualization of routers in both control and data planes. Virtualization of the control plane enables customizable routing and signaling per VPN. On the data plane, packet forwarding and link bandwidth are virtualized. Virtualization of the forwarding mechanism on the data plane enables forwarding of traffic according to each VPN's topology and policies. Virtualization of the link bandwidth enables each VPN to have guaranteed quality of service (QoS) and customized resource management policies. We have developed a VNS prototype for deployment on the CAIRN network. The VNS prototype implements several resource management mechanisms including packet scheduling, signaling and runtime monitoring. A graphical user interface enables service providers to manage, configure and deploy VPNs remotely. © 2001 Elsevier Science B.V. All rights reserved.

Keywords: Virtual private networks; Network quality of service; Programmable networks

1. Introduction

The Internet is gradually evolving into an infrastructure for network-based services. Virtual private network (VPN) service will be one of the important Internet services. A VPN service allows a customer to build a virtual wide-area network on top of a shared wide-area network infrastructure, such as the Internet, without setting up any dedicated physical connections. There is strong economic incentive for the VPN service because of the opportunity to share a common expensive physical network infrastructure amongst multiple VPNs. The ubiquity of the Internet makes it an ideal infrastructure for providing the VPN service. Fig. 1 illustrates the situation where two different VPN topologies are created on top of the same underlying shared network infrastructure.

Various forms of private networking services have been available to enterprises for years. Initially, private networks were built using dedicated leased lines, but the cost of building a large private network using dedicated hardware is prohibitive to all but the largest corporations. Then, with the introduction of low-cost, packet-switched virtual circuit-based services such as Frame Relay and X.25, virtual private networking became possible. Unfortunately, the availability and functionality of these services is very limited. For an Internet-based VPN service to be a viable alternative, it must have properties comparable to that of a dedicated physical network. The service must provide mechanisms to enforce quality of service (QoS) and confidentiality of data must be guaranteed as the data travels over the common infrastructure. In addition, the service must offer each VPN with the autonomy to customize resource management.

Fig. 1. Two VPNs built on top of one shared physical network in VNS. VANESA is a graphical VPN management tool. The VPN controller is responsible for carrying out commands from VANESA.

Most Internet-based commercial VPN solutions today construct virtual links using either site-to-site IP tunnels or site-to-site MPLS paths. The configuration of the VPN topology is therefore highly restricted. The services supported are often limited to best-effort site-to-site connectivity and secure communication between sites. If QoS is offered, it is usually provided by over-provisioning network resources so that QoS service-level agreements are unlikely to be violated. Recently, some efforts such as in [5,12] use QoS strategies that require VPN traffic to be regulated at ingress nodes. The downside is that the opportunity for statistical sharing of unused resources is reduced. Another important limitation of these approaches is the lack of customizability. For example, a customer cannot control the routing of VPN traffic for load balancing or QoS routing, nor can a customer specify resource management policies in the VPN.

In this paper, we propose and implement Virtual Network Service (VNS), a value-added network service for deploying VPNs in a managed wide-area IP network. VNS is built on top of the IP layer to ensure interoperability across various layer 2 technologies (e.g., ATM, MPLS). A VPN is constructed from virtual links. A virtual link is a link abstraction connecting any two physical nodes that are in the VPN's topology. Communication over the VPN is secure, and each virtual link is allocated a guaranteed bandwidth. Moreover, unused bandwidth is shared statistically between VPNs for additional performance gains.

The key advantage of VNS is that it deploys VPNs that have a level of performance and degrees of freedom in management that are comparable to physical private networks. For instance, instead of being restricted to only site-to-site virtual links, a customer has full control of the VPN topology, and how the VPN topology maps onto the underlying network. This has two advantages. First, the topology can be engineered such that applications that are sensitive to the network topology (such as multicast applications) can achieve the best performance. Second, by carefully choosing the topology, statistical sharing of bandwidth within the VPN can be optimized. In addition to customizing the topology, each VPN can also select its own control protocols. For example, it can use a customized routing protocol that supports load balancing, policy-based routing or QoS routing. VNS also provides guaranteed QoS on each virtual link in a VPN. Moreover, because link bandwidth is virtualized using hierarchical packet scheduling, each VPN can even have its own signaling protocol (e.g., RSVP) to customize resource sharing policies in the VPN or to provide per-flow QoS to real-time applications.

The main technique underlying VNS is the virtualization of the control and data planes in routers. Virtualization of the control plane enables each VPN to have the autonomy to execute custom routing and signaling protocols while sharing a common physical infrastructure. Our approach to provisioning customizable control planes leverages a programmable router architecture that provides an open programmable interface [29].

In the data plane, packet forwarding and link bandwidth are virtualized per VPN. Virtualization of the forwarding mechanism enables isolation and routing of traffic according to virtual topologies. Virtualization of the link bandwidth provides each VPN with virtual links of guaranteed capacity, and the autonomy to specify its own bandwidth sharing policy. Earlier work in VPN services such as in [7,15,24,31] did not consider statistical sharing of under-utilized resources. In this work, the additional performance benefit of statistical multiplexing is achieved without compromising any bandwidth guarantees by using the fair service curve (H-FSC) [27] hierarchical packet scheduler.

Architecturally, VNS is based on the Darwin [8] router design, which is programmable and capable of virtualizing the link bandwidth. The Beagle [9] signaling protocol is used for resource allocation and control plane customization. In order to virtualize routing and forwarding, we extend the Darwin router design to allow each VPN to have its own routing protocol and forwarding table. Secure communication is achieved through IPSEC [18]. The virtual network system administrator (VANESA), a Java-based VPN management tool, provides a user interface that hides the complexity of the signaling from the user. VNS is targeted towards deployment on the CAIRN research network [1].

The rest of this paper is organized as follows. In Section 2, we examine the overall system design of VNS. In Section 3, we explain the key concept of virtualization by describing the mechanisms used

1. VANESA: VANESA is a Java-based centralized graphical user interface for configuring and managing VPNs. Fig. 2 is a screen capture of VANESA. The idea here is similar to the concept of a software toolkit for deploying virtual networks as described in [13] by Ferrari and Delgrossi. VANESA provides a simple interface for the network administrator to configure VPN properties such as the virtual topology, bandwidth requirements of virtual links, parameters for security configuration and VPN membership information. Members of a VPN are described by the member end hosts' IP addresses and/or the member subnets' network prefixes. In addition, VANESA can also be used to specify custom routing and signaling protocols that are to be deployed within a VPN.

2. VPN controller: The VPN controller is a process that runs on a host or router that has direct access to the network where VNS is deployed. The job of the VPN controller is to act as a proxy for control messages between VANESA and routers in the WAN where VNS is deployed. This enables VANESA to be executed remotely from anywhere in the Internet. Furthermore, the complexity of the signaling required to set up the VPN is handled by the VPN controller and decoupled from the user interface. This setup is depicted in Fig. 1.

3. Virtualizable VNS routers: VNS routers are Darwin-based routers built on commodity PC hardware running a variant of FreeBSD Unix.
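The link bandwidth virtualization described above gives each VPN a guaranteed rate on a physical link while letting unused capacity be shared between VPNs. The following model, added here as an illustration and not code from the paper or the VNS prototype, shows that combination: a weighted water-filling allocation stands in for the H-FSC scheduler, admission control rejects guarantees that exceed the link, and the VPN names, rates and demands are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

EPS = 1e-9  # tolerance for floating-point comparisons


@dataclass
class VpnClass:
    """One VPN's share of a physical link (hypothetical model of a VNS virtual link)."""
    name: str
    guarantee: float  # Mb/s reserved for this VPN on the link (admission-controlled)
    demand: float     # Mb/s the VPN's traffic currently offers to the link


def allocate(link_capacity: float, classes: list[VpnClass]) -> dict[str, float]:
    """Return the rate (Mb/s) each VPN receives on the shared physical link."""
    if sum(c.guarantee for c in classes) > link_capacity + EPS:
        raise ValueError("admission control: guarantees exceed link capacity")
    # Phase 1: every VPN is served up to its guarantee (or its demand, if lower).
    alloc = {c.name: min(c.demand, c.guarantee) for c in classes}
    spare = link_capacity - sum(alloc.values())
    # Phase 2: statistical sharing -- spare capacity goes to VPNs that still
    # want more, weighted by their guarantees, until demand or spare runs out.
    while spare > EPS:
        hungry = [c for c in classes if c.demand - alloc[c.name] > EPS]
        total_weight = sum(c.guarantee for c in hungry)
        if not hungry or total_weight <= EPS:
            break
        handed_out = 0.0
        for c in hungry:
            share = spare * c.guarantee / total_weight
            extra = min(share, c.demand - alloc[c.name])  # never exceed demand
            alloc[c.name] += extra
            handed_out += extra
        spare -= handed_out
    return alloc


def guarantees_honoured(classes: list[VpnClass], alloc: dict[str, float]) -> bool:
    """Check the QoS property: no VPN receives less than min(demand, guarantee)."""
    return all(alloc[c.name] + EPS >= min(c.demand, c.guarantee) for c in classes)


if __name__ == "__main__":
    # Constructed sample: a 100 Mb/s link shared by three VPNs.
    vpns = [VpnClass("vpn-a", 40, 20), VpnClass("vpn-b", 40, 70), VpnClass("vpn-c", 20, 50)]
    rates = allocate(100, vpns)
    for name, rate in rates.items():
        print(f"{name}: {rate:.2f} Mb/s")
    print("guarantees honoured:", guarantees_honoured(vpns, rates))
```

In the sample, vpn-a's unused 20 Mb/s is split between vpn-b and vpn-c in the ratio of their guarantees, so no VPN drops below its reservation while the link stays fully used.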
