VPNs, Tunneling, and Overlay Networks

Virtual Private Networks (VPNs)

A virtual private network (VPN) is a data network having connections that make use of public networking facilities. The VPN part of a public network is set up "virtually" by a private-sector entity to provide public networking services to small entities. With the globalization of businesses, many companies have facilities across the world and use VPNs to maintain fast, secure, and reliable communications across their branches.

Creating a VPN benefits an organization by providing
• Extended geographical communication
• Reduced operational cost
• Enhanced organizational management
• Enhanced network management with simplified local area networks
• Improved productivity and globalization
Remote-Access VPN

Remote-access VPN is a user-to-LAN connection that an organization uses to connect its users to a private network from various remote locations. Large remote-access VPNs are normally outsourced to an Internet service provider to set up a network-access server. Other users, working off campus, can then reach the network-access server and use the VPN software to access the corporate network.

Tunneling in a remote-access VPN uses mainly the Point-to-Point Protocol (PPP). PPP is the carrier for other Internet protocols when communicating over the network between a host computer and a remote point.

Site-to-Site VPN

Site-to-site VPNs can be classified as either intranets or extranets.
• Intranet VPNs connect an organization's remote-site LANs into a single private network.
• Extranet VPNs allow two organizations to work in a shared environment through a tunnel built to connect their LANs.

In a site-to-site VPN, generic routing encapsulation (GRE) is normally the encapsulating protocol. GRE provides the framework for the encapsulation over an IP-based protocol. IPsec in tunnel mode is sometimes used as the encapsulating protocol.
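To make the encapsulation step concrete, here is an added example (not code from the original text) that wraps an inner packet in a GRE header following the RFC 2784 layout (C flag, version, protocol type, optional checksum) and validates that header again on the receiving side. The inner IPv4 datagram is constructed sample data, and the function names are the example's own; a tunnel endpoint that skips the version, flag and checksum checks shown in gre_decapsulate will pass corrupted or unexpected outer headers straight to the inner protocol stack.

```python
"""GRE tunnel encapsulation and decapsulation following the RFC 2784 header layout.

Added example (not from the original text). The inner packet below is a constructed
minimal IPv4 datagram carrying the bytes b"hello"; only the GRE layer is checked here.
"""
import struct

# Protocol Type values carried in the GRE header (Ethertypes).
PROTO_IPV4 = 0x0800
PROTO_IPV6 = 0x86DD

# Constructed inner packet: 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, UDP) + payload.
SAMPLE_INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 25, 0, 0, 64, 17, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"hello"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used for the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner: bytes, proto: int, with_checksum: bool = True) -> bytes:
    """Prefix `inner` with a GRE header.

    Header: C(1) | Reserved0(12) | Ver(3) | Protocol Type(16), then, if C is set,
    Checksum(16) | Reserved1(16). The checksum covers the GRE header and payload.
    """
    flags_ver = 0x8000 if with_checksum else 0x0000   # C is the most significant bit
    header = struct.pack("!HH", flags_ver, proto)
    if with_checksum:
        header += struct.pack("!HH", 0, 0)             # checksum computed with field zeroed
        header = header[:4] + struct.pack("!HH", internet_checksum(header + inner), 0)
    return header + inner


def gre_decapsulate(packet: bytes) -> tuple[int, bytes]:
    """Validate the GRE header and return (protocol type, inner packet).

    A tunnel endpoint must reject malformed or corrupted outer headers before handing
    the payload to the inner protocol stack; each check below raises ValueError.
    """
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version (must be 0)")
    if flags_ver & 0x7C00:
        # RFC 2784: bits 1-5 of Reserved0 must be zero unless RFC 1701 options are supported
        raise ValueError("unsupported GRE flags set")
    hdr_len = 4
    if flags_ver & 0x8000:
        if len(packet) < 8:
            raise ValueError("truncated GRE checksum")
        hdr_len = 8
        if internet_checksum(packet) != 0:   # a valid packet sums to zero with its checksum included
            raise ValueError("GRE checksum mismatch")
    return proto, packet[hdr_len:]


if __name__ == "__main__":
    outer = gre_encapsulate(SAMPLE_INNER, PROTO_IPV4)
    print("GRE packet:", outer.hex())
    print("decapsulated:", gre_decapsulate(outer))
```

The checksum here only detects accidental corruption; it is the IPsec layer mentioned in the text, not GRE itself, that provides confidentiality and integrity against a deliberate modifier.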
Tunneling and Point-to-Point Protocol (PPP)

A tunnel is a connection that forms a virtual network on top of a physical network. In computer networking, a tunnel resembles a telephone line in a public switched telephone network. Besides Internet protocols, tunneling requires two other types of protocols:
1. Carrier protocols, through which information travels over the public network
2. Encapsulating protocols, through which data is wrapped, encapsulated, and secured

One of the amazing implications of VPNs is that packets that use a protocol not supported on the Internet, such as NetBEUI, can be placed inside an IP packet and sent safely over the Internet.

Point-to-Point Protocol (PPP)

The basic notion in tunneling is packet encapsulation from one protocol into the same or a higher-layer protocol. Thus, a tunnel can also be defined as an encapsulating protocol for protocols at the lower layers. Tunneling protocols, such as the Point-to-Point Protocol (PPP) or the Point-to-Point Tunneling Protocol (PPTP), are encapsulating protocols that allow an organization to establish secure connections from one point to another while using public resources. A PPP connection is a serial connection between a user and an Internet service provider.

Security in VPNs

Without using dedicated hardware, a VPN uses virtual connections routed through the Internet from the company's private network to the remote site. Companies can create their own VPNs to accommodate the needs of remote employees and distant offices. This section looks at methods
for keeping VPN connections secure. A well-protected VPN uses firewalls, encryption systems, IPsec features, and an authentication server.

A firewall provides an effective barrier between a private network and the Internet. Firewalls can be set up to restrict the number of open ports and to monitor what types of packets are passed through and which protocols are allowed through.

Multiprotocol Label Switching (MPLS)

Multiprotocol label switching (MPLS) improves the overall performance and delay characteristics of the Internet. MPLS transmission is a special case of tunneling and is an efficient routing mechanism. Its connection-oriented forwarding mechanism, together with layer 2 label-based lookups, enables traffic engineering to implement peer-to-peer VPNs effectively. MPLS adds some traditional layer 2 capabilities and services, such as traffic engineering, to the IP layer. This technology adds new capabilities to IP-based networks:
• Connection-oriented QoS support
• Traffic engineering
• VPN support
• Multiprotocol support

MPLS network architectures also support other applications, such as IP multicast routing and QoS extensions. The power of MPLS lies in the number of applications made possible with simple label switching, ranging from traffic engineering to peer-to-peer VPNs.

MPLS Operation

MPLS is based on the assignment of labels to packets. Assigning labels to each packet makes a label-swapping scheme perform its routing process much more efficiently. An MPLS network consists of nodes called label switch routers (LSRs). An LSR switches labeled packets according to particular switching tables. An LSR has two distinct functional components: a control component and a forwarding component. The control component uses routing protocols, such as OSPF and the Border Gateway Protocol (BGP).
The control component also facilitates the exchange of information with other LSRs to build and maintain the forwarding table.

MPLS Packet Format

MPLS uses label stacking to become capable of multilevel hierarchical routing. A label enables the network to perform faster by using smaller forwarding tables, a property that ensures a convenient scalability of the network.

(Figure: MPLS header encapsulation for an IP packet.) An MPLS label is a 32-bit field consisting of several fields as follows.
• Label value is a 20-bit field and is significant only locally.
• Exp is a 3-bit field reserved for future experimental use.
• S is set to 1 for the oldest entry in the stack and to 0 for all other entries.
• Time to live is an 8-bit field used to encode a hop-count value to prevent packets from looping forever in the network.

Routing in MPLS Domains

An ingress LSR is an edge device that performs the initial packet processing and classification and applies the first label. An ingress LSR creates a new label. A core LSR swaps the incoming label with a corresponding next-hop label found in a forwarding table. At the other end of the network, another edge router, the egress LSR, is an outbound edge router and pops the label from the packet. It should be noted that multiple labels may be attached to a packet, forming a stack of labels. Label stacking enables multilevel hierarchical routing. For example, BGP labels are used for higher-level hierarchical packet forwarding from one BGP speaker to the other, whereas Interior Gateway Protocol (IGP) labels are used for packet forwarding within an autonomous system. Only the label at the top of the stack determines the forwarding decision.
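The 32-bit label layout and the push/swap/pop operations described above are easy to get wrong by a single bit, so here is an added example (not code from the original text) that packs and parses MPLS label stack entries and walks a packet through an ingress, a core and an egress LSR. The FEC table, prefixes and label values are constructed for illustration, the function names are the example's own, and the ingress here classifies only by destination prefix; the core LSR deliberately consults the top label alone, which is the property the text ends on.

```python
"""MPLS label stack encoding plus a minimal ingress/core/egress LSR simulation.

Added example (not from the original text). Forwarding tables, prefixes and label
values below are constructed; real LSRs learn them via LDP/BGP.
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class LabelEntry:
    label: int   # 20-bit label value, locally significant
    exp: int     # 3-bit Exp field
    ttl: int     # 8-bit time to live
    # The S (bottom-of-stack) bit is derived from position when the stack is encoded.


def encode_label(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Pack one 32-bit stack entry: Label(20) | Exp(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of 20-bit range")
    if not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("exp or ttl out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def encode_stack(entries: list[LabelEntry]) -> bytes:
    """Serialize a stack; entries[0] is the top label, the last entry gets S=1."""
    return b"".join(encode_label(e.label, e.exp, i == len(entries) - 1, e.ttl)
                    for i, e in enumerate(entries))


def decode_stack(data: bytes) -> tuple[list[LabelEntry], bytes]:
    """Parse entries until one carries S=1; return (stack, remaining payload).

    A stack that runs out of bytes before a bottom entry is malformed and rejected,
    so a truncated packet cannot be interpreted as carrying payload bytes as labels.
    """
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack has no bottom-of-stack entry")
        (word,) = struct.unpack("!I", data[off:off + 4])
        off += 4
        entries.append(LabelEntry(word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:
            return entries, data[off:]


# Constructed tables. Ingress maps a destination prefix to an FEC and the label bound
# to it; core LSRs swap the top label; egress pops it.
INGRESS_FEC_TABLE = {ipaddress.ip_network("10.1.0.0/16"): 1001,
                     ipaddress.ip_network("10.2.0.0/16"): 1002}
CORE_SWAP_TABLE = {1001: 2001, 1002: 2002, 5000: 5001}   # incoming top label -> outgoing


def ingress_push(dst_ip: str, payload: bytes, ttl: int = 64) -> bytes:
    """Ingress LSR: classify by longest-prefix match into an FEC and push its label."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [net for net in INGRESS_FEC_TABLE if addr in net]
    if not matches:
        raise LookupError(f"no FEC for {dst_ip}")
    best = max(matches, key=lambda net: net.prefixlen)
    return encode_stack([LabelEntry(INGRESS_FEC_TABLE[best], 0, ttl)]) + payload


def push_outer(packet: bytes, label: int, ttl: int = 64, exp: int = 0) -> bytes:
    """Push a further (outer) label onto an already labeled packet, e.g. an IGP label
    over a BGP label; S bits are recomputed so only the original bottom entry keeps S=1."""
    stack, payload = decode_stack(packet)
    return encode_stack([LabelEntry(label, exp, ttl)] + stack) + payload


def core_swap(packet: bytes) -> bytes:
    """Core LSR: consult only the top label, swap it and decrement its TTL."""
    stack, payload = decode_stack(packet)
    top = stack[0]
    if top.ttl <= 1:
        raise ValueError("MPLS TTL expired")
    if top.label not in CORE_SWAP_TABLE:
        raise LookupError(f"no forwarding entry for label {top.label}")
    stack[0] = LabelEntry(CORE_SWAP_TABLE[top.label], top.exp, top.ttl - 1)
    return encode_stack(stack) + payload


def egress_pop(packet: bytes) -> tuple[list[LabelEntry], bytes]:
    """Egress LSR: pop the top label; return the remaining stack (empty at tunnel end) and payload."""
    stack, payload = decode_stack(packet)
    return stack[1:], payload


if __name__ == "__main__":
    ip_packet = b"\x45" + bytes(19)            # constructed stand-in for an IPv4 header
    labeled = ingress_push("10.1.5.9", ip_packet)
    print("after ingress:", decode_stack(labeled)[0])
    print("after core   :", decode_stack(core_swap(labeled))[0])
    print("after egress :", egress_pop(core_swap(labeled)))
```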
Tunneling and Use of FEC

In an MPLS operation, any traffic is grouped into forwarding equivalence classes (FECs). An FEC implies that a group of IP packets are forwarded in the same manner, for example, over the same path or with the same forwarding treatment. A packet can be mapped to a particular FEC based on the following criteria:
• Source and/or destination IP address or IP network addresses
• TCP/UDP port numbers
• Class of service
• Applications

As mentioned earlier, labels have only local significance. This fact removes a considerable amount of the network-management burden. An MPLS packet may carry as many labels as required by a network sender. The processing of labeled packets can always be performed based on the top label. The label stack feature allows the aggregation of LSPs into a single LSP for a portion of the route, creating an MPLS tunnel.

Label Distribution Protocol (LDP)

The Label Distribution Protocol (LDP) is a set of rules by which an LSR informs another LSR of an FEC. LDP enables two LSRs to understand each other's MPLS capabilities.

Traffic Engineering

High-quality connections can be expensive in an Internet service provider domain. Traffic engineering enables an ISP to route high-quality traffic to offer the best service to users in terms of throughput and delay. This way, traffic engineering reduces the cost of a network connection. Traffic engineering substitutes for the need to manually configure network devices to set up explicit routes. In MPLS, traffic engineering is an automated scheme for control signaling and link bandwidth assignment and has a dynamic adaptation mechanism.

MPLS-Based VPNs

Routine operations of virtual private networks require the use of both wide-area intradomain routing and interdomain routing schemes. A VPN's request to form a tunnel can be processed at
the edge routers. For example, the multiprotocol Border Gateway Protocol (BGP) makes it easier for an MPLS-based VPN to manage VPN sites and VPN membership, mainly owing to the traffic engineering feature of MPLS. In an MPLS network, VPNs can be deployed by delivering the service using MPLS-aware subscriber equipment on the same infrastructure used for deploying Internet services.

Overlay Networks

An overlay network is an application-specific computer network built on top of another network. In other words, an overlay network creates a virtual topology on top of the physical topology. This type of network is created to protect the existing network structure from new protocols whose testing phases require Internet use. Such networks protect packets under test while isolating them from the main networking infrastructure in a test bed.

Overlay networks are self-organized. When a node fails, the overlay network algorithm should provide solutions that let the network recover and recreate an appropriate network structure. Another fundamental difference between an overlay network and an unstructured network is that an overlay's look-up of routing information is based on identifiers derived from the content of the moving frames.

Peer-to-Peer (P2P) Connection

As an overlay network resembles a system consisting of various applications running on a single operating system, it could also resemble a set of tunnels that interconnect resources and users. The interconnects are carried out by peer-to-peer (P2P) protocols.
Let δ be the time required to establish a connection and t_f be the time to finish the service as soon as the connection is established. Assuming that the requests arrive at random to a peer node, the service time s is